| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2014-8961 |
22 |
|
Dir. Trav. +Info |
2014-11-30 |
2018-10-30 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Directory traversal vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to obtain potentially sensitive information about a file's line count via a crafted parameter. |
|
2 |
CVE-2014-8959 |
22 |
|
Dir. Trav. |
2014-11-30 |
2018-10-30 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in libraries/gis/GIS_Factory.class.php in the GIS editor in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allows remote authenticated users to include and execute arbitrary local files via a crafted geometry-type parameter. |
|
3 |
CVE-2014-8564 |
310 |
|
DoS |
2014-11-13 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The _gnutls_ecc_ansi_x963_export function in gnutls_ecc.c in GnuTLS 3.x before 3.1.28, 3.2.x before 3.2.20, and 3.3.x before 3.3.10 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted (1) Elliptic Curve Cryptography (ECC) certificate or (2) certificate signing requests (CSR), related to generating key IDs. |
|
4 |
CVE-2014-8483 |
125 |
|
DoS |
2014-11-06 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The blowfishECB function in core/cipher.cpp in Quassel IRC 0.10.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a malformed string. |
|
5 |
CVE-2014-8132 |
|
|
DoS |
2014-12-29 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Double free vulnerability in the ssh_packet_kexinit function in kex.c in libssh 0.5.x and 0.6.x before 0.6.4 allows remote attackers to cause a denial of service via a crafted kexinit packet. |
|
6 |
CVE-2014-8104 |
399 |
|
DoS |
2014-12-03 |
2020-05-12 |
6.8 |
None |
Remote |
Low |
??? |
None |
None |
Complete |
|
OpenVPN 2.x before 2.0.11, 2.1.x, 2.2.x before 2.2.3, and 2.3.x before 2.3.6 allows remote authenticated users to cause a denial of service (server crash) via a small control channel packet. |
|
7 |
CVE-2014-8080 |
|
|
DoS |
2014-11-03 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack. |
|
8 |
CVE-2014-7829 |
22 |
|
Dir. Trav. |
2014-11-18 |
2019-08-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818. |
|
9 |
CVE-2014-7818 |
22 |
|
Dir. Trav. |
2014-11-08 |
2019-08-08 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence. |
|
10 |
CVE-2014-7155 |
264 |
|
DoS +Priv |
2014-10-02 |
2018-10-30 |
5.8 |
None |
Local Network |
Low |
Not required |
Partial |
Partial |
Partial |
|
The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 4.4.x and earlier does not properly check supervisor mode permissions, which allows local HVM users to cause a denial of service (guest crash) or gain guest kernel mode privileges via vectors involving an (1) HLT, (2) LGDT, (3) LIDT, or (4) LMSW instruction. |
|
11 |
CVE-2014-7154 |
362 |
|
DoS |
2014-10-02 |
2018-10-30 |
6.1 |
None |
Local Network |
Low |
Not required |
None |
None |
Complete |
|
Race condition in HVMOP_track_dirty_vram in Xen 4.0.0 through 4.4.x does not ensure possession of the guarding lock for dirty video RAM tracking, which allows certain local guest domains to cause a denial of service via unspecified vectors. |
|
12 |
CVE-2014-6300 |
79 |
|
XSS CSRF |
2014-11-08 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the micro history implementation in phpMyAdmin 4.0.x before 4.0.10.3, 4.1.x before 4.1.14.4, and 4.2.x before 4.2.8.1 allows remote attackers to inject arbitrary web script or HTML, and consequently conduct a cross-site request forgery (CSRF) attack to create a root account, via a crafted URL, related to js/ajax.js. |
|
13 |
CVE-2014-5461 |
119 |
|
DoS Overflow |
2014-09-04 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments. |
|
14 |
CVE-2014-5459 |
59 |
|
|
2014-09-27 |
2021-03-29 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
The PEAR_REST class in REST.php in PEAR in PHP through 5.6.0 allows local users to write to arbitrary files via a symlink attack on a (1) rest.cachefile or (2) rest.cacheid file in /tmp/pear/cache/, related to the retrieveCacheFirst and useLocalCache functions. |
|
15 |
CVE-2014-5177 |
20 |
|
|
2014-08-03 |
2019-04-22 |
1.2 |
None |
Local |
