CVE Daily
← All years

All CVEs — 2014

Page 8/34.

Browse all CVEs by publication year. Use filters to refine.

CVSS ≥ 0.0
2014-10-22
Medium

CVE-2014-8381

Multiple cross-site scripting (XSS) vulnerabilities in Megapolis.Portal Manager allow remote attackers to inject arbitrary web script or HTML via the (1) dateFrom or (2) dateTo parameter.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-8088

The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with…

CVSS: 5.0 CWE: CWE-287
Read more
Medium

CVE-2014-7183

Multiple cross-site scripting (XSS) vulnerabilities in the search.php in LiteCart 1.1.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) query parameter or (2)…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-7182

Multiple cross-site scripting (XSS) vulnerabilities in the WP Google Maps plugin before 6.0.27 for WordPress allow remote attackers to inject arbitrary web script or HTML via the poly_id parameter in…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-6387

gpc_api.php in MantisBT 1.2.17 and earlier allows remote attackers to bypass authenticated via a password starting will a null byte, which triggers an unauthenticated bind.

CVSS: 5.0 CWE: CWE-287
Read more
High

CVE-2014-3676

Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVSS: 7.5 CWE: CWE-787
Read more
Medium

CVE-2014-3675

Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVSS: 5.0 CWE: CWE-125
Read more
Medium

CVE-2013-7407

Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVSS: 6.8 CWE: CWE-352
Read more
2014-10-21
Low

CVE-2014-3111

Multiple cross-site scripting (XSS) vulnerabilities in FOG 0.27 through 0.32 allow remote authenticated users to inject arbitrary web script or HTML via the (1) Printer Model field to the Printer Man…

CVSS: 3.5 CWE: CWE-79
Read more
Medium

CVE-2014-2531

SQL injection vulnerability in xhr.php in InterWorx Web Control Panel (aka InterWorx Hosting Control Panel and InterWorx-CP) before 5.0.14 build 577 allows remote authenticated users to execute arbit…

CVSS: 6.5 CWE: CWE-89
Read more
Medium

CVE-2014-8380

Cross-site scripting (XSS) vulnerability in Splunk 6.1.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer Header in a "404 Not Found" response. NOTE: this vulnerab…

CVSS: 4.3 CWE: CWE-79
Read more
Low

CVE-2014-8379

Multiple cross-site scripting (XSS) vulnerabilities in the Marketo MA module before 7.x-1.5 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML…

CVSS: 3.5 CWE: CWE-79
Read more
Low

CVE-2014-8378

Cross-site scripting (XSS) vulnerability in the TableField module 7.x-2.x before 7.x-2.3 allows remote authenticated users with the "administer content types" or "administer taxonomy" permission to i…

CVSS: 3.5 CWE: CWE-79
Read more
Medium

CVE-2014-8377

Cross-site scripting (XSS) vulnerability in Webasyst Shop-Script 5.2.2.30933 allows remote attackers to inject arbitrary web script or HTML via the phone number field in a new contact to phpecom/inde…

CVSS: 4.3 CWE: CWE-79
Read more
Low

CVE-2014-8376

Cross-site scripting (XSS) vulnerability in the context administration sub-panel in the Site Banner module before 7.x-4.1 for Drupal allows remote authenticated users with the "Administer contexts" C…

CVSS: 3.5 CWE: CWE-79
Read more
Medium

CVE-2014-7280

Cross-site scripting (XSS) vulnerability in the Web UI before 2.3.4 Build #85 for Tenable Nessus 5.x allows remote web servers to inject arbitrary web script or HTML via the server header.

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2014-5006

Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter to mdm/…

CVSS: 7.5 CWE: CWE-22
Read more
High

CVE-2014-5005

Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an L…

CVSS: 7.5 CWE: CWE-22
Read more
Medium

CVE-2014-4577

Absolute path traversal vulnerability in reviews.php in the WP AmASIN - The Amazon Affiliate Shop plugin 0.9.6 and earlier for WordPress allows remote attackers to read arbitrary files via a full pat…

CVSS: 5.0 CWE: CWE-22
Read more
Medium

CVE-2014-4517

Cross-site scripting (XSS) vulnerability in getNetworkSites.php in the CBI Referral Manager plugin 1.2.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via t…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-4514

