Multiple cross-site scripting (XSS) vulnerabilities in cms/front_content.php in Contenido before 4.9.6, when advanced mod rewrite (AMR) is disabled, allow remote attackers to inject arbitrary web script or HTML via the (1) idart, (2) lang, or (3) idcat parameter.
Max CVSS
2.6
EPSS Score
0.68%
Published
2014-12-31
Updated
2018-10-09
Multiple cross-site scripting (XSS) vulnerabilities in templates/2k11/admin/overview.inc.tpl in Serendipity before 2.0-rc2 allow remote attackers to inject arbitrary web script or HTML via a blog comment in the QUERY_STRING to serendipity/index.php.
Max CVSS
4.3
EPSS Score
0.68%
Published
2014-12-31
Updated
2018-10-09
Multiple cross-site request forgery (CSRF) vulnerabilities in Smoothwall Express 3.1 and 3.0 SP3 allow remote attackers to hijack the authentication of administrators for requests that change the (1) admin or (2) dial password via a request to httpd/cgi-bin/changepw.cgi.
Max CVSS
6.8
EPSS Score
0.18%
Published
2014-12-31
Updated
2017-09-08
Cross-site scripting (XSS) vulnerability in httpd/cgi-bin/vpn.cgi/vpnconfig.dat in Smoothwall Express 3.0 SP3 allows remote attackers to inject arbitrary web script or HTML via the COMMENT parameter in an Add action.
Max CVSS
4.3
EPSS Score
0.16%
Published
2014-12-31
Updated
2017-09-08
Multiple cross-site scripting (XSS) vulnerabilities in Smoothwall Express 3.1 and 3.0 SP3 allow remote attackers to inject arbitrary web script or HTML via the (1) PROFILENAME parameter in a Save action to httpd/cgi-bin/pppsetup.cgi or (2) COMMENT parameter in an Add action to httpd/cgi-bin/ddns.cgi.
Max CVSS
4.3
EPSS Score
0.16%
Published
2014-12-31
Updated
2017-09-08
The apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempts to perform a free operation on a stack-based character array, which allows remote attackers to cause a denial of service (memory corruption or application crash) or possibly have unspecified other impact via unknown vectors. NOTE: this is disputed by the vendor because the standard erealloc behavior makes the free operation unreachable
Max CVSS
7.5
EPSS Score
0.79%
Published
2014-12-31
Updated
2024-03-21
Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through 5.6.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
Max CVSS
7.5
EPSS Score
6.63%
Published
2014-12-31
Updated
2022-08-04
Double free vulnerability in the ssl_parse_clienthello_use_srtp_ext function in d1_srtp.c in LibreSSL before 2.1.2 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a certain length-verification error during processing of a DTLS handshake.
Max CVSS
7.5
EPSS Score
0.34%
Published
2014-12-29
Updated
2014-12-30
The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the number of Rock Ridge continuation entries, which allows local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image.
Max CVSS
4.9
EPSS Score
0.04%
Published
2014-12-26
Updated
2023-02-13
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address.
Max CVSS
2.1
EPSS Score
0.04%
Published
2014-12-26
Updated
2018-01-05
The eSpace Meeting ActiveX control (eSpaceStatusCtrl.dll) in Huawei eSpace Desktop before V200R001C03 allows local users to cause a denial of service (memory overflow) via unspecified vectors.
Max CVSS
2.1
EPSS Score
0.08%
Published
2014-12-24
Updated
2019-05-20
The Meeting component in Huawei eSpace Desktop before V100R001C03 allows local users to cause a denial of service (program exit) via a crafted image.
Max CVSS
2.1
EPSS Score
0.05%
Published
2014-12-24
Updated
2019-05-20
Multiple untrusted search path vulnerabilities in Huawei eSpace Desktop before V200R003C00 allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) mfc71enu.dll, (2) mfc71loc.dll, (3) tcapi.dll, or (4) airpcap.dll.
