CVE-2014-7992

Public exploit
The DLSw implementation in Cisco IOS does not initialize packet buffers, which allows remote attackers to obtain sensitive credential information from process memory via a session on TCP port 2067, aka Bug ID CSCur14014.
Max CVSS
5.0
EPSS Score
2.54%
Published
2014-11-18
Updated
2017-09-08

CVE-2014-5377

Public exploit
ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request.
Max CVSS
5.0
EPSS Score
23.90%
Published
2014-09-04
Updated
2018-10-09

CVE-2014-4863

Public exploit
The Arris Touchstone DG950A cable modem with software 7.10.131 has an SNMP community of public, which allows remote attackers to obtain sensitive password, key, and SSID information via an SNMP request.
Max CVSS
5.0
EPSS Score
2.20%
Published
2014-09-05
Updated
2014-09-08

CVE-2014-0644

Public exploit
EMC Cloud Tiering Appliance (CTA) 10 through SP1 allows remote attackers to read arbitrary files via an api/login request containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, as demonstrated by reading the /etc/shadow file.
Max CVSS
7.8
EPSS Score
36.40%
Published
2014-04-17
Updated
2014-04-17

CVE-2013-7331

Known exploited
Public exploit
The Microsoft.XMLDOM ActiveX control in Microsoft Windows 8.1 and earlier allows remote attackers to determine the existence of local pathnames, UNC share pathnames, intranet hostnames, and intranet IP addresses by examining error codes, as demonstrated by a res:// URL, and exploited in the wild in February 2014.
Max CVSS
4.3
EPSS Score
53.72%
Published
2014-02-26
Updated
2019-05-14
CISA KEV Added
2022-05-25

CVE-2013-3982

Public exploit
The Meeting Server in IBM Sametime 8.x through 8.5.2.1 and 9.x through 9.0.0.1 allows remote attackers to obtain unspecified installation information and technical data via a request to a public page.
Max CVSS
5.0
EPSS Score
0.41%
Published
2014-05-26
Updated
2017-08-29
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address.
Max CVSS
2.1
EPSS Score
0.04%
Published
2014-12-26
Updated
2018-01-05
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 uses part of the MAC address as part of the RC4 setup key, which makes it easier for remote attackers to guess the key via a brute-force attack.
Max CVSS
5.0
EPSS Score
0.48%
Published
2014-12-19
Updated
2018-10-09
The LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal does not properly unset the authorized user role for certain users, which allows remote attackers with the pre-authorized role to gain privileges and possibly obtain sensitive information by accessing a Page Not Found (404) page.
Max CVSS
4.3
EPSS Score
0.19%
Published
2014-12-10
Updated
2014-12-11
Puppet Enterprise before 3.7.1 allows remote authenticated users to obtain licensing and certificate signing request information by leveraging access to an unspecified API endpoint.
Max CVSS
4.0
EPSS Score
0.12%
Published
2014-12-19
Updated
2019-07-10
EntryPass N5200 Active Network Control Panel allows remote attackers to read device memory and obtain the administrator username and password via a URL starting with an ASCII character o through z or A through D, different vectors than CVE-2014-8868.
Max CVSS
7.8
EPSS Score
0.48%
Published
2014-12-07
Updated
2018-10-09
The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent to the URL.
Max CVSS
5.0
EPSS Score
0.50%
Published
2014-12-08
Updated
2021-01-12
Zenoss Core through 5 Beta 3 stores cleartext passwords in the session database, which might allow local users to obtain sensitive information by reading database entries, aka ZEN-15416.
Max CVSS
2.1
EPSS Score
0.04%
Published
2014-12-15
Updated
2016-03-21
Zenoss Core through 5 Beta 3 does not include the HTTPOnly flag in a Set-Cookie header for the authentication cookie, which makes it easier for remote attackers to obtain credential information via script access to this cookie, aka ZEN-10418.
Max CVSS
5.0
EPSS Score
0.35%
Published
2014-12-15
Updated
2016-03-21
Zenoss Core through 5 Beta 3 allows remote authenticated users to obtain sensitive (1) user account, (2) e-mail address, and (3) role information by visiting the ZenUsers (aka User Manager) page, aka ZEN-15389.
Max CVSS
4.0
EPSS Score
0.15%
Published
2014-12-15
Updated
2016-03-21
Zenoss Core through 5 Beta 3 allows remote attackers to obtain sensitive information by attempting a product-rename action with an invalid new name and then reading a stack trace, as demonstrated by internal URL information, aka ZEN-15382.
Max CVSS
5.0
EPSS Score
0.33%
Published
2014-12-15
Updated
2016-03-21
The HTML5 MP3 Player with Playlist Free plugin before 2.7 for WordPress allows remote attackers to obtain the installation path via a request to html5plus/playlist.php.
Max CVSS
5.0
EPSS Score
0.61%
Published
2014-12-02
Updated
2017-09-08
Adobe Flash Player before 13.0.0.259 and 14.x through 16.x before 16.0.0.235 on Windows and OS X and before 11.2.202.425 on Linux allows attackers to obtain sensitive information via unspecified vectors.
Max CVSS
10.0
EPSS Score
0.53%
Published
2014-12-10
Updated
2018-12-20
The FileField module 6.x-3.x before 6.x-3.13 for Drupal does not properly check permissions to view files, which allows remote authenticated users with permission to create or edit content to read private files by attaching an uploaded file.
Max CVSS
4.0
EPSS Score
0.18%
Published
2014-12-01
Updated
2014-12-01
The Notify module 7.x-1.x before 7.x-1.1 for Drupal does not properly restrict access to (1) new or (2) modified nodes or (3) their fields, which allows remote authenticated users to obtain node titles, teasers, and fields by reading a notification email.
Max CVSS
4.0
EPSS Score
0.10%
Published
2014-12-01
Updated
2014-12-05
The default checkout completion rule in the commerce_order module in the Drupal Commerce module 7.x-1.x before 7.x-1.10 for Drupal uses the email address as the username for new accounts created at checkout, which allows remote attackers to obtain sensitive information via unspecified vectors.
Max CVSS
5.0
EPSS Score
0.19%
Published
2014-11-20
Updated
2014-11-21
Icecast before 2.4.1 transmits the output of the on-connect script, which might allow remote attackers to obtain sensitive information, related to shared file descriptors.
Max CVSS
5.0
EPSS Score
1.98%
Published
2014-12-03
Updated
2017-09-08
The ke_questionnaire extension 2.5.2 and earlier for TYPO3 uses predictable names for the questionnaire answer forms, which makes it easier for remote attackers to obtain sensitive information via a direct request.
Max CVSS
5.0
EPSS Score
0.32%
Published
2014-12-02
Updated
2018-10-09
GleamTech FileVista before 6.1 allows remote authenticated users to obtain sensitive information via a crafted path when saving a zip file, which reveals the installation path in an error message.
Max CVSS
4.0
EPSS Score
0.14%
Published
2014-12-02
Updated
2014-12-05
MODX Revolution 2.x before 2.2.15 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
Max CVSS
5.0
EPSS Score
0.24%
Published
2014-12-03
Updated
2019-10-22
356 vulnerabilities found
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!