| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
51 |
CVE-2014-8995 |
89 |
|
Exec Code Sql |
2014-11-20 |
2017-09-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
SQL injection vulnerability in Maarch LetterBox 2.8 allows remote attackers to execute arbitrary SQL commands via the UserId cookie. |
|
52 |
CVE-2014-8994 |
18 |
|
|
2014-11-28 |
2017-09-08 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
The check_diskio plugin 3.2.6 and earlier for Nagios and Icinga allows local users to write to arbitrary files via a symlink attack on a temporary file with a predictable name (tmp/check_diskio_status-*-*). |
|
53 |
CVE-2014-8991 |
|
|
DoS |
2014-11-24 |
2021-03-15 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user. |
|
54 |
CVE-2014-8989 |
264 |
|
Bypass |
2014-11-30 |
2017-01-03 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a "negative groups" issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c. |
|
55 |
CVE-2014-8988 |
264 |
|
Bypass |
2014-11-24 |
2017-09-08 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL. |
|
56 |
CVE-2014-8986 |
79 |
|
XSS |
2014-11-24 |
2017-01-03 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted config option, a different vulnerability than CVE-2014-8987. |
|
57 |
CVE-2014-8962 |
119 |
|
Exec Code Overflow |
2014-11-26 |
2018-10-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file. |
|
58 |
CVE-2014-8961 |
22 |
|
Dir. Trav. +Info |
2014-11-30 |
2018-10-30 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Directory traversal vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to obtain potentially sensitive information about a file's line count via a crafted parameter. |
|
59 |
CVE-2014-8960 |
79 |
|
XSS |
2014-11-30 |
2016-12-22 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename. |
|
60 |
CVE-2014-8959 |
22 |
|
Dir. Trav. |
2014-11-30 |
2018-10-30 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in libraries/gis/GIS_Factory.class.php in the GIS editor in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allows remote authenticated users to include and execute arbitrary local files via a crafted geometry-type parameter. |
|
61 |
CVE-2014-8958 |
79 |
|
XSS |
2014-11-30 |
2016-12-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database, (2) table, or (3) column name that is improperly handled during rendering of the table browse page; a crafted ENUM value that is improperly handled during rendering of the (4) table print view or (5) zoom search page; or (6) a crafted pma_fontsize cookie that is improperly handled during rendering of the home page. |
|
62 |
CVE-2014-8955 |
79 |
|
XSS |
2014-11-17 |
2017-09-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Contact Form Clean and Simple (clean-and-simple-contact-form-by-meg-nicholas) plugin 4.4.0 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the cscf[name] parameter to contact-us/. |
|
63 |
CVE-2014-8954 |
79 |
1
|
XSS |
2014-11-17 |
2015-08-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in phpSound 1.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) Title or (2) Description fields in a playlist or the (3) filter parameter in an explore action to index.php. |
|
64 |
CVE-2014-8953 |
352 |
1
|
CSRF |
2014-11-17 |
2017-09-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in Php Scriptlerim Who's Who script allow remote attackers to hijack the authentication of administrators or requests that (1) add an admin account via a request to filepath/yonetim/plugin/adminsave.php or have unspecified impact via a request to (2) ayarsave.php, (3) uyesave.php, (4) slaytadd.php, or (5) slaytsave.php. |
|
65 |
CVE-2014-8952 |
|
|
DoS |
2014-11-16 |
2017-09-08 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
Multiple unspecified vulnerabilities in Check Point Security Gateway R75.40VS, R75.45, R75.46, R75.47, R76, R77, and R77.10, when the (1) IPS blade, (2) IPsec Remote Access, (3) Mobile Access / SSL VPN blade, (4) SSL Network Extender, (5) Identify Awareness blade, (6) HTTPS Inspection, (7) UserCheck, or (8) Data Leak Prevention blade module is enabled, allow remote attackers to cause a denial of service ("stability issue") via an unspecified "traffic condition." |
|
66 |
CVE-2014-8951 |
|
|
DoS |
2014-11-16 |
2017-09-08 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
Unspecified vulnerability in Check Point Security Gateway R75, R76, R77, and R77.10, when UserCheck is enabled and the (1) Application Control, (2) URL Filtering, (3) DLP, (4) Threat Emulation, (5) Anti-Bot, or (6) Anti-Virus blade is used, allows remote attackers to cause a denial of service (fwk0 process crash, core dump, and restart) via a redirect to the UserCheck page. |
