CVEs from 2014
Total
7,931
critical
critical 837
high
high 1,288
medium
medium 4,980
low
low 583
% Critical
10.6%
% with KEV
0.4%
% with exploit
0.6%
Top vendors
Top products
- chrome 3,804
- moodle 1,668
- flash_player 1,397
- firefox 1,239
- mediawiki 1,130
- ffmpeg 998
- acrobat 966
- acrobat_reader 944
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2014-0683 | critical | — | 10.0 | 12y ago | The web management interface on the Cisco RV110W firewall with firmware 1.2.0.9 and earlier, RV215W router with firmware 1.1.0.5 and earlier, and CVR100W router with firmware 1.0.1.19 and earlier doe… | |
| CVE-2014-2206 | critical | — | 10.0 | 12y ago | Stack-based buffer overflow in GetGo Download Manager 4.9.0.1982, 4.8.2.1346, 4.4.5.502, and earlier allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a long… | |
| CVE-2014-0862 | critical | — | 10.0 | 12y ago | Unspecified vulnerability in Jazz Team Server in IBM Rational Collaborative Lifecycle Management (CLM) 3.x before 3.0.1.6 iFix 2 and 4.x before 4.0.6 allows remote attackers to execute arbitrary code… | |
| CVE-2014-2075 | critical | — | 10.0 | 12y ago | TIBCO Enterprise Administrator 1.0.0 and Enterprise Administrator SDK 1.0.0 do not properly enforce administrative authentication requirements, which allows remote attackers to execute arbitrary comm… | |
| CVE-2014-0721 | critical | — | 10.0 | 12y ago | The Cisco Unified SIP Phone 3905 with firmware before 9.4(1) allows remote attackers to obtain root access via a session on the test interface on TCP port 7870, aka Bug ID CSCuh75574. | |
| CVE-2014-0498 | critical | — | 10.0 | 12y ago | Stack-based buffer overflow in Adobe Flash Player before 11.7.700.269 and 11.8.x through 12.0.x before 12.0.0.70 on Windows and Mac OS X and before 11.2.202.341 on Linux, Adobe AIR before 4.0.0.1628 … | |
| CVE-2014-0501 | critical | — | 10.0 | 13y ago | Adobe Shockwave Player before 12.0.9.149 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE… | |
| CVE-2014-0500 | critical | — | 10.0 | 13y ago | Adobe Shockwave Player before 12.0.9.149 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE… | |
| CVE-2014-0294 | critical | — | 10.0 | 13y ago | Microsoft Forefront Protection 2010 for Exchange Server does not properly parse e-mail content, which might allow remote attackers to execute arbitrary code via a crafted message, aka "RCE Vulnerabil… | |
| CVE-2014-1488 | critical | — | 10.0 | 13y ago | The Web workers implementation in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allows remote attackers to execute arbitrary code via vectors involving termination of a worker process that ha… | |
| CVE-2014-1478 | critical | — | 10.0 | 13y ago | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 27.0 and SeaMonkey before 2.24 allow remote attackers to cause a denial of service (memory corruption and applicat… | |
| CVE-2014-1681 | critical | — | 10.0 | 13y ago | Multiple unspecified vulnerabilities in Google Chrome before 32.0.1700.102 have unknown impact and attack vectors, related to 12 "security fixes [that were not] either contributed by external researc… | |
| CVE-2014-0494 | critical | — | 10.0 | 13y ago | Adobe Digital Editions 2.0.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via unspecified vectors. | |
| CVE-2014-0650 | critical | — | 10.0 | 13y ago | The web interface in Cisco Secure Access Control System (ACS) 5.x before 5.4 Patch 3 allows remote attackers to execute arbitrary operating-system commands via a request to this interface, aka Bug ID… | |
| CVE-2014-0648 | critical | — | 10.0 | 13y ago | The RMI interface in Cisco Secure Access Control System (ACS) 5.x before 5.5 does not properly enforce authentication and authorization requirements, which allows remote attackers to obtain administr… | |
| CVE-2014-0495 | critical | — | 10.0 | 13y ago | Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified … | |
