CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2014(Execute Code)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-7169 78 Exec Code 2014-09-24 2014-09-28
10.0
None Remote Low Not required Complete Complete Complete
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
2 CVE-2014-7153 89 Exec Code Sql 2014-09-22 2014-09-22
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the editgallery function in admin/gallery_func.php in the Huge-IT Image Gallery plugin 1.0.1 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the removeslide parameter to wp-admin/admin.php.
3 CVE-2014-6446 94 Exec Code 2014-09-26 2014-09-28
7.5
None Remote Low Not required Partial Partial Partial
The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPress does not properly restrict access, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code via a request to utilities/code_generator.php.
4 CVE-2014-6278 78 Exec Code 2014-09-30 2014-09-30
10.0
None Remote Low Not required Complete Complete Complete
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.
5 CVE-2014-6277 78 DoS Exec Code 2014-09-27 2014-09-29
10.0
None Remote Low Not required Complete Complete Complete
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.
6 CVE-2014-6273 DoS Exec Code Overflow 2014-09-30 2014-09-30
0.0
None ??? ??? ??? ??? ??? ???
Buffer overflow in the HTTP transport code in apt-get in APT 1.0.1 and earlier allows man-in-the-middle attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted URL.
7 CVE-2014-6271 78 Exec Code 2014-09-24 2014-09-28
10.0
None Remote Low Not required Complete Complete Complete
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.
8 CVE-2014-6270 119 DoS Exec Code Overflow 2014-09-12 2014-09-22
6.8
None Remote Medium Not required Partial Partial Partial
Off-by-one error in the snmpHandleUdp function in snmp_core.cc in Squid 2.x and 3.x, when an SNMP port is configured, allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted UDP SNMP request, which triggers a heap-based buffer overflow.
9 CVE-2014-6252 119 DoS Exec Code Overflow 2014-09-05 2014-09-08
6.5
None Remote Low Single system Partial Partial Partial
Buffer overflow in disp+work.exe 7000.52.12.34966 and 7200.117.19.50294 in the Dispatcher in SAP NetWeaver 7.00 and 7.20 allows remote authenticated users to cause a denial of service or execute arbitrary code via unspecified vectors.
10 CVE-2014-6241 89 Exec Code Sql 2014-09-11 2014-09-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the wt_directory extension before 1.4.1 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
11 CVE-2014-6239 89 Exec Code Sql 2014-09-11 2014-09-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Address visualization with Google Maps (st_address_map) extension before 0.3.6 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
12 CVE-2014-6235 Exec Code 2014-09-11 2014-09-11
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the ke DomPDF extension before 0.0.5 for TYPO3 allows remote attackers to execute arbitrary code via unknown vectors.
13 CVE-2014-6233 89 Exec Code Sql 2014-09-11 2014-09-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Flat Manager (flatmgr) extension before 2.7.10 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
14 CVE-2014-6231 Exec Code 2014-09-11 2014-09-11
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the CWT Frontend Edit (cwt_feedit) extension before 1.2.5 for TYPO3 allows remote authenticated users to execute arbitrary code via unknown vectors.
15 CVE-2014-6055 DoS Exec Code Overflow 2014-09-30 2014-09-30
0.0
None ??? ??? ??? ??? ??? ???
Multiple stack-based buffer overflows in the File Transfer feature in rfbserver.c in LibVNCServer 0.9.9 and earlier allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a (1) long file or (2) directory name or the (3) FileTime attribute in a rfbFileTransferOffer message.
16 CVE-2014-6051 DoS Exec Code Overflow 2014-09-30 2014-09-30
0.0
None ??? ??? ??? ??? ??? ???
Integer overflow in the MallocFrameBuffer function in vncviewer.c in LibVNCServer 0.9.9 and earlier allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via an advertisement for a large screen size, which triggers a heap-based buffer overflow.
17 CVE-2014-5521 89 1 Exec Code Sql 2014-09-02 2014-09-03
6.5
None Remote Low Single system Partial Partial Partial
plugins/useradmin/fingeruser.php in XRMS CRM, possibly 1.99.2, allows remote authenticated users to execute arbitrary code via shell metacharacters in the username parameter.
