CVE Daily
← All years

All CVEs — 2014

Page 1/34.

Browse all CVEs by publication year. Use filters to refine.

CVSS ≥ 0.0
2014-12-31
Low

CVE-2014-9433

Multiple cross-site scripting (XSS) vulnerabilities in cms/front_content.php in Contenido before 4.9.6, when advanced mod rewrite (AMR) is disabled, allow remote attackers to inject arbitrary web scr…

CVSS: 2.6 CWE: CWE-79
Read more
Medium

CVE-2014-9432

Multiple cross-site scripting (XSS) vulnerabilities in templates/2k11/admin/overview.inc.tpl in Serendipity before 2.0-rc2 allow remote attackers to inject arbitrary web script or HTML via a blog com…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-9431

Multiple cross-site request forgery (CSRF) vulnerabilities in Smoothwall Express 3.1 and 3.0 SP3 allow remote attackers to hijack the authentication of administrators for requests that change the (1)…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-9430

Cross-site scripting (XSS) vulnerability in httpd/cgi-bin/vpn.cgi/vpnconfig.dat in Smoothwall Express 3.0 SP3 allows remote attackers to inject arbitrary web script or HTML via the COMMENT parameter…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-9429

Multiple cross-site scripting (XSS) vulnerabilities in Smoothwall Express 3.1 and 3.0 SP3 allow remote attackers to inject arbitrary web script or HTML via the (1) PROFILENAME parameter in a Save act…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-9119

Directory traversal vulnerability in download.php in the DB Backup plugin 4.5 and earlier for Wordpress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.

CVSS: 5.0 CWE: CWE-22
Read more
High

CVE-2014-8145

Multiple heap-based buffer overflows in Sound eXchange (SoX) 14.4.1 and earlier allow remote attackers to have unspecified impact via a crafted WAV file to the (1) start_read or (2) AdpcmReadBlock fu…

CVSS: 7.5 CWE: CWE-119
Read more
Medium

CVE-2014-8144

Cross-site request forgery (CSRF) vulnerability in doorkeeper before 1.4.1 allows remote attackers to hijack the authentication of unspecified victims for requests that read a user OAuth authorizatio…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2011-5284

Cross-site request forgery (CSRF) vulnerability in the web management interface in httpd/cgi-bin/shutdown.cgi in Smoothwall Express 3.1 and 3.0 SP3 and earlier allows remote attackers to hijack the a…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2011-5283

Cross-site scripting (XSS) vulnerability in the web management interface in httpd/cgi-bin/ipinfo.cgi in Smoothwall Express 3.1 and 3.0 SP3 and earlier allows remote attackers to inject arbitrary web…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-9401

Cross-site request forgery (CSRF) vulnerability in the WP Limit Posts Automatically plugin 0.7 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for req…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-9400

Multiple cross-site request forgery (CSRF) vulnerabilities in the Wp Unique Article Header Image plugin 1.0 and earlier for WordPress allow remote attackers to hijack the authentication of administra…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-9399

Cross-site request forgery (CSRF) vulnerability in the TweetScribe plugin 1.1 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduc…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-9398

Cross-site request forgery (CSRF) vulnerability in the Twitter LiveBlog plugin 1.1.2 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-9397

Cross-site request forgery (CSRF) vulnerability in the twimp-wp plugin for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site script…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-9396

Multiple cross-site request forgery (CSRF) vulnerabilities in the SimpleFlickr plugin 3.0.3 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for request…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-9395

Multiple cross-site request forgery (CSRF) vulnerabilities in the Simplelife plugin 1.2 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests th…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-9394

Multiple cross-site request forgery (CSRF) vulnerabilities in the PWGRandom plugin 1.11 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests th…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-9393

Multiple cross-site request forgery (CSRF) vulnerabilities in the Post to Twitter plugin 0.7 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for reques…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-9392

Cross-site request forgery (CSRF) vulnerability in the PictoBrowser (pictobrowser-gallery) plugin 0.3.1 and earlier for WordPress allows remote attackers to hijack the authentication of administrator…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-9391

Multiple cross-site request forgery (CSRF) vulnerabilities in the gSlideShow plugin 0.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests th…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-9367

Incomplete blacklist vulnerability in the urlEncode function in lib/TWiki.pm in TWiki 6.0.0 and 6.0.1 allows remote attackers to conduct cross-site scripting (XSS) attacks via a "'" (single quote) in…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-9325

