CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In September 2014

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-5460 20 2 Exec Code 2014-09-11 2018-10-09
6.5
None Remote Low ??? Partial Partial Partial
Unrestricted file upload vulnerability in the Tribulant Slideshow Gallery plugin before 1.4.7 for WordPress allows remote authenticated users to execute arbitrary code by uploading a PHP file, then accessing it via a direct request to the file in wp-content/uploads/slideshow-gallery/.
2 CVE-2012-1417 79 2 XSS 2014-09-17 2017-08-29
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.
3 CVE-2012-0984 79 2 XSS 2014-09-11 2017-08-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php.
4 CVE-2014-6619 79 1 XSS 2014-09-30 2017-09-08
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in register-exec.php in Restaurant Script (PizzaInn_Project) 1.0.0 allow remote attackers to inject arbitrary web script or HTML via the (1) fname, (2) lname, or (3) login parameter.
5 CVE-2014-6446 94 1 Exec Code 2014-09-26 2015-10-01
7.5
None Remote Low Not required Partial Partial Partial
The Infusionsoft Gravity Forms plugin 1.5.3 through 1.5.10 for WordPress does not properly restrict access, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code via a request to utilities/code_generator.php.
6 CVE-2014-6070 79 1 XSS 2014-09-11 2017-09-08
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Adiscon LogAnalyzer before 3.6.6 allow remote attackers to inject arbitrary web script or HTML via the hostname in (1) index.php or (2) detail.php.
7 CVE-2014-6043 264 1 2014-09-11 2020-03-26
6.5
None Remote Low ??? Partial Partial Partial
ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 does not properly restrict access to the database browser, which allows remote authenticated users to obtain access to the database via a direct request to event/runQuery.do. Fixed in Build 10000.
8 CVE-2014-5521 89 1 Exec Code Sql 2014-09-02 2014-09-03
6.5
None Remote Low ??? Partial Partial Partial
plugins/useradmin/fingeruser.php in XRMS CRM, possibly 1.99.2, allows remote authenticated users to execute arbitrary code via shell metacharacters in the username parameter.
9 CVE-2014-5519 94 1 Exec Code 2014-09-11 2014-11-13
7.5
None Remote Low Not required Partial Partial Partial
The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtained from third party information.
10 CVE-2014-5465 22 1 Dir. Trav. 2014-09-03 2014-09-03
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in force-download.php in the Download Shortcode plugin 0.2.3 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
11 CVE-2014-5464 79 1 XSS 2014-09-08 2018-10-09
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the nDPI traffic classification library in ntopng (aka ntop) before 1.2.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Host header.
12 CVE-2014-5377 200 1 +Info 2014-09-04 2018-10-09
5.0
None Remote Low Not required Partial None None
ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request.
13 CVE-2014-3740 79 1 XSS 2014-09-11 2018-10-10
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the portal page.
14 CVE-2014-3631 1 DoS 2014-09-28 2015-03-18
7.2
None Local Low Not required Complete Complete Complete
The assoc_array_gc function in the associative-array implementation in lib/assoc_array.c in the Linux kernel before 3.16.3 does not properly implement garbage collection, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via multiple "keyctl newring" operations followed by a "keyctl timeout" operation.
15 CVE-2014-2223 94 1 Exec Code 2014-09-11 2015-01-08
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in plog-admin/plog-upload.php in Plogger 1.0 RC1 and earlier allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file and a non-zero length PNG file, then accessing the PHP file via a direct request to it in plog-content/uploads/archive/.
16 CVE-2014-2009 200 1 +Info 2014-09-12 2017-08-29
5.0
None Remote Low Not required Partial None None
The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log.
17 CVE-2014-2008 89 1 Exec Code Sql 2014-09-12 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in confirm.php in the mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to execute arbitrary SQL commands via the TID parameter.
18 CVE-2013-3632 264 1 Exec Code 2014-09-29 2014-09-30
9.0
None Remote Low ??? Complete Complete Complete
The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.
19 CVE-2013-2586 79 1 XSS 2014-09-29 2017-08-29
4.3
None Remote Medium Not required None Partial None
XAMPP 1.8.1 does not properly restrict access to xampp/lang.php, which allows remote attackers to modify xampp/lang.tmp and execute cross-site scripting (XSS) attacks via the WriteIntoLocalDisk method.
20 CVE-2012-6658 79 1 XSS 2014-09-17 2014-09-18
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks 5.3.75941 allow remote attackers to inject arbitrary web script or HTML via the (1) syslocation, (2) syscontact, or (3) sysName configuration in snmpd.conf. NOTE: this entry was SPLIT from CVE-2012-2956 per ADT2 due to different vulnerability types.
21 CVE-2012-5700 79 1 XSS 2014-09-22 2017-08-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some of these details are obtained from third party information.
