# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1 | CVE-2014-9387 | 264 | | +Priv | 2014-12-17 | 2018-10-09 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
SAP BusinessObjects Edge 4.1 allows remote attackers to obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN token and gain privileges via a crafted CORBA call, aka SAP Note 2039905.
2 | CVE-2014-9361 | 200 | | +Priv +Info | 2014-12-10 | 2014-12-11 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
The LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal does not properly unset the authorized user role for certain users, which allows remote attackers with the pre-authorized role to gain privileges and possibly obtain sensitive information by accessing a Page Not Found (404) page.
3 | CVE-2014-9322 | 269 | 1 | +Priv | 2014-12-17 | 2023-01-17 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space.
4 | CVE-2014-9273 | 119 | | Exec Code Overflow +Priv | 2014-12-08 | 2018-10-30 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial
lib/handle.c in Hivex before 1.3.11 allows local users to execute arbitrary code and gain privileges via a small hive file, which triggers an out-of-bounds read or write.
5 | CVE-2014-9222 | 17 | | +Priv Mem. Corr. | 2014-12-24 | 2018-08-31 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the "Misfortune Cookie" vulnerability.
6 | CVE-2014-9183 | 255 | | +Priv | 2014-12-02 | 2014-12-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
ZTE ZXDSL 831CII has a default password of admin for the admin account, which allows remote attackers to gain administrator privileges.
7 | CVE-2014-9091 | 264 | | +Priv | 2014-12-10 | 2014-12-11 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial
Icecast before 2.4.0 does not change the supplementary group privileges when <changeowner> is configured, which allows local users to gain privileges via unspecified vectors.
8 | CVE-2014-9000 | 264 | | Exec Code +Priv | 2014-11-20 | 2014-11-20 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
Mule Enterprise Management Console (MMC) does not properly restrict access to handler/securityService.rpc, which allows remote authenticated users to gain administrator privileges and execute arbitrary code via a crafted request that adds a new user. NOTE: this issue was originally reported for ESB Runtime 3.5.1, but it originates in MMC.
9 | CVE-2014-8896 | 287 | | +Priv | 2014-12-22 | 2017-09-08 | 4.0 | None | Remote | Low | ??? | None | Partial | None
The Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through 10.1, 11.0 before FP7, and 11.3 and 11.4 before 11.4 FP1 allows remote authenticated users to modify the administrator's credentials and consequently gain privileges via unspecified vectors.
10 | CVE-2014-8890 | 264 | | +Priv | 2014-12-18 | 2017-09-08 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial
IBM WebSphere Application Server Liberty Profile 8.5.x before 8.5.5.4 allows remote attackers to gain privileges by leveraging the combination of a servlet's deployment descriptor security constraints and ServletSecurity annotations.
11 | CVE-2014-8884 | 119 | | DoS Overflow +Priv | 2014-11-30 | 2018-01-05 | 6.1 | None | Local | Low | Not required | Partial | Partial | Complete
Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before 3.17.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call.
12 | CVE-2014-8651 | 264 | | +Priv | 2014-12-06 | 2016-12-07 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
The KDE Clock KCM policykit helper in kde-workspace before 4.11.14 and plasma-desktop before 5.1.1 allows local users to gain privileges via a crafted ntpUtility (ntp utility name) argument.
13 | CVE-2014-8595 | 17 | | DoS +Priv | 2014-11-19 | 2018-10-30 | 1.9 | None | Local | Medium | Not required | None | None | Partial
arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not properly check privileges, which allows local HVM guest users to gain privileges or cause a denial of service (crash) via a crafted (1) CALL, (2) JMP, (3) RETF, (4) LCALL, (5) LJMP, or (6) LRET far branch instruction.
14 | CVE-2014-8583 | 254 | | +Priv | 2014-12-16 | 2017-07-01 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete
mod_wsgi before 4.2.4 for Apache, when creating a daemon process group, does not properly handle when group privileges cannot be dropped, which might allow attackers to gain privileges via unspecified vectors.