18 CVE-2014-5519 94 1 Exec Code 2014-09-11 2014-09-11
7.5
None Remote Low Not required Partial Partial Partial
The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtained from third party information.
19 CVE-2014-5506 Exec Code 2014-09-04 2014-09-13
6.8
None Remote Medium Not required Partial Partial Partial
Double free vulnerability in SAP Crystal Reports allows remote attackers to execute arbitrary code via crafted connection string record in an RPT file.
20 CVE-2014-5505 119 Exec Code Overflow 2014-09-04 2014-09-13
6.8
None Remote Medium Not required Partial Partial Partial
Stack-based buffer overflow in SAP Crystal Reports allows remote attackers to execute arbitrary code via a crafted data source string in an RPT file.
21 CVE-2014-5504 255 Exec Code 2014-09-04 2014-09-08
7.5
None Remote Low Not required Partial Partial Partial
SolarWinds Log and Event Manager before 6.0 uses "static" credentials, which makes it easier for remote attackers to obtain access to the database and execute arbitrary code via unspecified vectors, related to HyperSQL.
22 CVE-2014-5460 20 1 Exec Code 2014-09-11 2014-09-15
6.5
None Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-content/uploads/slideshow-gallery/.
23 CVE-2014-5458 89 Exec Code Sql 2014-08-25 2014-08-26
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in sqrl_verify.php in php-sqrl allows remote attackers to execute arbitrary SQL commands via the message parameter.
24 CVE-2014-5454 Exec Code 2014-08-25 2014-08-26
6.0
None Remote Medium Single system Partial Partial Partial
Unrestricted file upload vulnerability in the image upload module in SAS Visual Analytics 6.4M1 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via unspecified vectors.
25 CVE-2014-5440 89 Exec Code Sql 2014-09-12 2014-09-15
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Login.aspx in MPEX Business Solutions MX-SmartTimer before 13.19.18 allows remote attackers to execute arbitrary SQL commands via the ct100%24CPHContent%24password parameter.
26 CVE-2014-5399 89 Exec Code Sql 2014-08-27 2014-08-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Schneider Electric Wonderware Information Server (WIS) Portal 4.0 SP1 through 5.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
27 CVE-2014-5383 89 Exec Code Sql 2014-08-21 2014-08-21
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in AlienVault OSSIM before 4.7.0 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
28 CVE-2014-5340 94 Exec Code 2014-09-02 2014-09-03
9.3
None Remote Medium Not required Complete Complete Complete
The wato component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to an automation URL.
29 CVE-2014-5324 94 Exec Code 2014-09-26 2014-09-26
6.5
None Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in the N-Media file uploader plugin before 3.4 for WordPress allows remote authenticated users to execute arbitrary PHP code by leveraging Author privileges to store a file.
30 CVE-2014-5262 89 Exec Code Sql 2014-08-22 2014-08-23
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
31 CVE-2014-5261 94 Exec Code 2014-08-22 2014-08-23
7.5
None Remote Low Not required Partial Partial Partial
The graph settings script (graph_settings.php) in Cacti 0.8.8b and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a font size, related to the rrdtool commandline in lib/rrd.php.
32 CVE-2014-5249 89 Exec Code Sql 2014-08-14 2014-08-14
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the "Biblio self autocomplete" submodule in the Biblio Autocomplete module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
33 CVE-2014-5210 94 Exec Code 2014-08-21 2014-08-21
10.0
None Remote Low Not required Complete Complete Complete
The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) remote_task or (2) get_license request, a different vulnerability than CVE-2014-3804 and CVE-2014-3805.
34 CVE-2014-5203 Exec Code 2014-08-18 2014-08-28
7.5
None Remote Low Not required Partial Partial Partial
wp-includes/class-wp-customize-widgets.php in the widget implementation in WordPress 3.9.x before 3.9.2 might allow remote attackers to execute arbitrary code via crafted serialized data.
35 CVE-2014-5201 89 Exec Code Sql 2014-08-12 2014-08-13
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Gallery Objects plugin 0.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the viewid parameter in a go_view_object action to wp-admin/admin-ajax.php.
