| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1001 | CVE-2014-5410 | 399 | | DoS | 2014-10-03 | 2014-10-06 | 7.1 | None | Remote | Medium | Not required | None | None | Complete | The DNP3 feature on Rockwell Automation Allen-Bradley MicroLogix 1400 1766-Lxxxxx A FRN controllers 7 and earlier and 1400 1766-Lxxxxx B FRN controllers before 15.001 allows remote attackers to cause a denial of service (process disruption) via malformed packets over (1) an Ethernet network or (2) a serial line. |
| 1002 | CVE-2014-5389 | 89 | | Exec Code Sql | 2014-10-06 | 2015-11-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in content-audit-schedule.php in the Content Audit plugin before 1.6.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the "Audited content types" option in the content-audit page to wp-admin/options-general.php. |
| 1003 | CVE-2014-5376 | 20 | | | 2014-10-08 | 2018-10-09 | 4.0 | None | Remote | Low | ??? | None | Partial | None | Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0, when a pre-generated key is used, does not validate that the requesting user matches the actor in the message, which allows remote authenticated users to impersonate arbitrary users via the actor field in a message. |
| 1004 | CVE-2014-5375 | 20 | | | 2014-10-08 | 2018-10-09 | 4.0 | None | Remote | Low | ??? | None | Partial | None | The server in Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0 does not properly validate the message owner matches the submitting user, which allows remote authenticated users to impersonate arbitrary users via the UserId and Owner tags. |
| 1005 | CVE-2014-5351 | 255 | | | 2014-10-10 | 2020-01-21 | 2.1 | None | Remote | High | ??? | Partial | None | None | The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access. |
| 1006 | CVE-2014-5331 | 79 | | XSS | 2014-10-19 | 2015-07-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Aflax allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 1007 | CVE-2014-5330 | 79 | | XSS | 2014-10-19 | 2015-07-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in BirdBlog allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 1008 | CVE-2014-5328 | 399 | | DoS Overflow | 2014-10-12 | 2014-10-15 | 6.8 | None | Remote | Low | ??? | None | None | Complete | Buffer overflow in the Webserver component on the Huawei E5332 router before 21.344.27.00.1080 allows remote authenticated users to cause a denial of service (reboot) via a long parameter in an API service request message. |
| 1009 | CVE-2014-5327 | 399 | | DoS Overflow | 2014-10-12 | 2014-10-15 | 6.8 | None | Remote | Low | ??? | None | None | Complete | Buffer overflow in the Webserver component on the Huawei E5332 router before 21.344.27.00.1080 allows remote authenticated users to cause a denial of service (reboot) via a long URI. |
| 1010 | CVE-2014-5308 | 89 | 1 | Exec Code Sql | 2014-10-08 | 2014-10-09 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | Multiple SQL injection vulnerabilities in TestLink 1.9.11 allow remote authenticated users to execute arbitrary SQL commands via the (1) name parameter in a Search action to lib/project/projectView.php or (2) id parameter to lib/events/eventinfo.php. |
| 1011 | CVE-2014-5300 | 287 | 1 | Exec Code Bypass | 2014-10-08 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0 allows remote attackers to bypass the signature check, impersonate arbitrary users, and execute commands via a message without a signature. |
| 1012 | CVE-2014-5298 | 264 | | Bypass | 2014-10-10 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | None | None | Partial | FileUploadsFilter.php in X2Engine 4.1.7 and earlier, when running on case-insensitive file systems, allows remote attackers to bypass the upload blacklist and conduct unrestricted file upload attacks by uploading a file with an executable extension that contains uppercase letters, as demonstrated using a PHP program. |
| 1013 | CVE-2014-5297 | 94 | | | 2014-10-10 | 2018-10-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The actionSendErrorReport method in protected/controllers/SiteController.php in X2Engine 2.8 through 4.1.7 allows remote attackers to conduct PHP object injection and Server-Side Request Forgery (SSRF) attacks via crafted serialized data in the report parameter. |
| 1014 | CVE-2014-5276 | 79 | 1 | XSS | 2014-10-20 | 2017-09-08 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Pro Chat Rooms Text Chat Rooms 8.2.0 allow remote authenticated users to inject arbitrary web script or HTML via (1) an uploaded profile picture or (2) the edit parameter to profiles/index.php. |
| 1015 | CVE-2014-5275 | 89 | 1 | Exec Code Sql | 2014-10-20 | 2017-09-08 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Multiple SQL injection vulnerabilities in includes/functions.php in Pro Chat Rooms Text Chat Rooms 8.2.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) password, (2) email, or (3) id parameter. |
| 1016 | CVE-2014-5270 | 200 | | +Info | 2014-10-10 | 2017-11-04 | 2.1 | None | Local | Low | Not required | Partial | None | None | Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576. |
| 1017 | CVE-2014-5169 | 79 | | XSS | 2014-10-20 | 2014-10-24 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Date module before 7.x-2.8 for Drupal allows remote authenticated users with the permission to create a date field to inject arbitrary web script or HTML via the date field title. |
| 1018 | CVE-2014-5148 | 119 | | DoS Overflow +Priv | 2014-10-26 | 2017-08-29 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Xen 4.4.x, when running on an ARM system and "handling an unknown system register access from 64-bit userspace," returns to an instruction of the trap handler for kernel space faults instead of an instruction that is associated with faults in 64-bit userspace, which allows local guest users to cause a denial of service (crash) and possibly gain privileges via a crafted process. |
| 1019 | CVE-2014-5098 | 79 | | XSS | 2014-10-20 | 2018-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Search module before 1.2.2 in Jamroom allows remote attackers to inject arbitrary web script or HTML via the query string to search/results/. |
| 1020 | CVE-2014-5094 | 200 | | +Info | 2014-10-20 | 2017-08-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Status2k allows remote attackers to obtain configuration information via a phpinfo action in a request to status/index.php, which calls the phpinfo function. |
| 1021 | CVE-2014-5075 | 310 | | | 2014-10-25 | 2016-11-28 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
| 1022 | CVE-2014-5026 | 79 | | XSS | 2014-10-20 | 2018-10-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host Templates Name in a delete action; (6) Data Source Title; (7) Graph Title; or (8) Graph Template Name in a delete or (9) duplicate action. |
| 1023 | CVE-2014-5025 | 79 | | XSS | 2014-10-20 | 2018-10-30 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action. |
| 1024 | CVE-2014-5006 | 22 | 1 | Exec Code Dir. Trav. | 2014-10-21 | 2020-01-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter to mdm/mdmLogUploader. |
| 1025 | CVE-2014-5005 | 22 | 1 | Exec Code Dir. Trav. | 2014-10-21 | 2020-01-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an LFU action to statusUpdate. |
| 1026 | CVE-2014-4906 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The Brisbane & Queensland Alert (aka com.queensland.alert) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1027 | CVE-2014-4905 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The Clean Internet Browser (aka com.cleantab.browsesecure) application 1.36 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1028 | CVE-2014-4904 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The Crossmo Calendar (aka com.crossmo.calendar) application 1.7.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1029 | CVE-2014-4903 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The Kakao Bingo Garden (aka com.mocoga.bingogarden) application 1.0.14 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1030 | CVE-2014-4901 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The Bond Trading (aka com.appmakr.app613309) application 197705 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1031 | CVE-2014-4900 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The migme (aka com.projectgoth) application 4.03.002 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1032 | CVE-2014-4899 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The Indian Cement Review (aka com.magzter.indiancementreview) application 3.01 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1033 | CVE-2014-4898 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The Harivijay (aka com.upasanhar.marathi.harivijay) application 4.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1034 | CVE-2014-4897 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The Touriosity Travelmag (aka com.magzter.touriositytravelmag) application 3.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1035 | CVE-2014-4896 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The Parque Imperial (aka com.a792139893520606f84b2188a.a23428594a) application 1.02 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1036 | CVE-2014-4895 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The Herpin Time Radio (aka com.herpin.time.radio) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1037 | CVE-2014-4894 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The MyMetro (aka com.myrippleapps.mymetro) application 2.4.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1038 | CVE-2014-4892 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The uControl Smart Home Automation (aka de.ucontrol) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1039 | CVE-2014-4891 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The CT iHub (aka com.concursive.ctihub) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1040 | CVE-2014-4890 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The Nano Digest (aka com.magzter.nanodigest) application 3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1041 | CVE-2014-4889 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The Diabetic Diet Guide (aka com.wDiabeticDietGuide) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1042 | CVE-2014-4888 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The BattleFriends at Sea GOLD (aka com.tequilamobile.warshipslivegold) application 1.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1043 | CVE-2014-4887 | 310 | | +Info | 2014-10-21 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The Joint Radio Blues (aka com.nobexinc.wls_69685189.rc) application 3.2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1044 | CVE-2014-4885 | 310 | | +Info | 2014-10-21 | 2014-11-10 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The CPWORLD Close Protection World (aka com.tapatalk.closeprotectionworldcom) application 3.4.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1045 | CVE-2014-4884 | 310 | | +Info | 2014-10-21 | 2014-11-10 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The Conrad Hotel (aka com.wConradHotel) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1046 | CVE-2014-4881 | 310 | | +Info | 2014-10-16 | 2014-11-14 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial | The PartyTrack library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 1047 | CVE-2014-4877 | 22 | | Exec Code Dir. Trav. | 2014-10-29 | 2017-02-17 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink. |
| 1048 | CVE-2014-4874 | 200 | | +Info | 2014-10-10 | 2016-06-28 | 4.0 | None | Remote | Low | ??? | Partial | None | None | BMC Track-It! 11.3.0.355 allows remote authenticated users to read arbitrary files by visiting the TrackItWeb/Attachment page. |
| 1049 | CVE-2014-4873 | 89 | | Exec Code Sql | 2014-10-10 | 2015-09-10 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SQL injection vulnerability in TrackItWeb/Grid/GetData in BMC Track-It! 11.3.0.355 allows remote authenticated users to execute arbitrary SQL commands via crafted POST data. |
| 1050 | CVE-2014-4872 | 287 | | Exec Code +Info | 2014-10-10 | 2016-06-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | BMC Track-It! 11.3.0.355 does not require authentication on TCP port 9010, which allows remote attackers to upload arbitrary files, execute arbitrary code, or obtain sensitive credential and configuration information via a .NET Remoting request to (1) FileStorageService or (2) ConfigurationService. |
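The three Moab entries (CVE-2014-5376, CVE-2014-5375, CVE-2014-5300) describe two separate failures in one message-authentication path: a message with no signature is accepted, and a correctly signed message may name an actor or owner other than the key's owner. The following is an added example, not Moab's protocol or code; the envelope layout, the HMAC-SHA256 scheme and the key table are assumptions made for illustration. It puts the vulnerable verifier beside one that requires a signature and binds the claimed actor to the authenticated key owner.

```python
import hashlib
import hmac
import json

# Constructed key table: key id -> (principal that owns the key, shared secret).
# Assumption for the example; Moab's real key handling is not modelled here.
SHARED_KEYS = {
    "alice-key": ("alice", b"s3cr3t-alice"),
    "bob-key": ("bob", b"s3cr3t-bob"),
}


def _canonical(envelope: dict) -> bytes:
    """Deterministic encoding of every field except the signature fields."""
    body = {k: v for k, v in envelope.items() if k not in ("sig", "key_id")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign(message: dict, key_id: str) -> dict:
    """Client side: attach the key id and an HMAC over the canonical body."""
    _, secret = SHARED_KEYS[key_id]
    envelope = {**message, "key_id": key_id}
    envelope["sig"] = hmac.new(secret, _canonical(envelope), hashlib.sha256).hexdigest()
    return envelope


def vulnerable_authenticate(envelope: dict):
    """Vulnerable pattern: verifies a signature only if one is present, and
    returns whatever 'actor' the client claimed. Returns the actor or None."""
    if "sig" in envelope:
        _, secret = SHARED_KEYS[envelope["key_id"]]
        expected = hmac.new(secret, _canonical(envelope), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["sig"]):
            return None
    return envelope["actor"]          # unsigned message: accepted as-is


def hardened_authenticate(envelope: dict):
    """Hardened pattern: a signature is mandatory, the key must be known, the
    MAC must verify, and the actor must be the principal that owns the key."""
    key_id, sig = envelope.get("key_id"), envelope.get("sig")
    if key_id not in SHARED_KEYS or not isinstance(sig, str):
        return None
    owner, secret = SHARED_KEYS[key_id]
    expected = hmac.new(secret, _canonical(envelope), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return None
    if envelope.get("actor") != owner:
        return None                   # alice's key may not speak for root
    return owner
```

The identity a request runs under must come from the verified credential (here, the key's owner), never from a field the client fills in; the `actor` value is then only a cross-check, not a source of authority.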
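Several rows (CVE-2014-5389, CVE-2014-5308, CVE-2014-5275, CVE-2014-4873) are SQL injection through a parameter pasted into a statement. As an added example, not code from TestLink, the Content Audit plugin, Pro Chat Rooms or BMC Track-It!, the block below uses an in-memory SQLite database with constructed rows to show both injection contexts the TestLink entry names, a numeric `id` and a quoted search `name`, each beside its parameterised form.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for an application database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE events   (id INTEGER PRIMARY KEY, detail TEXT);
        CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE users    (login TEXT, password_hash TEXT);
        INSERT INTO events   VALUES (1, 'build ok'), (2, 'build failed');
        INSERT INTO projects VALUES (1, 'Payments'), (2, 'Portal');
        INSERT INTO users    VALUES ('admin', 'constructed-hash-value');
    """)
    return conn


def event_detail_vulnerable(event_id: str) -> list:
    """Numeric context, no quoting needed: 'id' becomes part of the SQL text,
    so '1 UNION SELECT ...' extends the statement."""
    conn = make_db()
    sql = "SELECT detail FROM events WHERE id = " + event_id
    return [row[0] for row in conn.execute(sql)]


def event_detail_safe(event_id: str) -> list:
    """Type check plus parameter binding: the value is data, never SQL."""
    if not event_id.isdigit():
        return []
    conn = make_db()
    return [row[0] for row in conn.execute(
        "SELECT detail FROM events WHERE id = ?", (int(event_id),))]


def project_search_vulnerable(name: str) -> list:
    """String context: a single quote in 'name' closes the literal; the
    trailing '--' comments out whatever the application appended."""
    conn = make_db()
    sql = "SELECT name FROM projects WHERE name LIKE '%" + name + "%'"
    return [row[0] for row in conn.execute(sql)]


def project_search_safe(name: str) -> list:
    """The LIKE pattern is built in Python and bound as one parameter."""
    conn = make_db()
    return [row[0] for row in conn.execute(
        "SELECT name FROM projects WHERE name LIKE ?", ("%" + name + "%",))]
```

A bound parameter can still contain `%` and `_`, so a search endpoint that must treat them literally should escape them and pass an `ESCAPE` clause; that is a functional concern, not an injection one.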
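CVE-2014-5298 is the classic failure of an extension blacklist on a case-insensitive file system: the filter compares the literal extension against lowercase entries while the web server treats `.PHP` and `.php` alike. The block below is an added example, not X2Engine's FileUploadsFilter.php; the blocked and allowed extension sets are assumptions chosen for illustration. It shows the bypassable check beside an allowlist that case-folds the name and inspects every extension of a multi-extension filename.

```python
import posixpath

# Assumed extension sets for the example; tune to the application's needs.
BLOCKED_EXTENSIONS = {"php", "phtml", "php3", "php5", "phar", "cgi", "pl", "sh"}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}


def blacklist_allows(filename: str) -> bool:
    """Vulnerable pattern: the raw extension is compared with a lowercase set.
    A case-insensitive file system executes 'shell.PHP' as PHP, but
    'PHP' != 'php', so the filter lets it through."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


def hardened_allows(filename: str) -> bool:
    """Hardened pattern: take the basename, case-fold it, look at every
    extension of a multi-extension name, and accept only an allowlisted
    final extension. Dotfiles and names without an extension are refused."""
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base:
        return False
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "":      # no extension, or '.htaccess'
        return False
    exts = parts[1:]
    if any(e in BLOCKED_EXTENSIONS for e in exts):   # 'shell.php.png'
        return False
    return exts[-1] in ALLOWED_EXTENSIONS
```

Even with an allowlist, uploaded files should be stored under a server-generated name outside the document root, or in a directory where script execution is disabled, so that a filter mistake cannot become code execution.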
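The Libgcrypt entry (CVE-2014-5270) names two countermeasures against side-channel key extraction: ciphertext normalization (reducing the input modulo n before use) and ciphertext randomization (RSA blinding). The block below is an added example, not Libgcrypt code; it uses a constructed toy RSA key with small primes, far too small for real use, only to make the arithmetic of blinding visible. With blinding, the private exponent is applied to c·r^e rather than to the attacker-chosen c, so the leakage observed during exponentiation depends on a fresh random r each time.

```python
import secrets
from math import gcd

# Constructed toy key (primes chosen for the example only).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)            # private exponent, requires Python 3.8+


def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt_unblinded(c: int) -> int:
    """Vulnerable pattern: the private exponent is applied directly to the
    input, so an attacker who chooses c also chooses what the CPU computes."""
    return pow(c, D, N)


def blind(c: int):
    """Ciphertext randomization: multiply c by r^e for a random invertible r.
    Returns (blinded ciphertext, r^-1 mod N) so the caller can unblind."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    r_inv = pow(r, -1, N)
    return (c * pow(r, E, N)) % N, r_inv


def decrypt_blinded(c: int) -> int:
    """Normalize, blind, exponentiate, unblind.
    (c * r^e)^d = c^d * r^(e*d) = m * r (mod N); multiplying by r^-1 gives m."""
    c %= N                      # ciphertext normalization: reject c >= N inputs
    c_blind, r_inv = blind(c)
    m_blind = pow(c_blind, D, N)
    return (m_blind * r_inv) % N
```

Both decrypt functions return the same plaintext; the difference is only in what intermediate values exist during the modular exponentiation, which is exactly what a power or voltage probe observes.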
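The Smack entry (CVE-2014-5075) and the run of Android entries (CVE-2014-4881 through CVE-2014-4906) are the same defect at two depths: Smack accepted a valid certificate for the wrong name, and the apps accepted any certificate at all. The hostname check that was missing is shown below as an added example, not code from Smack or any of the listed apps. It operates on the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns, with constructed certificate contents, and follows the RFC 6125 rules: dNSName SANs take precedence over the CN, a wildcard may only be the whole leftmost label, and an IP address must match an iPAddress SAN exactly.

```python
import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single '*' as the entire leftmost label. The wildcard
    never matches a bare TLD ('*.com'), the apex name, or more than one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True only if the certificate names the host we intended to reach.
    The chain may be perfectly valid and this still returns False; that is
    the case the Smack advisory describes."""
    sans = cert.get("subjectAltName", ())
    dns_names = [value for (kind, value) in sans if kind == "DNS"]
    ip_names = [value for (kind, value) in sans if kind == "IP Address"]
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in ip_names)
    if dns_names:                       # SAN present: CN is ignored entirely
        return any(_dns_name_matches(n, hostname) for n in dns_names)
    for rdn in cert.get("subject", ()):  # legacy fallback: subject CN
        for (key, value) in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


# Constructed certificates in getpeercert() shape (not real certificates).
SERVER_CERT = {
    "subject": ((("commonName", "xmpp.example.org"),),),
    "subjectAltName": (("DNS", "xmpp.example.org"), ("DNS", "*.example.org"),
                       ("IP Address", "192.0.2.10")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "*.example.net"),),)}
ATTACKER_CERT = {   # valid for the attacker's own name, presented to a client for xmpp.example.org
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "attacker.example"),),
}
```

In practice a client should not hand-roll this: `ssl.create_default_context()` already sets `CERT_REQUIRED` and `check_hostname=True`, and the Android equivalent is to keep the platform `HostnameVerifier` rather than replacing it with one that returns true. The code above shows what those defaults do so that a custom `SSLContext`, the configuration the Smack entry names, can be reviewed against it.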
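The ManageEngine entries (CVE-2014-5006, CVE-2014-5005) and the Wget entry (CVE-2014-4877) both come down to a path that ends up outside the directory it was supposed to stay in: a client-supplied `fileName` containing `..`, and an FTP LIST that first declares `name` as a symlink to an absolute path and then as a regular file, so that the retrieval writes through the local symlink. The block below is an added example, not ManageEngine or GNU Wget code. One containment check serves both cases; the LIST lines, directory names and the unix-style LIST format assumed by the parser are constructed for the example. The mirror planner's default of never reproducing a symlink locally corresponds to the behaviour Wget adopted (retrieving the linked file as an ordinary file); the `create_symlinks=True` path shows the check that would be needed if symlinks were reproduced.

```python
import posixpath
import re


def _contained(root: str, candidate: str) -> bool:
    """True only if root/candidate, after normalisation, is root or below it.
    An absolute candidate replaces root in join() and is therefore rejected."""
    root = posixpath.normpath(root)
    path = posixpath.normpath(posixpath.join(root, candidate))
    return path == root or path.startswith(root + "/")


def safe_upload_path(upload_root: str, file_name: str):
    """Resolve a client-supplied file name under upload_root, or return None.
    Backslashes are treated as separators so '..\\..\\x' cannot slip past."""
    if not file_name or "\x00" in file_name:
        return None
    name = file_name.replace("\\", "/")
    if name.startswith("/") or not _contained(upload_root, name):
        return None
    return posixpath.normpath(posixpath.join(upload_root, name))


# Unix-style LIST line: mode links owner group size month day time-or-year name
LIST_RE = re.compile(
    r"^(?P<mode>[-ld][rwxsStT-]{9})\s+\d+\s+\S+\s+\S+\s+\d+\s+\S+\s+\d+\s+[\d:]+\s+(?P<rest>.+)$")


def parse_list(lines):
    """Yield (kind, name, symlink_target) for each parsable LIST line."""
    entries = []
    for line in lines:
        m = LIST_RE.match(line)
        if not m:
            continue
        kind = {"-": "file", "d": "dir", "l": "symlink"}[m.group("mode")[0]]
        name, target = m.group("rest"), None
        if kind == "symlink" and " -> " in name:
            name, target = name.split(" -> ", 1)
        entries.append((kind, name, target))
    return entries


def plan_mirror(local_root: str, list_lines, create_symlinks: bool = False):
    """Decide what a recursive mirror does with each entry. Returns
    (actions, rejected). Duplicate names are refused outright, so a symlink
    and a file of the same name can never be combined into a write-through."""
    actions, rejected, seen = [], [], set()
    for kind, name, target in parse_list(list_lines):
        if not name or "/" in name or name in (".", "..") or "\x00" in name:
            rejected.append((name, "bad name"))
            continue
        if name in seen:
            rejected.append((name, "duplicate entry"))
            continue
        seen.add(name)
        local = posixpath.join(local_root, name)
        if kind == "dir":
            actions.append(("mkdir", local))
        elif kind == "file" or not create_symlinks:
            actions.append(("fetch", local))        # symlink fetched as a file
        elif target is None or not _contained(local_root, target):
            rejected.append((name, "symlink target escapes mirror root"))
        else:
            actions.append(("symlink", local, target))
    return actions, rejected


# Constructed LIST output reproducing the shape the Wget entry describes.
SAMPLE_LIST = [
    "drwxr-xr-x    2 ftp      ftp          4096 Oct 01 12:00 docs",
    "lrwxrwxrwx    1 ftp      ftp            11 Oct 01 12:00 notes.txt -> /etc/passwd",
    "-rw-r--r--    1 ftp      ftp           128 Oct 01 12:01 notes.txt",
    "-rw-r--r--    1 ftp      ftp           512 Oct 01 12:02 README",
]
```

The containment test is done on normalised lexical paths; on a real file system the same check should be repeated on `os.path.realpath()` of the final destination immediately before writing, because a directory created earlier in the same run may itself have become a symlink.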