| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2014-9350 |
19 |
1
|
DoS |
2014-12-08 |
2017-09-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
TP-Link TL-WR740N 4 with firmware 3.17.0 Build 140520, 3.16.6 Build 130529, and 3.16.4 Build 130205 allows remote attackers to cause a denial of service (httpd crash) via vectors involving a "new" value in the isNew parameter to PingIframeRpm.htm. |
|
2 |
CVE-2014-9349 |
79 |
1
|
XSS |
2014-12-08 |
2017-09-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in admin/robots.lib.php in RobotStats 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) nom or (2) user_agent parameter to admin/robots.php. |
|
3 |
CVE-2014-9348 |
89 |
1
|
Exec Code Sql |
2014-12-08 |
2017-09-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the formulaireRobot function in admin/robots.lib.php in RobotStats 1.0 allows remote attackers to execute arbitrary SQL commands via the robot parameter to admin/robots.php. |
|
4 |
CVE-2014-9347 |
89 |
1
|
Exec Code Sql |
2014-12-08 |
2017-09-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in dosearch.php in phpMyRecipes 1.2.2 allows remote attackers to execute arbitrary SQL commands via the words_exact parameter. |
|
5 |
CVE-2014-9345 |
89 |
1
|
Exec Code Sql |
2014-12-08 |
2014-12-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in Guruperl.net Advertise With Pleasure! Professional (aka AWP PRO) 6.6 and earlier allows remote attackers to execute arbitrary SQL commands via the group_id parameter in a list_zone action to cgi/client.cgi. |
|
6 |
CVE-2014-9322 |
269 |
1
|
+Priv |
2014-12-17 |
2020-08-14 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
arch/x86/kernel/entry_64.S in the Linux kernel before 3.17.5 does not properly handle faults associated with the Stack Segment (SS) segment register, which allows local users to gain privileges by triggering an IRET instruction that leads to access to a GS Base address from the wrong space. |
|
7 |
CVE-2014-9305 |
89 |
1
|
Exec Code Sql |
2014-12-08 |
2014-12-09 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the shortcodeProductsTable function in models/Cart66Ajax.php in the Cart66 Lite plugin before 1.5.2 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a shortcode_products_table action to wp-admin/admin-ajax.php. |
|
8 |
CVE-2014-9258 |
89 |
1
|
Exec Code Sql |
2014-12-19 |
2015-04-18 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in ajax/getDropdownValue.php in GLPI before 0.85.1 allows remote authenticated users to execute arbitrary SQL commands via the condition parameter. |
|
9 |
CVE-2014-9178 |
89 |
1
|
Exec Code Sql |
2014-12-02 |
2018-10-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) vendor_email[] parameter in the email_vendor function or id parameter in the (2) download_project, (3) download_archive, or (4) remove_cat function. |
|
10 |
CVE-2014-9175 |
89 |
1
|
Exec Code Sql |
2014-12-02 |
2017-09-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in wpdatatables.php in the wpDataTables plugin 1.5.3 and earlier for WordPress allows remote attackers to execute arbitrary SQL commands via the table_id parameter in a get_wdtable action to wp-admin/admin-ajax.php. |
|
11 |
CVE-2014-9173 |
89 |
1
|
Exec Code Sql |
2014-12-02 |
2017-09-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in view.php in the Google Doc Embedder plugin before 2.5.15 for WordPress allows remote attackers to execute arbitrary SQL commands via the gpid parameter. |
|
12 |
CVE-2014-9144 |
77 |
1
|
Exec Code |
2014-12-05 |
2018-10-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to execute arbitrary commands via shell metacharacters in the ping field (setobject_ip parameter). |
|
13 |
CVE-2014-9143 |
17 |
1
|
|
2014-12-05 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Open redirect vulnerability in Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the failrefer parameter. |
|
14 |
CVE-2014-9142 |
79 |
1
|
XSS |