|
67 |
CVE-2014-8950 |
|
|
DoS |
2014-11-16 |
2017-09-08 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
Unspecified vulnerability in Check Point Security Gateway R77 and R77.10, when the (1) URL Filtering or (2) Identity Awareness blade is used, allows remote attackers to cause a denial of service (crash) via vectors involving an HTTPS request. |
|
68 |
CVE-2014-8949 |
94 |
1
|
Exec Code |
2014-11-16 |
2014-11-18 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
|
The iMember360 plugin 3.8.012 through 3.9.001 for WordPress allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the i4w_trace parameter. NOTE: this can be leveraged with CVE-2014-8948 to allow remote attackers to execute code. NOTE: it is not clear whether this issue itself crosses privileges. |
|
69 |
CVE-2014-8948 |
352 |
1
|
Exec Code CSRF |
2014-11-16 |
2014-11-17 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the iMember360 plugin 3.8.012 through 3.9.001 for WordPress allows remote attackers to hijack the authentication of administrators for requests that with an unspecified impact via the i4w_trace parameter. NOTE: this can be leveraged with CVE-2014-8948 to execute arbitrary commands. |
|
70 |
CVE-2014-8884 |
119 |
|
DoS Overflow +Priv |
2014-11-30 |
2018-01-05 |
6.1 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Complete |
|
Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before 3.17.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call. |
|
71 |
CVE-2014-8801 |
22 |
1
|
Dir. Trav. |
2014-11-28 |
2021-03-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in services/getfile.php in the Paid Memberships Pro plugin before 1.7.15 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the QUERY_STRING in a getfile action to wp-admin/admin-ajax.php. |
|
72 |
CVE-2014-8799 |
22 |
1
|
Dir. Trav. |
2014-11-28 |
2020-02-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php. |
|
73 |
CVE-2014-8770 |
94 |
1
|
Exec Code |
2014-11-13 |
2019-07-16 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
Unrestricted file upload vulnerability in magmi/web/magmi.php in the MAGMI (aka Magento Mass Importer) plugin 0.7.17a and earlier for Magento Community Edition (CE) allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file, then accessing the PHP file via a direct request to it in magmi/plugins/. |
|
74 |
CVE-2014-8769 |
119 |
|
DoS Overflow +Info |
2014-11-20 |
2018-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
tcpdump 3.8 through 4.6.2 might allow remote attackers to obtain sensitive information from memory or cause a denial of service (packet loss or segmentation fault) via a crafted Ad hoc On-Demand Distance Vector (AODV) packet, which triggers an out-of-bounds memory access. |
|
75 |
CVE-2014-8768 |
191 |
1
|
DoS |
2014-11-20 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Multiple Integer underflows in the geonet_print function in tcpdump 4.5.0 through 4.6.2, when in verbose mode, allow remote attackers to cause a denial of service (segmentation fault and crash) via a crafted length value in a Geonet frame. |
|
76 |
CVE-2014-8767 |
189 |
|
DoS |
2014-11-20 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Integer underflow in the olsr_print function in tcpdump 3.9.6 through 4.6.2, when in verbose mode, allows remote attackers to cause a denial of service (crash) via a crafted length value in an OLSR frame. |
|
77 |
CVE-2014-8736 |
200 |
|
Bypass +Info |
2014-11-12 |
2014-11-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Open Atrium Core module for Drupal before 7.x-2.22 allows remote attackers to bypass access restrictions and read file attachments that have been removed from a node by leveraging a previous revision of the node. |
|
78 |
CVE-2014-8735 |
200 |
|
+Info |
2014-11-12 |
2019-07-16 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The Bad Behavior module 6.x-2.x before 6.x-2.2216 and 7.x-2.x before 7.x-2.2216 for Drupal logs usernames and passwords, which allows remote authenticated users with the "administer bad behavior" permission to obtain sensitive information by reading a log file. |
|
79 |
CVE-2014-8734 |
264 |
|
|
2014-11-12 |
2017-09-08 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
The Organic Groups Menu (aka OG Menu) module before 7.x-2.2 for Drupal allows remote authenticated users with the "access administration pages" permission to change module settings via unspecified vectors. |
|
80 |
CVE-2014-8732 |
79 |
|
XSS |
2014-11-17 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in phpMemcachedAdmin 1.2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
81 |
CVE-2014-8727 |
22 |
1
|
Dir. Trav. |
2014-11-17 |
2017-09-08 |
6.2 |
None |