| CVE-2014-0493 | critical | — | 10.0 | 13y ago | Adobe Reader and Acrobat 10.x before 10.1.9 and 11.x before 11.0.06 on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified … | |
| CVE-2014-0492 | critical | — | 10.0 | 13y ago | Adobe Flash Player before 11.7.700.260 and 11.8.x and 11.9.x before 12.0.0.38 on Windows and Mac OS X and before 11.2.202.335 on Linux, Adobe AIR before 4.0.0.1390, Adobe AIR SDK before 4.0.0.1390, a… | |
| CVE-2014-0491 | critical | — | 10.0 | 13y ago | Adobe Flash Player before 11.7.700.260 and 11.8.x and 11.9.x before 12.0.0.38 on Windows and Mac OS X and before 11.2.202.335 on Linux, Adobe AIR before 4.0.0.1390, Adobe AIR SDK before 4.0.0.1390, a… | |
| CVE-2014-1201 | critical | — | 10.0 | 13y ago | Buffer overflow in the INetViewX ActiveX control in the Lorex Edge LH310 and Edge+ LH320 series with firmware 7-35-28-1B26E, Edge2 LH330 series with firmware 11.17.38-33_1D97A, and Edge3 LH340 series… | |
| CVE-2014-0428 | critical | — | 10.0 | 13y ago | Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via vectors rel… | |
| CVE-2014-0422 | critical | — | 10.0 | 13y ago | Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; Java SE Embedded 7u45; and OpenJDK 7 allows remote attackers to affect confidentiality, integrity, and availability via vectors rel… | |
| CVE-2014-0415 | critical | — | 10.0 | 13y ago | Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnera… | |
| CVE-2014-0410 | critical | — | 10.0 | 13y ago | Unspecified vulnerability in Oracle Java SE 6u65 and 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment, a different vulnera… | |
| CVE-2014-0659 | critical | — | 10.0 | 13y ago | The Cisco WAP4410N access point with firmware through 2.0.6.1, WRVS4400N router with firmware 1.x through 1.1.13 and 2.x through 2.0.2.1, and RVS4000 router with firmware through 2.0.3.2 allow remote… | |
| CVE-2014-1236 | critical | — | 10.0 | 13y ago | Stack-based buffer overflow in the chkNum function in lib/cgraph/scan.l in Graphviz 2.34.0 allows remote attackers to have unspecified impact via vectors related to a "badly formed number" and a "lon… | |
| CVE-2014-125112 | critical | 9.8 | 9.8 | 2mo ago | Plack::Middleware::Session::Cookie versions through 0.21 for Perl allows remote code execution. Plack::Middleware::Session::Cookie versions through 0.21 has a security vulnerability where it allows … | |
| CVE-2014-9515 | critical | 9.8 | 9.8 | 9y ago | Dozer improperly uses a reflection-based approach to type conversion, which might allow remote attackers to execute arbitrary code via a crafted serialized object. | |
| CVE-2014-3630 | critical | 9.8 | 9.8 | 9y ago | XML external entity (XXE) vulnerability in the Java XML processing functionality in Play before 2.2.6 and 2.3.x before 2.3.5 might allow remote attackers to read arbitrary files, cause a denial of se… | |
| CVE-2014-0121 | critical | 9.8 | 9.8 | 9y ago | The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter. | |
| CVE-2014-4914 | critical | 9.8 | 9.8 | 9y ago | The Zend_Db_Select::order function in Zend Framework before 1.12.7 does not properly handle parentheses, which allows remote attackers to conduct SQL injection attacks via unspecified vectors. | |
| CVE-2014-8389 | critical | 9.8 | 9.8 | 9y ago | cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware 1.43 21.08.2014, AirLive MD-3025 with firmware 1.81 21.08.2014, AirLive WL-2000CAM with… | |
| CVE-2014-0073 | critical | 9.8 | 9.8 | 9y ago | The CDVInAppBrowser class in the Apache Cordova In-App-Browser standalone plugin (org.apache.cordova.inappbrowser) before 0.3.2 for iOS and the In-App-Browser plugin for iOS from Cordova 2.6.0 throug… | |
| CVE-2014-3624 | critical | 9.8 | 9.8 | 9y ago | Apache Traffic Server 5.1.x before 5.1.1 allows remote attackers to bypass access restrictions by leveraging failure to properly tunnel remap requests using CONNECT. | |