Cross-site scripting (XSS) vulnerability in includes/api_tenpay/inc.tenpay_notify.php in the Alipay plugin 3.6.0 and earlier for WordPress allows remote attackers to inject arbitrary web script or HT…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-8375

SQL injection vulnerability in GBgallery.php in the GB Gallery Slideshow plugin 1.5 for WordPress allows remote administrators to execute arbitrary SQL commands via the selected_group parameter in a…

CVSS: 6.5 CWE: CWE-89
Read more
High

CVE-2013-7406

SQL injection vulnerability in the MRBS module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2012-5702

Multiple cross-site scripting (XSS) vulnerabilities in dotProject before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via the (1) callback parameter in a color_selector action,…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2012-5242

Directory traversal vulnerability in functions/suggest.php in Banana Dance B.2.6 and earlier allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the name parame…

CVSS: 6.8 CWE: CWE-22
Read more
2014-10-20
High

CVE-2014-8366

SQL injection vulnerability in openSIS 4.5 through 5.3 allows remote attackers to execute arbitrary SQL commands via the Username and password to index.php.

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2014-8365

Multiple cross-site scripting (XSS) vulnerabilities in Xornic Contact Us allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) email parameter to contact.php or (3) PA…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-3863

Cross-site scripting (XSS) vulnerability in the JChatSocial component before 2.3 for Joomla! allows remote attackers to inject arbitrary web script or HTML via the filename parameter in a file upload…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-8364

Cross-site scripting (XSS) vulnerability in ss_handler.php in the WordPress Spreadsheet (wpSS) plugin 0.62 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ss_id p…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2014-8363

SQL injection vulnerability in ss_handler.php in the WordPress Spreadsheet (wpSS) plugin 0.62 for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter.

CVSS: 7.5 CWE: CWE-89
Read more
Low

CVE-2014-5169

Cross-site scripting (XSS) vulnerability in the Date module before 7.x-2.8 for Drupal allows remote authenticated users with the permission to create a date field to inject arbitrary web script or HT…

CVSS: 3.5 CWE: CWE-79
Read more
Low

CVE-2014-5026

Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete…

CVSS: 3.5 CWE: CWE-79
Read more
Low

CVE-2014-5025

Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter…

CVSS: 3.5 CWE: CWE-79
Read more
Medium

CVE-2014-3564

Multiple heap-based buffer overflows in the status_handler function in (1) engine-gpgsm.c and (2) engine-uiserver.c in GPGME before 1.5.1 allow remote attackers to cause a denial of service (crash) a…

CVSS: 6.8 CWE: CWE-119
Read more
Medium

CVE-2014-8331

Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3236 before E3276sTCPU-V200R002B470D13SP00C00 and E3276sWebUI-V100R007B100D03SP01C03 and E3276 before E3236sTCPU-V200R002B…

CVSS: 6.8 CWE: CWE-352
Read more
Low

CVE-2014-8330

Cross-site scripting (XSS) vulnerability in EspoCRM allows remote authenticated users to inject arbitrary web script or HTML via the Name field in a new account.

CVSS: 3.5 CWE: CWE-79
Read more
Low

CVE-2014-5276

Multiple cross-site scripting (XSS) vulnerabilities in Pro Chat Rooms Text Chat Rooms 8.2.0 allow remote authenticated users to inject arbitrary web script or HTML via (1) an uploaded profile picture…

CVSS: 3.5 CWE: CWE-79
Read more
Medium

CVE-2014-5275

Multiple SQL injection vulnerabilities in includes/functions.php in Pro Chat Rooms Text Chat Rooms 8.2.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) password, (2) e…

CVSS: 6.5 CWE: CWE-89
Read more
Medium

CVE-2014-3978

SQL injection vulnerability in TomatoCart 1.1.8.6.1 allows remote authenticated users to execute arbitrary SQL commands via the First Name and Last Name fields in a new address book contact.

CVSS: 6.5 CWE: CWE-89
Read more
Medium

CVE-2014-3830

Cross-site scripting (XSS) vulnerability in info.php in TomatoCart 1.1.8.6.1 allows remote attackers to inject arbitrary web script or HTML via the faqs_id parameter.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2012-5695

Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrator…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2012-5694

Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo…

CVSS: 6.8 CWE: CWE-89
Read more
Critical

CVE-2014-8329

Schrack Technik microControl with firmware before 1.7.0 (937) stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain access data for…

CVSS: 10.0 CWE: CWE-287
Read more
Low

CVE-2014-5449

Zarafa WebAccess 4.1 and WebApp uses world-readable permissions for the files in their tmp directory, which allows local users to obtain sensitive information by reading temporary session data.