36 CVE-2014-5200 89 Exec Code Sql 2014-08-12 2014-08-13
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in game_play.php in the FB Gorilla plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
37 CVE-2014-5192 89 1 Exec Code Sql 2014-08-07 2014-08-07
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in admin/admin.php in Sphider 1.3.6 allows remote attackers to execute arbitrary SQL commands via the filter parameter.
38 CVE-2014-5189 89 Exec Code Sql 2014-08-07 2014-09-25
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in lib/optin/optin_page.php in the Lead Octopus plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter.
39 CVE-2014-5186 89 Exec Code Sql 2014-08-06 2014-08-07
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the All Video Gallery (all-video-gallery) plugin 1.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in an edit action in the allvideogallery_videos page to wp-admin/admin.php.
40 CVE-2014-5185 89 Exec Code Sql 2014-08-06 2014-08-07
6.0
None Remote Medium Single system Partial Partial Partial
SQL injection vulnerability in the Quartz plugin 1.01.1 for WordPress allows remote authenticated users with Contributor privileges to execute arbitrary SQL commands via the quote parameter in an edit action in the quartz/quote_form.php page to wp-admin/edit.php.
41 CVE-2014-5184 89 Exec Code Sql 2014-08-06 2014-08-07
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the stripshow-storylines page in the stripShow plugin 2.5.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the story parameter in an edit action to wp-admin/admin.php.
42 CVE-2014-5183 89 Exec Code Sql 2014-08-06 2014-08-07
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in includes/mode-edit.php in the Simple Retail Menus (simple-retail-menus) plugin before 4.1 for WordPress allows remote authenticated editors to execute arbitrary SQL commands via the targetmenu parameter in an edit action to wp-admin/admin.php.
43 CVE-2014-5182 89 Exec Code Sql 2014-08-06 2014-08-07
6.0
None Remote Medium Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in the yawpp plugin 1.2 for WordPress allow remote authenticated users with Contributor privileges to execute arbitrary SQL commands via vectors related to (1) admin_functions.php or (2) admin_update.php, as demonstrated by the id parameter in the update action to wp-admin/admin.php.
44 CVE-2014-5180 89 Exec Code Sql 2014-08-06 2014-08-07
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the videos page in the HDW Player Plugin (hdw-player-video-player-video-gallery) 2.4.2 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in the edit action to wp-admin/admin.php.
45 CVE-2014-5159 89 Exec Code Sql 2014-08-21 2014-08-21
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the ossim-framework service in AlienVault OSSIM before 4.6.0 allows remote attackers to execute arbitrary SQL commands via the ws_data parameter.
46 CVE-2014-5158 94 Exec Code 2014-08-21 2014-08-21
10.0
None Remote Low Not required Complete Complete Complete
The (1) av-centerd SOAP service and (2) backup command in the ossim-framework service in AlienVault OSSIM before 4.6.0 allows remote attackers to execute arbitrary commands via unspecified vectors.
47 CVE-2014-5119 189 DoS Exec Code 2014-08-29 2014-09-28
7.5
None Remote Low Not required Partial Partial Partial
Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library (aka glibc) allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules.
48 CVE-2014-5112 94 Exec Code 2014-07-28 2014-07-29
7.5
None Remote Low Not required Partial Partial Partial
maint/modules/home/index.php in Fonality trixbox allows remote attackers to execute arbitrary commands via shell metacharacters in the lang parameter.
49 CVE-2014-5109 89 Exec Code Sql 2014-07-28 2014-07-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in maint/modules/endpointcfg/endpoint_generic.php in Fonality trixbox allows remote attackers to execute arbitrary SQL commands via the mac parameter in a Submit action.
50 CVE-2014-5104 89 Exec Code Sql 2014-07-28 2014-07-29
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in ol-commerce 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) a_country parameter in a process action to affiliate_signup.php, (2) affiliate_banner_id parameter to affiliate_show_banner.php, (3) country parameter in a process action to create_account.php, or (4) entry_country_id parameter in an edit action to admin/create_account.php.
Total number of vulnerabilities : 1121   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.