Multiple cross-site scripting (XSS) vulnerabilities in TWiki 6.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERYSTRING variable in lib/TWiki.pm or (2) QUERYPARAMSTRI…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2014-9254

bb_func_unsub.php in MiniBB 3.1 before 20141127 uses an incorrect regular expression, which allows remote attackers to conduct SQl injection attacks via the code parameter in an unsubscribe action to…

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2014-8752

Multiple cross-site scripting (XSS) vulnerabilities in view.php in JCE-Tech PHP Video Script (aka Video Niche Script) 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) vid…

CVSS: 4.3 CWE: CWE-79
Read more
2014-12-30
High

CVE-2013-3295

Directory traversal vulnerability in install/popup.php in Exponent CMS before 2.2.0 RC1 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the page parameter.

CVSS: 7.5 CWE: CWE-22
Read more
Medium

CVE-2011-2727

The (1) templatewrap/templatefoot.php, (2) cmsjs/plugin.js.php, and (3) cmsincludes/cms_plugin_api_link.inc.php scripts in Tribal Tribiq CMS before 5.2.7c allow remote attackers to obtain sensitive i…

CVSS: 4.3 CWE: CWE-200
Read more
2014-12-29
Medium

CVE-2014-8109

mod_lua.c in the mod_lua module in the Apache HTTP Server 2.3.x and 2.4.x through 2.4.10 does not support an httpd configuration in which the same Lua authorization provider is used with different ar…

CVSS: 4.3 CWE: CWE-863
Read more
Medium

CVE-2014-3556

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-i…

CVSS: 6.8 CWE: CWE-77
Read more
Medium

CVE-2014-1908

The error-handling feature in (1) bp.php, (2) videowhisper_streaming.php, and (3) ls/rtmp.inc.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attac…

CVSS: 5.0 CWE: CWE-200
Read more
Critical

CVE-2014-1905

Unrestricted file upload vulnerability in ls/vw_snapshots.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to execute arbitrary PHP code b…

CVSS: 10.0 CWE: CWE-77
Read more
Medium

CVE-2014-6168

Cross-site request forgery (CSRF) vulnerability in IBM Security Identity Manager 5.1 before 5.1.0.15 IF0056 allows remote authenticated users to hijack the authentication of arbitrary users for reque…

CVSS: 6.0 CWE: CWE-352
Read more
Low

CVE-2014-6123

IBM Rational AppScan Source 8.0 through 8.0.0.2 and 8.5 through 8.5.0.1 and Security AppScan Source 8.6 through 8.6.0.2, 8.7 through 8.7.0.1, 8.8, 9.0 through 9.0.0.1, and 9.0.1 allow local users to…

CVSS: 2.1 CWE: CWE-200
Read more
2014-12-28
Medium

CVE-2014-6229

The HashContext class in hphp/runtime/ext/ext_hash.cpp in Facebook HipHop Virtual Machine (HHVM) before 3.3.0 incorrectly expects that a certain key string uses '\0' for termination, which allows rem…

CVSS: 5.0 CWE: CWE-200
Read more
High

CVE-2014-2208

CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbit…

CVSS: 7.5 CWE: CWE-94
Read more
Medium

CVE-2012-1415

Cross-site request forgery (CSRF) vulnerability in lib/logout.php in DFLabs PTK 1.0.5 and earlier allows remote attackers to hijack the authentication of administrators or investigators for requests…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2012-1303

Multiple cross-site scripting (XSS) vulnerabilities in amCharts Flash 1 allow remote attackers to inject arbitrary web script or HTML via the (1) data_file or (2) settings_file parameter to ampie.swf…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2012-1302

Multiple cross-site scripting (XSS) vulnerabilities in amMap 2.6.3 allow remote attackers to inject arbitrary web script or HTML via the (1) data_file or (2) settings_file parameter to ammap.swf, or…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2011-4722

Directory traversal vulnerability in the TFTP Server 1.0.0.24 in Ipswitch WhatsUp Gold allows remote attackers to read arbitrary files via a .. (dot dot) in the Filename field of an RRQ operation.

CVSS: 7.8 CWE: CWE-22
Read more
High

CVE-2013-4663

git_http_controller.rb in the redmine_git_hosting plugin for Redmine allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the service parameter to info/refs, related…

CVSS: 7.5 CWE: CWE-77
Read more
Medium

CVE-2012-1203

Cross-site request forgery (CSRF) vulnerability in starnet/index.php in SyndeoCMS 3.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that add user acc…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2011-4720

Hillstone HS TFTP Server 1.3.2 allows remote attackers to cause a denial of service (daemon crash) via a long filename in a (1) RRQ or (2) WRQ operation.

