Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-9104 | 1 Openvpn | 1 Openvpn Access Server | 2018-10-09 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the XML-RPC API in the Desktop Client in OpenVPN Access Server 1.5.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) disconnecting established VPN sessions, (2) connect to arbitrary VPN servers, or (3) create VPN profiles and execute arbitrary commands via crafted API requests. | |||||
| CVE-2014-9118 | 1 Dasanzhone | 2 Znid 2426a, Znid 2426a Firmware | 2018-10-09 | 9.0 HIGH | 8.8 HIGH |
| The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd. | |||||
| CVE-2014-9129 | 1 Creative Minds | 1 Cm Download Manager | 2018-10-09 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the CreativeMinds CM Downloads Manager plugin before 2.0.7 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the addons_title parameter in the CMDM_admin_settings page to wp-admin/admin.php. | |||||
| CVE-2014-9140 | 1 Redhat | 1 Tcpdump | 2018-10-09 | 5.0 MEDIUM | N/A |
| Buffer overflow in the ppp_hdlc function in print-ppp.c in tcpdump 4.6.2 and earlier allows remote attackers to cause a denial of service (crash) cia a crafted PPP packet. | |||||
| CVE-2014-9142 | 1 Technicolor | 1 Td5130 Router Firmware | 2018-10-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to inject arbitrary web script or HTML via the failrefer parameter. | |||||
| CVE-2014-9143 | 1 Technicolor | 1 Td5130 Router Firmware | 2018-10-09 | 4.3 MEDIUM | N/A |
| Open redirect vulnerability in Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the failrefer parameter. | |||||
| CVE-2014-9144 | 1 Technicolor | 1 Td5130 Router Firmware | 2018-10-09 | 7.5 HIGH | N/A |
| Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to execute arbitrary commands via shell metacharacters in the ping field (setobject_ip parameter). | |||||
| CVE-2014-9178 | 1 Smartypantsplugins | 1 Sp Project \& Document Manager | 2018-10-09 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) vendor_email[] parameter in the email_vendor function or id parameter in the (2) download_project, (3) download_archive, or (4) remove_cat function. | |||||
| CVE-2014-7216 | 1 Yahoo | 1 Messenger | 2018-10-09 | 9.3 HIGH | N/A |
| Multiple stack-based buffer overflows in Yahoo! Messenger 11.5.0.228 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the (1) shortcut or (2) title keys in an emoticons.xml file. | |||||
| CVE-2014-7807 | 1 Apache | 1 Cloudstack | 2018-10-09 | 5.0 MEDIUM | N/A |
| Apache CloudStack 4.3.x before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to bypass authentication via a login request without a password, which triggers an unauthenticated bind. | |||||
| CVE-2014-7809 | 1 Apache | 1 Struts | 2018-10-09 | 6.8 MEDIUM | N/A |
| Apache Struts 2.0.0 through 2.3.x before 2.3.20 uses predictable <s:token/> values, which allows remote attackers to bypass the CSRF protection mechanism. | |||||
| CVE-2014-7857 | 1 D-link | 14 Dnr-326, Dnr-326 Firmware, Dns-320b and 11 more | 2018-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| D-Link DNS-320L firmware before 1.04b12, DNS-327L before 1.03b04 Build0119, DNR-326 1.40b03, DNS-320B 1.02b01, DNS-345 1.03b06, DNS-325 1.05b03, and DNS-322L 2.00b07 allow remote attackers to bypass authentication and log in with administrator permissions by passing the cgi_set_wto command in the cmd parameter, and setting the spawned session's cookie to username=admin. | |||||
| CVE-2014-7858 | 1 D-link | 2 Dnr-326, Dnr-326 Firmware | 2018-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| The check_login function in D-Link DNR-326 before 2.10 build 03 allows remote attackers to bypass authentication and log in by setting the username cookie parameter to an arbitrary string. | |||||
| CVE-2014-7860 | 1 D-link | 4 Dns-320l, Dns-320l Firmware, Dns-327l and 1 more | 2018-10-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| The web/web_file/fb_publish.php script in D-Link DNS-320L before 1.04b12 and DNS-327L before 1.03b04 Build0119 does not authenticate requests, which allows remote attackers to obtain arbitrary photos and publish them to an arbitrary Facebook profile via a target album_id and access_token. | |||||
| CVE-2014-7862 | 1 Zohocorp | 1 Desktop Central | 2018-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| The DCPluginServelet servlet in ManageEngine Desktop Central and Desktop Central MSP before build 90109 allows remote attackers to create administrator accounts via an addPlugInUser action. | |||||
| CVE-2014-7864 | 1 Zohocorp | 1 Manageengine Opmanager | 2018-10-09 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operation to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet. | |||||
| CVE-2014-7871 | 1 Open-xchange | 1 Open-xchange Appsuite | 2018-10-09 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call. | |||||
| CVE-2014-7952 | 1 Google | 1 Android | 2018-10-09 | 4.6 MEDIUM | 7.8 HIGH |
