CVEs from 2014
Total
7,915
critical
critical 837
high
high 1,288
medium
medium 4,980
low
low 583
% Critical
10.6%
% with KEV
0.4%
% with exploit
0.6%
Top vendors
Top products
- chrome 3,804
- moodle 1,668
- flash_player 1,397
- firefox 1,239
- mediawiki 1,130
- ffmpeg 998
- acrobat 966
- acrobat_reader 944
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2014-5413 | medium | — | 6.4 | 12y ago | Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 uses the MD5 algorithm for an X.509 certificate, which makes it easier for remote attackers to spoof servers via a cryp… | |
| CVE-2014-5412 | medium | — | 6.4 | 12y ago | Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allows remote attackers to read database records by leveraging access to the guest account. | |
| CVE-2014-3172 | medium | — | 6.4 | 12y ago | The Debugger extension API in browser/extensions/api/debugger/debugger_api.cc in Google Chrome before 37.0.2062.94 does not validate a tab's URL before an attach operation, which allows remote attack… | |
| CVE-2014-3170 | medium | — | 6.4 | 12y ago | extensions/common/url_pattern.cc in Google Chrome before 37.0.2062.94 does not prevent use of a '\0' character in a host name, which allows remote attackers to spoof the extension permission dialog b… | |
| CVE-2014-5120 | medium | — | 6.4 | 12y ago | gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before 5.5.16 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to overwrite arbitrary files via … | |
| CVE-2014-5160 | medium | — | 6.4 | 12y ago | Multiple directory traversal vulnerabilities in crs.exe in the Cell Request Service in HP Data Protector allow remote attackers to create arbitrary files via an opcode-1091 request, or create or dele… | |
| CVE-2014-3895 | medium | — | 6.4 | 12y ago | The I-O DATA TS-WLCAM camera with firmware 1.06 and earlier, TS-WLCAM/V camera with firmware 1.06 and earlier, TS-WPTCAM camera with firmware 1.08 and earlier, TS-PTCAM camera with firmware 1.08 and … | |
| CVE-2014-4948 | medium | — | 6.4 | 12y ago | Unspecified vulnerability in Citrix XenServer 6.2 Service Pack 1 and earlier allows attackers to cause a denial of service and obtain sensitive information by modifying the guest virtual hard disk (V… | |
| CVE-2014-3159 | medium | — | 6.4 | 12y ago | The WebContentsDelegateAndroid::OpenURLFromTab function in components/web_contents_delegate_android/web_contents_delegate_android.cc in Google Chrome before 36.0.1985.122 on Android does not properly… | |
| CVE-2014-4209 | medium | — | 6.4 | 12y ago | Unspecified vulnerability in Oracle Java SE 5.0u65, 6u75, 7u60, and 8u5 allows remote attackers to affect confidentiality and integrity via vectors related to JMX. | |
| CVE-2014-2493 | medium | — | 6.4 | 12y ago | Unspecified vulnerability in the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.2.4.0, and 12.1.2.0.0 allows remote attackers to affect confidentiality and availability via … | |
| CVE-2014-4962 | medium | — | 6.4 | 12y ago | Shopizer 1.1.5 and earlier allows remote attackers to reduce the total cost of their shopping cart via a negative number in the productQuantity parameter, which causes the price of the item to be sub… | |
| CVE-2014-2783 | medium | — | 6.4 | 12y ago | Microsoft Internet Explorer 7 through 11 does not prevent use of wildcard EV SSL certificates, which might allow remote attackers to spoof a trust level by leveraging improper issuance of a wildcard … | |
| CVE-2014-3308 | medium | — | 6.4 | 12y ago | Cisco IOS XR on Trident line cards in ASR 9000 devices lacks a static punt policer, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted packets, aka B… | |
| CVE-2014-4507 | medium | — | 6.4 | 12y ago | Directory traversal vulnerability in Smart-Proxy in Foreman before 1.4.5 and 1.5.x before 1.5.1 allows remote attackers to overwrite arbitrary files via a .. (dot dot) in the dst parameter to tftp/fe… | |
| CVE-2014-3865 | medium | — | 6.4 | 12y ago | Multiple directory traversal vulnerabilities in dpkg-source in dpkg-dev 1.3.0 allow remote attackers to modify files outside of the intended directories via a source package with a crafted Index: pse… | |
| CVE-2014-3864 | medium | — | 6.4 | 12y ago | Directory traversal vulnerability in dpkg-source in dpkg-dev 1.3.0 allows remote attackers to modify files outside of the intended directories via a crafted source package that lacks a --- header lin… | |
