CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2014

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
51 CVE-2014-8995 89 Exec Code Sql 2014-11-20 2017-09-08
5.0
None Remote Low Not required None Partial None
SQL injection vulnerability in Maarch LetterBox 2.8 allows remote attackers to execute arbitrary SQL commands via the UserId cookie.
52 CVE-2014-8994 18 2014-11-28 2017-09-08
3.6
None Local Low Not required None Partial Partial
The check_diskio plugin 3.2.6 and earlier for Nagios and Icinga allows local users to write to arbitrary files via a symlink attack on a temporary file with a predictable name (tmp/check_diskio_status-*-*).
53 CVE-2014-8991 DoS 2014-11-24 2021-03-15
2.1
None Local Low Not required None None Partial
pip 1.3 through 1.5.6 allows local users to cause a denial of service (prevention of package installation) by creating a /tmp/pip-build-* file for another user.
54 CVE-2014-8989 264 Bypass 2014-11-30 2017-01-03
4.6
None Local Low Not required Partial Partial Partial
The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a "negative groups" issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c.
55 CVE-2014-8988 264 Bypass 2014-11-24 2017-09-08
4.0
None Remote Low ??? Partial None None
MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL.
56 CVE-2014-8986 79 XSS 2014-11-24 2017-01-03
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted config option, a different vulnerability than CVE-2014-8987.
57 CVE-2014-8962 119 Exec Code Overflow 2014-11-26 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in stream_decoder.c in libFLAC before 1.3.1 allows remote attackers to execute arbitrary code via a crafted .flac file.
58 CVE-2014-8961 22 Dir. Trav. +Info 2014-11-30 2018-10-30
4.0
None Remote Low ??? Partial None None
Directory traversal vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to obtain potentially sensitive information about a file's line count via a crafted parameter.
59 CVE-2014-8960 79 XSS 2014-11-30 2016-12-22
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename.
60 CVE-2014-8959 22 Dir. Trav. 2014-11-30 2018-10-30
6.5
None Remote Low ??? Partial Partial Partial
Directory traversal vulnerability in libraries/gis/GIS_Factory.class.php in the GIS editor in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allows remote authenticated users to include and execute arbitrary local files via a crafted geometry-type parameter.
61 CVE-2014-8958 79 XSS 2014-11-30 2016-12-22
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database, (2) table, or (3) column name that is improperly handled during rendering of the table browse page; a crafted ENUM value that is improperly handled during rendering of the (4) table print view or (5) zoom search page; or (6) a crafted pma_fontsize cookie that is improperly handled during rendering of the home page.
62 CVE-2014-8955 79 XSS 2014-11-17 2017-09-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Contact Form Clean and Simple (clean-and-simple-contact-form-by-meg-nicholas) plugin 4.4.0 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the cscf[name] parameter to contact-us/.
63 CVE-2014-8954 79 1 XSS 2014-11-17 2015-08-06
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in phpSound 1.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) Title or (2) Description fields in a playlist or the (3) filter parameter in an explore action to index.php.
64 CVE-2014-8953 352 1 CSRF 2014-11-17 2017-09-08
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Php Scriptlerim Who's Who script allow remote attackers to hijack the authentication of administrators or requests that (1) add an admin account via a request to filepath/yonetim/plugin/adminsave.php or have unspecified impact via a request to (2) ayarsave.php, (3) uyesave.php, (4) slaytadd.php, or (5) slaytsave.php.
65 CVE-2014-8952 DoS 2014-11-16 2017-09-08
7.1
None Remote Medium Not required None None Complete
Multiple unspecified vulnerabilities in Check Point Security Gateway R75.40VS, R75.45, R75.46, R75.47, R76, R77, and R77.10, when the (1) IPS blade, (2) IPsec Remote Access, (3) Mobile Access / SSL VPN blade, (4) SSL Network Extender, (5) Identify Awareness blade, (6) HTTPS Inspection, (7) UserCheck, or (8) Data Leak Prevention blade module is enabled, allow remote attackers to cause a denial of service ("stability issue") via an unspecified "traffic condition."
66 CVE-2014-8951 DoS 2014-11-16 2017-09-08
7.1
None Remote Medium Not required None None Complete
Unspecified vulnerability in Check Point Security Gateway R75, R76, R77, and R77.10, when UserCheck is enabled and the (1) Application Control, (2) URL Filtering, (3) DLP, (4) Threat Emulation, (5) Anti-Bot, or (6) Anti-Virus blade is used, allows remote attackers to cause a denial of service (fwk0 process crash, core dump, and restart) via a redirect to the UserCheck page.
