CVEs from 2014
- Total: 7,931
- Critical: 837
- High: 1,288
- Medium: 4,980
- Low: 583
- % Critical: 10.6%
- % with KEV: 0.4%
- % with exploit: 0.5%
Top vendors
Top products
- chrome 3,804
- moodle 1,668
- flash_player 1,397
- firefox 1,239
- mediawiki 1,130
- ffmpeg 998
- acrobat 966
- acrobat_reader 944
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2014-6271 | unknown | — | 2.5 | 4y ago | GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code. | |
| CVE-2014-6278 | unknown | — | 1.5 | 8mo ago | GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment. | |
| CVE-2014-3931 | unknown | — | 1.5 | 11mo ago | Multi-Router Looking Glass (MRLG) contains a buffer overflow vulnerability that could allow remote attackers to cause an arbitrary memory write and memory corruption. | |
| CVE-2014-2120 | unknown | — | 1.5 | 2y ago | Cisco Adaptive Security Appliance (ASA) contains a cross-site scripting (XSS) vulnerability in the WebVPN login page. This vulnerability allows remote attackers to inject arbitrary web script or HTML… | |
| CVE-2014-0502 | unknown | — | 1.5 | 2y ago | Adobe Flash Player contains a double free vulnerability that allows a remote attacker to execute arbitrary code. | |
| CVE-2014-0497 | unknown | — | 1.5 | 2y ago | Adobe Flash Player contains an integer underflow vulnerability that allows a remote attacker to execute arbitrary code. | |
| CVE-2014-100005 | unknown | — | 1.5 | 2y ago | D-Link DIR-600 routers contain a cross-site request forgery (CSRF) vulnerability that allows an attacker to change router configurations by hijacking an existing administrator session. | |
| CVE-2014-8361 | unknown | — | 1.5 | 3y ago | Realtek SDK contains an improper input validation vulnerability in the miniigd SOAP service that allows remote attackers to execute malicious code via a crafted NewInternalClient request. | |
| CVE-2014-0196 | unknown | — | 1.5 | 3y ago | Linux Kernel contains a race condition vulnerability within the n_tty_write function that allows local users to cause a denial-of-service (DoS) or gain privileges via read and write operations with l… | |
| CVE-2014-4148 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists when the Windows kernel-mode driver improperly handles TrueType fonts. | |
| CVE-2014-3153 | unknown | — | 1.5 | 4y ago | The futex_requeue function in kernel/futex.c in Linux kernel does not ensure that calls have two different futex addresses, which allows local users to gain privileges. | |
| CVE-2014-2817 | unknown | — | 1.5 | 4y ago | Microsoft Internet Explorer contains an unspecified vulnerability that allows remote attackers to gain privileges via a crafted web site. | |
| CVE-2014-4077 | unknown | — | 1.5 | 4y ago | Microsoft Input Method Editor (IME) Japanese is a keyboard with Japanese characters that can be enabled on Windows systems as it is included by default (with the default set as disabled). IME Japanes… | |
| CVE-2014-0546 | unknown | — | 1.5 | 4y ago | Adobe Reader and Acrobat on Windows allow attackers to bypass a sandbox protection mechanism, and consequently execute native code in a privileged context. | |
| CVE-2014-8439 | unknown | — | 1.5 | 4y ago | Adobe Flash Player has a vulnerability in the way it handles a dereferenced memory pointer which could lead to code execution. | |
| CVE-2014-4123 | unknown | — | 1.5 | 4y ago | Microsoft Internet Explorer contains an unspecified vulnerability that allows remote attackers to gain privileges via a crafted web site. | |
| CVE-2014-3120 | unknown | — | 1.5 | 4y ago | Elasticsearch enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code. | |
| CVE-2014-4113 | unknown | — | 1.5 | 4y ago | Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. | |
| CVE-2014-0160 | unknown | — | 1.5 | 4y ago | The TLS and DTLS implementations in OpenSSL do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information. | |
| CVE-2014-0322 | unknown | — | 1.5 | 4y ago | Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute code. | |