CVSS: 2.1 CWE: CWE-200
Read more
Low

CVE-2014-5448

Zarafa 5.00 uses world-readable permissions for the files in the log directory, which allows local users to obtain sensitive information by reading the log files.

CVSS: 2.1 CWE: CWE-200
Read more
Low

CVE-2014-5447

Zarafa WebAccess 7.1.10 and WebApp 1.6 beta uses weak permissions (644) for config.php, which allows local users to obtain sensitive information by reading the PHP session files. NOTE: this vulnerab…

CVSS: 2.1 CWE: CWE-200
Read more
Medium

CVE-2014-5098

Cross-site scripting (XSS) vulnerability in the Search module before 1.2.2 in Jamroom allows remote attackers to inject arbitrary web script or HTML via the query string to search/results/.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-5094

Status2k allows remote attackers to obtain configuration information via a phpinfo action in a request to status/index.php, which calls the phpinfo function.

CVSS: 5.0 CWE: CWE-200
Read more
High

CVE-2014-2081

Multiple SQL injection vulnerabilities in the login in web_reports/cgi-bin/InfoStation.cgi in Innovative vtls-Virtua before 2013.2.4 and 2014.x before 2014.1.1 allow remote attackers to execute arbit…

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2012-5866

Cross-site scripting (XSS) vulnerability in include.php in Achievo 1.4.5 allows remote attackers to inject arbitrary web script or HTML via the field parameter.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2012-5865

SQL injection vulnerability in dispatch.php in Achievo 1.4.5 allows remote authenticated users to execute arbitrary SQL commands via the activityid parameter in a stats action.

CVSS: 6.5 CWE: CWE-89
Read more
Medium

CVE-2012-5701

Multiple SQL injection vulnerabilities in dotProject before 2.1.7 allow remote authenticated administrators to execute arbitrary SQL commands via the (1) search_string or (2) where parameter in a con…

CVSS: 6.8 CWE: CWE-89
Read more
Medium

CVE-2014-6308

Directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter in a render action to oc-admin/index.php.

CVSS: 5.0 CWE: CWE-22
Read more
Medium

CVE-2014-6280

Multiple cross-site scripting (XSS) vulnerabilities in OSClass before 3.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) action or (2) nsextt parameter to oc-admin/index.…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2012-5244

Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter t…

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2012-2413

Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/…

CVSS: 4.3 CWE: CWE-79
Read more
2014-10-19
Medium

CVE-2014-7874

Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 3.2.3 on HP-UX B.11.23, and before 3.2.8 on HP-UX B.11.31, allows remote attackers to hijack the authenti…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-6116

The Telemetry Component in WebSphere MQ 8.0.0.1 before p000-001-L140910 allows remote attackers to bypass authentication by setting the JAASConfig property in an MQTT client configuration.

CVSS: 4.3 CWE: CWE-287
Read more
Low

CVE-2014-6100

Cross-site scripting (XSS) vulnerability in the Admin UI in IBM Tivoli Directory Server 6.1 before 6.1.0.64-ISS-ITDS-IF0064, 6.2 before 6.2.0.39-ISS-ITDS-FP0039, and 6.3 before 6.3.0.33-ISS-ITDS-IF00…

CVSS: 3.5 CWE: CWE-79
Read more
Medium

CVE-2014-5331

Cross-site scripting (XSS) vulnerability in Aflax allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-5330

Cross-site scripting (XSS) vulnerability in BirdBlog allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2014-4840

IBM TRIRIGA Application Platform 3.2 and 3.3 before 3.3.0.2, 3.3.1 before 3.3.1.3, 3.3.2 before 3.3.2.2, and 3.4 before 3.4.0.1 allows remote attackers to execute arbitrary code via a crafted URL.