67 CVE-2014-8950 DoS 2014-11-16 2017-09-08
7.1
None Remote Medium Not required None None Complete
Unspecified vulnerability in Check Point Security Gateway R77 and R77.10, when the (1) URL Filtering or (2) Identity Awareness blade is used, allows remote attackers to cause a denial of service (crash) via vectors involving an HTTPS request.
68 CVE-2014-8949 94 1 Exec Code 2014-11-16 2014-11-18
6.0
None Remote Medium ??? Partial Partial Partial
The iMember360 plugin 3.8.012 through 3.9.001 for WordPress allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the i4w_trace parameter. NOTE: this can be leveraged with CVE-2014-8948 to allow remote attackers to execute code. NOTE: it is not clear whether this issue itself crosses privileges.
69 CVE-2014-8948 352 1 Exec Code CSRF 2014-11-16 2014-11-17
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the iMember360 plugin 3.8.012 through 3.9.001 for WordPress allows remote attackers to hijack the authentication of administrators for requests that with an unspecified impact via the i4w_trace parameter. NOTE: this can be leveraged with CVE-2014-8948 to execute arbitrary commands.
70 CVE-2014-8884 119 DoS Overflow +Priv 2014-11-30 2018-01-05
6.1
None Local Low Not required Partial Partial Complete
Stack-based buffer overflow in the ttusbdecfe_dvbs_diseqc_send_master_cmd function in drivers/media/usb/ttusb-dec/ttusbdecfe.c in the Linux kernel before 3.17.4 allows local users to cause a denial of service (system crash) or possibly gain privileges via a large message length in an ioctl call.
71 CVE-2014-8801 22 1 Dir. Trav. 2014-11-28 2021-03-23
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in services/getfile.php in the Paid Memberships Pro plugin before 1.7.15 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the QUERY_STRING in a getfile action to wp-admin/admin-ajax.php.
72 CVE-2014-8799 22 1 Dir. Trav. 2014-11-28 2020-02-05
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the dp_img_resize function in php/dp-functions.php in the DukaPress plugin before 2.5.4 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the src parameter to lib/dp_image.php.
73 CVE-2014-8770 94 1 Exec Code 2014-11-13 2019-07-16
9.0
None Remote Low ??? Complete Complete Complete
Unrestricted file upload vulnerability in magmi/web/magmi.php in the MAGMI (aka Magento Mass Importer) plugin 0.7.17a and earlier for Magento Community Edition (CE) allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file, then accessing the PHP file via a direct request to it in magmi/plugins/.
74 CVE-2014-8769 119 DoS Overflow +Info 2014-11-20 2018-10-09
6.4
None Remote Low Not required Partial None Partial
tcpdump 3.8 through 4.6.2 might allow remote attackers to obtain sensitive information from memory or cause a denial of service (packet loss or segmentation fault) via a crafted Ad hoc On-Demand Distance Vector (AODV) packet, which triggers an out-of-bounds memory access.
75 CVE-2014-8768 191 1 DoS 2014-11-20 2018-10-30
5.0
None Remote Low Not required None None Partial
Multiple Integer underflows in the geonet_print function in tcpdump 4.5.0 through 4.6.2, when in verbose mode, allow remote attackers to cause a denial of service (segmentation fault and crash) via a crafted length value in a Geonet frame.
76 CVE-2014-8767 189 DoS 2014-11-20 2018-10-30
5.0
None Remote Low Not required None None Partial
Integer underflow in the olsr_print function in tcpdump 3.9.6 through 4.6.2, when in verbose mode, allows remote attackers to cause a denial of service (crash) via a crafted length value in an OLSR frame.
77 CVE-2014-8736 200 Bypass +Info 2014-11-12 2014-11-13
5.0
None Remote Low Not required Partial None None
The Open Atrium Core module for Drupal before 7.x-2.22 allows remote attackers to bypass access restrictions and read file attachments that have been removed from a node by leveraging a previous revision of the node.
78 CVE-2014-8735 200 +Info 2014-11-12 2019-07-16
4.0
None Remote Low ??? Partial None None
The Bad Behavior module 6.x-2.x before 6.x-2.2216 and 7.x-2.x before 7.x-2.2216 for Drupal logs usernames and passwords, which allows remote authenticated users with the "administer bad behavior" permission to obtain sensitive information by reading a log file.
79 CVE-2014-8734 264 2014-11-12 2017-09-08
3.5
None Remote Medium ??? None Partial None
The Organic Groups Menu (aka OG Menu) module before 7.x-2.2 for Drupal allows remote authenticated users with the "access administration pages" permission to change module settings via unspecified vectors.
