CVEs from 2014
- Total: 7,926
- Critical: 837
- High: 1,288
- Medium: 4,980
- Low: 583 (the four severity buckets sum to 7,688, so 238 entries show no severity)
- % Critical: 10.6% (837 of 7,926)
- % in CISA KEV catalog: 0.4%
- % with exploit: 0.6%
Top vendors
Top products
- chrome 3,804
- moodle 1,668
- flash_player 1,397
- firefox 1,239
- mediawiki 1,130
- ffmpeg 998
- acrobat 966
- acrobat_reader 944
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2014-4506 | low | — | 2.1 | 12y ago | Cross-site scripting (XSS) vulnerability in the Custom Meta module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal allows remote authenticated users with the "administer custom meta sett… | |
| CVE-2014-4303 | low | — | 2.1 | 12y ago | Multiple cross-site scripting (XSS) vulnerabilities in the Touch theme 7.x-1.x before 7.x-1.9 for Drupal allow remote authenticated users with the Administer themes permission to inject arbitrary web… | |
| CVE-2014-4039 | low | — | 2.1 | 12y ago | ppc64-diag 2.6.1 uses 0775 permissions for /tmp/diagSEsnap and does not properly restrict permissions for /tmp/diagSEsnap/snapH.tar.gz, which allows local users to obtain sensitive information by rea… | |
| CVE-2014-3873 | low | — | 2.1 | 12y ago | The ktrace utility in the FreeBSD kernel 8.4 before p11, 9.1 before p14, 9.2 before p7, and 9.3-BETA1 before p1 uses an incorrect page fault kernel trace entry size, which allows local users to obtai… | |
| CVE-2014-0202 | low | — | 2.1 | 12y ago | The setup script in ovirt-engine-dwh, as used in the Red Hat Enterprise Virtualization Manager data warehouse (rhevm-dwh) package before 3.3.3, stores the history database password in cleartext, whic… | |
| CVE-2014-0201 | low | — | 2.1 | 12y ago | ovirt-engine-reports, as used in the Red Hat Enterprise Virtualization reports package (rhevm-reports) before 3.3.3, uses world-readable permissions on configuration files, which allows local users t… | |
| CVE-2014-0200 | low | — | 2.1 | 12y ago | The Red Hat Enterprise Virtualization Manager reports (rhevm-reports) package before 3.3.3-1 uses world-readable permissions on the datasource configuration file (js-jboss7-ds.xml), which allows loca… | |
| CVE-2014-0199 | low | — | 2.1 | 12y ago | The setup script in ovirt-engine-reports, as used in the Red Hat Enterprise Virtualization reports (rhevm-reports) package before 3.3.3, stores the reports database password in cleartext, which allow… | |
| CVE-2014-1738 | low | — | 2.1 | 12y ago | The raw_cmd_copyout function in drivers/block/floppy.c in the Linux kernel through 3.14.3 does not properly restrict access to certain pointers during processing of an FDRAWCMD ioctl call, which allo… | |
| CVE-2014-3123 | low | — | 2.1 | 12y ago | Cross-site scripting (XSS) vulnerability in admin/manage-images.php in the NextCellent Gallery plugin before 1.19.18 for WordPress allows remote authenticated users with the NextGEN Upload images, Ne… | |
| CVE-2014-3426 | low | — | 2.1 | 12y ago | NCSA Mosaic 2.1 through 2.7b5 allows local users to cause a denial of service ("remote control" outage) by creating a /tmp/Mosaic.pid file for every possible PID. | |
| CVE-2014-3425 | low | — | 2.1 | 12y ago | NCSA Mosaic 2.0 and earlier allows local users to cause a denial of service ("remote control" outage) by creating a /tmp/xmosaic.pid file for every possible PID. | |
| CVE-2014-0164 | low | — | 2.1 | 12y ago | openshift-origin-broker-util, as used in Red Hat OpenShift Enterprise 1.2.7 and 2.0.5, uses world-readable permissions for the mcollective client.cfg configuration file, which allows local users to o… | |
| CVE-2014-0189 | low | — | 2.1 | 12y ago | virt-who uses world-readable permissions for /etc/sysconfig/virt-who, which allows local users to obtain password for hypervisors by reading the file. | |
| CVE-2014-0181 | low | — | 2.1 | 12y ago | The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intend… | |
| CVE-2014-1933 | low | — | 2.1 | 12y ago | The (1) JpegImagePlugin.py and (2) EpsImagePlugin.py scripts in Python Image Library (PIL) 1.1.7 and earlier and Pillow before 2.3.1 uses the names of temporary files on the command line, which makes… | |
| CVE-2014-0085 | low | — | 2.1 | 12y ago | Exposure of Sensitive Information to an Unauthorized Actor in JBoss Fuse | |
| CVE-2014-2466 | low | — | 2.1 | 12y ago | Unspecified vulnerability in the Oracle Agile PLM Framework component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect confidentiality via unknown vectors relat… | |
| CVE-2014-2690 | low | — | 2.1 | 12y ago | Citrix VDI-in-a-Box 5.3.x before 5.3.6 and 5.4.x before 5.4.3 allows local users to obtain administrator credentials by reading the log. | |
| CVE-2014-1279 | low | — | 2.1 | 12y ago | Apple TV before 6.1 does not properly restrict logging, which allows local users to obtain sensitive information by reading log data. | |
| CVE-2014-1274 | low | — | 2.1 | 12y ago | FaceTime in Apple iOS before 7.1 allows physically proximate attackers to obtain sensitive FaceTime contact information by using the lock screen for an invalid FaceTime call. | |
| CVE-2014-2040 | low | — | 2.1 | 12y ago | Multiple cross-site scripting (XSS) vulnerabilities in the (1) callback_multicheck, (2) callback_radio, and (3) callback_wysiwygin functions in mfrh_class.settings-api.php in the Media File Renamer p… | |
| CVE-2014-2038 | low | — | 2.1 | 12y ago | The nfs_can_extend_write function in fs/nfs/write.c in the Linux kernel before 3.13.3 relies on a write delegation to extend a write operation without a certain up-to-date verification, which allows … | |
| CVE-2014-1832 | low | — | 2.1 | 13y ago | Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists beca… | |
| CVE-2014-1604 | low | — | 2.1 | 13y ago | The parser cache functionality in parsergenerator.py in RPLY (aka python-rply) before 0.7.1 allows local users to spoof cache data by pre-creating a temporary rply-*.json file with a predictable name. | |
| CVE-2014-0647 | low | — | 2.1 | 13y ago | The Starbucks 2.6.1 application for iOS stores sensitive information in plaintext in the Crashlytics log file (/Library/Caches/com.crashlytics.data/com.starbucks.mystarbucks/session.clslog), which al… | |
| CVE-2014-1831 | low | — | 2.1 | 13y ago | Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. | |
| CVE-2014-0979 | low | — | 2.1 | 13y ago | The start_authentication function in lightdm-gtk-greeter.c in LightDM GTK+ Greeter before 1.7.1 does not properly handle the return value from the lightdm_greeter_get_authentication_user function, wh… | |
| CVE-2014-1445 | low | — | 2.1 | 13y ago | The wanxl_ioctl function in drivers/net/wan/wanxl.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive information f… | |
| CVE-2014-1234 | low | — | 1.9 | 13y ago | Paratrooper-newrelic Exposure of Sensitive Information to an Unauthorized Actor | |
| CVE-2014-1233 | low | — | 2.1 | 13y ago | Local API Login Credentials Disclosure in paratrooper-pingdom | |
| CVE-2014-8923 | low | — | 1.9 | 11y ago | The (1) IBM Tivoli Identity Manager Active Directory adapter before 5.1.24 and (2) IBM Security Identity Manager Active Directory adapter before 6.0.14 for IBM Security Identity Manager on Windows, w… | |
| CVE-2014-6195 | low | — | 1.9 | 11y ago | The (1) Java GUI and (2) Web GUI components in the IBM Tivoli Storage Manager (TSM) Backup-Archive client 5.4 and 5.5 before 5.5.4.4 on AIX, Linux, and Solaris; 5.4.x and 5.5.x on Windows and z/OS; 6… | |
| CVE-2014-5233 | low | — | 1.9 | 12y ago | The Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows physically proximate attackers to discover Sm@rtServer credentials by leveraging an error in the credential-processing mechanism. | |
| CVE-2014-5232 | low | — | 1.9 | 12y ago | The Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows local users to bypass an intended application-password requirement by leveraging the running of the app in the background state. | |
| CVE-2014-9415 | low | — | 1.9 | 12y ago | Huawei eSpace Desktop before V100R001C03 allows local users to cause a denial of service (program exit) via a crafted QES file. | |
| CVE-2014-7170 | low | — | 1.9 | 12y ago | Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service. | |
| CVE-2014-8595 | low | — | 1.9 | 12y ago | arch/x86/x86_emulate/x86_emulate.c in Xen 3.2.1 through 4.4.x does not properly check privileges, which allows local HVM guest users to gain privileges or cause a denial of service (crash) via a craf… | |
| CVE-2014-6146 | low | — | 1.9 | 12y ago | IBM Sterling B2B Integrator 5.2.x through 5.2.4, when the Connect:Direct Server Adapter is configured, does not properly process the logging configuration, which allows local users to obtain sensitiv… | |
| CVE-2014-3636 | low | — | 1.9 | 12y ago | D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of… | |
| CVE-2014-4450 | low | — | 1.9 | 12y ago | The QuickType feature in the Keyboards subsystem in Apple iOS before 8.1 collects typing-prediction data from fields with an off autocomplete attribute, which makes it easier for attackers to discove… | |
| CVE-2014-4448 | low | — | 1.9 | 12y ago | House Arrest in Apple iOS before 8.1 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information from a Documents direc… | |
| CVE-2014-5423 | low | — | 1.9 | 12y ago | CareFusion Pyxis SupplyStation 8.1 with hardware test tool before 1.0.16 allows local users to obtain potentially sensitive information by reading a temporary (1) debugging file or (2) developer file. | |
| CVE-2014-4822 | low | — | 1.9 | 12y ago | IBM WebSphere MQ classes for Java libraries 8.0 before 8.0.0.1 and Websphere MQ Explorer 7.5 before 7.5.0.5 and 8.0 before 8.0.0.2 allow local users to discover preconfigured cleartext passwords via … | |
| CVE-2014-4447 | low | — | 1.9 | 12y ago | Profile Manager in Apple OS X Server before 4.0 allows local users to discover cleartext passwords by reading a file after a (1) profile setup or (2) profile edit occurs. | |
| CVE-2014-6540 | low | — | 1.9 | 12y ago | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.1.34, before 4.2.26, and before 4.3.14 allows local users to affect availability via vecto… | |
| CVE-2014-4421 | low | — | 1.9 | 12y ago | The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-la… | |
| CVE-2014-4420 | low | — | 1.9 | 12y ago | The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-la… | |
| CVE-2014-4419 | low | — | 1.9 | 12y ago | The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-la… | |
| CVE-2014-4386 | low | — | 1.9 | 12y ago | Race condition in the App Installation feature in Apple iOS before 8 allows local users to gain privileges and install unverified apps by leveraging /tmp write access. | |
| CVE-2014-4384 | low | — | 1.9 | 12y ago | Directory traversal vulnerability in the App Installation feature in Apple iOS before 8 allows local users to install unverified apps by triggering code-signature validation of an unintended bundle. | |
| CVE-2014-4371 | low | — | 1.9 | 12y ago | The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-la… | |
| CVE-2014-5036 | low | — | 1.9 | 12y ago | The Storage Controller (SC) component in Eucalyptus 3.4.2 through 4.0.x before 4.0.1, when Dell Equallogic SAN is used, logs the CHAP user credentials, which allows local users to obtain sensitive in… | |
| CVE-2014-0974 | low | — | 1.9 | 12y ago | The boot_linux_from_mmc function in app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other produ… | |
| CVE-2014-0179 | low | — | 1.9 | 12y ago | libvirt 0.7.5 through 1.2.x before 1.2.5 allows local users to cause a denial of service (read block and hang) via a crafted XML document containing an XML external entity declaration in conjunction … | |
| CVE-2014-5030 | low | — | 1.9 | 12y ago | CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py. | |
| CVE-2014-4652 | low | — | 1.9 | 12y ago | Race condition in the tlv handler functionality in the snd_ctl_elem_user_tlv function in sound/core/control.c in the ALSA control implementation in the Linux kernel before 3.15.2 allows local users t… | |
| CVE-2014-1352 | low | — | 1.9 | 12y ago | Lock Screen in Apple iOS before 7.1.2 does not properly enforce the limit on failed passcode attempts, which makes it easier for physically proximate attackers to conduct brute-force passcode-guessin… | |
| CVE-2014-3956 | low | — | 1.9 | 12y ago | The sm_close_on_exec function in conf.c in sendmail before 8.14.9 has arguments in the wrong order, and consequently skips setting expected FD_CLOEXEC flags, which allows local users to access uninte… | |
| CVE-2014-3716 | low | — | 1.9 | 12y ago | Xen 4.4.x does not properly check alignment, which allows local users to cause a denial of service (crash) via an unspecified field in a DTB header in a 32-bit guest kernel. | |
| CVE-2014-2893 | low | — | 1.9 | 12y ago | The GetHTMLRunDir function in the scan-build utility in Clang 3.5 and earlier allows local users to obtain sensitive information or overwrite arbitrary files via a symlink attack on temporary directo… | |
| CVE-2014-1515 | low | — | 1.9 | 12y ago | Mozilla Firefox before 28.0.1 on Android processes a file: URL by copying a local file onto the SD card, which allows attackers to obtain sensitive information from the Firefox profile directory via … | |
| CVE-2014-0076 | low | — | 1.9 | 12y ago | The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces… | |
| CVE-2014-0017 | low | — | 1.9 | 12y ago | The RAND_bytes function in libssh before 0.6.3, when forking is enabled, does not properly reset the state of the OpenSSL pseudo-random number generator (PRNG), which causes the state to be shared be… | |
| CVE-2014-1281 | low | — | 1.9 | 12y ago | Photos Backend in Apple iOS before 7.1 does not properly manage the asset-library cache during deletions, which allows physically proximate attackers to obtain sensitive photo data by launching the P… | |
| CVE-2014-0135 | low | — | 1.9 | 12y ago | Kafo allows local users to obtain passwords and other sensitive information by reading default_values.yaml | |
| CVE-2014-0890 | low | — | 1.9 | 12y ago | The Connect client in IBM Sametime 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.2, 8.5.2.1, 9.0, and 9.0.0.1, when a certain com.ibm.collaboration.realtime.telephony.*.level setting is used, logs cleartext passwords… | |
| CVE-2014-0058 | low | — | 1.9 | 12y ago | The security audit functionality in Red Hat JBoss Enterprise Application Platform (EAP) 6.x before 6.2.1 logs request parameters in plaintext, which might allow local users to obtain passwords by rea… | |
| CVE-2014-0018 | low | — | 1.9 | 13y ago | Red Hat JBoss Enterprise Application Platform (JBEAP) 6.2.0 and JBoss WildFly Application Server, when run under a security manager, do not properly restrict access to the Modular Service Container (… | |
| CVE-2014-0019 | low | — | 1.9 | 13y ago | Stack-based buffer overflow in socat 1.3.0.0 through 1.7.2.2 and 2.0.0-b1 through 2.0.0-b6 allows local users to cause a denial of service (segmentation fault) via a long server name in the PROXY-CON… | |
| CVE-2014-1446 | low | — | 1.9 | 13y ago | The yam_ioctl function in drivers/net/hamradio/yam.c in the Linux kernel before 3.12.8 does not initialize a certain structure member, which allows local users to obtain sensitive information from ke… | |
| CVE-2014-4812 | low | — | 1.8 | 12y ago | The installer in IBM Security AppScan Source 8.x and 9.x through 9.0.1 has an open network port for a debug service, which allows remote attackers to obtain sensitive information by connecting to thi… | |
| CVE-2014-2926 | low | — | 1.7 | 12y ago | kapfa.sys in Kaseya Virtual System Administrator (VSA) 6.5 before 6.5.0.17 and 7.0 before 7.0.0.16 allows local users to cause a denial of service (NULL pointer dereference and application crash) via… | |
| CVE-2014-2603 | low | — | 1.7 | 12y ago | Unspecified vulnerability on HP 8/20q switches, SN6000 switches, and 8Gb Simple SAN Connection Kit with firmware before 8.0.14.08.00 allows remote authenticated users to obtain sensitive information … | |
| CVE-2014-1444 | low | — | 1.7 | 13y ago | The fst_get_iface function in drivers/net/wan/farsync.c in the Linux kernel before 3.11.7 does not properly initialize a certain data structure, which allows local users to obtain sensitive informati… | |
| CVE-2014-5029 | low | — | 1.5 | 12y ago | The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerabilit… | |
| CVE-2014-2485 | low | — | 1.4 | 12y ago | Unspecified vulnerability in the Siebel Core - EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows local users to affect confidentiality via unknown vectors related to Integration Business Serv… | |
| CVE-2014-6134 | low | — | 1.2 | 11y ago | IBM Rational ClearCase 8.0.0 before 8.0.0.14 and 8.0.1 before 8.0.1.7, when Installation Manager before 1.8.2 is used, retains cleartext server passwords in process memory throughout the installation… | |
| CVE-2014-5177 | low | — | 1.2 | 12y ago | libvirt 1.0.0 through 1.2.x before 1.2.5, when fine grained access control is enabled, allows local users to read arbitrary files via a crafted XML document containing an XML external entity declarat… | |
| CVE-2014-3537 | low | — | 1.2 | 12y ago | The web interface in CUPS before 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/. | |
| CVE-2014-2343 | low | — | 1.2 | 12y ago | Triangle MicroWorks SCADA Data Gateway before 3.00.0635 allows physically proximate attackers to cause a denial of service (excessive data processing) via a crafted DNP request over a serial line. | |
| CVE-2014-4248 | low | — | 1.0 | 12y ago | Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, and 12.2.3 allows local users to affect confidentiality via … | |
| CVE-2014-2488 | low | — | 1.0 | 12y ago | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect confidentiality via … |
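Two local-file mistakes account for a large share of the rows above: a predictable path in a shared directory that a local attacker pre-creates as a symlink (CVE-2014-2893, CVE-2014-5030, CVE-2014-1604, CVE-2014-1831, CVE-2014-4039), and a credential file written with world-readable permissions (CVE-2014-0189, CVE-2014-0164, CVE-2014-0200). The following is an added example, not code from any of the projects listed; it reproduces both mistakes in a throwaway directory beside the hardened form. File names, the `app-12345.tmp` name and the sample secret are constructed for the demo.

```python
# Added example (not code from any project in the table). Reproduces the
# symlink-on-predictable-path and world-readable-credential-file patterns
# and shows the O_EXCL / private-mode fix for each.
import os
import stat
import tempfile


def naive_write(path: str, data: bytes) -> None:
    """Vulnerable pattern: open(2) with O_CREAT but without O_EXCL follows a
    symlink already present at `path` and writes through it to the target."""
    with open(path, "wb") as f:
        f.write(data)


def safe_create(path: str, data: bytes) -> None:
    """Hardened pattern: O_CREAT|O_EXCL fails with EEXIST if anything (a regular
    file or a symlink, dangling or not) already exists at `path`, and the mode
    argument keeps the new file private from the start instead of chmod'ing later."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def is_world_readable(path: str) -> bool:
    """True if the group or other read bit is set on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def _read(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Runs both scenarios and returns the observations as a dict."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # --- symlink attack on a predictable temp-file name ---
        victim = os.path.join(d, "victim.txt")          # file the attacker wants clobbered
        with open(victim, "wb") as f:
            f.write(b"original")
        predictable = os.path.join(d, "app-12345.tmp")  # guessable name (e.g. PID-based)
        os.symlink(victim, predictable)                 # attacker plants the link first
        naive_write(predictable, b"clobbered")
        results["naive_clobbers_target"] = _read(victim) == b"clobbered"
        try:
            safe_create(predictable, b"must not reach victim")
            results["safe_refuses_symlink"] = False
        except FileExistsError:
            results["safe_refuses_symlink"] = True
        results["victim_after_safe"] = _read(victim)
        # tempfile.mkstemp combines O_EXCL with an unpredictable name and a
        # 0600 mode, which is the standard fix for this bug class
        fd, unpredictable = tempfile.mkstemp(dir=d)
        os.close(fd)
        results["mkstemp_mode"] = stat.S_IMODE(os.stat(unpredictable).st_mode)
        # --- world-readable credential file ---
        cfg = os.path.join(d, "virt-who")
        with open(cfg, "wb") as f:
            f.write(b"VIRTWHO_PASSWORD=hunter2\n")       # constructed sample secret
        os.chmod(cfg, 0o644)                             # typical default-umask result
        results["config_world_readable_before"] = is_world_readable(cfg)
        os.chmod(cfg, 0o600)
        results["config_world_readable_after"] = is_world_readable(cfg)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `naive_write` call silently overwrites `victim.txt` through the planted link, while `safe_create` raises `FileExistsError` and leaves the target untouched; in practice, prefer `tempfile.mkstemp` (unpredictable name plus `O_EXCL`) over any fixed name in a shared directory, and create secret-bearing files with an explicit `0o600` mode rather than relying on the process umask.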