| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2014-9419 |
200 |
|
Bypass +Info |
2014-12-25 |
2018-01-04 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address. |
|
2 |
CVE-2014-9408 |
200 |
|
+Info |
2014-12-19 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 uses part of the MAC address as part of the RC4 setup key, which makes it easier for remote attackers to guess the key via a brute-force attack. |
|
3 |
CVE-2014-9361 |
200 |
|
+Priv +Info |
2014-12-10 |
2014-12-11 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal does not properly unset the authorized user role for certain users, which allows remote attackers with the pre-authorized role to gain privileges and possibly obtain sensitive information by accessing a Page Not Found (404) page. |
|
4 |
CVE-2014-9355 |
200 |
|
+Info |
2014-12-19 |
2014-12-22 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Puppet Enterprise before 3.7.1 allows remote authenticated users to obtain licensing and certificate signing request information by leveraging access to an unspecified API endpoint. |
|
5 |
CVE-2014-9303 |
200 |
|
+Info |
2014-12-07 |
2018-10-09 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
EntryPass N5200 Active Network Control Panel allows remote attackers to read device memory and obtain the administrator username and password via a URL starting with an ASCII character o through z or A through D, different vectors than CVE-2014-8868. |
|
6 |
CVE-2014-9279 |
200 |
|
+Info |
2014-12-08 |
2017-09-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent to the URL. |
|
7 |
CVE-2014-9252 |
200 |
|
+Info |
2014-12-15 |
2016-03-21 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Zenoss Core through 5 Beta 3 stores cleartext passwords in the session database, which might allow local users to obtain sensitive information by reading database entries, aka ZEN-15416. |
|
8 |
CVE-2014-9250 |
200 |
|
+Info |
2014-12-15 |
2016-03-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Zenoss Core through 5 Beta 3 does not include the HTTPOnly flag in a Set-Cookie header for the authentication cookie, which makes it easier for remote attackers to obtain credential information via script access to this cookie, aka ZEN-10418. |
|
9 |
CVE-2014-9247 |
200 |
|
+Info |
2014-12-15 |
2016-03-21 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Zenoss Core through 5 Beta 3 allows remote authenticated users to obtain sensitive (1) user account, (2) e-mail address, and (3) role information by visiting the ZenUsers (aka User Manager) page, aka ZEN-15389. |
|
10 |
CVE-2014-9245 |
200 |
|
+Info |
2014-12-15 |
2016-03-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Zenoss Core through 5 Beta 3 allows remote attackers to obtain sensitive information by attempting a product-rename action with an invalid new name and then reading a stack trace, as demonstrated by internal URL information, aka ZEN-15382. |
|
11 |
CVE-2014-9177 |
200 |
|
+Info |
2014-12-02 |
2017-09-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The HTML5 MP3 Player with Playlist Free plugin before 2.7 for WordPress allows remote attackers to obtain the installation path via a request to html5plus/playlist.php. |
|
12 |
CVE-2014-9162 |
200 |
|
+Info |
2014-12-10 |
2018-12-20 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to obtain sensitive information via unspecified vectors. |
|
13 |
CVE-2014-9156 |
200 |
|
+Info |
2014-12-01 |
2014-12-01 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The FileField module 6.x-3.x before 6.x-3.13 for Drupal does not properly check permissions to view files, which allows remote authenticated users with permission to create or edit content to read private files by attaching an uploaded file. |
|
14 |
CVE-2014-9154 |
200 |
|
+Info |
2014-12-01 |
2014-12-05 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The Notify module 7.x-1.x before 7.x-1.1 for Drupal does not properly restrict access to (1) new or (2) modified nodes or (3) their fields, which allows remote authenticated users to obtain node titles, teasers, and fields by reading a notification email. |
|
15 |
CVE-2014-9026 |
264 |
|
+Info |
2014-11-20 |
2014-11-20 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The Ubercart module 7.x-3.x before 7.x-3.7 for Drupal does not properly protect the per-user order history view, which allows remote authenticated users with the "view own orders" permission to obtain sensitive information via unspecified vectors. |
|
16 |
CVE-2014-9025 |
200 |
|
+Info |
2014-11-20 |
2014-11-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The default checkout completion rule in the commerce_order module in the Drupal Commerce module 7.x-1.x before 7.x-1.10 for Drupal uses the email address as the username for new accounts created at checkout, which allows remote attackers to obtain sensitive information via unspecified vectors. |