CVSS: 5.0 CWE: CWE-20
Read more
2014-12-27
Medium

CVE-2013-6241

The Birthday widget in the backend in Open-Xchange (OX) AppSuite 7.2.x before 7.2.2-rev25 and 7.4.x before 7.4.0-rev14, in certain user-id sharing scenarios, does not properly construct a SQL stateme…

CVSS: 4.0 CWE: CWE-200
Read more
Medium

CVE-2013-6043

The login function in Softaculous Webuzo before 2.1.4 provides different error messages for invalid authentication attempts depending on whether the user account exists, which allows remote attackers…

CVSS: 5.0 CWE: CWE-200
Read more
High

CVE-2013-6041

index.php in Softaculous Webuzo before 2.1.4 allows remote attackers to execute arbitrary commands via shell metacharacters in a SOFTCookies sid cookie within a login action.

CVSS: 7.5 CWE: CWE-78
Read more
High

CVE-2013-4793

The update function in umbraco.webservices/templates/templateService.cs in the TemplateService component in Umbraco CMS before 6.0.4 does not require authentication, which allows remote attackers to…

CVSS: 7.5 CWE: CWE-287
Read more
Critical

CVE-2014-9188

Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability t…

CVSS: 10.0 CWE: CWE-77
Read more
High

CVE-2014-8514

Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability t…

CVSS: 7.5 CWE: CWE-119
Read more
High

CVE-2014-8513

Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability t…

CVSS: 7.5 CWE: CWE-119
Read more
High

CVE-2014-8512

Buffer overflow in an ActiveX control in Atx45.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability tha…

CVSS: 7.5 CWE: CWE-119
Read more
Critical

CVE-2014-8511

Buffer overflow in an ActiveX control in Atx45.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability tha…

CVSS: 10.0 CWE: CWE-119
Read more
High

CVE-2014-0748

apinit on Cray devices with CLE before 4.2.UP02 and 5.x before 5.1.UP00 does not use alpsauth data to validate the UID in a launch message, which allows local users to gain privileges via a modified…

CVSS: 7.2 CWE: CWE-20
Read more
2014-12-26
Low

CVE-2013-4754

Multiple cross-site scripting (XSS) vulnerabilities in Owl Intranet Knowledgebase 1.10 allow remote authenticated users to inject arbitrary web script or HTML via (1) the Search field to browse.php o…

CVSS: 3.5 CWE: CWE-79
Read more
Low

CVE-2013-4753

Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.11.9 and earlier allow remote authenticated users to inject arbitrary web script or HTML via (1) the Search field in an inbox action…

CVSS: 3.5 CWE: CWE-79
Read more
High

CVE-2011-3623

Multiple stack-based buffer overflows in VideoLAN VLC media player before 1.0.2 allow remote attackers to execute arbitrary code via (1) a crafted ASF file, related to the ASF_ObjectDumpDebug functio…

CVSS: 7.5 CWE: CWE-119
Read more
High

CVE-2010-1445

Heap-based buffer overflow in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted byte str…

CVSS: 7.5 CWE: CWE-119
Read more
High

CVE-2010-1444

The ZIP archive decompressor in VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary…

CVSS: 7.5 CWE: CWE-119
Read more
High

CVE-2010-1442

VideoLAN VLC media player before 1.0.6 allows remote attackers to cause a denial of service (invalid memory access and application crash) or possibly execute arbitrary code via a crafted byte stream…

CVSS: 7.5 CWE: CWE-119
Read more
High

CVE-2010-1441

Multiple heap-based buffer overflows in VideoLAN VLC media player before 1.0.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted…

CVSS: 7.5 CWE: CWE-119
Read more
Low

CVE-2011-3592

Multiple cross-site scripting (XSS) vulnerabilities in the PMA_unInlineEditRow function in js/sql.js in phpMyAdmin 3.4.x before 3.4.5 allow remote authenticated users to inject arbitrary web script o…

CVSS: 3.5 CWE: CWE-79
Read more
Low

CVE-2011-3591

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.4.x before 3.4.5 allow remote authenticated users to inject arbitrary web script or HTML via a crafted row that triggers an imprope…