| The backup mechanism in the adb tool in Android might allow attackers to inject additional applications (APKs) and execute arbitrary code by leveraging failure to filter application data streams. | |||||
| CVE-2014-7953 | 1 Google | 1 Android | 2018-10-09 | 6.9 MEDIUM | 7.0 HIGH |
| Race condition in the bindBackupAgent method in the ActivityManagerService in Android 4.4.4 allows local users with adb shell access to execute arbitrary code or any valid package as system by running "pm install" with the target apk, and simultaneously running a crafted script to process logcat's output looking for a dexopt line, which once found should execute bindBackupAgent with the uid member of the ApplicationInfo parameter set to 1000. | |||||
| CVE-2014-7954 | 1 Google | 1 Android | 2018-10-09 | 2.1 LOW | 4.6 MEDIUM |
| Directory traversal vulnerability in the doSendObjectInfo method in frameworks/av/media/mtp/MtpServer.cpp in Android 4.4.4 allows physically proximate attackers with a direct connection to the target Android device to upload files outside of the sdcard via a .. (dot dot) in a name parameter of an MTP request. | |||||
| CVE-2014-7956 | 1 Podsfoundation | 1 Pods | 2018-10-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Pods plugin before 2.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter in an edit action in the pods page to wp-admin/admin.php. | |||||
| CVE-2014-7957 | 1 Pods Foundation | 1 Pods | 2018-10-09 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Pods plugin before 2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks via the toggled parameter in a toggle action in the pods-components page to wp-admin/admin.php, (2) delete a pod in a delete action in the pods page to wp-admin/admin.php, (3) reset pod settings and data via the pods_reset parameter in the pod-settings page to wp-admin/admin.php, (4) deactivate and reset pod data via the pods_reset_deactivate parameter in the pod-settings page to wp-admin/admin.php, (5) delete the admin role via the id parameter in a delete action in the pods-component-roles-and-capabilities page to wp-admin/admin.php, or (6) enable "roles and capabilities" in a toggle action in the pods-components page to wp-admin/admin.php. | |||||
| CVE-2014-7985 | 1 Espocrm | 1 Espocrm | 2018-10-09 | 10.0 HIGH | N/A |
| Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter to install/index.php. | |||||
| CVE-2014-7986 | 1 Espocrm | 1 Espocrm | 2018-10-09 | 5.0 MEDIUM | N/A |
| install/index.php in EspoCRM before 2.6.0 allows remote attackers to re-install the application via a 1 value in the installProcess parameter. | |||||
| CVE-2014-7987 | 1 Espocrm | 1 Espocrm | 2018-10-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in EspoCRM before 2.6.0 allows remote attackers to inject arbitrary web script or HTML via the desc parameter in an errors action to install/index.php. | |||||
| CVE-2014-8081 | 1 Testlink | 1 Testlink | 2018-10-09 | 7.5 HIGH | N/A |
| lib/execute/execSetResults.php in TestLink before 1.9.13 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the filter_result_result parameter. | |||||
| CVE-2014-8082 | 1 Testlink | 1 Testlink | 2018-10-09 | 5.0 MEDIUM | N/A |
| lib/functions/database.class.php in TestLink before 1.9.13 allows remote attackers to obtain sensitive information via unspecified vectors, which reveals the installation path in an error message. | |||||
| CVE-2014-8083 | 1 Osclass | 1 Osclass | 2018-10-09 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the Search::setJsonAlert method in OSClass before 3.4.3 allows remote attackers to execute arbitrary SQL commands via the alert parameter in a search alert subscription action. | |||||
| CVE-2014-8084 | 1 Osclass | 1 Osclass | 2018-10-09 | 7.5 HIGH | N/A |
| Directory traversal vulnerability in oc-includes/osclass/controller/ajax.php in OSClass before 3.4.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the ajaxfile parameter in a custom action. | |||||
| CVE-2014-8085 | 1 Osclass | 1 Osclass | 2018-10-09 | 6.8 MEDIUM | N/A |
| Unrestricted file upload vulnerability in the CWebContact::doModel method in oc-includes/osclass/controller/contact.php in OSClass before 3.4.3 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in an unspecified directory. | |||||
| CVE-2014-8308 | 1 Sap | 1 Businessobjects | 2018-10-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Send to Inbox functionality in SAP BusinessObjects BI EDGE 4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2014-8309 | 1 Sap | 2 Businessobjects, Businessobjects Xi | 2018-10-09 | 5.0 MEDIUM | N/A |
| SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service. | |||||
| CVE-2014-8310 | 1 Sap | 1 Businessobjects | 2018-10-09 | 7.1 HIGH | N/A |
| The CMS CORBA listener in SAP BusinessObjects BI Edge 4.0 allows remote attackers to cause a denial of service (server shutdown) via crafted OSCAFactory::Session ORB message. | |||||
| CVE-2014-8311 | 1 Sap | 1 Businessobjects | 2018-10-09 | 3.5 LOW | N/A |
| SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information via an InfoStore query to a CORBA listener. | |||||