| CVE-2014-0780 | unknown | — | 1.5 | 4y ago | InduSoft Web Studio NTWebServer contains a directory traversal vulnerability that allows remote attackers to read administrative passwords in APP files, allowing for remote code execution. | |
| CVE-2014-9163 | unknown | — | 1.5 | 4y ago | Stack-based buffer overflow in Adobe Flash Player allows attackers to execute code remotely. | |
| CVE-2014-6324 | unknown | — | 1.5 | 4y ago | The Kerberos Key Distribution Center (KDC) in Microsoft allows remote authenticated domain users to obtain domain administrator privileges. | |
| CVE-2014-6332 | unknown | — | 1.5 | 4y ago | OleAut32.dll in OLE in Microsoft Windows allows remote attackers to remotely execute code via a crafted web site. | |
| CVE-2014-6287 | unknown | — | 1.5 | 4y ago | The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (HFS or HttpFileServer) allows remote attackers to execute arbitrary programs. | |
| CVE-2014-4114 | unknown | — | 1.5 | 4y ago | A vulnerability exists in Windows Object Linking & Embedding (OLE) that could allow remote code execution if a user opens a file that contains a specially crafted OLE object. | |
| CVE-2014-0496 | unknown | — | 1.5 | 4y ago | Adobe Reader and Acrobat contain a use-after-free vulnerability which can allow for code execution. | |
| CVE-2014-6352 | unknown | — | 1.5 | 4y ago | Microsoft Windows allows remote attackers to execute arbitrary code via a crafted OLE object. | |
| CVE-2014-1761 | unknown | — | 1.5 | 4y ago | Microsoft Word contains a memory corruption vulnerability which when exploited could allow for remote code execution. | |
| CVE-2014-4404 | unknown | — | 1.5 | 4y ago | Heap-based buffer overflow in IOHIDFamily in Apple OS X, which affects iOS before 8 and Apple TV before 7, allows attackers to execute arbitrary code in a privileged context. | |
| CVE-2014-1776 | unknown | — | 1.5 | 4y ago | Microsoft Internet Explorer contains a memory corruption vulnerability that allows remote attackers to execute code in the context of the current user. | |
| CVE-2014-7169 | unknown | — | 1.5 | 4y ago | GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code. This CVE correctly remediates the vul… | |
| CVE-2014-1812 | unknown | — | 1.5 | 5y ago | Microsoft Windows Active Directory contains a privilege escalation vulnerability due to the way it distributes passwords that are configured using Group Policy preferences. An authenticated attacker … | |
| CVE-2014-0130 | unknown | — | 1.5 | 12y ago | Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails allows remote attackers to read arbitrary files via a crafted re… | |
| CVE-2014-4650 | unknown | — | 1.0 | — | The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct… | |
| CVE-2014-0486 | unknown | — | — | — | Knot DNS before 1.5.2 allows remote attackers to cause a denial of service (application crash) via a crafted DNS message. | |
| CVE-2014-0021 | unknown | — | — | — | Chrony before 1.29.1 has traffic amplification in the cmdmon protocol. | |
| CVE-2014-4607 | unknown | — | — | — | Integer overflow in the LZO algorithm variant in Oberhumer liblzo2 and lzo-2 before 2.07 on 32-bit platforms might allow remote attackers to execute arbitrary code via a crafted Literal Run. | |
| CVE-2014-9625 | unknown | — | — | — | The GetUpdateFile function in misc/update.c in the Updater in VideoLAN VLC media player before 2.1.6 performs an incorrect cast operation from a 64-bit integer to a 32-bit integer, which allows remot… | |
| CVE-2014-9626 | unknown | — | — | — | Integer underflow in the MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 allows remote attackers to cause a denial of service or possibly have unsp… | |
| CVE-2014-9630 | unknown | — | — | — | The rtp_packetize_xiph_config function in modules/stream_out/rtpfmt.c in VideoLAN VLC media player before 2.1.6 uses a stack-allocation approach with a size determined by arbitrary input data, which … | |
| CVE-2014-9629 | unknown | — | — | — | Integer overflow in the Encode function in modules/codec/schroedinger.c in VideoLAN VLC media player before 2.1.6 and 2.2.x before 2.2.1 allows remote attackers to conduct buffer overflow attacks and… | |