CVSS: 7.5 CWE: CWE-20
Read more
Low

CVE-2014-4838

Cross-site scripting (XSS) vulnerability in GanttProjectSchedulerPopup.jsp in IBM TRIRIGA Application Platform 3.2 and 3.3 before 3.3.0.2, 3.3.1 before 3.3.1.3, 3.3.2 before 3.3.2.2, and 3.4 before 3…

CVSS: 3.5 CWE: CWE-79
Read more
Low

CVE-2014-4837

Cross-site scripting (XSS) vulnerability in NewDocument.jsp in IBM TRIRIGA Application Platform 3.2 and 3.3 before 3.3.0.2, 3.3.1 before 3.3.1.3, 3.3.2 before 3.3.2.2, and 3.4 before 3.4.0.1 allows r…

CVSS: 3.5 CWE: CWE-79
Read more
Low

CVE-2014-4836

Cross-site scripting (XSS) vulnerability in breakOutWithName.jsp in IBM TRIRIGA Application Platform 3.2 and 3.3 before 3.3.0.2, 3.3.1 before 3.3.1.3, 3.3.2 before 3.3.2.2, and 3.4 before 3.4.0.1 all…

CVSS: 3.5 CWE: CWE-79
Read more
Medium

CVE-2014-4833

IBM Security QRadar SIEM QRM 7.1 MR1 and QRM/QVM 7.2 MR2 allows remote authenticated users to gain privileges via invalid input.

CVSS: 6.5 CWE: CWE-20
Read more
Medium

CVE-2014-4828

IBM Security QRadar SIEM QRM 7.1 MR1 and QRM/QVM 7.2 MR2 allows remote attackers to conduct clickjacking attacks via a crafted HTTP request.

CVSS: 4.3 CWE: CWE-20
Read more
Medium

CVE-2014-4827

Cross-site scripting (XSS) vulnerability in IBM Security QRadar SIEM QRM 7.1 MR1 and QRM/QVM 7.2 MR2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2014-3567

Memory leak in the tls_decrypt_ticket function in t1_lib.c in OpenSSL before 0.9.8zc, 1.0.0 before 1.0.0o, and 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consump…

CVSS: 7.1 CWE: CWE-20
Read more
High

CVE-2014-3513

Memory leak in d1_srtp.c in the DTLS SRTP extension in OpenSSL 1.0.1 before 1.0.1j allows remote attackers to cause a denial of service (memory consumption) via a crafted handshake message.

CVSS: 7.1 CWE: CWE-20
Read more
Medium

CVE-2014-3408

Cross-site scripting (XSS) vulnerability in the web framework in Cisco Prime Optical 10 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCuq80…

CVSS: 6.8 CWE: CWE-79
Read more
High

CVE-2014-3406

Race condition in the IP logging feature in Cisco Intrusion Prevention System (IPS) Software 7.1(7)E4 and earlier allows remote attackers to cause a denial of service (device reload) via crafted IP t…

CVSS: 7.1 CWE: CWE-362
Read more
Medium

CVE-2014-3021

IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.35, 8.0 before 8.0.0.10, and 8.5 before 8.5.5.4 does not properly handle HTTP headers, which allows remote attackers to obtain sensitive cookie…

CVSS: 5.0 CWE: CWE-20
Read more
Medium

CVE-2014-2647

Cross-site scripting (XSS) vulnerability in HP Operations Agent in HP Operations Manager (formerly OpenView Communications Broker) before 11.14 allows remote attackers to inject arbitrary web script…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-2358

Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative web interface in the proxy server on Fox-IT Fox DataDiode appliances before 1.7.2 allow remote attackers to hijack the…

CVSS: 6.8 CWE: CWE-352
Read more
2014-10-18
Medium

CVE-2014-4444

SecurityAgent in Apple OS X before 10.10 does not ensure that a Kerberos ticket is in the cache for the correct user, which allows local users to gain privileges in opportunistic circumstances by lev…

CVSS: 4.4 CWE: CWE-287
Read more
High

CVE-2014-4443

Apple OS X before 10.10 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted ASN.1 data.

CVSS: 7.8 CWE: CWE-20
Read more
Medium

CVE-2014-4442

The kernel in Apple OS X before 10.10 allows local users to cause a denial of service (panic) via a message to a system control socket.

CVSS: 4.7 CWE: CWE-20
Read more
Medium

CVE-2014-4439

Mail in Apple OS X before 10.10 does not properly recognize the removal of a recipient address from a message, which makes it easier for remote attackers to obtain sensitive information in opportunis…

CVSS: 4.3 CWE: CWE-200
Read more
Medium

CVE-2014-4438

Race condition in LoginWindow in Apple OS X before 10.10 allows physically proximate attackers to obtain access by leveraging an unattended workstation on which screen locking had been attempted.

