CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 7 and 7.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-7984 264 Bypass 2014-10-08 2014-10-09
7.5
None Remote Low Not required Partial Partial Partial
Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote attackers to authenticate and bypass intended restrictions via vectors involving GMail authentication.
2 CVE-2014-7981 89 Exec Code Sql 2014-10-08 2014-10-09
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Joomla! CMS 3.1.x and 3.2.x before 3.2.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
3 CVE-2014-7967 DoS 2014-10-08 2014-10-08
7.5
None Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in Google V8 before 3.28.71.15, as used in Google Chrome before 38.0.2125.101, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
4 CVE-2014-7299 Bypass +Info 2014-10-07 2014-10-08
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in administrative interfaces in ArubaOS 6.3.1.11, 6.3.1.11-FIPS, 6.4.2.1, and 6.4.2.1-FIPS on Aruba controllers allows remote attackers to bypass authentication, and obtain potentially sensitive information or add guest accounts, via an SSH session.
5 CVE-2014-7226 94 1 Exec Code 2014-10-09 2014-10-10
7.5
None Remote Low Not required Partial Partial Partial
The file comment feature in Rejetto HTTP File Server (hfs) 2.3c and earlier allows remote attackers to execute arbitrary code by uploading a file with certain invalid UTF-8 byte sequences that are interpreted as executable macro symbols.
6 CVE-2014-7145 399 DoS 2014-09-28 2014-10-04
7.8
None Remote Low Not required None None Complete
The SMB2_tcon function in fs/cifs/smb2pdu.c in the Linux kernel before 3.16.3 allows remote CIFS servers to cause a denial of service (NULL pointer dereference and client system crash) or possibly have unspecified other impact by deleting the IPC$ share during resolution of DFS referrals.
7 CVE-2014-6632 287 Bypass 2014-10-08 2014-10-09
7.5
None Remote Low Not required Partial Partial Partial
Joomla! 2.5.x before 2.5.25, 3.x before 3.2.4, and 3.3.x before 3.3.4 allows remote attackers to authenticate and bypass intended access restrictions via vectors involving LDAP authentication.
8 CVE-2014-6607 255 1 +Priv 2014-10-06 2014-10-07
7.5
None Remote Low Not required Partial Partial Partial
M/Monit 3.3.2 and earlier does not verify the original password before changing passwords, which allows remote attackers to change the password of other users and gain privileges via the fullname and password parameters, a different vulnerability than CVE-2014-6409.
9 CVE-2014-6508 2014-10-15 2014-10-19
7.8
None Remote Low Not required None None Complete
Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remote attackers to affect availability via vectors related to iSCSI Data Mover (IDM).
10 CVE-2014-6500 2014-10-15 2014-10-19
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier, and 5.6.20 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6491.
11 CVE-2014-6493 2014-10-15 2014-10-17
7.6
None Remote High Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnerability than CVE-2014-4288, CVE-2014-6503, and CVE-2014-6532.
12 CVE-2014-6492 2014-10-15 2014-10-17
7.6
None Remote High Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 6u81, 7u67, and 8u20, when running on Firefox, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
13 CVE-2014-6491 2014-10-15 2014-10-19
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Oracle MySQL Server 5.5.39 and earlier and 5.6.20 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SERVER:SSL:yaSSL, a different vulnerability than CVE-2014-6500.
14 CVE-2014-6473 2014-10-15 2014-10-19
7.2
None Local Low Not required Complete Complete Complete
Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Zone Framework.
15 CVE-2014-6446 94 Exec Code 2014-09-26 2014-09-28
7.5
None Remote Low Not required Partial Partial Partial
The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPress does not properly restrict access, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code via a request to utilities/code_generator.php.
16 CVE-2014-6418 399 DoS 2014-09-28 2014-09-29
7.1
None Remote Medium Not required None None Complete
net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, does not properly validate auth replies, which allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via crafted data from the IP address of a Ceph Monitor.
17 CVE-2014-6417 399 DoS 2014-09-28 2014-09-29
7.8
None Remote Low Not required None None Complete
net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, does not properly consider the possibility of kmalloc failure, which allows remote attackers to cause a denial of service (system crash) or possibly have unspecified other impact via a long unencrypted auth ticket.