| CVE-2014-3227 | medium | — | 6.4 | 12y ago | dpkg 1.15.9, 1.16.x before 1.16.14, and 1.17.x before 1.17.9 expect the patch program to be compliant with a need for the "C-style encoded filenames" feature, but is supported in environments with no… | |
| CVE-2014-1418 | medium | — | 6.4 | 12y ago | Django 1.4 before 1.4.13, 1.5 before 1.5.8, 1.6 before 1.6.5, and 1.7 before 1.7b4 does not properly include the (1) Vary: Cookie or (2) Cache-Control header in responses, which allows remote attacke… | |
| CVE-2014-2993 | medium | — | 6.4 | 12y ago | The Birebin.com application for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted c… | |
| CVE-2014-2992 | medium | — | 6.4 | 12y ago | The Misli.com application for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted cer… | |
| CVE-2014-0350 | medium | — | 6.4 | 12y ago | The Poco::Net::X509Certificate::verify method in the NetSSL library in POCO C++ Libraries before 1.4.6p4 allows man-in-the-middle attackers to spoof SSL servers via crafted DNS PTR records that are r… | |
| CVE-2014-2269 | medium | — | 6.4 | 12y ago | modules/Users/ForgotPassword.php in vTiger 6.0 before Security Patch 2 allows remote attackers to reset the password for arbitrary users via a request containing the username, password, and confirmPa… | |
| CVE-2014-2922 | medium | — | 6.4 | 12y ago | The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.1.0 does not properly handle an object obtained by unserializing a pathname, which all… | |
| CVE-2014-1974 | medium | — | 6.4 | 12y ago | Directory traversal vulnerability in the LYSESOFT AndExplorer application before 20140403 and AndExplorerPro application before 20140405 for Android allows attackers to overwrite or create arbitrary … | |
| CVE-2014-0071 | medium | — | 6.4 | 12y ago | PackStack in Red Hat OpenStack 4.0 does not enforce the default security groups when deployed to Neutron, which allows remote attackers to bypass intended access restrictions and make unauthorized co… | |
| CVE-2014-2338 | medium | — | 6.4 | 12y ago | IKEv2 in strongSwan 4.0.7 before 5.1.3 allows remote attackers to bypass authentication by rekeying an IKE_SA during (1) initiation or (2) re-authentication, which triggers the IKE_SA state to be set… | |
| CVE-2014-2439 | medium | — | 6.4 | 12y ago | Unspecified vulnerability in the Oracle Secure Global Desktop (SGD) component in Oracle Virtualization 5.0 and 5.1 allows remote attackers to affect confidentiality and integrity via unknown vectors … | |
| CVE-2014-2409 | medium | — | 6.4 | 12y ago | Unspecified vulnerability in Oracle Java SE 6u71, 7u51, and 8, and Java SE Embedded 7u51, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment. | |
| CVE-2014-0138 | medium | — | 6.4 | 12y ago | The default configuration in cURL and libcurl 7.10.6 before 7.36.0 re-uses (1) SCP, (2) SFTP, (3) POP3, (4) POP3S, (5) IMAP, (6) IMAPS, (7) SMTP, (8) SMTPS, (9) LDAP, and (10) LDAPS connections, whic… | |
| CVE-2014-0166 | medium | — | 6.4 | 12y ago | The wp_validate_auth_cookie function in wp-includes/pluggable.php in WordPress before 3.7.2 and 3.8.x before 3.8.2 does not properly determine the validity of authentication cookies, which makes it e… | |
| CVE-2014-1506 | medium | — | 6.4 | 12y ago | Directory traversal vulnerability in Android Crash Reporter in Mozilla Firefox before 28.0 on Android allows attackers to trigger the transmission of local files to arbitrary servers, or cause a deni… | |
| CVE-2014-0503 | medium | — | 6.4 | 12y ago | Adobe Flash Player before 11.7.700.272 and 11.8.x through 12.0.x before 12.0.0.77 on Windows and OS X, and before 11.2.202.346 on Linux, allows remote attackers to bypass the Same Origin Policy via u… | |
| CVE-2014-1907 | medium | — | 6.4 | 12y ago | Multiple directory traversal vulnerabilities in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allow remote attackers to (1) read arbitrary files via a .. (dot dot) in… | |
| CVE-2014-2234 | medium | — | 6.4 | 12y ago | A certain Apple patch for OpenSSL in Apple OS X 10.9.2 and earlier uses a Trust Evaluation Agent (TEA) feature without terminating certain TLS/SSL handshakes as specified in the SSL_CTX_set_verify ca… | |