| CVE-2014-3600 | critical | 9.8 | 9.8 | 9y ago | Improper Restriction of XML External Entity Reference in Apache ActiveMQ | |
| CVE-2014-3579 | critical | 9.8 | 9.8 | 9y ago | Apache ActiveMQ Apollo XXE Vulnerability | |
| CVE-2014-2023 | critical | 9.8 | 9.8 | 9y ago | Multiple SQL injection vulnerabilities in the Tapatalk plugin 4.9.0 and earlier and 5.x through 5.2.1 for vBulletin allow remote attackers to execute arbitrary SQL commands via a crafted xmlrpc API r… | |
| CVE-2014-1203 | critical | 9.8 | 9.8 | 9y ago | The get_login_ip_config_file function in Eyou Mail System before 3.6 allows remote attackers to execute arbitrary commands via shell metacharacters in the domain parameter to admin/domain/ip_login_se… | |
| CVE-2014-3741 | critical | 9.8 | 9.8 | 9y ago | Potential Command Injection in printer | |
| CVE-2014-9733 | critical | 9.8 | 9.8 | 9y ago | nw.js before 0.11.5 can simulate user input events in a normal frame, which allows remote attackers to have unspecified impact via unknown vectors. | |
| CVE-2014-9487 | critical | 9.8 | 9.8 | 9y ago | The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML Externa… | |
| CVE-2014-9148 | critical | 9.8 | 9.8 | 9y ago | Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct … | |
| CVE-2014-8621 | critical | 9.8 | 9.8 | 9y ago | SQL injection vulnerability in the Store Locator plugin 2.3 through 3.11 for WordPress allows remote attackers to execute arbitrary SQL commands via the sl_custom_field parameter to sl-xml.php. | |
| CVE-2014-9474 | critical | 9.8 | 9.8 | 9y ago | Buffer overflow in the mpfr_strtofr function in GNU MPFR before 3.1.2-p11 allows context-dependent attackers to have unspecified impact via vectors related to incorrect documentation for mpn_set_str. | |
| CVE-2014-0030 | critical | 9.8 | 9.8 | 9y ago | The XML-RPC protocol support in Apache Roller before 5.0.3 allows attackers to conduct XML External Entity (XXE) attacks via unspecified vectors. | |
| CVE-2014-8686 | critical | 9.8 | 9.8 | 9y ago | CodeIgniter before 2.2.0 makes it easier for attackers to decode session cookies by leveraging fallback to a custom XOR-based encryption scheme when the Mcrypt extension for PHP is not available. | |
| CVE-2014-8684 | critical | 9.8 | 9.8 | 9y ago | CodeIgniter and Kohana vulnerable to PHP Object Injection | |
| CVE-2014-9618 | critical | 9.8 | 9.8 | 9y ago | The Client Filter Admin portal in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to bypass authentication and subsequently create arbitrary profiles via … | |
| CVE-2014-9611 | critical | 9.8 | 9.8 | 9y ago | Netsweeper before 4.0.5 allows remote attackers to bypass authentication and create arbitrary accounts and policies via a request to webadmin/nslam/index.php. | |
| CVE-2014-8174 | critical | 9.8 | 9.8 | 9y ago | eDeploy makes it easier for remote attackers to execute arbitrary code by leveraging use of HTTP to download files. | |
| CVE-2014-9558 | critical | 9.8 | 9.8 | 9y ago | Multiple SQL injection vulnerabilities in SmartCMS v.2. | |
| CVE-2014-9513 | critical | 9.8 | 9.8 | 9y ago | Insecure use of temporary files in xbindkeys-config 0.1.3-2 allows remote attackers to execute arbitrary code. | |
| CVE-2014-8428 | critical | 9.8 | 9.8 | 9y ago | Privilege escalation vulnerability in Barracuda Load Balancer 5.0.0.015 via the use of an improperly protected SSH key. | |
| CVE-2014-8426 | critical | 9.8 | 9.8 | 9y ago | Hard coded weak credentials in Barracuda Load Balancer 5.0.0.015. | |
| CVE-2014-7859 | critical | 9.8 | 9.8 | 9y ago | Stack-based buffer overflow in login_mgr.cgi in D-Link firmware DNR-320L and DNS-320LW before 1.04b08, DNR-322L before 2.10 build 03, DNR-326 before 2.10 build 03, and DNS-327L before 1.04b01 allows … | |
| CVE-2014-7858 | critical | 9.8 | 9.8 | 9y ago | The check_login function in D-Link DNR-326 before 2.10 build 03 allows remote attackers to bypass authentication and log in by setting the username cookie parameter to an arbitrary string. | |