CVSS: 6.9 CWE: CWE-362
Read more
Medium

CVE-2014-4436

IOHIDFamily in Apple OS X before 10.10 allows attackers to cause denial of service (out-of-bounds read operation) via a crafted application.

CVSS: 4.3 CWE: CWE-119
Read more
Medium

CVE-2014-4435

The "iCloud Find My Mac" feature in Apple OS X before 10.10 does not properly enforce rate limiting of lost-mode PIN entry, which makes it easier for physically proximate attackers to obtain access v…

CVSS: 4.4 CWE: CWE-287
Read more
Medium

CVE-2014-4434

The kernel in Apple OS X before 10.10 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted filename on an HFS filesystem.

CVSS: 4.9 CWE: CWE-20
Read more
High

CVE-2014-4433

Heap-based buffer overflow in the kernel in Apple OS X before 10.10 allows physically proximate attackers to execute arbitrary code via crafted resource forks in an HFS filesystem.

CVSS: 7.2 CWE: CWE-119
Read more
Medium

CVE-2014-4426

AFP File Server in Apple OS X before 10.10 allows remote attackers to discover the network addresses of all interfaces via an unspecified command to one interface.

CVSS: 4.3 CWE: CWE-200
Read more
Medium

CVE-2014-4425

CFPreferences in Apple OS X before 10.10 does not properly enforce the "require password after sleep or screen saver begins" setting, which makes it easier for physically proximate attackers to obtai…

CVSS: 4.6 CWE: CWE-287
Read more
Medium

CVE-2014-4417

Safari in Apple OS X before 10.10 allows remote attackers to cause a denial of service (universal Push Notification outage) via a web site that triggers an uncaught SafariNotificationAgent exception…

CVSS: 5.0 CWE: CWE-20
Read more
Medium

CVE-2014-4351

Buffer overflow in QuickTime in Apple OS X before 10.10 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted audio samples in an m4a file.

CVSS: 6.8 CWE: CWE-119
Read more
Medium

CVE-2014-3573

The oVirt Engine backend module, as used in Red Hat Enterprise Virtualization Manager before 3.4.2, uses an "insecure DocumentBuilderFactory," which allows remote attackers to read arbitrary files or…

CVSS: 6.5 CWE: CWE-20
Read more
2014-10-17
Medium

CVE-2014-2279

Multiple directory traversal vulnerabilities in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allow (1) remote authenticated users with access to the LogManagement functionality to read arbitrary…

CVSS: 6.4 CWE: CWE-22
Read more
Medium

CVE-2014-2278

Unrestricted file upload vulnerability in op/op.AddFile2.php in SeedDMS (formerly LetoDMS and MyDMS) before 4.3.4 allows remote attackers to execute arbitrary code by uploading a file with an executa…

CVSS: 5.1 CWE: CWE-20
Read more
Low

CVE-2014-2995

Multiple cross-site scripting (XSS) vulnerabilities in twitget.php in the Twitget plugin before 3.3.3 for WordPress allow remote authenticated administrators to inject arbitrary web script or HTML vi…

CVSS: 3.5 CWE: CWE-79
Read more
Medium

CVE-2014-2559

Multiple cross-site request forgery (CSRF) vulnerabilities in twitget.php in the Twitget plugin before 3.3.3 for WordPress allow remote attackers to hijack the authentication of administrators for re…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-8755

Panasonic Network Camera View 3 and 4 allows remote attackers to execute arbitrary code via a crafted page, which triggers an invalid pointer dereference, related to "the ability to nullify an arbitr…

CVSS: 6.8 CWE: CWE-20
Read more
Medium

CVE-2014-8074

Buffer overflow in the SetLogFile method in Foxit.FoxitPDFSDKProCtrl.5 in Foxit PDF SDK ActiveX 2.3 through 5.0.1820 before 5.0.2.924 allows remote attackers to execute arbitrary code via a long stri…

CVSS: 6.8 CWE: CWE-119
Read more
Medium

CVE-2014-2066

Session fixation vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to hijack web sessions via vectors involving the "override" of Jenkins cookies.