2014-12-05 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Technicolor Router TD5130 with firmware 2.05.C29GV allows remote attackers to inject arbitrary web script or HTML via the failrefer parameter. |
|
15 |
CVE-2014-9141 |
264 |
1
|
Exec Code |
2014-12-03 |
2014-12-17 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The installer in Thomson Reuters Fixed Assets CS 13.1.4 and earlier uses weak permissions for connectbgdl.exe, which allows local users to execute arbitrary code by modifying this program. |
|
16 |
CVE-2014-9113 |
264 |
1
|
|
2014-12-02 |
2014-12-15 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
CCH Wolters Kluwer ProSystem fx Engagement (aka PFX Engagement) 7.1 and earlier uses weak permissions (Authenticated Users: Modify and Write) for the (1) Pfx.Engagement.WcfServices, (2) PFXEngDesktopService, (3) PFXSYNPFTService, and (4) P2EWinService service files in PFX Engagement\, which allows local users to obtain LocalSystem privileges via a Trojan horse file. |
|
17 |
CVE-2014-8810 |
89 |
1
|
Exec Code Sql |
2014-12-24 |
2018-10-30 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in ajax/mail_functions.php in the WP Symposium plugin before 14.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the tray parameter in a getMailMessage action. |
|
18 |
CVE-2014-8800 |
79 |
1
|
XSS |
2014-12-05 |
2014-12-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in nextend-facebook-settings.php in the Nextend Facebook Connect plugin before 1.5.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fb_login_button parameter in a newfb_update_options action. |
|
19 |
CVE-2014-8728 |
89 |
1
|
Exec Code Sql |
2014-12-02 |
2014-12-05 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the login page (login/login) in Subex ROC Fraud Management (aka Fraud Management System and FMS) 7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ranger_user[name] parameter. |
|
20 |
CVE-2014-8272 |
|
1
|
Exec Code |
2014-12-19 |
2015-02-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The IPMI 1.5 functionality in Dell iDRAC6 modular before 3.65, iDRAC6 monolithic before 1.98, and iDRAC7 before 1.57.57 does not properly select session ID values, which makes it easier for remote attackers to execute arbitrary commands via a brute-force attack. |
|
21 |
CVE-2014-7285 |
77 |
1
|
Exec Code |
2014-12-17 |
2017-01-03 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts. |
|
22 |
CVE-2014-5284 |
264 |
1
|
+Priv |
2014-12-02 |
2014-12-02 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
host-deny.sh in OSSEC before 2.8.1 writes to temporary files with predictable filenames without verifying ownership, which allows local users to modify access restrictions in hosts.deny and gain root privileges by creating the temporary files before automatic IP blocking is performed. |
|
23 |
CVE-2014-4880 |
119 |
1
|
Exec Code Overflow |
2014-12-08 |
2014-12-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Buffer overflow in Hikvision DVR DS-7204 Firmware 2.2.10 build 131009, and other models and versions, allows remote attackers to execute arbitrary code via an RTSP PLAY request with a long Authorization header. |
|
24 |
CVE-2014-4701 |
200 |
1
|
+Info |
2014-12-05 |
2016-11-28 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The check_dhcp plugin in Nagios Plugins before 2.0.2 allows local users to obtain sensitive information from INI configuration files via the extra-opts flag, a different vulnerability than CVE-2014-4702. |
|
25 |
CVE-2012-1415 |
352 |
1
|
CSRF |
2014-12-28 |
2014-12-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in lib/logout.php in DFLabs PTK 1.0.5 and earlier allows remote attackers to hijack the authentication of administrators or investigators for requests that trigger a logout. |
|
26 |
CVE-2012-1203 |
352 |
1
|
CSRF |
2014-12-28 |
2014-12-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in starnet/index.php in SyndeoCMS 3.0 and earlier allows remote attackers to hijack the authentication of administrators for requests that add user accounts via a save_user action. |
|
27 |
CVE-2011-5284 |
352 |
1
|
CSRF |
2014-12-31 |