| CVE-2014-7857 | critical | 9.8 | 9.8 | 9y ago | D-Link DNS-320L firmware before 1.04b12, DNS-327L before 1.03b04 Build0119, DNR-326 1.40b03, DNS-320B 1.02b01, DNS-345 1.03b06, DNS-325 1.05b03, and DNS-322L 2.00b07 allow remote attackers to bypass … | |
| CVE-2014-9981 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an overflow check in the USB interface was insufficient during boot. | |
| CVE-2014-9980 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a Sample App failed to check a length potentially leading to unauthorized access to secure memory. | |
| CVE-2014-9979 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a variable is uninitialized in a TrustZone system call potentially leading to the compromise of secure memory. | |
| CVE-2014-9978 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in a QTEE service. | |
| CVE-2014-9977 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in PlayReady DRM. | |
| CVE-2014-9976 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in 1x call processing. | |
| CVE-2014-9975 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a rollback vulnerability potentially exists in Full Disk Encryption. | |
| CVE-2014-9974 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, validation of buffer lengths was missing in Keymaster. | |
| CVE-2014-9973 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, validation of a buffer length was missing in a PlayReady DRM routine. | |
| CVE-2014-9972 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, disabling asserts can potentially cause a NULL pointer dereference during an out-of-memory condition. | |
| CVE-2014-9971 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, disabling asserts causes an instruction inside of an assert to not be executed resulting in incorrect control flow. | |
| CVE-2014-9969 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, the GPS client may use an insecure cryptographic algorithm. | |
| CVE-2014-9968 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in the UIMDIAG interface. | |
| CVE-2014-9411 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, the use of an out-of-range pointer offset is potentially possible in rollback protection. | |
| CVE-2014-9984 | critical | 9.8 | 9.8 | 9y ago | nscd in the GNU C Library (aka glibc or libc6) before version 2.20 does not correctly compute the size of an internal buffer when processing netgroup requests, possibly leading to an nscd daemon cras… | |
| CVE-2014-8687 | critical | 9.8 | 9.8 | 9y ago | Seagate Business NAS devices with firmware before 2015.00322 allow remote attackers to execute arbitrary code with root privileges by leveraging use of a static encryption key to create session token… | |
| CVE-2014-3527 | critical | 9.8 | 9.8 | 9y ago | Authorization Bypass in Spring Security | |
| CVE-2014-9654 | critical | 9.8 | 9.8 | 9y ago | The Regular Expressions package in International Components for Unicode (ICU) for C/C++ before 2014-12-03, as used in Google Chrome before 40.0.2214.91, calculates certain values without ensuring tha… | |
| CVE-2014-7921 | critical | 9.8 | 9.8 | 9y ago | mediaserver in Android 4.0.3 through 5.x before 5.1 allows attackers to gain privileges. NOTE: This is a different vulnerability than CVE-2014-7920. | |
| CVE-2014-7920 | critical | 9.8 | 9.8 | 9y ago | mediaserver in Android 2.2 through 5.x before 5.1 allows attackers to gain privileges. NOTE: This is a different vulnerability than CVE-2014-7921. | |
| CVE-2014-3928 | critical | 9.8 | 9.8 | 9y ago | Cougar-LG stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain credentials. | |
| CVE-2014-3927 | critical | 9.8 | 9.8 | 9y ago | mrlg-lib.php in mrlg4php before 1.0.8 allows remote attackers to execute arbitrary shell code. | |
