| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1351 | CVE-2014-9487 | 611 | | DoS | 2017-10-17 | 2017-11-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053. |
| 1352 | CVE-2014-9474 | 119 | | Overflow | 2017-10-10 | 2017-11-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Buffer overflow in the mpfr_strtofr function in GNU MPFR before 3.1.2-p11 allows context-dependent attackers to have unspecified impact via vectors related to incorrect documentation for mpn_set_str. |
| 1353 | CVE-2014-9148 | 284 | | Bypass | 2017-10-16 | 2017-10-25 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur. |
| 1354 | CVE-2014-9147 | 200 | | +Info | 2017-10-16 | 2017-10-25 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/. |
| 1355 | CVE-2014-9118 | 77 | | Exec Code | 2017-10-17 | 2018-10-09 | 9.0 | None | Remote | Low | Single system | Complete | Complete | Complete | The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd. |
| 1356 | CVE-2014-9092 | 119 | | DoS Overflow | 2017-10-10 | 2018-07-12 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial of service (crash) via a crafted JPEG file, related to the Exif marker. |
| 1357 | CVE-2014-8957 | 79 | | XSS | 2017-10-06 | 2017-10-12 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 allows remote authenticated users to inject arbitrary web script or HTML via the Tasks parameter. |
| 1358 | CVE-2014-8758 | 79 | | XSS | 2017-10-06 | 2017-10-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Best Gallery Albums Plugin before 3.0.70 for WordPress allows remote attackers to inject arbitrary web script or HTML via the order_id parameter in the gallery_album_sorting page to wp-admin/admin.php. |
| 1359 | CVE-2014-8621 | 89 | | Exec Code Sql | 2017-10-16 | 2017-10-25 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in the Store Locator plugin 2.3 through 3.11 for WordPress allows remote attackers to execute arbitrary SQL commands via the sl_custom_field parameter to sl-xml.php. |
| 1360 | CVE-2014-8492 | 79 | | XSS | 2017-10-06 | 2017-10-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in assets/misc/fallback-page.php in the Profile Builder plugin before 2.0.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) site_name, (2) message, or (3) site_url parameter. |
| 1361 | CVE-2014-8491 | 200 | | +Info | 2017-10-18 | 2017-11-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Grand Flagallery plugin before 4.25 for WordPress allows remote attackers to obtain the installation path via a request to (1) flagallery-skins/banner_widget_default/gallery.php or (2) flash-album-gallery/skins/banner_widget_default/gallery.php. |
| 1362 | CVE-2014-8357 | 255 | | | 2017-10-17 | 2018-10-09 | 4.0 | None | Remote | Low | Single system | Partial | None | None | backupsettings.html in the web administrative portal in Zhone zNID GPON 2426A before S3.0.501 places a session key in a URL, which allows remote attackers to obtain arbitrary user passwords via the sessionKey parameter in a getConfig action to backupsettings.conf. |
| 1363 | CVE-2014-8324 | 20 | | DoS | 2017-10-17 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | None | None | Partial | network.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to cause a denial of service (segmentation fault) via a response with a crafted length parameter. |
| 1364 | CVE-2014-8323 | 20 | | DoS | 2017-10-17 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | None | None | Partial | buddy-ng.c in Aircrack-ng before 1.2 Beta 3 allows remote attackers to cause a denial of service (segmentation fault) via a response with a crafted length parameter. |
| 1365 | CVE-2014-8087 | 79 | | XSS | 2017-10-16 | 2017-10-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the post highlights plugin before 2.6.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the txt parameter in a headline action to ajax/ph_save.php. |
| 1366 | CVE-2014-7851 | 264 | | +Priv | 2017-10-16 | 2019-11-06 | 6.0 | None | Remote | Medium | Single system | Partial | Partial | Partial | oVirt 3.2.2 through 3.5.0 does not invalidate the restapi session after logout from the webadmin, which allows remote authenticated users with knowledge of another user's session data to gain that user's privileges by replacing their session token with that of another user. |
| 1367 | CVE-2014-7813 | 400 | | DoS | 2017-10-18 | 2017-11-07 | 4.0 | None | Remote | Low | Single system | None | None | Partial | Red Hat CloudForms 3 Management Engine (CFME) allows remote authenticated users to cause a denial of service (resource consumption) via vectors involving calls to the .to_sym rails function and lack of garbage collection of inserted symbols. |
| 1368 | CVE-2014-7242 | 295 | | +Info | 2017-10-18 | 2017-11-08 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The SumaHo application 3.0.0 and earlier for Android and the SumaHo "driving capability" diagnosis result transmission application 1.2.2 and earlier for Android allow man-in-the-middle attackers to spoof servers and obtain sensitive information by leveraging failure to verify SSL/TLS server certificates. |
| 1369 | CVE-2014-7240 | 79 | | XSS | 2017-10-06 | 2017-10-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Easy Contact Form Solution plugin before 1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the value parameter in a master_response action to wp-admin/admin-ajax.php. |
| 1370 | CVE-2014-3744 | 22 | | Dir. Trav. | 2017-10-23 | 2017-11-15 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary files via a %2e%2e (encoded dot dot) in an unspecified path. |
| 1371 | CVE-2014-3741 | 77 | | Exec Code | 2017-10-23 | 2017-11-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The printDirect function in lib/printer.js in the node-printer module 0.0.1 and earlier for Node.js allows remote attackers to execute arbitrary commands via unspecified characters in the lpr command. |
| 1372 | CVE-2014-3709 | 352 | | CSRF | 2017-10-18 | 2017-11-07 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection. |
| 1373 | CVE-2014-3706 | 295 | | | 2017-10-18 | 2017-11-07 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | ovirt-engine, as used in Red Hat MRG 3, allows man-in-the-middle attackers to spoof servers by leveraging failure to verify key attributes in vdsm X.509 certificates. |
| 1374 | CVE-2014-3702 | 22 | | DoS Dir. Trav. | 2017-10-16 | 2017-11-07 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial | Directory traversal vulnerability in eNovance eDeploy allows remote attackers to create arbitrary directories and files and consequently cause a denial of service (resource consumption) via a .. (dot dot) in the session parameter. |
| 1375 | CVE-2014-3624 | 284 | | Bypass | 2017-10-30 | 2017-11-17 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT. |
| 1376 | CVE-2014-3600 | 611 | | | 2017-10-27 | 2019-03-27 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | XML external entity (XXE) vulnerability in Apache ActiveMQ 5.x before 5.10.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages. |
| 1377 | CVE-2014-3579 | 611 | | | 2017-10-27 | 2019-03-27 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | XML external entity (XXE) vulnerability in Apache ActiveMQ Apollo 1.x before 1.7.1 allows remote consumers to have unspecified impact via vectors involving an XPath based selector when dequeuing XML messages. |
| 1378 | CVE-2014-3531 | 79 | | XSS | 2017-10-18 | 2017-10-27 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Foreman before 1.5.2 allow remote authenticated users to inject arbitrary web script or HTML via the operating system (1) name or (2) description. |
| 1379 | CVE-2014-3526 | 200 | | +Info | 2017-10-30 | 2019-12-11 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Apache Wicket before 1.5.12, 6.x before 6.17.0, and 7.x before 7.0.0-M3 might allow remote attackers to obtain sensitive information via vectors involving identifiers for storing page markup for temporary user sessions. |
| 1380 | CVE-2014-3164 | 476 | | DoS | 2017-10-18 | 2017-11-07 | 5.0 | None | Remote | Low | Not required | None | None | Partial | cmds/servicemanager/service_manager.c in Android before commit 7d42a3c31ba78a418f9bdde0e0ab951469f321b5 allows attackers to cause a denial of service (NULL pointer dereference, or out-of-bounds write) via vectors related to binder passed lengths. |
| 1381 | CVE-2014-2903 | 310 | | | 2017-10-06 | 2017-10-17 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | CyaSSL does not check the key usage extension in leaf certificates, which allows remote attackers to spoof servers via a crafted server certificate not authorized for use in an SSL/TLS handshake. |
| 1382 | CVE-2014-2664 | 434 | | Exec Code | 2017-10-17 | 2017-11-08 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Unrestricted file upload vulnerability in the ProfileController::actionUploadPhoto method in protected/controllers/ProfileController.php in X2Engine X2CRM before 4.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. |
| 1383 | CVE-2014-2277 | 284 | | +Info | 2017-10-17 | 2020-02-04 | 3.6 | None | Local | Low | Not required | Partial | Partial | None | The make_temporary_filename function in perltidy 20120701-1 and earlier allows local users to obtain sensitive information or write to arbitrary files via a symlink attack, related to use of the tmpnam function. |
| 1384 | CVE-2014-2023 | 89 | 1 | Exec Code Sql | 2017-10-26 | 2017-11-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API request to (1) unsubscribe_forum.php or (2) unsubscribe_topic.php in mobiquo/functions/. |
| 1385 | CVE-2014-1203 | 77 | | Exec Code | 2017-10-24 | 2019-12-11 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The get_login_ip_config_file function in Eyou Mail System before 3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to admin/domain/ip_login_set/d_ip_login_get.php. |
| 1386 | CVE-2014-0691 | 331 | | Bypass | 2017-10-24 | 2017-11-14 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Cisco WebEx Meetings Server before 1.1 uses meeting IDs with insufficient entropy, which makes it easier for remote attackers to bypass authentication and join arbitrary meetings without a password, aka Bug ID CSCuc79643. |
| 1387 | CVE-2014-0208 | 79 | | XSS | 2017-10-16 | 2017-11-01 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting (XSS) vulnerability in the search auto-completion functionality in Foreman before 1.4.4 allows remote authenticated users to inject arbitrary web script or HTML via a crafted key name. |
| 1388 | CVE-2014-0115 | 22 | | Dir. Trav. | 2017-10-30 | 2017-11-15 | 7.8 | None | Remote | Low | Not required | Complete | None | None | Directory traversal vulnerability in the log viewer in Apache Storm 0.9.0.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter to log. |
| 1389 | CVE-2014-0073 | 264 | | +Priv | 2017-10-30 | 2018-10-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 through 2.9.0 does not properly validate callback identifiers, which allows remote attackers to execute arbitrary JavaScript in the host page and consequently gain privileges via a crafted gap-iab: URI. |
| 1390 | CVE-2014-0072 | 20 | | | 2017-10-30 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | None | Partial | None | ios/CDVFileTransfer.m in the Apache Cordova File-Transfer standalone plugin (org.apache.cordova.file-transfer) before 0.4.2 for iOS and the File-Transfer plugin for iOS from Cordova 2.4.0 through 2.9.0 might allow remote attackers to spoof SSL servers by leveraging a default value of true for the trustAllHosts option. |
| 1391 | CVE-2014-0047 | | | | 2017-10-06 | 2017-10-13 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Docker before 1.5 allows local users to have unspecified impact via vectors involving unsafe /tmp usage. |
| 1392 | CVE-2014-0043 | 200 | | +Info | 2017-10-03 | 2017-10-11 | 5.0 | None | Remote | Low | Not required | Partial | None | None | In Apache Wicket 1.5.10 or 6.13.0, by issuing requests to special urls handled by Wicket, it is possible to check for the existence of particular classes in the classpath and thus check whether a third party library with a known security vulnerability is in use. |
| 1393 | CVE-2014-0030 | 611 | | | 2017-10-10 | 2019-05-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. |
| 1394 | CVE-2014-0029 | 79 | | XSS | 2017-10-16 | 2017-11-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the SAM web application in Red Hat katello-headpin allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. |
| 1395 | CVE-2013-7377 | 77 | | Exec Code | 2017-10-23 | 2017-11-21 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The codem-transcode module before 0.5.0 for Node.js, when ffprobe is enabled, allows remote attackers to execute arbitrary commands via a POST request to /probe. |
| 1396 | CVE-2013-6924 | 77 | | Exec Code | 2017-10-11 | 2017-11-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Seagate BlackArmor NAS devices with firmware sg2000-2000.1331 allow remote attackers to execute arbitrary commands via shell metacharacters in the ip parameter to backupmgt/getAlias.php. |
| 1397 | CVE-2013-6355 | | | +Info | 2017-10-17 | 2017-10-17 | 0.0 | None | ??? | ??? | ??? | ??? | ??? | ??? | The Microsoft Graphics Component in Windows Server 2003 Service Pack 2, x64 Edition Service Pack 2, SP2 for Itanium-based Systems, Windows Vista Service pack 2 and x64 Edition Service Pack 2, Windows Server 2008 for 32-bit Systems Service Pack 2, x64-based Systems Service Pack 2, and Itanium-based Systems Service Pack 2, Windows 7 for 32-bit Systems Service Pack 1, and x64-based Systems Service Pack 1, Windows Server 2008 R2 for x64-based Systems Service Pack 1, and Itanium-based Systems Service Pack 1, Windows 8 and Windows 8.1 for 32-bit Systems and x64-based Systems, Windows Server 2012 and Windows Server 2012 R2, Windows RT and Windows RT 8.1, and the Server Core installation option for Windows Server 2008 for 32-bit Systems Service pack 2, Windows Server 2008 for x64-based Systems Service Pack 2, Windows Server 2008 R2 for x64-based Systems Service Pack 1, Windows Server 2012, and Windows Server 2012 R2 does not properly decode JPEG images in memory, which allows remote attackers to obtain sensitive information via a crafted JPEG. |
| 1398 | CVE-2013-6049 | 20 | | | 2017-10-20 | 2017-11-08 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | apt-listbugs before 0.1.10 creates temporary files insecurely, which allows attackers to have unspecified impact via unknown vectors. |
| 1399 | CVE-2013-4366 | 20 | | | 2017-10-30 | 2020-07-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | http/impl/client/HttpClientBuilder.java in Apache HttpClient 4.3.x before 4.3.1 does not ensure that X509HostnameVerifier is not null, which allows attackers to have unspecified impact via vectors involving hostname verification. |
| 1400 | CVE-2013-4246 | 284 | | DoS +Info | 2017-10-30 | 2017-11-18 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | libsvn_fs_fs/fs_fs.c in Apache Subversion 1.8.x before 1.8.2 might allow remote authenticated users with commit access to corrupt FSFS repositories and cause a denial of service or obtain sensitive information by editing packed revision properties. |
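Three entries above (CVE-2014-3744, CVE-2014-0115, CVE-2014-3702) are the same class of bug: a path parameter that reaches the filesystem with a dot-dot in it, in the first case percent-encoded as %2e%2e so that a check on the raw request string never sees it. The following Python is an added illustration of that class and is not code from this page or from the st, Storm or eDeploy projects; the root directory, the request paths and the helper names are constructed for the example. It shows the literal-substring check beside a decode, normalize and containment check.

```python
import posixpath
from urllib.parse import unquote

# Constructed sample request paths for illustration; none are taken from the
# advisories above, they only reproduce the patterns those advisories name.
SAMPLE_REQUESTS = [
    "css/site.css",                 # benign
    "../../etc/passwd",             # plain dot-dot (CVE-2014-0115 pattern)
    "%2e%2e/%2e%2e/etc/passwd",     # percent-encoded dot-dot (CVE-2014-3744 pattern)
    "%252e%252e/etc/passwd",        # double-encoded
    "/etc/passwd",                  # absolute path
    "logs/..%2fsecret.txt",         # encoded slash; normalizes to a path inside root
    "a%00.txt",                     # embedded NUL
]


def naive_rejects(user_path: str) -> bool:
    """The weak check many handlers start with: look for a literal '..'
    in the raw request string. Percent-encoded dots pass because decoding
    happens later, in the layer that actually opens the file."""
    return ".." in user_path


def safe_join(root: str, user_path: str) -> str:
    """Decode once, normalize, then prove the result still lies under root.
    Raises ValueError for traversal, absolute paths, NUL bytes and paths
    that are still percent-encoded after one round of decoding."""
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    if "%" in decoded and unquote(decoded) != decoded:
        raise ValueError("multiply-encoded path rejected")
    if decoded.startswith(("/", "\\")):
        raise ValueError("absolute path rejected")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # Containment test on the normalized string: equal to root, or root plus
    # a separator as prefix. A bare startswith(root) would accept /srv/www2.
    if candidate != root_norm and not candidate.startswith(root_norm + "/"):
        raise ValueError(f"path escapes root: {user_path!r}")
    return candidate


def traversal_report(root: str, requests: list[str]) -> dict[str, str]:
    """Map each request to the path the hardened check would serve, or to
    'rejected'. Handy for seeing which inputs the naive check lets through."""
    report = {}
    for req in requests:
        try:
            report[req] = safe_join(root, req)
        except ValueError:
            report[req] = "rejected"
    return report


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        served = traversal_report("/srv/www", [req])[req]
        print(f"{req!r:32} naive_rejects={naive_rejects(req)!s:5} hardened={served}")
```

The order of operations is the point: decoding must happen before the dot-dot check, normalization must happen before the containment check, and the containment check must compare against the root plus a separator so that a sibling directory with the same prefix is not accepted.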
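CVE-2014-9118, CVE-2013-6924 and CVE-2014-1203 share another pattern: an address or domain parameter pasted into a command line that a shell then interprets. The Python below is an added illustration, not code from this page or from the Zhone, Seagate or Eyou products; the sample parameter values, the hostname policy and the helper names are assumptions for the example. It tokenizes the shell form the way sh would, so the effect of a metacharacter in the parameter is visible, and places the argv-based form with an allow-list validator beside it.

```python
import ipaddress
import re
import shlex
import subprocess

# RFC 1123-style hostname: labels of letters, digits and hyphens, no leading or
# trailing hyphen, at most 253 characters. An assumed policy for this example.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Constructed sample values for an ipAddr-style parameter; not real traffic.
SAMPLE_TARGETS = [
    "192.0.2.10",
    "::1",
    "example.com",
    "192.0.2.10; cat /etc/passwd",   # command separator
    "192.0.2.10 && id",              # another separator
    "-f",                            # option injection rather than command injection
]


def build_ping_shell_string(target: str) -> str:
    """The vulnerable pattern: interpolate the parameter into a command line
    that will be handed to a shell (system(), popen(), shell=True)."""
    return f"ping -c 1 {target}"


def commands_the_shell_would_run(cmdline: str) -> list[list[str]]:
    """Tokenize a command line the way sh splits it, then cut at the command
    separators, so the extra commands smuggled in by the parameter show up."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def validate_target(target: str) -> str:
    """Allow-list: an IPv4/IPv6 literal or a syntactically valid hostname.
    Anything else, including values carrying shell metacharacters or a
    leading '-', is rejected before it reaches a process boundary."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected target: {target!r}")


def is_accepted(target: str) -> bool:
    """True if validate_target would let this value through."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False


def build_ping_argv(target: str) -> list[str]:
    """Hardened form: the validated value is a single argv element and no
    shell is involved, so metacharacters could only reach ping literally."""
    return ["ping", "-c", "1", validate_target(target)]


def run_ping(target: str) -> subprocess.CompletedProcess:
    """Execute the hardened form; shell=False is subprocess's default."""
    return subprocess.run(build_ping_argv(target), capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    for t in SAMPLE_TARGETS:
        print(f"shell form of {t!r} runs: {commands_the_shell_would_run(build_ping_shell_string(t))}")
        if is_accepted(t):
            print(f"  hardened argv: {build_ping_argv(t)}")
        else:
            print(f"  hardened: rejected {t!r}")
```

Both halves are needed: passing argv without a shell stops the separator from ending the command, and the allow-list stops a value such as "-f" from being read as an option by the program itself.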