2017-09-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the web management interface in httpd/cgi-bin/shutdown.cgi in Smoothwall Express 3.1 and 3.0 SP3 and earlier allows remote attackers to hijack the authentication of administrators for requests that perform a reboot via a request to cgi-bin/shutdown.cgi. |
|
28 |
CVE-2011-5283 |
79 |
1
|
XSS |
2014-12-31 |
2017-09-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the web management interface in httpd/cgi-bin/ipinfo.cgi in Smoothwall Express 3.1 and 3.0 SP3 and earlier allows remote attackers to inject arbitrary web script or HTML via the IP parameter in a Run action. |
|
29 |
CVE-2011-4722 |
22 |
1
|
Dir. Trav. |
2014-12-28 |
2017-08-29 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
Directory traversal vulnerability in the TFTP Server 1.0.0.24 in Ipswitch WhatsUp Gold allows remote attackers to read arbitrary files via a .. (dot dot) in the Filename field of an RRQ operation. |
|
30 |
CVE-2014-9433 |
79 |
|
XSS |
2014-12-31 |
2018-10-09 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in cms/front_content.php in Contenido before 4.9.6, when advanced mod rewrite (AMR) is disabled, allow remote attackers to inject arbitrary web script or HTML via the (1) idart, (2) lang, or (3) idcat parameter. |
|
31 |
CVE-2014-9432 |
79 |
|
XSS |
2014-12-31 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in templates/2k11/admin/overview.inc.tpl in Serendipity before 2.0-rc2 allow remote attackers to inject arbitrary web script or HTML via a blog comment in the QUERY_STRING to serendipity/index.php. |
|
32 |
CVE-2014-9431 |
352 |
|
CSRF |
2014-12-31 |
2017-09-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in Smoothwall Express 3.1 and 3.0 SP3 allow remote attackers to hijack the authentication of administrators for requests that change the (1) admin or (2) dial password via a request to httpd/cgi-bin/changepw.cgi. |
|
33 |
CVE-2014-9430 |
79 |
|
XSS |
2014-12-31 |
2017-09-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in httpd/cgi-bin/vpn.cgi/vpnconfig.dat in Smoothwall Express 3.0 SP3 allows remote attackers to inject arbitrary web script or HTML via the COMMENT parameter in an Add action. |
|
34 |
CVE-2014-9429 |
79 |
|
XSS |
2014-12-31 |
2017-09-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Smoothwall Express 3.1 and 3.0 SP3 allow remote attackers to inject arbitrary web script or HTML via the (1) PROFILENAME parameter in a Save action to httpd/cgi-bin/pppsetup.cgi or (2) COMMENT parameter in an Add action to httpd/cgi-bin/ddns.cgi. |
|
35 |
CVE-2014-9426 |
17 |
|
DoS Mem. Corr. |
2014-12-31 |
2015-03-17 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
** DISPUTED ** The apprentice_load function in libmagic/apprentice.c in the Fileinfo component in PHP through 5.6.4 attempts to perform a free operation on a stack-based character array, which allows remote attackers to cause a denial of service (memory corruption or application crash) or possibly have unspecified other impact via unknown vectors. NOTE: this is disputed by the vendor because the standard erealloc behavior makes the free operation unreachable. |
|
36 |
CVE-2014-9425 |
|
|
DoS |
2014-12-31 |
2018-01-05 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Double free vulnerability in the zend_ts_hash_graceful_destroy function in zend_ts_hash.c in the Zend Engine in PHP through 5.5.20 and 5.6.x through 5.6.4 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. |
|
37 |
CVE-2014-9424 |
|
|
DoS |
2014-12-29 |
2014-12-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Double free vulnerability in the ssl_parse_clienthello_use_srtp_ext function in d1_srtp.c in LibreSSL before 2.1.2 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a certain length-verification error during processing of a DTLS handshake. |
|
38 |
CVE-2014-9420 |
399 |
|
DoS |
2014-12-26 |