High |
Not required |
Partial |
None |
None |
|
libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declaration in conjunction with an entity reference to the (1) virDomainDefineXML, (2) virNetworkCreateXML, (3) virNetworkDefineXML, (4) virStoragePoolCreateXML, (5) virStoragePoolDefineXML, (6) virStorageVolCreateXML, (7) virDomainCreateXML, (8) virNodeDeviceCreateXML, (9) virInterfaceDefineXML, (10) virStorageVolCreateXMLFrom, (11) virConnectDomainXMLFromNative, (12) virConnectDomainXMLToNative, (13) virSecretDefineXML, (14) virNWFilterDefineXML, (15) virDomainSnapshotCreateXML, (16) virDomainSaveImageDefineXML, (17) virDomainCreateXMLWithFiles, (18) virConnectCompareCPU, or (19) virConnectBaselineCPU API method, related to an XML External Entity (XXE) issue. NOTE: this issue was SPLIT from CVE-2014-0179 per ADT3 due to different affected versions of some vectors. |
|
16 |
CVE-2014-4987 |
264 |
|
Bypass |
2014-07-20 |
2018-10-30 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x before 4.2.6 allows remote authenticated users to bypass intended access restrictions and read the MySQL user list via a viewUsers request. |
|
17 |
CVE-2014-4617 |
20 |
|
DoS |
2014-06-25 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The do_uncompress function in g10/compress.c in GnuPG 1.x before 1.4.17 and 2.x before 2.0.24 allows context-dependent attackers to cause a denial of service (infinite loop) via malformed compressed packets, as demonstrated by an a3 01 5b ff byte sequence. |
|
18 |
CVE-2014-3985 |
|
|
DoS |
2014-09-11 |
2020-09-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The getHTTPResponse function in miniwget.c in MiniUPnP 1.9 allows remote attackers to cause a denial of service (crash) via crafted headers that trigger an out-of-bounds read. |
|
19 |
CVE-2014-3968 |
|
|
DoS |
2014-06-05 |
2018-10-30 |
5.5 |
None |
Local Network |
Low |
??? |
None |
None |
Complete |
|
The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x allows local guest HVM administrators to cause a denial of service (host crash) via a large number of crafted requests, which trigger an error messages to be logged. |
|
20 |
CVE-2014-3967 |
|
|
DoS |
2014-06-05 |
2018-10-30 |
5.5 |
None |
Local Network |
Low |
??? |
None |
None |
Complete |
|
The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x does not properly check the return value from the IRQ setup check, which allows local HVM guest administrators to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors. |
|
21 |
CVE-2014-3730 |
20 |
|
|
2014-05-16 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The django.util.http.is_safe_url function in Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly validate URLs, which allows remote attackers to conduct open redirect attacks via a malformed URL, as demonstrated by "http:\\\djangoproject.com." |
|
22 |
CVE-2014-3694 |
310 |
|
+Info |
2014-10-29 |
2018-10-30 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
23 |
CVE-2014-3639 |
399 |
|
DoS |
2014-09-22 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The dbus-daemon in D-Bus before 1.6.24 and 1.8.x before 1.8.8 does not properly close old connections, which allows local users to cause a denial of service (incomplete connection consumption and prevention of new connections) via a large number of incomplete connections. |
|
24 |
CVE-2014-3638 |
399 |
|
DoS |
2014-09-22 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The bus_connections_check_reply function in config-parser.c in D-Bus before 1.6.24 and 1.8.x before 1.8.8 allows local users to cause a denial of service (CPU consumption) via a large number of method calls. |
|
25 |
CVE-2014-3637 |
17 |
|
DoS |
2014-09-22 |
2019-06-24 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 does not properly close connections for processes that have terminated, which allows local users to cause a denial of service via a D-bus message containing a D-Bus connection file descriptor. |
|
26 |
CVE-2014-3636 |
399 |
|
DoS |
2014-10-25 |
2018-10-30 |
1.9 |
None |
Local |
Medium |
Not required |
None |
None |
Partial |
|
D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call. |
|
27 |
