CVE-2014-9222

Public exploit
AllegroSoft RomPager 4.34 and earlier, as used in Huawei Home Gateway products and other vendors and products, allows remote attackers to gain privileges via a crafted cookie that triggers memory corruption, aka the "Misfortune Cookie" vulnerability.
Max CVSS
10.0
EPSS Score
97.21%
Published
2014-12-24
Updated
2018-08-31

CVE-2014-9016

Public exploit
The password hashing API in Drupal 7.x before 7.34 and the Secure Password Hashes (aka phpass) module 6.x-2.x before 6.x-2.1 for Drupal allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted request.
Max CVSS
5.0
EPSS Score
3.97%
Published
2014-11-24
Updated
2021-04-20

CVE-2014-8998

Public exploit
lib/message.php in X7 Chat 2.0.0 through 2.0.5.1 allows remote authenticated users to execute arbitrary PHP code via a crafted HTTP header to index.php, which is processed by the preg_replace function with the eval switch.
Max CVSS
6.5
EPSS Score
95.43%
Published
2014-11-20
Updated
2017-09-08

CVE-2014-8799

Public exploit
Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.
Max CVSS
5.0
EPSS Score
17.84%
Published
2014-11-28
Updated
2020-02-05

CVE-2014-8791

Public exploit
project/register.php in Tuleap before 7.7, when sys_create_project_in_one_step is disabled, allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via the data parameter.
Max CVSS
6.0
EPSS Score
29.10%
Published
2014-12-02
Updated
2018-10-09

CVE-2014-8681

Public exploit
SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to user/repos/issues.
Max CVSS
7.5
EPSS Score
0.25%
Published
2014-11-21
Updated
2017-09-08

CVE-2014-8598

Public exploit
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code.
Max CVSS
6.4
EPSS Score
0.65%
Published
2014-11-18
Updated
2017-09-08

CVE-2014-8586

Public exploit
SQL injection vulnerability in the CP Multi View Event Calendar plugin 1.01 for WordPress allows remote attackers to execute arbitrary SQL commands via the calid parameter.
Max CVSS
7.5
EPSS Score
11.47%
Published
2014-11-04
Updated
2017-09-08

CVE-2014-8517

Public exploit
The fetch_url function in usr.bin/ftp/fetch.c in tnftp, as used in NetBSD 5.1 through 5.1.4, 5.2 through 5.2.2, 6.0 through 6.0.6, and 6.1 through 6.1.5 allows remote attackers to execute arbitrary commands via a | (pipe) character at the end of an HTTP redirect.
Max CVSS
7.5
EPSS Score
95.88%
Published
2014-11-17
Updated
2017-11-06

CVE-2014-8499

Public exploit
Multiple SQL injection vulnerabilities in ManageEngine Password Manager Pro (PMP) and Password Manager Pro Managed Service Providers (MSP) edition before 7.1 build 7105 allow remote authenticated users to execute arbitrary SQL commands via the SEARCH_ALL parameter to (1) SQLAdvancedALSearchResult.cc or (2) AdvancedSearchResult.cc.
Max CVSS
6.5
EPSS Score
2.08%
Published
2014-11-17
Updated
2017-09-08

CVE-2014-8440

Public exploit
Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0576, CVE-2014-0581, and CVE-2014-8441.
Max CVSS
10.0
EPSS Score
97.38%
Published
2014-11-11
Updated
2018-12-20

CVE-2014-8424

Public exploit
ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.
Max CVSS
7.8
EPSS Score
89.78%
Published
2014-11-28
Updated
2014-11-28

CVE-2014-8423

Public exploit
Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors.
Max CVSS
10.0
EPSS Score
40.91%
Published
2014-11-28
Updated
2014-11-28

CVE-2014-8270

Public exploit
BMC Track-It! 11.3 allows remote attackers to gain privileges and execute arbitrary code by creating an account whose name matches that of a local system account, then performing a password reset.
Max CVSS
5.0
EPSS Score
2.08%
Published
2014-12-12
Updated
2023-08-02

CVE-2014-7992

Public exploit
The DLSw implementation in Cisco IOS does not initialize packet buffers, which allows remote attackers to obtain sensitive credential information from process memory via a session on TCP port 2067, aka Bug ID CSCur14014.
Max CVSS
5.0
EPSS Score
2.54%
Published
2014-11-18
Updated
2017-09-08

CVE-2014-7816

Public exploit
Directory traversal vulnerability in JBoss Undertow 1.0.x before 1.0.17, 1.1.x before 1.1.0.CR5, and 1.2.x before 1.2.0.Beta3, when running on Windows, allows remote attackers to read arbitrary files via a .. (dot dot) in a resource URI.
Max CVSS
5.0
EPSS Score
4.58%
Published
2014-12-01
Updated
2015-03-04

CVE-2014-7285

Public exploit
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.
Max CVSS
6.5
EPSS Score
45.07%
Published
2014-12-17
Updated
2017-01-03

CVE-2014-7228

Public exploit
Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for Joomla! Professional 3.0.0 through 4.0.2; Backup Professional for WordPress 1.0.b1 through 1.1.3; Solo 1.0.b1 through 1.1.2; Admin Tools Core and Professional 2.0.0 through 2.4.4; and CMS Update 1.0.a1 through 1.0.1, when performing a backup or update for an archive, does not delete parameters from $_GET and $_POST when it is cleansing $_REQUEST, but later accesses $_GET and $_POST using the getQueryParam function, which allows remote attackers to bypass encryption and execute arbitrary code via a command message that extracts a crafted archive.
Max CVSS
7.5
EPSS Score
95.17%
Published
2014-11-03
Updated
2016-05-09

CVE-2014-7205

Public exploit
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary Javascript code via unspecified vectors.
Max CVSS
10.0
EPSS Score
87.46%
Published
2014-10-08
Updated
2019-07-16

CVE-2014-7146

Public exploit
The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier.
Max CVSS
7.5
EPSS Score
35.16%
Published
2014-11-18
Updated
2017-09-08

CVE-2014-6446

Public exploit
The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPress does not properly restrict access, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code via a request to utilities/code_generator.php.
Max CVSS
7.5
EPSS Score
66.62%
Published
2014-09-26
Updated
2015-10-01

CVE-2014-6352

Known exploited
Public exploit
Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to execute arbitrary code via a crafted OLE object, as exploited in the wild in October 2014 with a crafted PowerPoint document.
Max CVSS
9.3
EPSS Score
96.88%
Published
2014-10-22
Updated
2018-10-12
CISA KEV Added
2022-02-25

CVE-2014-6332

Known exploited
Public exploit
OleAut32.dll in OLE in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted web site, as demonstrated by an array-redimensioning attempt that triggers improper handling of a size value in the SafeArrayDimen function, aka "Windows OLE Automation Array Remote Code Execution Vulnerability."
Max CVSS
9.3
EPSS Score
97.39%
Published
2014-11-11
Updated
2019-05-15
CISA KEV Added
2022-03-25

CVE-2014-6324

Known exploited
Public exploit
The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka "Kerberos Checksum Vulnerability."
Max CVSS
9.0
EPSS Score
97.23%
Published
2014-11-18
Updated
2019-02-26
CISA KEV Added
2022-03-25

CVE-2014-6287

Known exploited
Public exploit
The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.
Max CVSS
10.0
EPSS Score
97.29%
Published
2014-10-07
Updated
2021-02-26
CISA KEV Added
2022-03-25
159 vulnerabilities found
1 2 3 4 5 6 7
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!