18 CVE-2014-6416 119 DoS Overflow Mem. Corr. 2014-09-28 2014-09-29
7.8
None Remote Low Not required None None Complete
Buffer overflow in net/ceph/auth_x.c in Ceph, as used in the Linux kernel before 3.16.3, allows remote attackers to cause a denial of service (memory corruption and panic) or possibly have unspecified other impact via a long unencrypted auth ticket.
19 CVE-2014-6394 22 Dir. Trav. 2014-10-08 2014-10-09
7.5
None Remote Low Not required Partial Partial Partial
visionmedia send before 0.8.4 for Node.js uses a partial comparison for verifying whether a directory is within the document root, which allows remote attackers to access restricted directories, as demonstrated using "public-restricted" under a "public" directory.
20 CVE-2014-6389 94 1 Exec Code 2014-10-06 2014-10-07
7.5
None Remote Low Not required Partial Partial Partial
backup.php in PHPCompta/NOALYSS before 6.7.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the d parameter.
21 CVE-2014-6298 94 Exec Code 2014-10-03 2014-10-06
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in the mm_forum extension before 1.9.3 for TYPO3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors.
22 CVE-2014-6295 89 Exec Code Sql 2014-10-03 2014-10-06
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the WEC Map (wec_map) extension before 3.0.3 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
23 CVE-2014-6293 89 Exec Code Sql 2014-10-03 2014-10-06
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Statistics (ke_stats) extension before 1.1.2 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, as exploited in the wild in February 2014.
24 CVE-2014-6290 20 2014-10-03 2014-10-06
7.5
None Remote Low Not required Partial Partial Partial
The News (tt_news) extension before 3.5.2 for TYPO3 allows remote attackers to have unspecified impact via vectors related to an "insecure unserialize" issue.
25 CVE-2014-6289 264 Bypass 2014-10-03 2014-10-06
7.5
None Remote Low Not required Partial Partial Partial
The Ajax dispatcher for Extbase in the Yet Another Gallery (yag) extension before 3.0.1 and Tools for Extbase development (pt_extbase) extension before 1.5.1 allows remote attackers to bypass access restrictions and execute arbitrary controller actions via unspecified vectors.
26 CVE-2014-6288 264 Bypass 2014-10-03 2014-10-10
7.5
None Remote Low Not required Partial Partial Partial
The powermail extension 2.x before 2.0.11 for TYPO3 allows remote attackers to bypass the CAPTCHA protection mechanism via unspecified vectors.
27 CVE-2014-6287 94 2014-10-07 2014-10-07
7.5
None Remote Low Not required Partial Partial Partial
The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (aks HFS or HttpFileServer) 2.3x before 2.3c allows remote attackers to execute arbitrary programs via a %00 sequence in a search action.
28 CVE-2014-6241 89 Exec Code Sql 2014-09-11 2014-09-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the wt_directory extension before 1.4.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
29 CVE-2014-6239 89 Exec Code Sql 2014-09-11 2014-09-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Address visualization with Google Maps (st_address_map) extension before 0.3.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
30 CVE-2014-6236 2014-09-11 2014-09-11
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the LumoNet PHP Include (lumophpinclude) extension before 1.2.1 for TYPO3 allows remote attackers to execute arbitrary scripts via vectors related to extension links.
31 CVE-2014-6235 Exec Code 2014-09-11 2014-09-11
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the ke DomPDF extension before 0.0.5 for TYPO3 allows remote attackers to execute arbitrary code via unknown vectors.
32 CVE-2014-6233 89 Exec Code Sql 2014-09-11 2014-09-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Flat Manager (flatmgr) extension before 2.7.10 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
33 CVE-2014-6231 Exec Code 2014-09-11 2014-09-11
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the CWT Frontend Edit (cwt_feedit) extension before 1.2.5 for TYPO3 allows remote authenticated users to execute arbitrary code via unknown vectors.
34 CVE-2014-6051 189 DoS Exec Code Overflow 2014-09-30 2014-10-04
7.5
None Remote Low Not required Partial Partial Partial
Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer 0.9.9 and earlier allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via an advertisement for a large screen size, which triggers a heap-based buffer overflow.