80 CVE-2014-8732 79 XSS 2014-11-17 2018-10-09
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in phpMemcachedAdmin 1.2.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
81 CVE-2014-8727 22 1 Dir. Trav. 2014-11-17 2017-09-08
6.2
None Local Low ??? None Complete Complete
Multiple directory traversal vulnerabilities in F5 BIG-IP before 10.2.2 allow local users with the "Resource Administrator" or "Administrator" role to enumerate and delete arbitrary files via a .. (dot dot) in the name parameter to (1) tmui/Control/jspmap/tmui/system/archive/properties.jsp or (2) tmui/Control/form.
82 CVE-2014-8714 399 DoS 2014-11-23 2018-01-05
5.0
None Remote Low Not required None None Partial
The dissect_write_structured_field function in epan/dissectors/packet-tn5250.c in the TN5250 dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.
83 CVE-2014-8713 119 DoS Overflow 2014-11-23 2018-01-05
5.0
None Remote Low Not required None None Partial
Stack-based buffer overflow in the build_expert_data function in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet.
84 CVE-2014-8712 399 DoS 2014-11-23 2018-01-05
5.0
None Remote Low Not required None None Partial
The build_expert_data function in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 does not properly initialize a data structure, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
85 CVE-2014-8711 189 DoS Overflow 2014-11-23 2018-01-05
5.0
None Remote Low Not required None None Partial
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.
86 CVE-2014-8710 119 DoS Overflow 2014-11-23 2018-01-05
5.0
None Remote Low Not required None None Partial
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.
87 CVE-2014-8709 200 +Info 2014-11-10 2017-09-08
5.0
None Remote Low Not required Partial None None
The ieee80211_fragment function in net/mac80211/tx.c in the Linux kernel before 3.13.5 does not properly maintain a certain tail pointer, which allows remote attackers to obtain sensitive cleartext information by reading packets.
88 CVE-2014-8683 79 XSS 2014-11-21 2018-10-09
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.8 allows remote attackers to inject arbitrary web script or HTML via the text parameter to api/v1/markdown.
89 CVE-2014-8682 89 1 Exec Code Sql 2014-11-21 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
90 CVE-2014-8681 89 1 Exec Code Sql 2014-11-21 2017-09-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the GetIssues function in models/issue.go in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.6.x before 0.5.6.1025 Beta allows remote attackers to execute arbitrary SQL commands via the label parameter to user/repos/issues.
91 CVE-2014-8678 200 +Info 2014-11-25 2015-02-17
7.8
None Remote Low Not required Complete None None
The ConfigSaveServlet servlet in ManageEngine OpUtils before build 71024 allows remote attackers to "disclose" files via a crafted filename, related to "saveFile."
92 CVE-2014-8672 79 XSS 2014-11-07 2015-05-12
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the RewardingYourself application for Android and BlackBerry OS allows remote attackers to inject arbitrary web script or HTML via a crafted QR code.
93 CVE-2014-8671 79 XSS 2014-11-07 2015-10-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the GWT Mobile PhoneGap Showcase application for Android allows remote attackers to inject arbitrary web script or HTML via a crafted Bluetooth Device Name field.
94 CVE-2014-8670 2014-11-06 2017-09-08
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in go.php in vBulletin 4.2.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.
95 CVE-2014-8669 94 Exec Code 2014-11-06 2014-11-07
10.0
None Remote Low Not required Complete Complete Complete
The SAP Promotion Guidelines (CRM-MKT-MPL-TPM-PPG) module for SAP CRM allows remote attackers to execute arbitrary code via unspecified vectors.
96 CVE-2014-8668 89 Exec Code Sql 2014-11-06 2017-09-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SAP Contract Accounting allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
97 CVE-2014-8667 79 XSS 2014-11-06 2014-11-07
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in SAP HANA Web-based Development Workbench allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
98 CVE-2014-8666 200 +Info 2014-11-06 2014-11-07
5.0
None Remote Low Not required Partial None None
The User & Server configuration, InfoView refresh, user rights (BI-BIP-ADM) component in SAP Business Intellignece allows remote attackers to obtain audit event details via unspecified vectors.
99 CVE-2014-8665 200 +Info 2014-11-06 2014-11-07
5.0
None Remote Low Not required Partial None None
The SAP Business Intelligence Development Workbench allows remote attackers to obtain sensitive information by reading unspecified files.
100 CVE-2014-8664 89 Exec Code Sql 2014-11-06 2017-09-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Product Safety (EHS-SAF) component in SAP Environment, Health, and Safety Management allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Total number of vulnerabilities : 501   Page : 1 2 (This Page)3 4 5 6 7 8 9 10 11
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.