CVSS: 3.5 CWE: CWE-79
Read more
High

CVE-2011-1798

rendering/svg/RenderSVGText.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 does not properly perform a cast of an unspecified variable during an attempt to handle a block child, which a…

CVSS: 7.5 CWE: CWE-20
Read more
High

CVE-2011-1793

rendering/svg/RenderSVGResourceFilter.cpp in WebCore in WebKit in Google Chrome before 11.0.696.65 allows remote attackers to cause a denial of service (application crash) or possibly have unspecifie…

CVSS: 7.5 CWE: CWE-20
Read more
Low

CVE-2014-9419

The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps,…

CVSS: 2.1 CWE: CWE-200
Read more
2014-12-25
High

CVE-2014-2217

Absolute path traversal vulnerability in the RadAsyncUpload control in the RadControls in Telerik UI for ASP.NET AJAX before Q3 2012 SP2 allows remote attackers to write to arbitrary files, and conse…

CVSS: 7.5 CWE: CWE-22
Read more
Medium

CVE-2014-1449

The Maxthon Cloud Browser application before 4.1.6.2000 for Android allows remote attackers to spoof the address bar via crafted JavaScript code that uses the history API.

CVSS: 5.0 CWE: CWE-284
Read more
Medium

CVE-2014-7193

The Crumb plugin before 3.0.0 for Node.js does not properly restrict token access in situations where a hapi route handler has CORS enabled, which allows remote attackers to obtain sensitive informat…

CVSS: 5.8 CWE: CWE-284
Read more
Medium

CVE-2014-3971

The CmdAuthenticate::_authenticateX509 function in db/commands/authentication_commands.cpp in mongod in MongoDB 2.6.x before 2.6.2 allows remote attackers to cause a denial of service (daemon crash)…

CVSS: 5.0 CWE: CWE-20
Read more
2014-12-24
Low

CVE-2014-9418

The eSpace Meeting ActiveX control (eSpaceStatusCtrl.dll) in Huawei eSpace Desktop before V200R001C03 allows local users to cause a denial of service (memory overflow) via unspecified vectors.

CVSS: 2.1 CWE: CWE-119
Read more
Low

CVE-2014-9417

The Meeting component in Huawei eSpace Desktop before V100R001C03 allows local users to cause a denial of service (program exit) via a crafted image.

CVSS: 2.1 CWE: CWE-20
Read more
Low

CVE-2014-9415

Huawei eSpace Desktop before V100R001C03 allows local users to cause a denial of service (program exit) via a crafted QES file.

CVSS: 1.9 CWE: CWE-20
Read more
Medium

CVE-2014-9414

The W3 Total Cache plugin before 0.9.4.1 for WordPress does not properly handle empty nonces, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and hijack the authent…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-9413

Multiple cross-site request forgery (CSRF) vulnerabilities in the IP Ban (simple-ip-ban) plugin 1.2.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-9334

Multiple cross-site request forgery (CSRF) vulnerabilities in the Bird Feeder plugin 1.2.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduc…

CVSS: 6.8 CWE: CWE-352
Read more
Critical

CVE-2014-9223

Multiple buffer overflows in AllegroSoft RomPager, as used in Huawei Home Gateway products and other vendors and products, allow remote attackers to cause a denial of service or possibly execute arbi…

CVSS: 10.0 CWE: CWE-119
Read more
Medium

CVE-2014-8810

SQL injection vulnerability in ajax/mail_functions.php in the WP Symposium plugin before 14.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the tray parameter…

CVSS: 6.5 CWE: CWE-89
Read more
Medium

CVE-2014-8809

Multiple cross-site scripting (XSS) vulnerabilities in the WP Symposium plugin before 14.11 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) text parameter in a…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2014-8138

Heap-based buffer overflow in the jp2_decode function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG…

CVSS: 7.5 CWE: CWE-119
Read more
High

CVE-2004-2771

The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.

