CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2014

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-8766 89 Exec Code Sql 2014-10-14 2014-10-21
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Allomani Weblinks 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter in a browse action to index.php or (2) unspecified parameters to admin.php.
2 CVE-2014-8765 79 XSS 2014-10-14 2014-10-22
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Project Issue File Review module (PIFR) module 6.x-2.x before 6.x-2.17 for Drupal allow (1) remote attackers to inject arbitrary web script or HTML via a crafted patch, which triggers a PIFR client to test the patch and return the results to the PIFR_Server test results page or (2) remote authenticated users with the "manage PIFR environments" permission to inject arbitrary web script or HTML via vectors involving a PIFR_Server administrative page.
3 CVE-2014-8764 287 Bypass 2014-10-22 2014-10-23
5.0
None Remote Low Not required None Partial None
DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind.
4 CVE-2014-8763 287 Bypass 2014-10-22 2014-10-23
5.0
None Remote Low Not required None Partial None
DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind.
5 CVE-2014-8762 200 +Info 2014-10-22 2014-10-23
5.0
None Remote Low Not required Partial None None
The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter.
6 CVE-2014-8761 200 +Info 2014-10-22 2014-10-23
5.0
None Remote Low Not required Partial None None
inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call.
7 CVE-2014-8760 310 2014-10-24 2014-10-27
5.0
None Remote Low Not required Partial None None
ejabberd before 2.1.13 does not enforce the starttls_required setting when compression is used, which causes clients to establish connections without encryption.
8 CVE-2014-8756 20 Exec Code 2014-10-17 2014-10-23
6.8
None Remote Medium Not required Partial Partial Partial
The NcrCtl4.NcrNet.1 control in Panasonic Network Camera Recorder before 4.04R03 allows remote attackers to execute arbitrary code via a crafted GetVOLHeader method call, which writes null bytes to an arbitrary address.
9 CVE-2014-8755 20 Exec Code 2014-10-17 2014-10-22
6.8
None Remote Medium Not required Partial Partial Partial
Panasonic Network Camera View 3 and 4 allows remote attackers to execute arbitrary code via a crafted page, which triggers an invalid pointer dereference, related to "the ability to nullify an arbitrary address in memory."
10 CVE-2014-8750 362 2014-10-15 2014-10-22
6.5
None Remote Low Single system Partial Partial Partial
Race condition in the VMware driver in OpenStack Compute (Nova) before 2014.1.4 and 2014.2 before 2014.2rc1 allows remote authenticated users to access unintended consoles by spawning an instance that triggers the same VNC port to be allocated to two different instances.
11 CVE-2014-8748 79 XSS 2014-10-13 2014-10-15
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Google Doubleclick for Publishers (DFP) module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer dfp" permission to inject arbitrary web script or HTML via a slot name.
12 CVE-2014-8747 79 XSS 2014-10-13 2014-10-24
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Drupal Commons module 7.x-3.x before 7.x-3.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to content creation and activity stream messages.
13 CVE-2014-8746 79 XSS 2014-10-13 2014-10-15
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Skeleton theme 7.x-1.2 through 7.x-1.3 before 7.x-1.4, for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings.
14 CVE-2014-8745 79 XSS 2014-10-13 2014-10-15
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Custom Search module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.15 for Drupal allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via a taxonomy vocabulary label.
15 CVE-2014-8744 79 XSS 2014-10-13 2014-10-15
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Nivo Slider module 7.x-2.x before 7.x-1.11 for Drupal allows remote authenticated users with the "administer nivo slider" permission to inject arbitrary web script or HTML via an image title.
16 CVE-2014-8743 79 XSS 2014-10-13 2014-10-15
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.4 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via a (1) Role or (2) Organic Group name.
17 CVE-2014-8538 +Info 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
The Hijab Modern (aka com.Aisyaidea.HijabModern) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
18 CVE-2014-8537 +Info 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to obtain sensitive information by reading the logs.
19 CVE-2014-8536 +Info 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to obtain sensitive information by reading unspecified error messages.
20 CVE-2014-8535 Bypass 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to bypass intended restriction on unspecified functionality via unknown vectors.
21 CVE-2014-8534 DoS 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
Unspecified vulnerability in the login form in McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to cause a denial of service via a crafted value in the domain field.
22 CVE-2014-8533 Exec Code 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to execute arbitrary code via vectors related to ICMP redirection.
23 CVE-2014-8532 +Info 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
Unspecified vulnerability in McAfee Network Data Loss Prevention before (NDLP) before 9.3 allows local users to obtain sensitive information and impact integrity via unknown vectors, related to partition mounting.
24 CVE-2014-8531 Exec Code 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
The TLS/SSL Server in McAfee Network Data Loss Prevention (NDLP) before 9.3 uses weak cipher algorithms, which makes it easier for remote authenticated users to execute arbitrary code via unspecified vectors.
25 CVE-2014-8530 DoS +Info 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to obtain sensitive information, affect integrity, or cause a denial of service via unknown vectors, related to simultaneous logins.