15 | CVE-2014-8496 | 255 | | +Priv | 2014-12-10 | 2014-12-10 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Digicom DG-5514T ADSL router with firmware 3.2 generates predictable session IDs, which allows remote attackers to gain administrator privileges via a brute force session hijacking attack.
16 | CVE-2014-8494 | 264 | | +Priv | 2014-11-03 | 2017-09-08 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial
ESTsoft ALUpdate 8.5.1.0.0 uses weak permissions (Users: Full Control) for the (1) AlUpdate folder and (2) AlUpdate.exe, which allows local users to gain privileges via a Trojan horse file.
17 | CVE-2014-8419 | 264 | | +Priv | 2014-11-26 | 2018-10-09 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
Wibu-Systems CodeMeter Runtime before 5.20 uses weak permissions (read and write access for all users) for codemeter.exe, which allows local users to gain privileges via a Trojan horse file.
18 | CVE-2014-8418 | 264 | | +Priv | 2014-11-24 | 2019-07-16 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
The DB dialplan function in Asterisk Open Source 1.8.x before 1.8.32, 11.x before 11.1.4.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8 before 1.8.28-cert8 and 11.6 before 11.6-cert8 allows remote authenticated users to gain privileges via a call from an external protocol, as demonstrated by the AMI protocol.
19 | CVE-2014-8417 | 264 | | Exec Code +Priv | 2014-11-24 | 2019-07-16 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
ConfBridge in Asterisk 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 11.6 before 11.6-cert8 allows remote authenticated users to (1) gain privileges via vectors related to an external protocol to the CONFBRIDGE dialplan function or (2) execute arbitrary system commands via a crafted ConfbridgeStartRecord AMI action.
20 | CVE-2014-8373 | 264 | | +Priv | 2014-12-11 | 2018-10-09 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
The VMware Remote Console (VMRC) function in VMware vCloud Automation Center (vCAC) 6.0.1 through 6.1.1 allows remote authenticated users to gain privileges via vectors involving the "Connect (by) Using VMRC" function.
21 | CVE-2014-8368 | 264 | | Exec Code +Priv | 2014-11-25 | 2018-12-20 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
The web interface in Aruba Networks AirWave before 7.7.14 and 8.x before 8.0.5 allows remote authenticated users to gain privileges and execute arbitrary commands via unspecified vectors.
22 | CVE-2014-8270 | 264 | | Exec Code +Priv | 2014-12-12 | 2014-12-12 | 5.0 | None | Remote | Low | Not required | None | Partial | None
BMC Track-It! 11.3 allows remote attackers to gain privileges and execute arbitrary code by creating an account whose name matches that of a local system account, then performing a password reset.
23 | CVE-2014-8120 | | | +Priv | 2014-12-18 | 2023-02-13 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial
The agent in Thermostat before 1.0.6, when using unspecified configurations, allows local users to obtain the JMX management URLs of all local Java virtual machines and gain privileges via unknown vectors.
24 | CVE-2014-7989 | 20 | | +Priv | 2014-11-07 | 2017-09-08 | 6.8 | None | Local | Low | ??? | Complete | Complete | Complete
Cisco Unified Computing System on B-Series blade servers allows local users to gain shell privileges via a crafted (1) ping6 or (2) traceroute6 command, aka Bug ID CSCuq38176.
25 | CVE-2014-7826 | 476 | | DoS +Priv | 2014-11-10 | 2023-02-13 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
kernel/trace/trace_syscalls.c in the Linux kernel through 3.17.2 does not properly handle private syscall numbers during use of the ftrace subsystem, which allows local users to gain privileges or cause a denial of service (invalid pointer dereference) via a crafted application.
26 | CVE-2014-7286 | 119 | | Overflow +Priv | 2014-12-22 | 2016-09-06 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.