CVSS: 7.5 CWE: CWE-20
Read more
High

CVE-2014-4322

drivers/misc/qseecom.c in the QSEECOM driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not validate certain…

CVSS: 7.2 CWE: CWE-787
Read more
Low

CVE-2014-6188

Multiple cross-site scripting (XSS) vulnerabilities in IBM WebSphere Service Registry and Repository (WSRR) 6.3.x before 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x before 7.5.0.3, and 8.0.x before 8.0.0.2…

CVSS: 3.5 CWE: CWE-79
Read more
Medium

CVE-2014-6187

Multiple cross-site request forgery (CSRF) vulnerabilities in IBM WebSphere Service Registry and Repository (WSRR) 6.3.x before 6.3.0.5, 7.0.x before 7.0.0.5, 7.5.x before 7.5.0.3, and 8.0.x before 8…

CVSS: 6.0 CWE: CWE-352
Read more
Low

CVE-2014-6180

Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSphere Service Registry and Repository (WSRR) 7.0.x before 7.0.0.5 and 7.5.x before 7.5.0.1 allows remote authenticated users to injec…

CVSS: 3.5 CWE: CWE-79
Read more
Medium

CVE-2014-6179

Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSphere Service Registry and Repository (WSRR) 7.5.x before 7.5.0.4 and 8.0.x before 8.0.0.2 allows remote attackers to inject arbitrar…

CVSS: 4.3 CWE: CWE-79
Read more
Low

CVE-2014-6178

Cross-site scripting (XSS) vulnerability in the widgets in IBM WebSphere Service Registry and Repository (WSRR) 7.5.x before 7.5.0.4 and 8.0.x before 8.0.0.3 allows remote authenticated users to inje…

CVSS: 3.5 CWE: CWE-79
Read more
Medium

CVE-2014-6155

Multiple directory traversal vulnerabilities in the ServiceRegistry UI in IBM WebSphere Service Registry and Repository (WSRR) 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3, and 8.5.x before 8.5.0.1 al…

CVSS: 4.0 CWE: CWE-22
Read more
Low

CVE-2014-6132

Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSphere Service Registry and Repository (WSRR) 6.3 through 6.3.0.5, 7.0.x through 7.0.0.5, 7.5.x through 7.5.0.4, 8.0.x before 8.0.0.3,…

CVSS: 3.5 CWE: CWE-79
Read more
Medium

CVE-2014-7994

Cisco-Meraki MS, MR, and MX devices with firmware before 2014-09-24 allow remote attackers to execute arbitrary commands by leveraging knowledge of a cross-device secret and a per-device secret, and…

CVSS: 5.4 CWE: CWE-20
Read more
Low

CVE-2014-7993

Cisco-Meraki MS, MR, and MX devices with firmware before 2014-09-24 allow remote attackers to obtain sensitive credential information by leveraging unspecified HTTP handler access on the local networ…

CVSS: 3.3 CWE: CWE-200
Read more
2014-12-23
Medium

CVE-2014-9412

Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.1 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary parameter to roma/j…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2014-9115

SQL injection vulnerability in the rate_picture function in include/functions_rate.inc.php in Piwigo before 2.5.5, 2.6.x before 2.6.4, and 2.7.x before 2.7.2 allows remote attackers to execute arbitr…

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2014-5217

Cross-site request forgery (CSRF) vulnerability in nps/servlet/webacc in the Administration Console server in NetIQ Access Manager (NAM) 4.x before 4.1 allows remote attackers to hijack the authentic…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-5216

Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allow remote attackers to inject arbitrary web script or HTML via (1) the location parameter in…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-5215

NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allows remote authenticated administrators to discover service-account passwords via a request to (1) roma/jsp/volsc/monitoring/dev_services.jsp or (2)…

CVSS: 4.0 CWE: CWE-200
Read more
Medium

CVE-2014-8026

Cross-site scripting (XSS) vulnerability in the Guest Server in Cisco Jabber allows remote attackers to inject arbitrary web script or HTML via a (1) GET or (2) POST parameter, aka Bug ID CSCus08074.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-8025

The API in the Guest Server in Cisco Jabber, when HTML5 is used, allows remote attackers to obtain sensitive information by sniffing the network during an HTTP (1) GET or (2) POST response, aka Bug I…

CVSS: 4.3 CWE: CWE-200
Read more
Medium

CVE-2014-8024

The API in the Guest Server in Cisco Jabber, when the HTML5 CORS feature is used, allows remote attackers to obtain sensitive information by sniffing the network during an HTTP (1) GET or (2) POST re…

CVSS: 4.3 CWE: CWE-200
Read more
Medium

CVE-2014-6135

IBM Security AppScan Enterprise 8.5 before 8.5 IFix 002, 8.6 before 8.6 IFix 004, 8.7 before 8.7 IFix 004, 8.8 before 8.8 iFix 003, 9.0 before 9.0.0.1 iFix 003, and 9.0.1 before 9.0.1 iFix 001 allows…