Local |
Low |
??? |
None |
Complete |
Complete |
|
Multiple directory traversal vulnerabilities in F5 BIG-IP before 10.2.2 allow local users with the "Resource Administrator" or "Administrator" role to enumerate and delete arbitrary files via a .. (dot dot) in the name parameter to (1) tmui/Control/jspmap/tmui/system/archive/properties.jsp or (2) tmui/Control/form. |
|
82 |
CVE-2014-8714 |
399 |
|
DoS |
2014-11-23 |
2018-01-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The dissect_write_structured_field function in epan/dissectors/packet-tn5250.c in the TN5250 dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. |
|
83 |
CVE-2014-8713 |
119 |
|
DoS Overflow |
2014-11-23 |
2018-01-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Stack-based buffer overflow in the build_expert_data function in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet. |
|
84 |
CVE-2014-8712 |
399 |
|
DoS |
2014-11-23 |
2018-01-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The build_expert_data function in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 does not properly initialize a data structure, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. |
|
85 |
CVE-2014-8711 |
189 |
|
DoS Overflow |
2014-11-23 |
2018-01-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet. |
|
86 |
CVE-2014-8710 |
119 |
|
DoS Overflow |
2014-11-23 |
2018-01-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet. |
|
87 |
CVE-2014-8709 |
200 |
|
+Info |
2014-11-10 |
2017-09-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 does not properly maintain a certain tail pointer, which allows remote attackers to obtain sensitive cleartext information by reading packets. |
|
88 |
CVE-2014-8683 |
79 |
|
XSS |
2014-11-21 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8 allows remote attackers to inject arbitrary web script or HTML via the text parameter to api/v1/markdown. |
|
89 |
CVE-2014-8682 |
89 |
1
|
Exec Code Sql |
2014-11-21 |
2018-10-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go. |
|
90 |
CVE-2014-8681 |
89 |
1
|
Exec Code Sql |
2014-11-21 |
2017-09-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to user/repos/issues. |
|
91 |
CVE-2014-8678 |
200 |
|
+Info |
2014-11-25 |
2015-02-17 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
The ConfigSaveServlet servlet in ManageEngine OpUtils before build 71024 allows remote attackers to "disclose" files via a crafted filename, related to "saveFile." |
|
92 |
CVE-2014-8672 |
79 |
|
XSS |
2014-11-07 |
2015-05-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the RewardingYourself application for Android and BlackBerry OS allows remote attackers to inject arbitrary web script or HTML via a crafted QR code. |
|
93 |
CVE-2014-8671 |
79 |
|
XSS |
2014-11-07 |
2015-10-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the GWT Mobile PhoneGap Showcase application for Android allows remote attackers to inject arbitrary web script or HTML via a crafted Bluetooth Device Name field. |
|
94 |
CVE-2014-8670 |
|
|
|
2014-11-06 |
2017-09-08 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in go.php in vBulletin 4.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. |
|
95 |
CVE-2014-8669 |
94 |
|
Exec Code |
2014-11-06 |
2014-11-07 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The SAP Promotion Guidelines (CRM-MKT-MPL-TPM-PPG) module for SAP CRM allows remote attackers to execute arbitrary code via unspecified vectors. |
|
96 |
CVE-2014-8668 |
89 |
|
Exec Code Sql |
2014-11-06 |
2017-09-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in SAP Contract Accounting allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
|
97 |
CVE-2014-8667 |
79 |
|
XSS |
2014-11-06 |
2014-11-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in SAP HANA Web-based Development Workbench allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
98 |
CVE-2014-8666 |
200 |
|
+Info |
2014-11-06 |
2014-11-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The User & Server configuration, InfoView refresh, user rights (BI-BIP-ADM) component in SAP Business Intellignece allows remote attackers to obtain audit event details via unspecified vectors. |
|
99 |
CVE-2014-8665 |
200 |
|
+Info |
2014-11-06 |
2014-11-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The SAP Business Intelligence Development Workbench allows remote attackers to obtain sensitive information by reading unspecified files. |
|
100 |
CVE-2014-8664 |
89 |
|
Exec Code Sql |
2014-11-06 |
2017-09-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in Product Safety (EHS-SAF) component in SAP Environment, Health, and Safety Management allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