| CVE-2014-1935 | unknown | — | — | — | 9base 1:6-6 and 1:6-7 insecurely creates temporary files which results in predictable filenames. | |
| CVE-2014-2031 | unknown | — | — | — | Deadwood before 2.3.09, 3.x before 3.2.05, and as used in MaraDNS before 1.4.14 and 2.x before 2.0.09, allow remote attackers to cause a denial of service (out-of-bounds read and crash) by leveraging… | |
| CVE-2014-6310 | unknown | — | — | — | Buffer overflow in CHICKEN 4.9.0 and 4.9.0.1 may allow remote attackers to execute arbitrary code via the 'select' function. | |
| CVE-2014-0242 | unknown | — | — | — | mod_wsgi module before 3.4 for Apache, when used in embedded mode, might allow remote attackers to obtain sensitive information via the Content-Type header which is generated from memory that may hav… | |
| CVE-2014-1845 | unknown | — | — | — | An unspecified setuid root helper in Enlightenment before 0.17.6 allows local users to gain privileges by leveraging failure to properly sanitize the environment. | |
| CVE-2014-8126 | unknown | — | — | — | The scheduler in HTCondor before 8.2.6 allows remote authenticated users to execute arbitrary code. | |
| CVE-2014-3875 | unknown | — | — | — | The addto parameter to fup in Frams' Fast File EXchange (F*EX, aka fex) before fex-2014053 allows remote attackers to conduct cross-site scripting (XSS) attacks. | |
| CVE-2014-6412 | unknown | — | — | — | WordPress before 4.4 makes it easier for remote attackers to predict password-recovery tokens via a brute-force approach. | |
| CVE-2014-1947 | unknown | — | — | — | Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick 6.5.4 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary … | |
| CVE-2014-5509 | unknown | — | — | — | clipedit in the Clipboard module for Perl allows local users to delete arbitrary files via a symlink attack on /tmp/clipedit$$. | |
| CVE-2014-3180 | unknown | — | — | — | In kernel/compat.c in the Linux kernel before 3.17, as used in Google Chrome OS and other products, there is a possible out-of-bounds read. restart_syscall uses uninitialized data when restarting com… | |
| CVE-2014-8181 | unknown | — | — | — | The kernel in Red Hat Enterprise Linux 7 and MRG-2 does not clear garbage data for SG_IO buffer, which may leak sensitive information to userspace. | |
| CVE-2014-0148 | unknown | — | — | — | Qemu before 2.0 block driver for Hyper-V VHDX Images is vulnerable to infinite loops and other potential issues when calculating BAT entries, due to missing bounds checks for block_size and logical_s… | |
| CVE-2014-0144 | unknown | — | — | — | QEMU before 2.0.0 block drivers for CLOOP, QCOW2 version 2 and various other image formats are vulnerable to potential memory corruptions, integer/buffer overflows or crash caused by missing input va… | |
| CVE-2014-3471 | unknown | — | — | — | Use-after-free vulnerability in hw/pci/pcie.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU instance crash) via hotplug and hotunplug operations of Virti… | |
| CVE-2014-125128 | unknown | — | — | — | 'sanitize-html' prior to version 1.0.3 is vulnerable to Cross-site Scripting (XSS). The function 'naughtyHref' doesn't properly validate the hyperreference (`href`) attribute in anchor tags (`<a>`), … | |
| CVE-2014-6262 | unknown | — | — | — | Multiple format string vulnerabilities in the python module in RRDtool, as used in Zenoss Core before 4.2.5 and other products, allow remote attackers to execute arbitrary code or cause a denial of s… | |
| CVE-2014-10070 | unknown | — | — | — | zsh before 5.0.7 allows evaluation of the initial values of integer variables imported from the environment (instead of treating them as literal numbers). That could allow local privilege escalation,… | |
| CVE-2014-8182 | unknown | — | — | — | An off-by-one error leading to a crash was discovered in openldap 2.4 when processing DNS SRV messages. If slapd was configured to use the dnssrv backend, an attacker could crash the service with cra… | |
