CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2014

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-2880 1 2014-04-17 2014-04-17
0.0
None ??? ??? ??? ??? ??? ???
Open redirect vulnerability in Oracle Identity Manager 11g R2 SP1 (11.1.2.1.0) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backUrl parameter in a changepwd action to identity/faces/firstlogin.
2 CVE-2014-2879 XSS 2014-04-17 2014-04-17
0.0
None ??? ??? ??? ??? ??? ???
Multiple cross-site scripting (XSS) vulnerabilities in Dell SonicWALL Email Security 7.4.5 and earlier allow remote authenticated administrators to inject arbitrary web script or HTML via (1) the uploadPatch parameter to the System/Advanced page (settings_advanced.html) or (2) the uploadLicenses parameter in the License management (settings_upload_dlicense.html) page.
3 CVE-2014-2874 78 Exec Code 2014-04-15 2014-04-16
10.0
None Remote Low Not required Complete Complete Complete
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to execute arbitrary code via shell metacharacters in an unspecified context.
4 CVE-2014-2873 200 +Info 2014-04-15 2014-04-16
5.0
None Remote Low Not required Partial None None
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 does not require authentication for access to log files, which allows remote attackers to obtain sensitive server information by using a predictable name in a request for a file.
5 CVE-2014-2872 200 +Info 2014-04-15 2014-04-16
5.0
None Remote Low Not required Partial None None
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to obtain potentially sensitive information from a directory listing via unspecified vectors.
6 CVE-2014-2871 200 +Info 2014-04-15 2014-04-16
5.0
None Remote Low Not required Partial None None
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 relies on an HTTP session for entering credentials on login pages, which allows remote attackers to obtain sensitive information by sniffing the network.
7 CVE-2014-2870 255 +Info 2014-04-15 2014-04-16
5.0
None Remote Low Not required Partial None None
The default configuration of PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 uses cleartext for storage of credentials in a database, which makes it easier for context-dependent attackers to obtain sensitive information via unspecified vectors.
8 CVE-2014-2869 200 +Info 2014-04-15 2014-04-16
5.0
None Remote Low Not required Partial None None
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to obtain sensitive information via requests to unspecified URIs, as demonstrated by pathname, SQL server, e-mail address, and IP address information.
9 CVE-2014-2868 Exec Code 2014-04-15 2014-04-16
7.5
None Remote Low Not required Partial Partial Partial
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to modify the flow of execution of ColdFusion code by using an HTTP GET request to set a ColdFusion variable.
10 CVE-2014-2867 Exec Code 2014-04-15 2014-04-16
10.0
None Remote Low Not required Complete Complete Complete
Unrestricted file upload vulnerability in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to execute arbitrary code by uploading a ColdFusion page, and then accessing it via unspecified vectors.
11 CVE-2014-2866 94 2014-04-15 2014-04-16
10.0
None Remote Low Not required Complete Complete Complete
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 relies on client JavaScript code for access restrictions, which allows remote attackers to perform unspecified operations by modifying this code.
12 CVE-2014-2865 264 Bypass 2014-04-15 2014-04-16
7.5
None Remote Low Not required Partial Partial Partial
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to bypass intended access restrictions via a '\0' character, as demonstrated by using this character within a pathname on the drive containing the web root directory of a ColdFusion installation.
13 CVE-2014-2864 22 Dir. Trav. 2014-04-15 2014-04-16
10.0
None Remote Low Not required Complete Complete Complete
Multiple directory traversal vulnerabilities in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allow remote attackers to have an unspecified impact via a filename parameter containing directory traversal sequences.
14 CVE-2014-2863 22 Dir. Trav. 2014-04-15 2014-04-16
10.0
None Remote Low Not required Complete Complete Complete
Multiple absolute path traversal vulnerabilities in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allow remote attackers to have an unspecified impact via a full pathname in a parameter.
15 CVE-2014-2862 264 2014-04-15 2014-04-16
6.5
None Remote Low Single system Partial Partial Partial
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 does not check authorization in unspecified situations, which allows remote authenticated users to perform actions via unknown vectors.
16 CVE-2014-2861 XSS Bypass 2014-04-15 2014-04-16
4.3
None Remote Medium Not required None Partial None
Incomplete blacklist vulnerability in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string, as demonstrated by bypassing a protection mechanism that removes only the "alert" string.
17 CVE-2014-2860 79 XSS 2014-04-15 2014-04-16
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allow remote attackers to inject arbitrary web script or HTML via a crafted HTTP request to a (1) ColdFusion or (2) JavaScript component.
18 CVE-2014-2859 264 Bypass 2014-04-15 2014-04-16
7.5
None Remote Low Not required Partial Partial Partial
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 allows remote attackers to bypass intended access restrictions via a direct request.