35 CVE-2014-5519 94 1 Exec Code 2014-09-11 2014-09-11
7.5
None Remote Low Not required Partial Partial Partial
The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtained from third party information.
36 CVE-2014-5504 255 Exec Code 2014-09-04 2014-09-08
7.5
None Remote Low Not required Partial Partial Partial
SolarWinds Log and Event Manager before 6.0 uses "static" credentials, which makes it easier for remote attackers to obtain access to the database and execute arbitrary code via unspecified vectors, related to HyperSQL.
37 CVE-2014-5458 89 Exec Code Sql 2014-08-25 2014-08-26
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in sqrl_verify.php in php-sqrl allows remote attackers to execute arbitrary SQL commands via the message parameter.
38 CVE-2014-5453 264 1 +Priv 2014-08-25 2014-08-26
7.2
None Local Low Not required Complete Complete Complete
Ubisoft Uplay PC before 4.6.1.3217 use weak permissions (Everyone: Full Control) for the program installation directory (%PROGRAMFILES%\Ubisoft Game Launcher), which allows local users to gain privileges via a Trojan horse file.
39 CVE-2014-5440 89 Exec Code Sql 2014-09-12 2014-09-15
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Login.aspx in MPEX Business Solutions MX-SmartTimer before 13.19.18 allows remote attackers to execute arbitrary SQL commands via the ct100%24CPHContent%24password parameter.
40 CVE-2014-5410 399 DoS 2014-10-03 2014-10-06
7.1
None Remote Medium Not required None None Complete
The DNP3 feature on Rockwell Automation Allen-Bradley MicroLogix 1400 1766-Lxxxxx A FRN controllers 7 and earlier and 1400 1766-Lxxxxx B FRN controllers before 15.001 allows remote attackers to cause a denial of service (process disruption) via malformed packets over (1) an Ethernet network or (2) a serial line.
41 CVE-2014-5399 89 Exec Code Sql 2014-08-27 2014-08-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
42 CVE-2014-5396 2014-08-22 2014-08-27
7.5
None Remote Low Not required Partial Partial Partial
The web interface in Schrack Technik microControl with firmware before 1.7.0 (937) has a hardcoded password of not for the "user" account, which makes it easier for remote attackers to obtain access via unspecified vectors.
43 CVE-2014-5389 89 Exec Code Sql 2014-10-06 2014-10-07
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in content-audit-schedule.php in the Content Audit plugin before 1.6.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the "Audited content types" option in the content-audit page to wp-admin/options-general.php.
44 CVE-2014-5307 119 Overflow +Priv 2014-08-26 2014-08-27
7.2
None Local Low Not required Complete Complete Complete
Heap-based buffer overflow in the PavTPK.sys kernel mode driver of Panda Security 2014 products before hft131306s24_r1 allows local users to gain privileges via a crafted argument to a 0x222008 IOCTL call.
45 CVE-2014-5297 94 2014-10-09 2014-10-10
7.5
None Remote Low Not required Partial Partial Partial
The actionSendErrorReport method in protected/controllers/SiteController.php in X2Engine 2.8 through 4.1.7 allows remote attackers to conduct PHP object injection and Server-Side Request Forgery (SSRF) attacks via crafted serialized data in the report parameter.
46 CVE-2014-5285 +Priv +Info 2014-09-04 2014-09-05
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Authentication Module in TIBCO Spotfire Server before 4.5.2, 5.0.x before 5.0.3, 5.5.x before 5.5.2, 6.0.x before 6.0.3, and 6.5.x before 6.5.1 allows remote attackers to gain privileges, and obtain sensitive information or modify data, via unknown vectors.
47 CVE-2014-5262 89 Exec Code Sql 2014-08-22 2014-08-23
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
48 CVE-2014-5261 94 Exec Code 2014-08-22 2014-08-23
7.5
None Remote Low Not required Partial Partial Partial
The graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a font size, related to the rrdtool commandline in lib/rrd.php.
49 CVE-2014-5250 2014-08-14 2014-08-14
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the AJAX autocompletion callback in the Biblio Autocomplete module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to access data via unspecified vectors.
50 CVE-2014-5249 89 Exec Code Sql 2014-08-14 2014-08-14
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the "Biblio self autocomplete" submodule in the Biblio Autocomplete module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.