| CVE-2014-1885 | medium | — | 6.4 | 12y ago | The ForzeArmate application for Android, when Adobe PhoneGap 2.9.0 or earlier is used, allows remote attackers to execute arbitrary JavaScript code, and consequently obtain write access to external-s… | |
| CVE-2014-0675 | medium | — | 6.4 | 13y ago | The Expressway component in Cisco TelePresence Video Communication Server (VCS) uses the same default X.509 certificate across different customers' installations, which makes it easier for remote att… | |
| CVE-2014-0807 | medium | — | 6.4 | 13y ago | data/class/pages/shopping/LC_Page_Shopping_Deliv.php in LOCKON EC-CUBE 2.4.4 and earlier, and 2.11.0 through 2.12.2, allows remote attackers to modify data via unspecified vectors. | |
| CVE-2014-6541 | medium | — | 6.3 | 12y ago | Unspecified vulnerability in the Recovery component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2, when running on Windows, allows remote authenticated users to affec… | |
| CVE-2014-6465 | medium | — | 6.3 | 12y ago | Unspecified vulnerability in the Oracle Communications Session Border Controller component in Oracle Communications Applications SCX640m5 allows remote authenticated users to affect availability via … | |
| CVE-2014-3346 | medium | — | 6.3 | 12y ago | The web framework in Cisco Transport Gateway for Smart Call Home (aka TG-SCH or Transport Gateway Installation Software) does not validate an unspecified parameter, which allows remote authenticated … | |
| CVE-2014-4199 | medium | — | 6.3 | 12y ago | vm-support 0.88 in VMware Tools, as distributed with VMware Workstation through 10.0.3 and other products, allows local users to write to arbitrary files via a symlink attack on a file in /tmp. | |
| CVE-2014-2521 | medium | — | 6.3 | 12y ago | EMC Documentum Content Server before 6.7 SP2 P16 and 7.x before 7.1 P07 allows remote authenticated users to read sensitive object metadata via an RPC command. | |
| CVE-2014-2520 | medium | — | 6.3 | 12y ago | EMC Documentum Content Server before 6.7 SP2 P16 and 7.x before 7.1 P07, when Oracle Database is used, does not properly restrict DQL hints, which allows remote authenticated users to conduct DQL inj… | |
| CVE-2014-3081 | medium | — | 6.3 | 12y ago | prodtest.php on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allows remote authenticated users to read arbitrary files via the filename parameter. | |
| CVE-2014-5260 | medium | — | 6.3 | 12y ago | The (1) mkxmltype and (2) mkdtskel scripts in XML-DT before 0.64 allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_xml_##### temporary file. | |
| CVE-2014-3064 | medium | — | 6.3 | 12y ago | The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.x and 11.x before 11.0 FP4 and InfoSphere Master Data Management Server for Product Information Management 9.0 an… | |
| CVE-2014-3264 | medium | — | 6.3 | 12y ago | Cisco Adaptive Security Appliance (ASA) Software 9.1(.5) and earlier allows remote authenticated users to cause a denial of service (device reload) via crafted attributes in a RADIUS packet, aka Bug … | |
| CVE-2014-2183 | medium | — | 6.3 | 12y ago | The L2TP module in Cisco IOS XE 3.10S(.2) and earlier on ASR 1000 routers allows remote authenticated users to cause a denial of service (ESP card reload) via a malformed L2TP packet, aka Bug ID CSCu… | |
| CVE-2014-2719 | medium | — | 6.3 | 12y ago | Advanced_System_Content.asp in the ASUS RT series routers with firmware before 3.0.0.4.374.5517, when an administrator session is active, allows remote authenticated users to obtain the administrator… | |
| CVE-2014-1272 | medium | — | 6.3 | 12y ago | CrashHouseKeeping in Crash Reporting in Apple iOS before 7.1 and Apple TV before 6.1 allows local users to change arbitrary file permissions by leveraging a symlink. | |
| CVE-2014-2205 | medium | — | 6.3 | 12y ago | The Import and Export Framework in McAfee ePolicy Orchestrator (ePO) before 4.6.7 Hotfix 940148 allows remote authenticated users with permissions to add dashboards to read arbitrary files by importi… | |
| CVE-2014-0755 | medium | — | 6.3 | 13y ago | Rockwell Automation RSLogix 5000 7 through 20.01, and 21.0, does not properly implement password protection for .ACD files (aka project files), which allows local users to obtain sensitive informatio… | |
| CVE-2014-0667 | medium | — | 6.3 | 13y ago | The RMI interface in Cisco Secure Access Control System (ACS) does not properly enforce authorization requirements, which allows remote authenticated users to read arbitrary files via a request to th… | |