26 CVE-2014-8529 +Info 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
McAfee Network Data Loss Prevention (NDLP) before 9.3 stores the SSH key in cleartext, which allows local users to obtain sensitive information via unspecified vectors.
27 CVE-2014-8528 +Info 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
McAfee Network Data Loss Prevention (NDLP) before 9.3 logs session IDs, which allows local users to obtain sensitive information by reading the audit log.
28 CVE-2014-8527 +Info 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local users to obtain sensitive information and affect integrity via vectors related to a "plain text password."
29 CVE-2014-8526 +Info 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local users to obtain sensitive information by reading a Java stack trace.
30 CVE-2014-8525 +Info 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
McAfee Network Data Loss Prevention (NDLP) before 9.3 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
31 CVE-2014-8524 +Info 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
McAfee Network Data Loss Prevention (NDLP) before 9.3 does not disable the autocomplete setting for the password and other fields, which allows remote attackers to obtain sensitive information via unspecified vectors.
32 CVE-2014-8523 CSRF 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
Cross-site request forgery (CSRF) vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
33 CVE-2014-8522 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
The MySQL database in McAfee Network Data Loss Prevention (NDLP) before 9.3 does not require a password, which makes it easier for remote attackers to obtain access.
34 CVE-2014-8521 XSS 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
Cross-site scripting (XSS) vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
35 CVE-2014-8520 +Info 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to obtain sensitive information via vectors related to open network ports.
36 CVE-2014-8519 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to read arbitrary files via unknown vectors.
37 CVE-2014-8518 2014-10-29 2014-10-29
0.0
None ??? ??? ??? ??? ??? ???
The (1) Removable Media or (2) CD and DVD encryption offsite access options (formerly Endpoint Encryption for Removable Media or EERM) in McAfee File and Removable Media Protection (FRP) 4.3.0.x and Endpoint Encryption for Files and Folders (EEFF) 3.2.x through 4.2.x uses weak entropy, which make it easier fo local users to obtain passwords via a brute force attack.
38 CVE-2014-8506 89 Exec Code Sql 2014-10-28 2014-10-28
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Etiko CMS allow remote attackers to execute arbitrary SQL commands via the (1) page_id parameter to loja/index.php or (2) article_id parameter to index.php.
39 CVE-2014-8505 79 XSS 2014-10-28 2014-10-28
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Etiko CMS allow remote attackers to inject arbitrary web script or HTML via the (1) page_id parameter to loja/index.php or (2) article_id parameter to index.php.
40 CVE-2014-8381 79 XSS 2014-10-22 2014-10-23
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Megapolis.Portal Manager allow remote attackers to inject arbitrary web script or HTML via the (1) dateFrom or (2) dateTo parameter.
41 CVE-2014-8380 79 XSS 2014-10-21 2014-10-24
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Splunk 6.1.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer Header in a "404 Not Found" response. NOTE: this vulnerability might exist because of a CVE-2010-2429 regression.
42 CVE-2014-8379 79 XSS 2014-10-21 2014-10-23
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Marketo MA module before 7.x-1.5 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to field titles to the (1) Webform or (2) User sub-modules.
43 CVE-2014-8378 79 XSS 2014-10-21 2014-10-23
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the TableField module 7.x-2.x before 7.x-2.3 allows remote authenticated users with the "administer content types" or "administer taxonomy" permission to inject arbitrary web script or HTML via vectors related to the field help text in an entity edit form.
44 CVE-2014-8377 79 XSS 2014-10-21 2014-10-24
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Webasyst Shop-Script 5.2.2.30933 allows remote attackers to inject arbitrary web script or HTML via the phone number field in a new contact to phpecom/index.php/webasyst/contacts/.
45 CVE-2014-8376 79 XSS 2014-10-21 2014-10-24
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the context administration sub-panel in the Site Banner module before 7.x-4.1 for Drupal allows remote authenticated users with the "Administer contexts" Context UI module permission to inject arbitrary web script or HTML via vectors related to context settings.
46 CVE-2014-8375 89 Exec Code Sql 2014-10-21 2014-10-24
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in GBgallery.php in the GB Gallery Slideshow plugin 1.5 for WordPress allows remote administrators to execute arbitrary SQL commands via the selected_group parameter in a gb_ajax_get_group action to wp-admin/admin-ajax.php.
47 CVE-2014-8366 89 Exec Code Sql 2014-10-20 2014-10-24
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in openSIS 4.5 through 5.3 allows remote attackers to execute arbitrary SQL commands via the Username and password to index.php.
48 CVE-2014-8365 79 XSS 2014-10-20 2014-10-24
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Xornic Contact Us allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) email parameter to contact.php or (3) PATH_INFO to setup.php, related to the "PHP_SELF" variable.
49 CVE-2014-8364 79 XSS 2014-10-20 2014-10-24
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in ss_handler.php in the WordPress Spreadsheet (wpSS) plugin 0.62 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ss_id parameter.
50 CVE-2014-8363 89 Exec Code Sql 2014-10-20 2014-10-24
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in ss_handler.php in the WordPress Spreadsheet (wpSS) plugin 0.62 for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.