|
17 |
CVE-2014-9018 |
200 |
|
+Info |
2014-12-03 |
2017-09-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Icecast before 2.4.1 transmits the output of the on-connect script, which might allow remote attackers to obtain sensitive information, related to shared file descriptors. |
|
18 |
CVE-2014-8961 |
22 |
|
Dir. Trav. +Info |
2014-11-30 |
2018-10-30 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Directory traversal vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to obtain potentially sensitive information about a file's line count via a crafted parameter. |
|
19 |
CVE-2014-8874 |
200 |
|
+Info |
2014-12-02 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The ke_questionnaire extension 2.5.2 and earlier for TYPO3 uses predictable names for the questionnaire answer forms, which makes it easier for remote attackers to obtain sensitive information via a direct request. |
|
20 |
CVE-2014-8868 |
264 |
|
+Info |
2014-12-07 |
2018-10-09 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
EntryPass N5200 Active Network Control Panel does not properly restrict access, which allows remote attackers to obtain the administrator username and password, and possibly other sensitive information, via a request to /4. |
|
21 |
CVE-2014-8788 |
200 |
|
+Info |
2014-12-02 |
2014-12-05 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
GleamTech FileVista before 6.1 allows remote authenticated users to obtain sensitive information via a crafted path when saving a zip file, which reveals the installation path in an error message. |
|
22 |
CVE-2014-8775 |
200 |
|
+Info |
2014-12-03 |
2014-12-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. |
|
23 |
CVE-2014-8769 |
119 |
|
DoS Overflow +Info |
2014-11-20 |
2018-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
tcpdump 3.8 through 4.6.2 might allow remote attackers to obtain sensitive information from memory or cause a denial of service (packet loss or segmentation fault) via a crafted Ad hoc On-Demand Distance Vector (AODV) packet, which triggers an out-of-bounds memory access. |
|
24 |
CVE-2014-8762 |
200 |
|
+Info |
2014-10-22 |
2016-04-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter. |
|
25 |
CVE-2014-8761 |
200 |
|
+Info |
2014-10-22 |
2015-09-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call. |
|
26 |
CVE-2014-8736 |
200 |
|
Bypass +Info |
2014-11-12 |
2014-11-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Open Atrium Core module for Drupal before 7.x-2.22 allows remote attackers to bypass access restrictions and read file attachments that have been removed from a node by leveraging a previous revision of the node. |
|
27 |
CVE-2014-8735 |
200 |
|
+Info |
2014-11-12 |
2014-11-13 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The Bad Behavior module 6.x-2.x before 6.x-2.2216 and 7.x-2.x before 7.x-2.2216 for Drupal logs usernames and passwords, which allows remote authenticated users with the "administer bad behavior" permission to obtain sensitive information by reading a log file. |
|
28 |
CVE-2014-8709 |
200 |
|
+Info |
2014-11-10 |
2017-09-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 does not properly maintain a certain tail pointer, which allows remote attackers to obtain sensitive cleartext information by reading packets. |
|
29 |
CVE-2014-8678 |
200 |
|
+Info |
2014-11-25 |
2015-02-17 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
The ConfigSaveServlet servlet in ManageEngine OpUtils before build 71024 allows remote attackers to "disclose" files via a crafted filename, related to "saveFile." |
|
30 |
CVE-2014-8666 |
200 |
|
+Info |
2014-11-06 |
2014-11-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The User & Server configuration, InfoView refresh, user rights (BI-BIP-ADM) component in SAP Business Intellignece allows remote attackers to obtain audit event details via unspecified vectors. |
|
31 |
CVE-2014-8665 |
200 |
|
+Info |
2014-11-06 |
2014-11-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The SAP Business Intelligence Development Workbench allows remote attackers to obtain sensitive information by reading unspecified files. |
|
32 |
CVE-2014-8656 |
255 |
1
|
+Info |
2014-11-06 |
2014-11-06 |
10.0 |
Admin |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH have a default password of (1) admin for the admin account and (2) compalbn for the root account, which makes it easier for remote attackers to obtain access to certain sensitive information via unspecified vectors. |
|
33 |
CVE-2014-8655 |
264 |
1
|
Bypass +Info |
2014-11-06 |