| CVE-2014-9693 | critical | 9.8 | 9.8 | 9y ago | Huawei Tecal RH1288 V2 V100R002C00SPC107 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285 V2 V100R002C00SPC115 and earlier versions, Tecal RH2265 V2 V100R002C00, Tecal RH2285H V2 V100R… | |
| CVE-2014-5009 | critical | 9.8 | 9.8 | 9y ago | Snoopy allows remote attackers to execute arbitrary commands. NOTE: this vulnerability exists due to an incomplete fix for CVE-2014-5008. | |
| CVE-2014-5008 | critical | 9.8 | 9.8 | 9y ago | Snoopy allows remote attackers to execute arbitrary commands. | |
| CVE-2014-9826 | critical | 9.8 | 9.8 | 9y ago | ImageMagick allows remote attackers to have unspecified impact via vectors related to error handling in sun files. | |
| CVE-2014-3582 | critical | 9.8 | 9.8 | 9y ago | In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster. | |
| CVE-2014-6440 | critical | 9.8 | 9.8 | 9y ago | VideoLAN VLC media player before 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service. | |
| CVE-2014-8731 | critical | 9.8 | 9.8 | 9y ago | PHPMemcachedAdmin 1.2.2 and earlier allows remote attackers to execute arbitrary PHP code via vectors related "serialized data and the last part of the concatenated filename," which creates a file in… | |
| CVE-2014-7279 | critical | 9.8 | 9.8 | 9y ago | The Konke Smart Plug K does not require authentication for TELNET sessions, which allows remote attackers to obtain "equipment management authority" via TCP traffic to port 23. | |
| CVE-2014-9939 | critical | 9.8 | 9.8 | 9y ago | ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects. | |
| CVE-2014-9847 | critical | 9.8 | 9.8 | 9y ago | The jng decoder in ImageMagick 6.8.9.9 allows remote attackers to have an unspecified impact. | |
| CVE-2014-9846 | critical | 9.8 | 9.8 | 9y ago | Buffer overflow in the ReadRLEImage function in coders/rle.c in ImageMagick 6.8.9.9 allows remote attackers to have unspecified impact. | |
| CVE-2014-9843 | critical | 9.8 | 9.8 | 9y ago | The DecodePSDPixels function in coders/psd.c in ImageMagick 6.8.9.9 allows remote attackers to have unspecified impact via unknown vectors. | |
| CVE-2014-9841 | critical | 9.8 | 9.8 | 9y ago | The ReadPSDLayers function in coders/psd.c in ImageMagick 6.8.9.9 allows remote attackers to have unspecified impact via unknown vectors, related to "throwing of exceptions." | |
| CVE-2014-9852 | critical | 9.8 | 9.8 | 9y ago | distribute-cache.c in ImageMagick re-uses objects after they have been destroyed, which allows remote attackers to have unspecified impact via unspecified vectors. | |
| CVE-2014-8708 | critical | 9.8 | 9.8 | 9y ago | Pluck CMS 4.7.2 allows remote attackers to execute arbitrary code via the blog form feature. | |
| CVE-2014-8705 | critical | 9.8 | 9.8 | 9y ago | PHP remote file inclusion vulnerability in editInplace.php in Wonder CMS 2014 allows remote attackers to execute arbitrary PHP code via a URL in the hook parameter. | |
| CVE-2014-8704 | critical | 9.8 | 9.8 | 9y ago | Directory traversal vulnerability in index.php in Wonder CMS 2014 allows remote attackers to include and execute arbitrary local files via a crafted theme. | |
| CVE-2014-9921 | critical | 9.8 | 9.8 | 9y ago | Information disclosure vulnerability in McAfee (now Intel Security) Cloud Analysis and Deconstructive Services (CADS) 1.0.0.3x, 1.0.0.4d and earlier allows remote unauthenticated users to view, add, … | |
| CVE-2014-8362 | critical | 9.8 | 9.8 | 10y ago | Vivint Sky Control Panel 1.1.1.9926 allows remote attackers to enable and disable the alarm system and modify other security settings via the Web-enabled interface. | |
| CVE-2014-9912 | critical | 9.8 | 9.8 | 10y ago | The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp… | |
| CVE-2014-9911 | critical | 9.8 | 9.8 | 10y ago | Stack-based buffer overflow in the ures_getByKeyWithFallback function in common/uresbund.cpp in International Components for Unicode (ICU) before 54.1 for C/C++ allows remote attackers to cause a den… |