| CVE-2014-4150 | unknown | — | — | — | The scheme48-send-definition function in cmuscheme48.el in Scheme 48 allows local users to write to arbitrary files via a symlink attack on /tmp/s48lose.tmp. | |
| CVE-2014-3591 | unknown | — | — | — | Libgcrypt before 1.6.3 and GnuPG before 1.4.19 does not implement ciphertext blinding for Elgamal decryption, which allows physically proximate attackers to obtain the server's private key by determi… | |
| CVE-2014-0048 | unknown | — | — | — | An issue was found in Docker before 1.6.0. Some programs and scripts in Docker are downloaded via HTTP and then executed or used in unsafe ways. | |
| CVE-2014-2901 | unknown | — | — | — | wolfssl before 3.2.0 does not properly issue certificates for a server's hostname. | |
| CVE-2014-2904 | unknown | — | — | — | wolfssl before 3.2.0 has a server certificate that is not properly authorized for server authentication. | |
| CVE-2014-1846 | unknown | — | — | — | Enlightenment before 0.17.6 might allow local users to gain privileges via vectors involving the gdb method. | |
| CVE-2014-10073 | unknown | — | — | — | The create_response function in server/server.c in Psensor before 1.1.4 allows Directory Traversal because it lacks a check for whether a file is under the webserver directory. | |
| CVE-2014-9628 | unknown | — | — | — | The MP4_ReadBox_String function in modules/demux/mp4/libmp4.c in VideoLAN VLC media player before 2.1.6 allows remote attackers to trigger an unintended zero-size malloc and conduct buffer overflow a… | |
| CVE-2014-2914 | unknown | — | — | — | fish (aka fish-shell) 2.0.0 before 2.1.1 does not restrict access to the configuration service (aka fish_config), which allows remote attackers to execute arbitrary code via unspecified vectors, as d… | |
| CVE-2014-10400 | unknown | — | — | — | The session.lua library in CGILua 5.0.x uses sequential session IDs, which makes it easier for remote attackers to predict the session ID and hijack arbitrary sessions. NOTE: this vulnerability was S… | |
| CVE-2014-2875 | unknown | — | — | — | The session.lua library in CGILua 5.2 alpha 1 and 5.2 alpha 2 uses weak session IDs generated based on OS time, which allows remote attackers to hijack arbitrary sessions via a brute force attack. NO… | |
| CVE-2014-9485 | unknown | — | — | — | Directory traversal vulnerability in the do_extract_currentfile function in miniunz.c in miniunzip in minizip before 1.1-5 might allow remote attackers to write to arbitrary files via a crafted entry… | |
| CVE-2014-0175 | unknown | — | — | — | mcollective has a default password set at install. | |
| CVE-2014-125009 | unknown | — | — | — | A vulnerability classified as problematic has been found in FFmpeg 2.0. This affects the function add_yblock of the file libavcodec/snow.h. The manipulation leads to memory corruption. It is possible… | |
| CVE-2014-125002 | unknown | — | — | — | A vulnerability was found in FFmpeg 2.0. It has been classified as problematic. Affected is the function dnxhd_init_rc of the file libavcodec/dnxhdenc.c. The manipulation leads to memory corruption. … | |
| CVE-2014-125004 | unknown | — | — | — | A vulnerability has been found in FFmpeg 2.0 and classified as problematic. This vulnerability affects the function decode_hextile of the file libavcodec/vmnc.c. The manipulation leads to memory corr… | |
| CVE-2014-125006 | unknown | — | — | — | A vulnerability, which was classified as problematic, has been found in FFmpeg 2.0. Affected by this issue is the function output_frame of the file libavcodec/h264.c. The manipulation leads to memory… | |
| CVE-2014-125005 | unknown | — | — | — | A vulnerability, which was classified as problematic, was found in FFmpeg 2.0. This affects the function decode_vol_header of the file libavcodec/mpeg4videodec.c. The manipulation leads to memory cor… | |
| CVE-2014-125007 | unknown | — | — | — | A vulnerability classified as problematic was found in FFmpeg 2.0. Affected by this vulnerability is the function intra_pred of the file libavcodec/hevcpred_template.c. The manipulation leads to memo… | |