2018-01-05 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The rock_continue function in fs/isofs/rock.c in the Linux kernel through 3.18.1 does not restrict the number of Rock Ridge continuation entries, which allows local users to cause a denial of service (infinite loop, and system crash or hang) via a crafted iso9660 image. |
|
39 |
CVE-2014-9419 |
200 |
|
Bypass +Info |
2014-12-26 |
2018-01-05 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address. |
|
40 |
CVE-2014-9418 |
119 |
|
DoS Overflow |
2014-12-24 |
2019-05-20 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The eSpace Meeting ActiveX control (eSpaceStatusCtrl.dll) in Huawei eSpace Desktop before V200R001C03 allows local users to cause a denial of service (memory overflow) via unspecified vectors. |
|
41 |
CVE-2014-9417 |
20 |
|
DoS |
2014-12-24 |
2019-05-20 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The Meeting component in Huawei eSpace Desktop before V100R001C03 allows local users to cause a denial of service (program exit) via a crafted image. |
|
42 |
CVE-2014-9416 |
|
|
Exec Code |
2014-12-24 |
2019-05-20 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple untrusted search path vulnerabilities in Huawei eSpace Desktop before V200R003C00 allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) mfc71enu.dll, (2) mfc71loc.dll, (3) tcapi.dll, or (4) airpcap.dll. |
|
43 |
CVE-2014-9415 |
20 |
|
DoS |
2014-12-24 |
2019-05-20 |
1.9 |
None |
Local |
Medium |
Not required |
None |
None |
Partial |
|
Huawei eSpace Desktop before V100R001C03 allows local users to cause a denial of service (program exit) via a crafted QES file. |
|
44 |
CVE-2014-9414 |
352 |
|
CSRF |
2014-12-24 |
2018-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The W3 Total Cache plugin before 0.9.4.1 for WordPress does not properly handle empty nonces, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and hijack the authentication of administrators for requests that change the mobile site redirect URI via the mobile_groups[*][redirect] parameter and an empty _wpnonce parameter in the w3tc_mobile page to wp-admin/admin.php. |
|
45 |
CVE-2014-9413 |
352 |
|
XSS CSRF |
2014-12-24 |
2017-09-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the IP Ban (simple-ip-ban) plugin 1.2.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) ip_list, (2) user_agent_list, or (3) redirect_url parameter in the simple-ip-ban page to wp-admin/options-general.php. |
|
46 |
CVE-2014-9412 |
79 |
|
XSS |
2014-12-23 |
2021-04-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.1 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary parameter to roma/jsp/debug/debug.jsp or (2) an arbitrary parameter in a debug.DumpAll action to nps/servlet/webacc, a different issue than CVE-2014-5216. |
|
47 |
CVE-2014-9408 |
200 |
|
+Info |
2014-12-19 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 uses part of the MAC address as part of the RC4 setup key, which makes it easier for remote attackers to guess the key via a brute-force attack. |
|
48 |
CVE-2014-9407 |
352 |
|
CSRF |
2014-12-19 |
2014-12-19 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in Revive Adserver before 3.0.5 allow remote attackers to hijack the authentication of administrators for requests that (1) delete data via a request to agency-delete.php, (2) tracker-delete.php, or (3) userlog-delete.php in admin/ or (4) unlink accounts via a request to admin-user-unlink.php. (5) advertiser-user-unlink.php, or (6) affiliate-user-unlink.php in admin/. |
|
49 |
CVE-2014-9406 |
255 |
|
|
2014-12-18 |
2014-12-18 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier has a default password of password for the admin account, which makes it easier for remote attackers to obtain access via a request to home_loggedout.php. |
|
50 |
CVE-2014-9403 |
|
|
DoS |
2014-12-19 |
2015-09-29 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
The CWebAdminMod::ChanPage function in modules/webadmin.cpp in ZNC before 1.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) by adding a channel with the same name as an existing channel but without the leading # character, related to a "use-after-delete" error. |