| CVE-2014-0400 | medium | — | 6.3 | 13y ago | Unspecified vulnerability in the Oracle Internet Directory component in Oracle Fusion Middleware 11.1.1.6 and 11.1.1.7 allows remote authenticated users to affect confidentiality via vectors related … | |
| CVE-2014-3248 | medium | — | 6.2 | 9y ago | Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5… | |
| CVE-2014-8716 | medium | 6.2 | 6.2 | 9y ago | The JPEG decoder in ImageMagick before 6.8.9-9 allows local users to cause a denial of service (out-of-bounds memory access and crash). | |
| CVE-2014-8727 | medium | — | 6.2 | 12y ago | Multiple directory traversal vulnerabilities in F5 BIG-IP before 10.2.2 allow local users with the "Resource Administrator" or "Administrator" role to enumerate and delete arbitrary files via a .. (d… | |
| CVE-2014-5207 | medium | — | 6.2 | 12y ago | fs/namespace.c in the Linux kernel through 3.16.1 does not properly restrict clearing MNT_NODEV, MNT_NOSUID, and MNT_NOEXEC and changing MNT_ATIME_MASK during a remount of a bind mount, which allows … | |
| CVE-2014-5045 | medium | — | 6.2 | 12y ago | The mountpoint_last function in fs/namei.c in the Linux kernel before 3.15.8 does not properly maintain a certain reference count during attempts to use the umount system call in conjunction with a s… | |
| CVE-2014-4014 | medium | — | 6.2 | 12y ago | The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions… | |
| CVE-2014-0240 | medium | — | 6.2 | 12y ago | The mod_wsgi module before 3.5 for Apache, when daemon mode is enabled, does not properly handle error codes returned by setuid when run on certain Linux kernels, which allows local users to gain pri… | |
| CVE-2014-2349 | medium | — | 6.2 | 12y ago | Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrat… | |
| CVE-2014-3125 | medium | — | 6.2 | 12y ago | Xen 4.4.x, when running on an ARM system, does not properly context switch the CNTKCTL_EL1 register, which allows local guest users to modify the hardware timers and cause a denial of service (crash)… | |
| CVE-2014-0742 | medium | — | 6.2 | 12y ago | The Certificate Authority Proxy Function (CAPF) CLI implementation in the CSR management feature in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows local users to read or… | |
| CVE-2014-0741 | medium | — | 6.2 | 12y ago | The certificate-import feature in the Certificate Authority Proxy Function (CAPF) CLI implementation in Cisco Unified Communications Manager (Unified CM) 10.0(1) and earlier allows local users to rea… | |
| CVE-2014-3146 | medium | 6.1 | 6.1 | 4y ago | Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme t… | |
| CVE-2014-9678 | medium | 6.1 | 6.1 | 9y ago | FlexPaperViewer.swf in Flexpaper before 2.3.1 allows remote attackers to conduct content-spoofing attacks via the Swfile parameter. | |
| CVE-2014-9677 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in FlexPaperViewer.swf in Flexpaper before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via the Swfile parameter. | |
| CVE-2014-8087 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in the post highlights plugin before 2.6.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the txt parameter in a headline ac… | |
| CVE-2014-0029 | medium | 6.1 | 6.1 | 9y ago | Multiple cross-site scripting (XSS) vulnerabilities in the SAM web application in Red Hat katello-headpin allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. | |
| CVE-2014-8758 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in Best Gallery Albums Plugin before 3.0.70for WordPress allows remote attackers to inject arbitrary web script or HTML via the order_id parameter in the gall… | |
| CVE-2014-8492 | medium | 6.1 | 6.1 | 9y ago | Multiple cross-site scripting (XSS) vulnerabilities in assets/misc/fallback-page.php in the Profile Builder plugin before 2.0.3 for WordPress allow remote attackers to inject arbitrary web script or … | |
| CVE-2014-7240 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in the Easy Contact Form Solution plugin before 1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the value parameter in a … | |
| CVE-2014-9758 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in Magento E-Commerce Platform 1.9.0.1. | |