19 CVE-2014-2858 22 Dir. Trav. +Info 2014-04-15 2014-04-16
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 through 2.3.6 allows remote attackers to obtain sensitive information via unspecified vectors related to a "configured block." NOTE: this issue was SPLIT from CVE-2014-0053 per ADT2 due to different vulnerability types.
20 CVE-2014-2857 264 +Info 2014-04-15 2014-04-16
5.0
None Remote Low Not required Partial None None
The default configuration of the Resources plugin 1.0.0 before 1.2.6 for Pivotal Grails 2.0.0 through 2.3.6 does not properly restrict access to files in the META-INF directory, which allows remote attackers to obtain sensitive information via a direct request. NOTE: this issue was SPLIT from CVE-2014-0053 due to different researchers per ADT5.
21 CVE-2014-2852 20 DoS 2014-04-14 2014-04-15
5.0
None Remote Low Not required None None Partial
OpenAFS before 1.6.7 delays the listen thread when an RXS_CheckResponse fails, which allows remote attackers to cause a denial of service (performance degradation) via an invalid packet.
22 CVE-2014-2851 189 DoS Overflow +Priv 2014-04-14 2014-04-15
6.9
None Local Medium Not required Complete Complete Complete
Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter.
23 CVE-2014-2850 78 1 Exec Code 2014-04-11 2014-04-14
8.5
None Remote Medium Single system Complete Complete Complete
The network interface configuration page (netinterface) in Sophos Web Appliance before 3.8.2 allows remote administrators to execute arbitrary commands via shell metacharacters in the address parameter.
24 CVE-2014-2849 264 1 2014-04-11 2014-04-14
8.5
None Remote Low Single system None Complete Complete
The Change Password dialog box (change_password) in Sophos Web Appliance before 3.8.2 allows remote authenticated users to change the admin user password via a crafted request.
25 CVE-2014-2848 362 +Priv 2014-04-11 2014-04-14
6.9
None Local Medium Not required Complete Complete Complete
A race condition in the wmi_malware_scan.nbin plugin before 201402262215 for Nessus 5.2.1 allows local users to gain privileges by replacing the dissolvable agent executable in the Windows temp directory with a Trojan horse program.
26 CVE-2014-2847 89 1 Exec Code Sql 2014-04-11 2014-04-14
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in default.asp in CIS Manager CMS allows remote attackers to execute arbitrary SQL commands via the TroncoID parameter.
27 CVE-2014-2842 399 DoS 2014-04-15 2014-04-16
7.8
None Remote Low Not required None None Complete
Juniper ScreenOS 6.3 and earlier allows remote attackers to cause a denial of service (crash and restart or failover) via a malformed SSL/TLS packet.
28 CVE-2014-2829 264 DoS 2014-04-10 2014-04-11
7.8
None Remote Low Not required None None Complete
Erlang Solutions MongooseIM through 1.3.1 rev. 2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.
29 CVE-2014-2828 287 DoS 2014-04-15 2014-04-16
5.0
None Remote Low Not required None None Partial
The V3 API in OpenStack Identity (Keystone) 2013.1 before 2013.2.4 and icehouse before icehouse-rc2 allows remote attackers to cause a denial of service (CPU consumption) via a large number of the same authentication method in a request, aka "authentication chaining."
30 CVE-2014-2752 255 2014-04-10 2014-04-11
7.5
None Remote Low Not required Partial Partial Partial
SAP Business Object Processing Framework (BOPF) for ABAP has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.
31 CVE-2014-2751 255 2014-04-10 2014-04-11
7.5
None Remote Low Not required Partial Partial Partial
SAP Print and Output Management has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.
32 CVE-2014-2750 20 DoS 2014-04-10 2014-04-11
4.3
None Remote Medium Not required None None Partial
Prosody before 0.9.4, when mod_compression is enabled, allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka "zip bomb" attack.
33 CVE-2014-2749 200 +Info 2014-04-10 2014-04-11
5.0
None Remote Low Not required Partial None None
The HANA ICM process in SAP HANA allows remote attackers to obtain the platform version, host name, instance number, and possibly other sensitive information via a malformed HTTP GET request.
34 CVE-2014-2748 264 2014-04-10 2014-04-11
7.5
None Remote Low Not required Partial Partial Partial
The Security Audit Log facility in SAP Enhancement Package (EHP) 6 for SAP ERP 6.0 allows remote attackers to modify or delete arbitrary log classes via unspecified vectors. NOTE: some of these details are obtained from third party information.
35 CVE-2014-2746 264 DoS 2014-04-10 2014-04-11
7.8
None Remote Low Not required None None Complete
net/IOService.java in Tigase before 5.2.1 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.
36 CVE-2014-2745 264 DoS 2014-04-10 2014-04-11
7.8
None Remote Low Not required None None Complete
Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack, related to core/portmanager.lua and util/xmppstream.lua.