Max CVSS
4.4
EPSS Score
0.06%
Published
2014-12-24
Updated
2019-05-20
Huawei eSpace Desktop before V100R001C03 allows local users to cause a denial of service (program exit) via a crafted QES file.
Max CVSS
1.9
EPSS Score
0.05%
Published
2014-12-24
Updated
2019-05-20
The W3 Total Cache plugin before 0.9.4.1 for WordPress does not properly handle empty nonces, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and hijack the authentication of administrators for requests that change the mobile site redirect URI via the mobile_groups[*][redirect] parameter and an empty _wpnonce parameter in the w3tc_mobile page to wp-admin/admin.php.
Max CVSS
6.8
EPSS Score
1.43%
Published
2014-12-24
Updated
2023-05-26
Multiple cross-site request forgery (CSRF) vulnerabilities in the IP Ban (simple-ip-ban) plugin 1.2.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) ip_list, (2) user_agent_list, or (3) redirect_url parameter in the simple-ip-ban page to wp-admin/options-general.php.
Max CVSS
6.8
EPSS Score
0.29%
Published
2014-12-24
Updated
2017-09-08
Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.1 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary parameter to roma/jsp/debug/debug.jsp or (2) an arbitrary parameter in a debug.DumpAll action to nps/servlet/webacc, a different issue than CVE-2014-5216.
Max CVSS
4.3
EPSS Score
0.46%
Published
2014-12-23
Updated
2021-04-09
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 uses part of the MAC address as part of the RC4 setup key, which makes it easier for remote attackers to guess the key via a brute-force attack.
Max CVSS
5.0
EPSS Score
0.48%
Published
2014-12-19
Updated
2018-10-09
Multiple cross-site request forgery (CSRF) vulnerabilities in Revive Adserver before 3.0.5 allow remote attackers to hijack the authentication of administrators for requests that (1) delete data via a request to agency-delete.php, (2) tracker-delete.php, or (3) userlog-delete.php in admin/ or (4) unlink accounts via a request to admin-user-unlink.php. (5) advertiser-user-unlink.php, or (6) affiliate-user-unlink.php in admin/.
Max CVSS
6.8
EPSS Score
0.09%
Published
2014-12-19
Updated
2014-12-19
ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier has a default password of password for the admin account, which makes it easier for remote attackers to obtain access via a request to home_loggedout.php.
Max CVSS
10.0
EPSS Score
0.31%
Published
2014-12-18
Updated
2014-12-18
The CWebAdminMod::ChanPage function in modules/webadmin.cpp in ZNC before 1.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) by adding a channel with the same name as an existing channel but without the leading # character, related to a "use-after-delete" error.
Max CVSS
4.0
EPSS Score
0.71%
Published
2014-12-19
Updated
2015-09-29
Cross-site request forgery (CSRF) vulnerability in the WP Limit Posts Automatically plugin 0.7 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the lpa_post_letters parameter in the wp-limit-posts-automatically.php page to wp-admin/options-general.php.
Max CVSS
6.8
EPSS Score
0.18%
Published
2014-12-31
Updated
2017-09-08
Multiple cross-site request forgery (CSRF) vulnerabilities in the Wp Unique Article Header Image plugin 1.0 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) gt_default_header or (2) gt_homepage_header parameter in the wp-unique-header.php page to wp-admin/options-general.php.
Max CVSS
6.8
EPSS Score
0.18%
Published
2014-12-31
Updated
2017-09-08
Cross-site request forgery (CSRF) vulnerability in the TweetScribe plugin 1.1 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the tweetscribe_username parameter in a save action in the tweetscribe.php page to wp-admin/options-general.php.
Max CVSS
6.8
EPSS Score
2.58%
Published
2014-12-31
Updated
2015-01-03
Cross-site request forgery (CSRF) vulnerability in the Twitter LiveBlog plugin 1.1.2 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the mashtlb_twitter_username parameter in the twitter-liveblog.php page to wp-admin/options-general.php.
Max CVSS
6.8
EPSS Score
2.58%
Published
2014-12-31
Updated
2015-01-03
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!