| CVE-2014-9557 | medium | 6.1 | 6.1 | 9y ago | Multiple cross-site scripting (XSS) vulnerabilities in SmartCMS v.2. | |
| CVE-2014-9514 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in BMC Footprints Service Core 11.5. | |
| CVE-2014-9469 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in vBulletin 3.5.4, 3.6.0, 3.6.7, 3.8.7, 4.2.2, 5.0.5, and 5.1.3. | |
| CVE-2014-8753 | medium | 6.1 | 6.1 | 9y ago | Multiple cross-site scripting (XSS) vulnerabilities in Cit-e-Net Cit-e-Access 6. | |
| CVE-2014-8168 | medium | 6.1 | 6.1 | 9y ago | Red Hat Satellite 6 allows local users to access mongod and delete pulp_database. | |
| CVE-2014-4925 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in Good for Enterprise for Android 2.8.0.398 and 1.9.0.40. | |
| CVE-2014-0141 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in Red Hat Satellite 6.0.3. | |
| CVE-2014-9564 | medium | 6.1 | 6.1 | 9y ago | CRLF injection vulnerability in IBM Flex System EN6131 40Gb Ethernet and IB6131 40Gb Infiniband Switch firmware before 3.4.1110 allows remote attackers to inject arbitrary HTTP headers and conduct HT… | |
| CVE-2014-6189 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in IBM Security Network Protection 3100, 4100, 5100, and 7100 devices with firmware 5.2 before 5.2.0.0-ISS-XGS-All-Models-Hotfix-FP0008 and 5.3 before 5.3.0.5… | |
| CVE-2014-6393 | medium | 6.1 | 6.1 | 9y ago | The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduc… | |
| CVE-2014-9310 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in the WordPress Backup to Dropbox plugin before 4.1 for WordPress. | |
| CVE-2014-2710 | medium | 6.1 | 6.1 | 9y ago | Multiple cross-site scripting (XSS) vulnerabilities in Oliver (formerly Webshare) 1.3.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to the (1) login pa… | |
| CVE-2014-8703 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in Wonder CMS 2014 allows remote attackers to inject arbitrary web script or HTML. | |
| CVE-2014-3926 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in lg.cgi in Cougar LG 1.9 allows remote attackers to inject arbitrary web script or HTML via the "addr" parameter. | |
| CVE-2014-9916 | medium | 6.1 | 6.1 | 9y ago | Multiple cross-site scripting (XSS) vulnerabilities in Bilboplanet 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) tribe_name or (2) tags parameter in a tribes page requ… | |
| CVE-2014-9905 | medium | 6.1 | 6.1 | 9y ago | Multiple cross-site scripting (XSS) vulnerabilities in the Web Calendar in SOGo before 2.2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) title of an appointment or (2) c… | |
| CVE-2014-9760 | medium | 6.1 | 6.1 | 9y ago | Cross-site scripting (XSS) vulnerability in the displayLogin function in html/index.php in GOsa allows remote attackers to inject arbitrary web script or HTML via the username. | |
| CVE-2014-9772 | medium | 6.1 | 6.1 | 10y ago | XSS Filter Bypass via Encoded URL in validator | |
| CVE-2014-2045 | medium | 6.1 | 6.1 | 10y ago | Multiple cross-site scripting (XSS) vulnerabilities in the old and new interfaces in Viprinet Multichannel VPN Router 300 allow remote attackers to inject arbitrary web script or HTML via the usernam… | |
| CVE-2014-9717 | medium | 6.1 | 6.1 | 10y ago | fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allows local users to bypass intended access restr… | |
| CVE-2014-7151 | medium | 6.1 | 6.1 | 11y ago | Multiple cross-site scripting (XSS) vulnerabilities in the NEX-Forms Lite plugin 2.1.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the form_fields parameter in a (… | |
| CVE-2014-6444 | medium | 6.1 | 6.1 | 11y ago | Multiple cross-site scripting (XSS) vulnerabilities in the Titan Framework plugin before 1.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) t parameter to ifr… | |
| CVE-2014-9422 | medium | — | 6.1 | 11y ago | The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated user… | |
| CVE-2014-6385 | medium | — | 6.1 | 12y ago | Juniper Junos 11.4 before 11.4R13, 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 before 12.1X47-D15, 12.2 before 12.2R9, 12.3R7 before 12.3R7-S1, 12.3 before 12.3R8, 13.1 before 13.… | |
| CVE-2014-8884 | medium | — | 6.1 | 12y ago | Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before 3.17.4 allows local users to cause a denial o… |