CVEdetails.com the ultimate security vulnerability data source
Security Vulnerabilities Published In October 2014 (CVSS score >= 5)

Each entry below gives the CVE ID, the CWE ID and vulnerability type(s), the publish and update dates, then the CVSS v2 base score with its access vector, access complexity and authentication requirement and the confidentiality / integrity / availability impacts, then the NVD description. The "gained access level" column is None for every entry on this page, and the "# of exploits" column is empty except for CVE-2014-8295 (1).

1. CVE-2014-8766 | CWE-89 | code execution, SQL injection | published 2014-10-14, updated 2017-09-08
   CVSS 7.5: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   Multiple SQL injection vulnerabilities in Allomani Weblinks 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter in a browse action to index.php or (2) unspecified parameters to admin.php.

2. CVE-2014-8764 | CWE-287 | bypass | published 2014-10-22, updated 2016-07-15
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. None / Integ. Partial / Avail. None
   DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind.

3. CVE-2014-8763 | CWE-287 | bypass | published 2014-10-22, updated 2016-07-15
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. None / Integ. Partial / Avail. None
   DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind.

4. CVE-2014-8762 | CWE-200 | information disclosure | published 2014-10-22, updated 2016-04-04
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. Partial / Integ. None / Avail. None
   The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter.

5. CVE-2014-8761 | CWE-200 | information disclosure | published 2014-10-22, updated 2015-09-10
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. Partial / Integ. None / Avail. None
   inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call.

6. CVE-2014-8760 | CWE-310 | (no type listed) | published 2014-10-25, updated 2015-09-10
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. Partial / Integ. None / Avail. None
   ejabberd before 2.1.13 does not enforce the starttls_required setting when compression is used, which causes clients to establish connections without encryption.

7. CVE-2014-8756 | CWE n/a | code execution | published 2014-10-17, updated 2021-11-09
   CVSS 6.8: Remote, Medium complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   The NcrCtl4.NcrNet.1 control in Panasonic Network Camera Recorder before 4.04R03 allows remote attackers to execute arbitrary code via a crafted GetVOLHeader method call, which writes null bytes to an arbitrary address.

8. CVE-2014-8755 | CWE-20 | code execution | published 2014-10-17, updated 2014-12-16
   CVSS 6.8: Remote, Medium complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   Panasonic Network Camera View 3 and 4 allows remote attackers to execute arbitrary code via a crafted page, which triggers an invalid pointer dereference, related to "the ability to nullify an arbitrary address in memory."

9. CVE-2014-8750 | CWE-362 | (no type listed) | published 2014-10-15, updated 2018-11-16
   CVSS 6.5: Remote, Low complexity, single authentication; Conf. Partial / Integ. Partial / Avail. Partial
   Race condition in the VMware driver in OpenStack Compute (Nova) before 2014.1.4 and 2014.2 before 2014.2rc1 allows remote authenticated users to access unintended consoles by spawning an instance that triggers the same VNC port to be allocated to two different instances.

10. CVE-2014-8538 | CWE-310 | information disclosure | published 2014-10-29, updated 2014-11-14
   CVSS 5.4: Adjacent network, Medium complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   The Hijab Modern (aka com.Aisyaidea.HijabModern) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

11. CVE-2014-8533 | CWE n/a | code execution | published 2014-10-29, updated 2014-10-30
   CVSS 7.5: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to execute arbitrary code via vectors related to ICMP redirection.

12. CVE-2014-8531 | CWE-310 | code execution | published 2014-10-29, updated 2017-09-08
   CVSS 6.5: Remote, Low complexity, single authentication; Conf. Partial / Integ. Partial / Avail. Partial
   The TLS/SSL Server in McAfee Network Data Loss Prevention (NDLP) before 9.3 uses weak cipher algorithms, which makes it easier for remote authenticated users to execute arbitrary code via unspecified vectors.

13. CVE-2014-8530 | CWE n/a | denial of service, information disclosure | published 2014-10-29, updated 2014-10-30
   CVSS 7.5: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to obtain sensitive information, affect integrity, or cause a denial of service via unknown vectors, related to simultaneous logins.

14. CVE-2014-8525 | CWE-200 | information disclosure | published 2014-10-29, updated 2017-09-08
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. Partial / Integ. None / Avail. None
   McAfee Network Data Loss Prevention (NDLP) before 9.3 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
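A check for the class of issue in CVE-2014-8525 (a session cookie issued without HttpOnly), added here as an example; it is not code from McAfee or CVEdetails. It parses raw Set-Cookie headers the way a proxy would capture them and reports session-looking cookies that lack HttpOnly, Secure or SameSite, that combine SameSite=None with no Secure flag, or that have been made persistent. The sample headers and cookie names are constructed for the demo and are not taken from NDLP.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure / SameSite."""
import re

# Names that usually carry a session or credential; other cookies are only
# reported when session_only=False.
SESSION_NAME_RE = re.compile(r"sess|sid|auth|token|login", re.IGNORECASE)


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attr: value}).

    Attribute names are lower-cased so HttpOnly/httponly compare equal;
    flag attributes (Secure, HttpOnly) map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(headers, session_only=True):
    """Return {cookie_name: [finding, ...]} for cookies that fall short.

    "missing HttpOnly" is the CVE-2014-8525 shape: any script running in the
    origin (an XSS, a malicious include) can read the cookie with
    document.cookie.
    """
    findings = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if session_only and not SESSION_NAME_RE.search(name):
            continue
        problems = []
        if "httponly" not in attrs:
            problems.append("missing HttpOnly")
        if "secure" not in attrs:
            problems.append("missing Secure")
        samesite = attrs.get("samesite")
        if samesite is None:
            problems.append("missing SameSite")
        elif samesite.lower() == "none" and "secure" not in attrs:
            problems.append("SameSite=None without Secure")  # browsers drop it
        if "expires" in attrs or "max-age" in attrs:
            problems.append("persistent (Expires/Max-Age set)")
        if problems:
            findings[name] = problems
    return findings


# Constructed sample: what a proxy might capture from a login response.
SAMPLE_HEADERS = [
    "JSESSIONID=7F3A9C2E; Path=/",                               # CVE-2014-8525 shape
    "authid=abc123; Path=/; Secure; SameSite=None",               # still script-readable
    "theme=dark; Path=/; Max-Age=31536000",                       # preference, not a credential
    "sid=9e1f; Path=/; Secure; HttpOnly; SameSite=Strict",        # clean
]

if __name__ == "__main__":
    for cookie, problems in audit_set_cookie(SAMPLE_HEADERS).items():
        print(f"{cookie}: {', '.join(problems)}")
```

Run with `session_only=False` to report every cookie; the name heuristic only decides which cookies are treated as credentials, not what is checked.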
15. CVE-2014-8524 | CWE-200 | information disclosure | published 2014-10-29, updated 2014-10-30
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. Partial / Integ. None / Avail. None
   McAfee Network Data Loss Prevention (NDLP) before 9.3 does not disable the autocomplete setting for the password and other fields, which allows remote attackers to obtain sensitive information via unspecified vectors.

16. CVE-2014-8523 | CWE-352 | CSRF | published 2014-10-29, updated 2014-10-30
   CVSS 6.8: Remote, Medium complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   Cross-site request forgery (CSRF) vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

17. CVE-2014-8522 | CWE-287 | (no type listed) | published 2014-10-29, updated 2014-10-30
   CVSS 7.5: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   The MySQL database in McAfee Network Data Loss Prevention (NDLP) before 9.3 does not require a password, which makes it easier for remote attackers to obtain access.

18. CVE-2014-8520 | CWE-200 | information disclosure | published 2014-10-29, updated 2017-09-08
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. Partial / Integ. None / Avail. None
   McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to obtain sensitive information via vectors related to open network ports.

19. CVE-2014-8509 | CWE-119 | code execution, overflow | published 2014-10-31, updated 2014-11-03
   CVSS 7.5: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   The lazy_bdecode function in BitTorrent bootstrap-dht (aka Bootstrap) allows remote attackers to execute arbitrary code via a crafted packet, which triggers an out-of-bounds read, related to "Improper Indexing."

20. CVE-2014-8506 | CWE-89 | code execution, SQL injection | published 2014-10-28, updated 2017-09-08
   CVSS 7.5: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   Multiple SQL injection vulnerabilities in Etiko CMS allow remote attackers to execute arbitrary SQL commands via the (1) page_id parameter to loja/index.php or (2) article_id parameter to index.php.

21. CVE-2014-8495 | CWE-310 | information disclosure | published 2014-10-31, updated 2017-09-08
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. Partial / Integ. None / Avail. None
   Citrix XenMobile MDX Toolkit before 9.0.4, when used to wrap iOS 8 applications, does not properly encrypt cached application data, which allows context-dependent attackers to obtain sensitive information by reading the cache.

22. CVE-2014-8375 | CWE-89 | code execution, SQL injection | published 2014-10-21, updated 2015-08-06
   CVSS 6.5: Remote, Low complexity, single authentication; Conf. Partial / Integ. Partial / Avail. Partial
   SQL injection vulnerability in GBgallery.php in the GB Gallery Slideshow plugin 1.5 for WordPress allows remote administrators to execute arbitrary SQL commands via the selected_group parameter in a gb_ajax_get_group action to wp-admin/admin-ajax.php.

23. CVE-2014-8366 | CWE-89 | code execution, SQL injection | published 2014-10-20, updated 2020-09-03
   CVSS 7.5: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   SQL injection vulnerability in openSIS 4.5 through 5.3 allows remote attackers to execute arbitrary SQL commands via the Username and password to index.php.

24. CVE-2014-8363 | CWE-89 | code execution, SQL injection | published 2014-10-20, updated 2014-10-25
   CVSS 7.5: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   SQL injection vulnerability in ss_handler.php in the WordPress Spreadsheet (wpSS) plugin 0.62 for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter.

25. CVE-2014-8346 | CWE-94 | denial of service | published 2014-10-24, updated 2014-10-24
   CVSS 7.8: Remote, Low complexity, no authentication; Conf. None / Integ. None / Avail. Complete
   The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

26. CVE-2014-8334 | CWE-78 | code execution | published 2014-10-31, updated 2018-10-09
   CVSS 6.5: Remote, Low complexity, single authentication; Conf. Partial / Integ. Partial / Avail. Partial
   The WP-DBManager (aka Database Manager) plugin before 2.7.2 for WordPress allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) $backup['filepath'] (aka "Path to Backup:" field) or (2) $backup['mysqldumppath'] variable.

27. CVE-2014-8331 | CWE-352 | CSRF | published 2014-10-20, updated 2017-09-08
   CVSS 6.8: Remote, Medium complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3236 before E3276sTCPU-V200R002B470D13SP00C00 and E3276sWebUI-V100R007B100D03SP01C03 and E3276 before E3236sTCPU-V200R002B146D41SP00C00 and E3236sWebUI-V100R007B100D03SP01C03 allow remote attackers to hijack the authentication of administrators for requests that (1) change configuration settings or (2) use device functions.

28. CVE-2014-8329 | CWE-287 | information disclosure | published 2014-10-20, updated 2014-10-23
   CVSS 10.0: Remote, Low complexity, no authentication; Conf. Complete / Integ. Complete / Avail. Complete
   Schrack Technik microControl with firmware before 1.7.0 (937) stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain access data for the ftp and telnet services via a direct request for ZTPUsrDtls.txt.

29. CVE-2014-8325 | CWE-399 | denial of service | published 2014-10-22, updated 2014-10-23
   CVSS 7.8: Remote, Low complexity, no authentication; Conf. None / Integ. None / Avail. Complete
   The Calendar Base (cal) extension before 1.5.9 and 1.6.x before 1.6.1 for TYPO3 allows remote attackers to cause a denial of service (resource consumption) via vectors related to the PHP PCRE library.

30. CVE-2014-8316 | CWE n/a | (no type listed) | published 2014-10-16, updated 2018-10-09
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. Partial / Integ. None / Avail. None
   XML External Entity (XXE) vulnerability in polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 allows remote attackers to read arbitrary files via the xmlParameter parameter in an explorationSpaceUpdate request.

31. CVE-2014-8315 | CWE-200 | information disclosure | published 2014-10-16, updated 2018-10-09
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. Partial / Integ. None / Avail. None
   polestar_xml.jsp in SAP BusinessObjects Explorer 14.0.5 build 882 replies with different timing depending on whether a connection can be made, which allows remote attackers to conduct port scanning attacks via a host name and port in the cms parameter.

32. CVE-2014-8313 | CWE-94 | code execution | published 2014-10-16, updated 2018-10-09
   CVSS 6.0: Remote, Medium complexity, single authentication; Conf. Partial / Integ. Partial / Avail. Partial
   Eval injection in ide/core/base/server/net.xsjs in the Developer Workbench in SAP HANA allows remote attackers to execute arbitrary XSJS (server-side JavaScript) code via unspecified vectors.

33. CVE-2014-8310 | CWE-20 | denial of service | published 2014-10-16, updated 2018-10-09
   CVSS 7.1: Remote, Medium complexity, no authentication; Conf. None / Integ. None / Avail. Complete
   The CMS CORBA listener in SAP BusinessObjects BI Edge 4.0 allows remote attackers to cause a denial of service (server shutdown) via a crafted OSCAFactory::Session ORB message.

34. CVE-2014-8309 | CWE-200 | information disclosure | published 2014-10-16, updated 2018-10-09
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. Partial / Integ. None / Avail. None
   SAP BusinessObjects 4.0 and BusinessObjects XI (BOXI) R2 and 3.1 generates error messages for a failed logon attempt with different time delays depending on whether the user account exists, which allows remote attackers to enumerate valid usernames via SecEnterprise authentication requests to the Session web service.

35. CVE-2014-8306 | CWE-89 | code execution, SQL injection | published 2014-10-16, updated 2014-12-16
   CVSS 7.5: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   SQL injection vulnerability in the sql_query function in cart.php in C97net Cart Engine before 4.0 allows remote attackers to execute arbitrary SQL commands via the item_id variable, as demonstrated by the (1) item_id[0] or (2) item_id[] parameter.

36. CVE-2014-8305 | CWE n/a | (no type listed) | published 2014-10-16, updated 2014-12-16
   CVSS 6.4: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. None
   Open redirect vulnerability in the redir function in includes/function.php in C97net Cart Engine before 4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header to (1) index.php, (2) cart.php, (3) msg.php, or (4) page.php.

37. CVE-2014-8295 | CWE-89 | code execution, SQL injection | 1 public exploit | published 2014-10-15, updated 2014-10-22
   CVSS 7.5: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   SQL injection vulnerability in joblogs.php in Bacula-Web 5.2.10 allows remote attackers to execute arbitrary SQL commands via the jobid parameter.

38. CVE-2014-8294 | CWE-89 | code execution, SQL injection | published 2014-10-15, updated 2014-10-22
   CVSS 7.5: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   Multiple SQL injection vulnerabilities in Voice Of Web AllMyGuests 0.4.1 allow remote attackers to execute arbitrary SQL commands via the (1) allmyphp_cookie cookie to admin.php or the (2) Username or (3) Password.

39. CVE-2014-8240 | CWE-119 | denial of service, code execution, overflow | published 2014-10-16, updated 2017-09-08
   CVSS 7.5: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   Integer overflow in TigerVNC allows remote VNC servers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to screen size handling, which triggers a heap-based buffer overflow, a similar issue to CVE-2014-6051.

40. CVE-2014-8088 | CWE-287 | bypass | published 2014-10-22, updated 2017-11-04
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. None / Integ. Partial / Avail. None
   The (1) Zend_Ldap class in Zend before 1.12.9 and (2) Zend\Ldap component in Zend 2.x before 2.2.8 and 2.3.x before 2.3.3 allows remote attackers to bypass authentication via a password starting with a null byte, which triggers an unauthenticated bind.
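The null-byte bind bypass behind the two DokuWiki entries (CVE-2014-8763, CVE-2014-8764) and the Zend_Ldap entry (CVE-2014-8088) modelled end to end, added here as an example; it is not code from DokuWiki, Zend Framework or CVEdetails. No directory is contacted: a toy server stands in for LDAP and models the two behaviours whose combination is the bypass, RFC 4513's "unauthenticated" bind (non-empty name, empty password, accepted by Active Directory by default and granting no identity) and C string truncation (PHP's ldap_bind() passes credentials to libldap as char*, so everything after the first NUL is dropped). The account suffix, the sample user and its password are constructed for the demo.

```python
"""Model of the null-byte / empty-password LDAP bind bypass and its fix."""

SUCCESS = "success"
SUCCESS_ANON = "success (no identity)"
INVALID_CREDENTIALS = "invalidCredentials"
UNWILLING = "unwillingToPerform"


class FakeLdapServer:
    """Toy directory mapping bind name -> password (demo stand-in)."""

    def __init__(self, users, allow_unauthenticated_bind=True):
        self.users = users
        # Server-side mitigation: AD and OpenLDAP can be configured to refuse
        # empty-password binds instead of treating them as anonymous.
        self.allow_unauthenticated_bind = allow_unauthenticated_bind

    def simple_bind(self, name, password):
        if name == "":
            return SUCCESS_ANON                       # anonymous bind
        if password == "":
            # Unauthenticated bind, RFC 4513 section 5.1.2: "success", but the
            # session carries no identity.
            return SUCCESS_ANON if self.allow_unauthenticated_bind else UNWILLING
        if self.users.get(name) == password:
            return SUCCESS                            # authenticated bind
        return INVALID_CREDENTIALS


def c_truncate(s):
    """What a char* carries: nothing past the first NUL."""
    return s.split("\0", 1)[0]


def bind_name(user):
    # AD-style user principal name; the suffix is a demo value, real code
    # takes it from configuration (adLDAP appends an account suffix).
    return user + "@example.org"


def vulnerable_login(server, user, password):
    """Pre-fix flow: bind with what the client sent; any success is a login."""
    result = server.simple_bind(c_truncate(bind_name(user)), c_truncate(password))
    return result.startswith("success")


def hardened_login(server, user, password):
    """Shape of the fixes: refuse empty or NUL-bearing input before binding,
    then accept only an authenticated result."""
    if not user or not password or "\0" in user or "\0" in password:
        return False
    return server.simple_bind(bind_name(user), password) == SUCCESS


DIRECTORY = FakeLdapServer({"alice@example.org": "correct horse battery"})

if __name__ == "__main__":
    cases = [
        ("alice", "correct horse battery"),   # legitimate
        ("alice", "wrong"),                   # rejected either way
        ("alice", "\0anything"),              # CVE-2014-8763 / CVE-2014-8088 shape
        ("\0alice", "\0anything"),            # CVE-2014-8764 shape: name truncates to ""
    ]
    for user, pw in cases:
        print(repr(user), repr(pw),
              "vulnerable:", vulnerable_login(DIRECTORY, user, pw),
              "hardened:", hardened_login(DIRECTORY, user, pw))
```

Note that the server-side switch only closes the password case: with `allow_unauthenticated_bind=False` a NUL-prefixed password is refused, but a NUL-prefixed user name still truncates to an empty name and an anonymous bind, so the client-side check on both fields is what actually fixes the bug.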
41. CVE-2014-8082 | CWE-200 | information disclosure | published 2014-10-31, updated 2018-10-09
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. Partial / Integ. None / Avail. None
   lib/functions/database.class.php in TestLink before 1.9.13 allows remote attackers to obtain sensitive information via unspecified vectors, which reveals the installation path in an error message.

42. CVE-2014-8081 | CWE-94 | code execution | published 2014-10-31, updated 2018-10-09
   CVSS 7.5: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   lib/execute/execSetResults.php in TestLink before 1.9.13 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the filter_result_result parameter.

43. CVE-2014-8074 | CWE-119 | code execution, overflow | published 2014-10-17, updated 2016-04-04
   CVSS 6.8: Remote, Medium complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   Buffer overflow in the SetLogFile method in Foxit.FoxitPDFSDKProCtrl.5 in Foxit PDF SDK ActiveX 2.3 through 5.0.1820 before 5.0.2.924 allows remote attackers to execute arbitrary code via a long string, related to global variables.

44. CVE-2014-8073 | CWE-352 | CSRF | published 2014-10-23, updated 2017-09-08
   CVSS 6.8: Remote, Medium complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   Cross-site request forgery (CSRF) vulnerability in OpenMRS 2.1 Standalone Edition allows remote attackers to hijack the authentication of administrators for requests that add a new user via a Save User action to admin/users/user.form.

45. CVE-2014-8070 | CWE n/a | (no type listed) | published 2014-10-14, updated 2014-10-21
   CVSS 6.8: Remote, Medium complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   Open redirect vulnerability in YOOtheme Pagekit CMS 0.8.7 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to index.php/user/logout.
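A redirect-target validator of the kind both open-redirect entries on this page need (CVE-2014-8305 trusts the HTTP Referer, CVE-2014-8070 trusts a redirect parameter; in both cases the value comes from the attacker's link or page), added here as an example and not code from C97net, YOOtheme or CVEdetails. It allows only a same-site path or an absolute HTTPS URL to a listed host and rejects the usual bypasses (protocol-relative `//evil`, backslash variants browsers normalise to `//`, `https://good@evil` userinfo tricks, non-HTTP schemes, CR/LF for header injection). The allowed host set and the URLs it is exercised with are placeholders.

```python
"""Validate a redirect target before it goes into a Location header."""
from urllib.parse import urlsplit


def is_safe_redirect(target, allowed_hosts, require_https=True):
    """True only for a same-site path or an absolute URL to an allowed host."""
    # Backslash is treated as "/" by browsers; CR/LF/tab enable header
    # injection or confuse the parser. Reject all of them up front.
    if not target or any(c in target for c in "\\\r\n\t"):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: require a single leading slash. "//host" is
        # protocol-relative and "///host" is normalised to it by some browsers;
        # both have an empty-or-foreign netloc and are rejected here.
        return target.startswith("/") and not target.startswith("//")
    schemes = ("https",) if require_https else ("http", "https")
    if parts.scheme.lower() not in schemes:
        return False                    # javascript:, data:, mailto:, ...
    # hostname drops userinfo and port, so "https://good@evil" yields "evil"
    # and "https://good.example.evil" is compared whole, not by prefix.
    return (parts.hostname or "").lower() in {h.lower() for h in allowed_hosts}


def resolve_redirect(requested, allowed_hosts, fallback="/"):
    """The value that actually goes into Location: requested if safe, else fallback."""
    return requested if is_safe_redirect(requested, allowed_hosts) else fallback


# Placeholder site and a mix of legitimate and hostile targets.
ALLOWED_HOSTS = {"shop.example"}
PROBES = [
    "/cart.php?id=3",
    "https://shop.example/page.php",
    "//evil.example/",
    "/\\evil.example",
    "https://shop.example@evil.example/",
    "https://shop.example.evil.example/",
    "javascript:alert(1)",
]

if __name__ == "__main__":
    for probe in PROBES:
        print(f"{probe!r:45} -> {resolve_redirect(probe, ALLOWED_HOSTS)!r}")
```

Relative targets without a leading slash ("cart.php") are rejected as well; if a site needs them it should resolve them against a fixed base path and re-check the result rather than loosen the rule.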
46. CVE-2014-8068 | CWE-200 | information disclosure | published 2014-10-09, updated 2017-09-08
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. Partial / Integ. None / Avail. None
   Adobe Digital Editions (DE) 4 does not use encryption for transmission of data to adelogs.adobe.com, which allows remote attackers to obtain sensitive information by sniffing the network, as demonstrated by book-navigation information.

47. CVE-2014-7986 | CWE-264 | (no type listed) | published 2014-10-31, updated 2018-10-09
   CVSS 5.0: Remote, Low complexity, no authentication; Conf. None / Integ. None / Avail. Partial
   install/index.php in EspoCRM before 2.6.0 allows remote attackers to re-install the application via a 1 value in the installProcess parameter.

48. CVE-2014-7985 | CWE-22 | directory traversal | published 2014-10-31, updated 2018-10-09
   CVSS 10.0: Remote, Low complexity, no authentication; Conf. Complete / Integ. Complete / Avail. Complete
   Directory traversal vulnerability in EspoCRM before 2.6.0 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the action parameter to install/index.php.

49. CVE-2014-7984 | CWE-264 | bypass | published 2014-10-08, updated 2014-10-10
   CVSS 7.5: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   Joomla! CMS 2.5.x before 2.5.19 and 3.x before 3.2.3 allows remote attackers to authenticate and bypass intended restrictions via vectors involving GMail authentication.

50. CVE-2014-7981 | CWE-89 | code execution, SQL injection | published 2014-10-08, updated 2014-10-10
   CVSS 7.5: Remote, Low complexity, no authentication; Conf. Partial / Integ. Partial / Avail. Partial
   SQL injection vulnerability in Joomla! CMS 3.1.x and 3.2.x before 3.2.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Total number of vulnerabilities: 1097 (this is page 1 of 22).