CVE-2014-3635 |
119 |
|
DoS Exec Code Overflow |
2014-09-22 |
2018-10-30 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Off-by-one error in D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8, when running on a 64-bit system and the max_message_unix_fds limit is set to an odd number, allows local users to cause a denial of service (dbus-daemon crash) or possibly execute arbitrary code by sending one more file descriptor than the limit, which triggers a heap-based buffer overflow or an assertion failure. |
|
28 |
CVE-2014-3566 |
310 |
|
|
2014-10-15 |
2021-11-17 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the "POODLE" issue. |
|
29 |
CVE-2014-3533 |
20 |
|
DoS |
2014-07-19 |
2018-10-30 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6 allows local users to cause a denial of service (disconnect) via a certain sequence of crafted messages that cause the dbus-daemon to forward a message containing an invalid file descriptor. |
|
30 |
CVE-2014-3532 |
20 |
|
DoS |
2014-07-19 |
2020-08-11 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
dbus 1.3.0 before 1.6.22 and 1.8.x before 1.8.6, when running on Linux 2.6.37-rc4 or later, allows local users to cause a denial of service (system-bus disconnect of other services or applications) by sending a message containing a file descriptor, then exceeding the maximum recursion depth before the initial message is forwarded. |
|
31 |
CVE-2014-3528 |
255 |
|
|
2014-08-19 |
2018-10-30 |
4.0 |
None |
Remote |
High |
Not required |
Partial |
Partial |
None |
|
Apache Subversion 1.0.0 through 1.7.x before 1.7.17 and 1.8.x before 1.8.10 uses an MD5 hash of the URL and authentication realm to store cached credentials, which makes it easier for remote servers to obtain the credentials via a crafted authentication realm. |
|
32 |
CVE-2014-3522 |
297 |
|
|
2014-08-19 |
2018-10-30 |
4.0 |
None |
Remote |
High |
Not required |
Partial |
Partial |
None |
|
The Serf RA layer in Apache Subversion 1.4.0 through 1.7.x before 1.7.18 and 1.8.x before 1.8.10 does not properly handle wildcards in the Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof servers via a crafted certificate. |
|
33 |
CVE-2014-3495 |
295 |
|
|
2019-12-13 |
2019-12-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
duplicity 0.6.24 has improper verification of SSL certificates |
|
34 |
CVE-2014-3169 |
|
|
DoS |
2014-08-27 |
2018-10-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Use-after-free vulnerability in core/dom/ContainerNode.cpp in the DOM implementation in Blink, as used in Google Chrome before 37.0.2062.94, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging script execution that occurs before notification of node removal. |
|
35 |
CVE-2014-3168 |
|
|
DoS |
2014-08-27 |
2018-10-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Use-after-free vulnerability in the SVG implementation in Blink, as used in Google Chrome before 37.0.2062.94, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper caching associated with animation. |
|
36 |
CVE-2014-2913 |
|
|
Exec Code |
2014-05-07 |
2018-10-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
** DISPUTED ** Incomplete blacklist vulnerability in nrpe.c in Nagios Remote Plugin Executor (NRPE) 2.15 and earlier allows remote attackers to execute arbitrary commands via a newline character in the -a option to libexec/check_nrpe. NOTE: this issue is disputed by multiple parties. It has been reported that the vendor allows newlines as "expected behavior." Also, this issue can only occur when the administrator enables the "dont_blame_nrpe" option in nrpe.conf despite the "HIGH security risk" warning within the comments. |
|
37 |
CVE-2014-2576 |
310 |
|
|
2014-10-15 |
2018-10-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
plugins/rssyl/feed.c in Claws Mail before 3.10.0 disables the CURLOPT_SSL_VERIFYHOST check for CN or SAN host name fields, which makes it easier for remote attackers to spoof servers and conduct man-in-the-middle (MITM) attacks. |
|
38 |
CVE-2014-2554 |
20 |
|
|
2014-04-23 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