2017-09-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows remote attackers to bypass authentication and obtain sensitive information via an (a) admin or a (b) root value in the userData cookie in a request to (1) CmgwWirelessSecurity.xml, (2) DocsisConfigFile.xml, or (3) CmgwBasicSetup.xml in xml/ or (4) basicDDNS.html, (5) basicLanUsers.html, or (6) rootDesc.xml. |
|
34 |
CVE-2014-8598 |
19 |
|
Exec Code +Info |
2014-11-18 |
2017-09-07 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code. |
|
35 |
CVE-2014-8566 |
200 |
|
DoS Overflow +Info |
2014-11-15 |
2015-11-20 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
The mod_auth_mellon module before 0.8.1 allows remote attackers to obtain sensitive information or cause a denial of service (segmentation fault) via unspecified vectors related to a "session overflow" involving "sessions overlapping in memory." |
|
36 |
CVE-2014-8553 |
200 |
|
+Info |
2014-12-17 |
2017-09-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The mci_account_get_array_by_id function in api/soap/mc_account_api.php in MantisBT before 1.2.18 allows remote attackers to obtain sensitive information via a (1) mc_project_get_users, (2) mc_issue_get, (3) mc_filter_get_issues, or (4) mc_project_get_issues SOAP request. |
|
37 |
CVE-2014-8552 |
200 |
|
+Info |
2014-11-26 |
2014-11-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The WinCC server in Siemens SIMATIC WinCC 7.0 through SP3, 7.2 before Update 9, and 7.3 before Update 2; SIMATIC PCS 7 7.1 through SP4, 8.0 through SP2, and 8.1; and TIA Portal 13 before Update 6 allows remote attackers to read arbitrary files via crafted packets. |
|
38 |
CVE-2014-8538 |
310 |
|
+Info |
2014-10-29 |
2014-11-14 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Hijab Modern (aka com.Aisyaidea.HijabModern) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
39 |
CVE-2014-8537 |
200 |
|
+Info |
2014-10-29 |
2017-09-07 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to obtain sensitive information by reading the logs. |
|
40 |
CVE-2014-8536 |
200 |
|
+Info |
2014-10-29 |
2017-09-07 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to obtain sensitive information by reading unspecified error messages. |
|
41 |
CVE-2014-8532 |
|
|
+Info |
2014-10-29 |
2014-10-30 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
Unspecified vulnerability in McAfee Network Data Loss Prevention before (NDLP) before 9.3 allows local users to obtain sensitive information and impact integrity via unknown vectors, related to partition mounting. |
|
42 |
CVE-2014-8530 |
|
|
DoS +Info |
2014-10-29 |
2014-10-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to obtain sensitive information, affect integrity, or cause a denial of service via unknown vectors, related to simultaneous logins. |
|
43 |
CVE-2014-8529 |
310 |
|
+Info |
2014-10-29 |
2014-10-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
McAfee Network Data Loss Prevention (NDLP) before 9.3 stores the SSH key in cleartext, which allows local users to obtain sensitive information via unspecified vectors. |
|
44 |
CVE-2014-8528 |
200 |
|
+Info |
2014-10-29 |
2014-10-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
McAfee Network Data Loss Prevention (NDLP) before 9.3 logs session IDs, which allows local users to obtain sensitive information by reading the audit log. |
|
45 |
CVE-2014-8527 |
255 |
|
+Info |
2014-10-29 |
2014-10-30 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local users to obtain sensitive information and affect integrity via vectors related to a "plain text password." |
|
46 |
CVE-2014-8526 |
200 |
|
+Info |
2014-10-29 |
2014-10-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local users to obtain sensitive information by reading a Java stack trace. |
|
47 |
CVE-2014-8525 |
200 |
|
+Info |
2014-10-29 |
2017-09-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
McAfee Network Data Loss Prevention (NDLP) before 9.3 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. |
|
48 |
CVE-2014-8524 |
200 |
|
+Info |
2014-10-29 |
2014-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
McAfee Network Data Loss Prevention (NDLP) before 9.3 does not disable the autocomplete setting for the password and other fields, which allows remote attackers to obtain sensitive information via unspecified vectors. |
|
49 |
CVE-2014-8520 |
200 |
|
+Info |
2014-10-29 |
2017-09-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to obtain sensitive information via vectors related to open network ports. |
|
50 |
CVE-2014-8495 |
310 |
|
+Info |
2014-10-31 |
2017-09-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Citrix XenMobile MDX Toolkit before 9.0.4, when used to wrap iOS 8 applications, does not properly encrypt cached application data, which allows context-dependent attackers to obtain sensitive information by reading the cache. |