37 CVE-2014-2744 20 DoS 2014-04-10 2014-04-11
7.8
None Remote Low Not required None None Complete
plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.
38 CVE-2014-2743 264 DoS 2014-04-10 2014-04-11
7.8
None Remote Low Not required None None Complete
plugins/mod_compression.lua in Lightwitch Metronome through 3.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.
39 CVE-2014-2742 264 DoS 2014-04-10 2014-04-11
7.8
None Remote Low Not required None None Complete
Isode M-Link before 16.0v7 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.
40 CVE-2014-2741 264 DoS 2014-04-10 2014-04-11
7.8
None Remote Low Not required None None Complete
Ignite Realtime Openfire before 3.9.2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.
41 CVE-2014-2739 20 DoS 2014-04-14 2014-04-15
4.6
None Local Network High Not required None None Complete
The cma_req_handler function in drivers/infiniband/core/cma.c in the Linux kernel 3.14.x through 3.14.1 attempts to resolve an RDMA over Converged Ethernet (aka RoCE) address that is properly resolved within a different module, which allows remote attackers to cause a denial of service (incorrect pointer dereference and system crash) via crafted network traffic.
42 CVE-2014-2730 399 DoS 2014-04-05 2014-04-07
5.0
None Remote Low Not required None None Partial
The XML parser in Microsoft Office 2007 SP3, 2010 SP1 and SP2, and 2013, and Office for Mac 2011, does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory consumption and persistent application hang) via a crafted XML document containing a large number of nested entity references, as demonstrated by a crafted text/plain e-mail message to Outlook, a similar issue to CVE-2003-1564.
43 CVE-2014-2714 20 DoS 2014-04-14 2014-04-15
7.1
None Remote Medium Not required None None Complete
The Enhanced Web Filtering (EWF) in Juniper Junos before 10.4R15, 11.4 before 11.4R9, 12.1 before 12.1R7, 12.1X44 before 12.1X44-D20, 12.1X45 before 12.1X45-D10, and 12.1X46 before 12.1X46-D10, as used in the SRX Series services gateways, allows remote attackers to cause a denial of service (flow daemon crash and restart) via a crafted URL.
44 CVE-2014-2713 DoS 2014-04-14 2014-04-15
5.0
None Remote Low Not required None None Partial
Juniper Junos before 11.4R11, 12.1 before 12.1R9, 12.2 before 12.2R7, 12.3R4 before 12.3R4-S3, 13.1 before 13.1R4, 13.2 before 13.2R2, and 13.3 before 13.3R1, as used in MX Series and T4000 routers, allows remote attackers to cause a denial of service (PFE restart) via a crafted IP packet to certain (1) Trio or (2) Cassis-based Packet Forwarding Engine (PFE) modules.
45 CVE-2014-2712 79 XSS 2014-04-14 2014-04-15
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in J-Web in Juniper Junos before 10.0S25, 10.4before 10.4R10, 11.4 before 11.4R11, 12.1 before 12.1R9, 12.1X44 before 12.1X44-D30, 12.1X45 before 12.1X45-D20, 12.1X46 before 12.1X46-D10, and 12.2 before 12.2R1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to index.php.
46 CVE-2014-2711 79 XSS 2014-04-14 2014-04-15
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in J-Web in Juniper Junos before 11.4R11, 11.4X27 before 11.4X27.62 (BBE), 12.1 before 12.1R9, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.2 before 12.2R7, 12.3 before 12.3R6, 13.1 before 13.1R4, 13.2 before 13.2R3, and 13.3 before 13.3R1 allows remote attackers to inject arbitrary web script or HTML via unspecified.
47 CVE-2014-2708 89 Exec Code Sql 2014-04-10 2014-04-11
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in graph_xport.php in Cacti 0.8.8b allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
48 CVE-2014-2707 Exec Code 2014-04-17 2014-04-17
0.0
None ??? ??? ??? ??? ??? ???
cups-browsed in cups-filters 1.0.41 before 1.0.51 in allows remote IPP printers to execute arbitrary commands via shell metacharacters in the (1) model or (2) PDL, related to "System V interface scripts generated for queues."
49 CVE-2014-2706 362 DoS 2014-04-14 2014-04-15
7.1
None Remote Medium Not required None None Complete
Race condition in the mac80211 subsystem in the Linux kernel before 3.13.7 allows remote attackers to cause a denial of service (system crash) via network traffic that improperly interacts with the WLAN_STA_PS_STA state (aka power-save mode), related to sta_info.c and tx.c.
50 CVE-2014-2690 264 2014-04-15 2014-04-16
2.1
None Local Low Not required Partial None None
Citrix VDI-in-a-Box 5.3.x before 5.3.6 and 5.4.x before 5.4.3 allows local users to obtain administrator credentials by reading the log.
Total number of vulnerabilities : 1955   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.