OTRS 3.1.x before 3.1.21, 3.2.x before 3.2.16, and 3.3.x before 3.3.6 allows remote attackers to conduct clickjacking attacks via an IFRAME element. |
|
39 |
CVE-2014-2524 |
59 |
|
|
2014-08-20 |
2018-10-30 |
3.3 |
None |
Local |
Medium |
Not required |
None |
Partial |
Partial |
|
The _rl_tropen function in util.c in GNU readline before 6.3 patch 3 allows local users to create or overwrite arbitrary files via a symlink attack on a /var/tmp/rltrace.[PID] file. |
|
40 |
CVE-2014-2386 |
189 |
|
DoS Overflow |
2014-03-25 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Multiple off-by-one errors in Icinga, possibly 1.10.2 and earlier, allow remote attackers to cause a denial of service (crash) via unspecified vectors to the (1) display_nav_table, (2) print_export_link, (3) page_num_selector, or (4) page_limit_selector function in cgi/cgiutils.c or (5) status_page_num_selector function in cgi/status.c, which triggers a stack-based buffer overflow. |
|
41 |
CVE-2014-2324 |
22 |
|
Dir. Trav. |
2014-03-14 |
2021-02-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Multiple directory traversal vulnerabilities in (1) mod_evhost and (2) mod_simple_vhost in lighttpd before 1.4.35 allow remote attackers to read arbitrary files via a .. (dot dot) in the host name, related to request_check_hostname. |
|
42 |
CVE-2014-2323 |
89 |
|
Exec Code Sql |
2014-03-14 |
2021-02-26 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in mod_mysql_vhost.c in lighttpd before 1.4.35 allows remote attackers to execute arbitrary SQL commands via the host name, related to request_check_hostname. |
|
43 |
CVE-2014-2030 |
787 |
|
DoS Exec Code Overflow |
2020-02-06 |
2020-02-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick, possibly 6.8.8-5, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-1947. |
|
44 |
CVE-2014-1958 |
120 |
|
Exec Code Overflow |
2020-02-06 |
2020-02-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Buffer overflow in the DecodePSDPixels function in coders/psd.c in ImageMagick before 6.8.8-5 might allow remote attackers to execute arbitrary code via a crafted PSD image, involving the L%06ld string, a different vulnerability than CVE-2014-2030. |
|
45 |
CVE-2014-1934 |
59 |
|
|
2014-05-08 |
2018-10-30 |
3.3 |
None |
Local |
Medium |
Not required |
None |
Partial |
Partial |
|
tag.py in eyeD3 (aka python-eyed3) 7.0.3, 0.6.18, and earlier for Python allows local users to modify arbitrary files via a symlink attack on a temporary file. |
|
46 |
CVE-2014-1909 |
189 |
|
Exec Code Overflow Bypass |
2014-05-14 |
2018-10-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Integer signedness error in system/core/adb/adb_client.c in Android Debug Bridge (ADB) for Android 4.4 in the Android SDK Platform Tools 18.0.1 allows ADB servers to execute arbitrary code via a negative length value, which bypasses a signed comparison and triggers a stack-based buffer overflow. |
|
47 |
CVE-2014-1839 |
|
|
|
2014-03-11 |
2018-10-30 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Execute class in shellutils in logilab-commons before 0.61.0 uses tempfile.mktemp, which allows local users to have an unspecified impact by pre-creating the temporary file. |
|
48 |
CVE-2014-1838 |
59 |
|
|
2014-03-11 |
2018-10-30 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The (1) extract_keys_from_pdf and (2) fill_pdf functions in pdf_ext.py in logilab-commons before 0.61.0 allows local users to overwrite arbitrary files and possibly have other unspecified impact via a symlink attack on /tmp/toto.fdf. |
|
49 |
CVE-2014-1716 |
94 |
|
XSS |
2014-04-09 |
2018-10-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Cross-site scripting (XSS) vulnerability in the Runtime_SetPrototype function in runtime.cc in Google V8, as used in Google Chrome before 34.0.1847.116, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)." |
|
50 |
CVE-2014-1564 |
824 |
|
+Info |
2014-09-03 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 do not properly initialize memory for GIF rendering, which allows remote attackers to obtain sensitive information from process memory via crafted web script that interacts with a CANVAS element associated with a malformed GIF image. |