22 CVE-2012-4768 79 1 XSS 2014-09-04 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Download Monitor plugin before 3.3.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dlsearch parameter to the default URI.
23 CVE-2012-4240 89 1 Exec Code Sql 2014-09-11 2017-08-29
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in modules/calendar/json.php in Group-Office community before 4.0.90 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter.
24 CVE-2012-4234 79 1 XSS 2014-09-04 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the group moderation screen in the control center (control.php) in Phorum before 5.2.19 allows remote attackers to inject arbitrary web script or HTML via the group parameter.
25 CVE-2012-2956 89 1 Exec Code Sql XSS 2014-09-17 2017-08-29
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in SpiceWorks 5.3.75941 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to api_v2.json. NOTE: this entry was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6658 is for the XSS.
26 CVE-2012-2588 79 1 XSS 2014-09-19 2017-08-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4) body in an SMTP e-mail message.
27 CVE-2012-2583 79 1 XSS 2014-09-17 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.
28 CVE-2014-7199 79 XSS 2014-09-30 2014-10-04
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.19, 1.22.x before 1.22.11, and 1.23.x before 1.23.4 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file.
29 CVE-2014-7190 352 CSRF 2014-09-30 2014-10-01
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Openfiler 2.99.1 allow remote attackers to hijack the authentication of administrators for requests that (1) shutdown or (2) reboot the server via a request to admin/system_shutdown.html.
30 CVE-2014-7187 119 DoS Overflow 2014-09-28 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue.
31 CVE-2014-7186 119 DoS Overflow 2014-09-28 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue.
32 CVE-2014-7169 78 Exec Code 2014-09-25 2021-11-17
10.0
None Remote Low Not required Complete Complete Complete
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.
33 CVE-2014-7153 89 Exec Code Sql 2014-09-22 2014-09-22
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in the editgallery function in admin/gallery_func.php in the Huge-IT Image Gallery plugin 1.0.1 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the removeslide parameter to wp-admin/admin.php.
34 CVE-2014-7152 79 XSS 2014-09-26 2014-09-30
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Easy MailChimp Forms plugin 3.0 through 5.0.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the update_options action to wp-admin/admin-ajax.php.
35 CVE-2014-7145 399 DoS 2014-09-28 2016-08-24
7.8
None Remote Low Not required None None Complete
The SMB2_tcon function in fs/cifs/smb2pdu.c in the Linux kernel before 3.16.3 allows remote CIFS servers to cause a denial of service (NULL pointer dereference and client system crash) or possibly have unspecified other impact by deleting the IPC$ share during resolution of DFS referrals.
36 CVE-2014-6850 310 +Info 2014-09-30 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The SED Account (aka com.starkville.smartapps) application 1.153.0034 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
37 CVE-2014-6848 310 +Info 2014-09-30 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The DS file (aka com.synology.DSfile) application 4.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
38 CVE-2014-6847 310 +Info 2014-09-30 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Horoscopes and Dreams (aka com.horoscopesanddreams) application 1.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
39 CVE-2014-6846 310 +Info 2014-09-30 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Four Seasons Beverly Hills (aka com.intelitycorp.FourSeasons.android.ice) application @7F050007 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
40 CVE-2014-6845 310 +Info 2014-09-30 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The MediaFire (aka com.mediafire.android) application 1.1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
41 CVE-2014-6844 310 +Info 2014-09-30 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The ABC Song (aka com.tabtale.abcsingalong) application 1.0.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
42 CVE-2014-6843 310 +Info 2014-09-30 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Sweatshop (aka com.orderingapps.sweatshop) application 2.96 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
43 CVE-2014-6842 310 +Info 2014-09-30 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Daily Advertiser Print (aka com.lafayettedailyadv.android.prod) application 6.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
44 CVE-2014-6841 310 +Info 2014-09-30 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The RTI INDIA (aka com.vbulletin.build_890) application 3.8.21 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
45 CVE-2014-6840 310 +Info 2014-09-30 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The My Wedding Planner (aka app.wedding) application 1.5 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
46 CVE-2014-6839 310 +Info 2014-09-30 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Alma Corinthiana (aka com.alma.corinthiana) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
47 CVE-2014-6838 310 +Info 2014-09-30 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Groupama toujours la (aka com.groupama.toujoursla) application 1.3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
48 CVE-2014-6837 310 +Info 2014-09-30 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Hillside (aka com.hillside.hermanus) application 1.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
49 CVE-2014-6836 310 +Info 2014-09-30 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The DS photo+ (aka com.synology.dsphoto) application 3.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
50 CVE-2014-6835 310 +Info 2014-09-30 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Herbal Guide (aka com.pocket.herbal.guide) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Total number of vulnerabilities : 1150   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.