CVSS: 6.8 CWE: CWE-287
Read more
Medium

CVE-2014-2065

Cross-site scripting (XSS) vulnerability in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to inject arbitrary web script or HTML via the iconSize cookie.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-2064

The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vector…

CVSS: 5.0 CWE: CWE-200
Read more
Medium

CVE-2014-2062

Jenkins before 1.551 and LTS before 1.532.2 does not invalidate the API token when a user is deleted, which allows remote authenticated users to retain access via the token.

CVSS: 6.5 CWE: CWE-287
Read more
Low

CVE-2014-8320

Cross-site scripting (XSS) vulnerability in the Custom Search module 6.x-1.x before 6.x-1.12 and 7.x-1.x before 7.x-1.14 for Drupal allows remote authenticated users with certain permissions to injec…

CVSS: 3.5 CWE: CWE-79
Read more
Low

CVE-2014-8319

Cross-site scripting (XSS) vulnerability in the easy_social_admin_summary function in the Easy Social module 7.x-2.x before 7.x-2.11 for Drupal allows remote authenticated users with certain permissi…

CVSS: 3.5 CWE: CWE-79
Read more
Low

CVE-2014-8318

Cross-site scripting (XSS) vulnerability in the Webform module 6.x-3.x before 6.x-3.20, 7.x-3.x before 7.x-3.20, and 7.x-4.x before 7.x-4.0-beta2 for Drupal allows remote authenticated users with cer…

CVSS: 3.5 CWE: CWE-79
Read more
Low

CVE-2014-8317

Cross-site scripting (XSS) vulnerability in the Webform Validation module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users with certain permissions to in…

CVSS: 3.5 CWE: CWE-79
Read more
2014-10-16
Medium

CVE-2014-8315

polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 replies with different timing depending on if a connection can be made, which allows remote attackers to conduct port scanning attack…

CVSS: 5.0 CWE: CWE-200
Read more
Medium

CVE-2014-8314

Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA Developer Edition Revision 70 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) epm/admin/Da…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-8313

Eval injection in ide/core/base/server/net.xsjs in the Developer Workbench in SAP HANA allows remote attackers to execute arbitrary XSJX code via unspecified vectors.

CVSS: 6.0 CWE: CWE-94
Read more
High

CVE-2014-8310

The CMS CORBA listener in SAP BusinessObjects BI Edge 4.0 allows remote attackers to cause a denial of service (server shutdown) via crafted OSCAFactory::Session ORB message.

CVSS: 7.1 CWE: CWE-20
Read more
Medium

CVE-2014-8309

SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which all…

CVSS: 5.0 CWE: CWE-200
Read more
Medium

CVE-2014-8308

Cross-site scripting (XSS) vulnerability in the Send to Inbox functionality in SAP BusinessObjects BI EDGE 4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-8307

Multiple cross-site scripting (XSS) vulnerabilities in skins/default/outline.tpl in C97net Cart Engine before 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) path parame…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2014-8306

SQL injection vulnerability in the sql_query function in cart.php in C97net Cart Engine before 4.0 allows remote attackers to execute arbitrary SQL commands via the item_id variable, as demonstrated…

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2014-8304

Cross-site scripting (XSS) vulnerability in In-Portal CMS 5.2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the next_template parameter to admin/index.php.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-8303

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.1.x before 6.1.4 and 6.0.x before 6.0.6 allows remote attackers to inject arbitrary web script or HTML via vectors relate…

CVSS: 4.3 CWE: CWE-79
Read more
Low

CVE-2014-8302

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.1.x before 6.1.4, 6.0.x before 6.0.6, and 5.0.x before 5.0.10 allows remote attackers to inject arbitrary web script or H…

CVSS: 3.5 CWE: CWE-79
Read more
Medium

CVE-2014-8301

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 5.0.x before 5.0.10 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header.

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2014-8240

Integer overflow in TigerVNC allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to screen size handling, which triggers a heap-base…

CVSS: 7.5 CWE: CWE-119
Read more
Medium

CVE-2014-7181

Cross-site scripting (XSS) vulnerability in the Max Foundry MaxButtons plugin before 1.26.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter in a butt…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-7138

Cross-site scripting (XSS) vulnerability in the Google Calendar Events plugin before 2.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the gce_feed_ids parameter…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-3680

Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM.

CVSS: 4.0 CWE: CWE-200
Read more
Medium

CVE-2014-3667

Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information…

CVSS: 4.0 CWE: CWE-200
Read more