| CVE-2014-125008 | unknown | — | — | — | A vulnerability classified as problematic has been found in FFmpeg 2.0. Affected is the function vorbis_header of the file libavformat/oggparsevorbis.c. The manipulation leads to memory corruption. I… | |
| CVE-2014-125010 | unknown | — | — | — | A vulnerability was found in FFmpeg 2.0. It has been rated as critical. Affected by this issue is the function decode_slice_header of the file libavcodec/h64.c. The manipulation leads to memory corru… | |
| CVE-2014-125015 | unknown | — | — | — | A vulnerability classified as critical has been found in FFmpeg 2.0. Affected is the function read_var_block_data. The manipulation leads to memory corruption. It is possible to launch the attack rem… | |
| CVE-2014-125011 | unknown | — | — | — | A vulnerability was found in FFmpeg 2.0. It has been declared as problematic. Affected by this vulnerability is the function decode_frame of the file libavcodec/ansi.c. The manipulation leads to inte… | |
| CVE-2014-125012 | unknown | — | — | — | A vulnerability was found in FFmpeg 2.0. It has been classified as problematic. Affected is an unknown function of the file libavcodec/dxtroy.c. The manipulation leads to integer coercion error. It i… | |
| CVE-2014-125017 | unknown | — | — | — | A vulnerability classified as critical was found in FFmpeg 2.0. This vulnerability affects the function rpza_decode_stream. The manipulation leads to memory corruption. The attack can be initiated re… | |
| CVE-2014-125019 | unknown | — | — | — | A vulnerability, which was classified as problematic, was found in FFmpeg 2.0. This affects the function decode_nal_unit of the component Slice Segment Handler. The manipulation leads to memory corru… | |
| CVE-2014-125021 | unknown | — | — | — | A vulnerability was found in FFmpeg 2.0 and classified as problematic. This issue affects the function cmv_process_header. The manipulation leads to memory corruption. The attack may be initiated rem… | |
| CVE-2014-125025 | unknown | — | — | — | A vulnerability classified as problematic has been found in FFmpeg 2.0. This affects the function decode_pulses. The manipulation leads to memory corruption. It is possible to initiate the attack rem… | |
| CVE-2014-2970 | unknown | — | — | — | ||
| CVE-2014-125106 | unknown | — | — | — | Nanopb before 0.3.1 allows size_t overflows in pb_dec_bytes and pb_dec_string. | |
| CVE-2014-1936 | unknown | — | — | — | rc before 1.7.1-5 insecurely creates temporary files. | |
| CVE-2014-3519 | unknown | — | — | — | The open_by_handle_at function in vzkernel before 042stab090.5 in the OpenVZ modification for the Linux kernel 2.6.32, when using simfs, might allow local container users with CAP_DAC_READ_SEARCH cap… | |
| CVE-2014-4610 | unknown | — | — | — | Integer overflow in the get_len function in libavutil/lzo.c in FFmpeg before 0.10.14, 1.1.x before 1.1.12, 1.2.x before 1.2.7, 2.0.x before 2.0.5, 2.1.x before 2.1.5, and 2.2.x before 2.2.4 allows re… | |
| CVE-2014-10399 | unknown | — | — | — | The session.lua library in CGILua 5.1.x uses the same ID for each session, which allows remote attackers to hijack arbitrary sessions. NOTE: this vulnerability was SPLIT from CVE-2014-2875. | |
| CVE-2014-6311 | unknown | — | — | — | generate_doygen.pl in ace before 6.2.7+dfsg-2 creates predictable file names in the /tmp directory which allows attackers to gain elevated privileges. | |
| CVE-2014-8183 | unknown | — | — | — | ||
| CVE-2014-8321 | unknown | — | — | — | Stack-based buffer overflow in the gps_tracker function in airodump-ng.c in Aircrack-ng before 1.2 RC 1 allows local users to execute arbitrary code or gain privileges via unspecified vectors. | |
| CVE-2014-6274 | unknown | — | — | — | git-annex had a bug in the S3 and Glacier remotes where if embedcreds=yes was set, and the remote used encryption=pubkey or encryption=hybrid, the embedded AWS credentials were stored in the git repo… | |
| CVE-2014-5278 | unknown | — | — | — | A vulnerability exists in Docker before 1.2 via container names, which may collide with and override container IDs. |