CVSS: 4.3 CWE: CWE-20
Read more
Low

CVE-2014-6121

Cross-site scripting (XSS) vulnerability in IBM Security AppScan Enterprise 8.5 before 8.5 IFix 002, 8.6 before 8.6 IFix 004, 8.7 before 8.7 IFix 004, 8.8 before 8.8 iFix 003, 9.0 before 9.0.0.1 iFix…

CVSS: 3.5 CWE: CWE-79
Read more
Critical

CVE-2014-6119

IBM Security AppScan Enterprise 8.5 before 8.5 IFix 002, 8.6 before 8.6 IFix 004, 8.7 before 8.7 IFix 004, 8.8 before 8.8 iFix 003, 9.0 before 9.0.0.1 iFix 003, and 9.0.1 before 9.0.1 iFix 001 allows…

CVSS: 9.3 CWE: CWE-94
Read more
2014-12-22
Medium

CVE-2014-8992

Cross-site scripting (XSS) vulnerability in manager/assets/fileapi/FileAPI.flash.image.swf in MODX Revolution 2.3.2-pl allows remote attackers to inject arbitrary web script or HTML via the callback…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-8018

Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-8017

The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a re…

CVSS: 5.0 CWE: CWE-200
Read more
High

CVE-2014-5208

BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authe…

CVSS: 7.5 CWE: CWE-284
Read more
Low

CVE-2014-8899

Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Mana…

CVSS: 3.5 CWE: CWE-79
Read more
Low

CVE-2014-8898

Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Mana…

CVSS: 3.5 CWE: CWE-79
Read more
Low

CVE-2014-8897

Cross-site scripting (XSS) vulnerability in the Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Mana…

CVSS: 3.5 CWE: CWE-79
Read more
Medium

CVE-2014-8896

The Collaboration Server in IBM InfoSphere Master Data Management Server for Product Information Management 9.x through 9.1 and InfoSphere Master Data Management - Collaborative Edition 10.x through…

CVSS: 4.0 CWE: CWE-287
Read more
High

CVE-2014-7286

Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVSS: 7.2 CWE: CWE-119
Read more
2014-12-20
High

CVE-2014-9295

Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authe…

CVSS: 7.5 CWE: CWE-119
Read more
High

CVE-2014-9193

Innominate mGuard with firmware before 7.6.6 and 8.x before 8.1.4 allows remote authenticated admins to obtain root privileges by changing a PPP configuration setting.

CVSS: 8.5 CWE: CWE-269
Read more
Medium

CVE-2014-8019

Directory traversal vulnerability in Cisco Enterprise Content Delivery System (ECDS) allows remote attackers to read arbitrary files via a crafted URL, aka Bug ID CSCuo90148.

CVSS: 5.0 CWE: CWE-22
Read more
Medium

CVE-2014-8007

Cisco Prime Infrastructure allows remote authenticated users to read device-discovery passwords by examining the HTML source code of the Quick Discovery options page, aka Bug ID CSCum00019.

CVSS: 4.0 CWE: CWE-200
Read more
Medium

CVE-2014-3410

The syslog-management subsystem in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to obtain an administrator password by waiting for an administrator to copy a file, and the…

CVSS: 4.3 CWE: CWE-200
Read more
2014-12-19
Medium

CVE-2013-7401

The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by us…

CVSS: 5.0 CWE: CWE-119
Read more
Medium

CVE-2014-5213

nds/files/opt/novell/eDirectory/lib64/ndsimon/public/images in iMonitor in Novell eDirectory before 8.8 SP8 Patch 4 allows remote authenticated users to obtain sensitive information from process memo…

CVSS: 4.0 CWE: CWE-200
Read more
Medium

CVE-2014-5212

Cross-site scripting (XSS) vulnerability in nds/search/data in iMonitor in Novell eDirectory before 8.8 SP8 Patch 4 allows remote attackers to inject arbitrary web script or HTML via the rdn paramete…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-9408

Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 uses part of the MAC address as part of the RC4 setup key, which makes it…

CVSS: 5.0 CWE: CWE-200
Read more
Medium

CVE-2014-9407

Multiple cross-site request forgery (CSRF) vulnerabilities in Revive Adserver before 3.0.5 allow remote attackers to hijack the authentication of administrators for requests that (1) delete data via…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-9380

The dissector_cvs function in dissectors/ec_cvs.c in Ettercap 0.8.1 allows remote attackers to cause a denial of service (out-of-bounds read) via a packet containing only a CVS_LOGIN signature.

CVSS: 5.0 CWE: CWE-119
Read more