27 | CVE-2014-7259 | 200 | | +Priv +Info | 2014-12-05 | 2014-12-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None
SQUARE ENIX Co., Ltd. Kaku-San-Sei Million Arthur before 2.25 for Android stores "product credentials" on the SD card, which allows attackers to gain privileges via a crafted application.
28 | CVE-2014-7155 | 264 | | DoS +Priv | 2014-10-02 | 2018-10-30 | 5.8 | None | Local Network | Low | Not required | Partial | Partial | Partial
The x86_emulate function in arch/x86/x86_emulate/x86_emulate.c in Xen 4.4.x and earlier does not properly check supervisor mode permissions, which allows local HVM users to cause a denial of service (guest crash) or gain guest kernel mode privileges via vectors involving an (1) HLT, (2) LGDT, (3) LIDT, or (4) LMSW instruction.
29 | CVE-2014-6625 | 284 | | +Priv | 2014-11-19 | 2014-11-19 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
The Policy Manager in Aruba Networks ClearPass before 6.3.6 and 6.4.x before 6.4.1 allows remote authenticated users to gain privileges via unspecified vectors.
30 | CVE-2014-6607 | 255 | 1 | +Priv | 2014-10-06 | 2014-10-07 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
M/Monit 3.3.2 and earlier does not verify the original password before changing passwords, which allows remote attackers to change the password of other users and gain privileges via the fullname and password parameters, a different vulnerability than CVE-2014-6409.
31 | CVE-2014-6350 | 264 | | +Priv | 2014-11-11 | 2018-10-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Microsoft Internet Explorer 10 and 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability," a different vulnerability than CVE-2014-6349.
32 | CVE-2014-6349 | 264 | | +Priv | 2014-11-11 | 2018-10-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Microsoft Internet Explorer 10 and 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability," a different vulnerability than CVE-2014-6350.
33 | CVE-2014-6322 | 20 | | +Priv | 2014-11-11 | 2019-05-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
The Windows Audio service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to gain privileges via a crafted web site, as demonstrated by execution of web script in Internet Explorer, aka "Windows Audio Service Vulnerability."
34 | CVE-2014-5507 | 264 | 1 | +Priv | 2014-11-03 | 2017-09-08 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
iBackup 10.0.0.32 and earlier uses weak permissions (Everyone: Full Control) for ib_service.exe, which allows local users to gain privileges via a Trojan horse file.
35 | CVE-2014-5455 | 428 | 1 | +Priv | 2014-08-25 | 2020-06-01 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete
Unquoted Windows search path vulnerability in the ptservice service prior to PrivateTunnel version 3.0 (Windows) and OpenVPN Connect version 3.1 (Windows) allows local users to gain privileges via a crafted program.exe file in the %SYSTEMDRIVE% folder.
36 | CVE-2014-5453 | 264 | 1 | +Priv | 2014-08-25 | 2014-08-26 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
Ubisoft Uplay PC before 4.6.1.3217 uses weak permissions (Everyone: Full Control) for the program installation directory (%PROGRAMFILES%\Ubisoft Game Launcher), which allows local users to gain privileges via a Trojan horse file.
37 | CVE-2014-5430 | | | +Priv | 2014-11-07 | 2014-11-07 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete
Untrusted search path vulnerability in ABB RobotStudio 5.6x before 5.61.02 and Test Signal Viewer 1.5 allows local users to gain privileges via a Trojan horse DLL that is accessed as a result of incorrect DLL configuration by an optional installation program.
38 | CVE-2014-5421 | 255 | | +Priv | 2014-10-19 | 2014-10-22 | 6.8 | None | Local | Low | Not required | Complete | Complete | Partial
CareFusion Pyxis SupplyStation 8.1 with hardware test tool 1.0.16 and earlier has a hardcoded database password, which makes it easier for local users to gain privileges by leveraging cabinet access.
39 | CVE-2014-5307 | 119 | | Overflow +Priv | 2014-08-26 | 2018-10-09 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
Heap-based buffer overflow in the PavTPK.sys kernel mode driver of Panda Security 2014 products before hft131306s24_r1 allows local users to gain privileges via a crafted argument to a 0x222008 IOCTL call.