| CVE-2014-8312 | 1 Sap | 1 Netweaver Abap | 2018-10-09 | 3.5 LOW | N/A |
| Business Warehouse (BW) in SAP Netweaver AS ABAP 7.31 allows remote authenticated users to obtain sensitive information via a request to the RSDU_CCMS_GET_PROFILE_PARAM RFC function. | |||||
| CVE-2014-8313 | 1 Sap | 1 Hana | 2018-10-09 | 6.0 MEDIUM | N/A |
| Eval injection in ide/core/base/server/net.xsjs in the Developer Workbench in SAP HANA allows remote attackers to execute arbitrary XSJX code via unspecified vectors. | |||||
| CVE-2014-8314 | 1 Sap | 1 Hana | 2018-10-09 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA Developer Edition Revision 70 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) epm/admin/DataGen.xsjs or (2) epm/services/multiply.xsjs in the democontent. | |||||
| CVE-2014-8315 | 1 Sap | 1 Businessobjects Explorer | 2018-10-09 | 5.0 MEDIUM | N/A |
| polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 replies with different timing depending on if a connection can be made, which allows remote attackers to conduct port scanning attacks via a host name and port in the cms parameter. | |||||
| CVE-2014-8316 | 1 Sap | 1 Businessobjects Explorer | 2018-10-09 | 5.0 MEDIUM | N/A |
| XML External Entity (XXE) vulnerability in polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 allows remote attackers to read arbitrary files via the xmlParameter parameter in an explorationSpaceUpdate request. | |||||
| CVE-2014-8323 | 1 Aircrack-ng | 1 Aircrack-ng | 2018-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| buddy-ng.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to cause a denial of service (segmentation fault) via a response with a crafted length parameter. | |||||
| CVE-2014-8324 | 1 Aircrack-ng | 1 Aircrack-ng | 2018-10-09 | 5.0 MEDIUM | 7.5 HIGH |
| network.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to cause a denial of service (segmentation fault) via a response with a crafted length parameter. | |||||
| CVE-2014-8334 | 1 Wp-dbmanager Project | 1 Wp-dbmanager | 2018-10-09 | 6.5 MEDIUM | N/A |
| The WP-DBManager (aka Database Manager) plugin before 2.7.2 for WordPress allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) $backup['filepath'] (aka "Path to Backup:" field) or (2) $backup['mysqldumppath'] variable. | |||||
| CVE-2014-8339 | 2 Clip-share, Nuevolab | 2 Clipshare, Nuevoplayer | 2018-10-09 | 7.5 HIGH | N/A |
| SQL injection vulnerability in midroll.php in Nuevolab Nuevoplayer for ClipShare 8.0 and earlier allows remote attackers to execute arbitrary SQL commands via the ch parameter. | |||||
| CVE-2014-8340 | 1 Zoneo-soft | 1 Phptraffica | 2018-10-09 | 7.5 HIGH | N/A |
| SQL injection vulnerability in Php/Functions/log_function.php in phpTrafficA 2.3 and earlier allows remote attackers to execute arbitrary SQL commands via a User-Agent HTTP header. | |||||
| CVE-2014-8357 | 1 Dasanzhone | 2 Znid 2426a, Znid 2426a Firmware | 2018-10-09 | 4.0 MEDIUM | 8.8 HIGH |
| backupsettings.html in the web administrative portal in Zhone zNID GPON 2426A before S3.0.501 places a session key in a URL, which allows remote attackers to obtain arbitrary user passwords via the sessionKey parameter in a getConfig action to backupsettings.conf. | |||||
| CVE-2014-8371 | 1 Vmware | 1 Vcenter Server Appliance | 2018-10-09 | 4.3 MEDIUM | N/A |
| VMware vCenter Server Appliance (vCSA) 5.5 before Update 2, 5.1 before Update 3, and 5.0 before Update 3c does not properly validate certificates when connecting to a CIM Server on an ESXi host, which allows man-in-the-middle attackers to spoof CIM servers via a crafted certificate. | |||||
| CVE-2014-8373 | 1 Vmware | 1 Vcloud Automation Center | 2018-10-09 | 9.0 HIGH | N/A |
| The VMware Remote Console (VMRC) function in VMware vCloud Automation Center (vCAC) 6.0.1 through 6.1.1 allows remote authenticated users to gain privileges via vectors involving the "Connect (by) Using VMRC" function. | |||||
| CVE-2014-8387 | 1 Advantech | 2 Eki-6340, Eki-6340 Firmware | 2018-10-09 | 9.0 HIGH | N/A |
| cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point allows remote authenticated users to execute arbitrary commands via shell metacharacters in the pinghost parameter to ping.cgi. | |||||
| CVE-2014-8389 | 1 Airlive | 10 Bu-2015, Bu-2015 Firmware, Bu-3026 and 7 more | 2018-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware 1.43 21.08.2014, AirLive MD-3025 with firmware 1.81 21.08.2014, AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011, and AirLive POE-200CAM v2 with firmware LM.1.6.17.01 uses hard-coded credentials in the embedded Boa web server, which allows remote attackers to obtain user credentials via crafted HTTP requests. | |||||
| CVE-2014-7181 | 1 Maxfoundry | 1 Maxbuttons | 2018-10-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Max Foundry MaxButtons plugin before 1.26.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter in a button action on the maxbuttons-controller page to wp-admin/admin.php, related to the button creation page. | |||||