40 | CVE-2014-5285 | | | +Priv +Info | 2014-09-04 | 2014-09-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Unspecified vulnerability in the Authentication Module in TIBCO Spotfire Server before 4.5.2, 5.0.x before 5.0.3, 5.5.x before 5.5.2, 6.0.x before 6.0.3, and 6.5.x before 6.5.1 allows remote attackers to gain privileges, and obtain sensitive information or modify data, via unknown vectors.
41 | CVE-2014-5284 | 264 | 1 | +Priv | 2014-12-02 | 2014-12-02 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
host-deny.sh in OSSEC before 2.8.1 writes to temporary files with predictable filenames without verifying ownership, which allows local users to modify access restrictions in hosts.deny and gain root privileges by creating the temporary files before automatic IP blocking is performed.
42 | CVE-2014-5263 | 119 | | DoS Overflow +Priv Mem. Corr. | 2014-08-26 | 2014-11-19 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
vmstate_xhci_event in hw/usb/hcd-xhci.c in QEMU 1.6.0 does not terminate the list with the VMSTATE_END_OF_LIST macro, which allows attackers to cause a denial of service (out-of-bounds access, infinite loop, and memory corruption) and possibly gain privileges via unspecified vectors.
43 | CVE-2014-5207 | 269 | 1 | DoS +Priv | 2014-08-18 | 2020-08-14 | 6.2 | None | Local | High | Not required | Complete | Complete | Complete
fs/namespace.c in the Linux kernel through 3.16.1 does not properly restrict clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing MNT_ATIME_MASK during a remount of a bind mount, which allows local users to gain privileges, interfere with backups and auditing on systems that had atime enabled, or cause a denial of service (excessive filesystem updating) on systems that had atime disabled via a "mount -o remount" command within a user namespace.
44 | CVE-2014-5148 | 119 | | DoS Overflow +Priv | 2014-10-26 | 2017-08-29 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial
Xen 4.4.x, when running on an ARM system and "handling an unknown system register access from 64-bit userspace," returns to an instruction of the trap handler for kernel space faults instead of an instruction that is associated with faults in 64-bit userspace, which allows local guest users to cause a denial of service (crash) and possibly gain privileges via a crafted process.
45 | CVE-2014-4973 | 20 | | +Priv | 2014-09-23 | 2014-09-24 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete
The ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Firewall Module Build 1183 (20140214) and earlier in ESET Smart Security and ESET Endpoint Security products 5.0 through 7.0 allows local users to gain privileges via a crafted argument to a 0x830020CC IOCTL call.
46 | CVE-2014-4971 | 20 | 3 | +Priv | 2014-07-26 | 2018-10-12 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem.
47 | CVE-2014-4943 | 269 | 1 | +Priv | 2014-07-19 | 2020-08-14 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete
The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket.
48 | CVE-2014-4870 | 20 | | +Priv | 2014-10-07 | 2014-10-07 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
/opt/vyatta/bin/sudo-users/vyatta-clear-dhcp-lease.pl on the Brocade Vyatta 5400 vRouter 6.4R(x), 6.6R(x), and 6.7R1 does not properly validate parameters, which allows local users to gain privileges by leveraging the sudo configuration.
49 | CVE-2014-4867 | 264 | | +Priv | 2014-10-10 | 2014-10-15 | 6.8 | None | Local | Low | ??? | Complete | Complete | Complete
Cryoserver Security Appliance 7.3.x uses weak permissions for /etc/init.d/cryoserver, which allows local users to gain privileges by leveraging access to the support account and running the /bin/cryo-mgmt program.
50 | CVE-2014-4833 | 20 | | +Priv | 2014-10-19 | 2017-08-29 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
IBM Security QRadar SIEM QRM 7.1 MR1 and QRM/QVM 7.2 MR2 allows remote authenticated users to gain privileges via invalid input.