| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 51 | CVE-2014-4153 | 200 | | +Info | 2014-06-18 | 2014-06-19 | 7.8 | None | Remote | Low | Not required | Complete | None | None | The av-centerd SOAP service in AlienVault OSSIM before 4.8.0 allows remote attackers to read arbitrary files via a crafted get_file request. |
| 52 | CVE-2014-4152 | 94 | | Exec Code | 2014-06-18 | 2014-06-19 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The av-centerd SOAP service in AlienVault OSSIM before 4.8.0 allows remote attackers to execute arbitrary code via a crafted remote_task request, related to injecting an ssh public key. |
| 53 | CVE-2014-4151 | 94 | | Exec Code | 2014-06-18 | 2014-06-19 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The av-centerd SOAP service in AlienVault OSSIM before 4.8.0 allows remote attackers to create arbitrary files and execute arbitrary code via a crafted set_file request. |
| 54 | CVE-2014-4049 | 119 | | DoS Exec Code Overflow | 2014-06-18 | 2018-10-30 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial | Heap-based buffer overflow in the php_parserr function in ext/standard/dns.c in PHP 5.6.0beta4 and earlier allows remote servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS TXT record, related to the dns_get_record function. |
| 55 | CVE-2014-4048 | | | DoS | 2014-06-17 | 2018-10-09 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The PJSIP Channel Driver in Asterisk Open Source before 12.3.1 allows remote attackers to cause a denial of service (deadlock) by terminating a subscription request before it is complete, which triggers a SIP transaction timeout. |
| 56 | CVE-2014-4047 | | | DoS | 2014-06-17 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Asterisk Open Source 1.8.x before 1.8.28.1, 11.x before 11.10.1, and 12.x before 12.3.1 and Certified Asterisk 1.8.15 before 1.8.15-cert6 and 11.6 before 11.6-cert3 allow remote attackers to cause a denial of service (connection consumption) via a large number of (1) inactive or (2) incomplete HTTP connections. |
| 57 | CVE-2014-4046 | | | Exec Code | 2014-06-17 | 2018-10-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | Asterisk Open Source 11.x before 11.10.1 and 12.x before 12.3.1 and Certified Asterisk 11.6 before 11.6-cert3 allow remote authenticated Manager users to execute arbitrary shell commands via a MixMonitor action. |
| 58 | CVE-2014-4045 | 189 | | DoS | 2014-06-17 | 2018-10-09 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The Publish/Subscribe Framework in the PJSIP channel driver in Asterisk Open Source 12.x before 12.3.1, when sub_min_expiry is set to zero, allows remote attackers to cause a denial of service (assertion failure and crash) via an unsubscribe request when not subscribed to the device. |
| 59 | CVE-2014-4044 | 119 | | DoS Overflow | 2014-06-17 | 2014-06-21 | 5.0 | None | Remote | Low | Not required | None | None | Partial | OpenAFS 1.6.8 does not properly clear the fields in the host structure, which allows remote attackers to cause a denial of service (uninitialized memory access and crash) via unspecified vectors related to TMAY requests. |
| 60 | CVE-2014-4040 | 310 | | +Info | 2014-06-17 | 2015-03-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | snap in powerpc-utils 1.2.20 produces an archive with fstab and yaboot.conf files potentially containing cleartext passwords, and lacks a warning about reviewing this archive to detect included passwords, which might allow remote attackers to obtain sensitive information by leveraging access to a technical-support data stream. |
| 61 | CVE-2014-4039 | 264 | | +Info | 2014-06-17 | 2017-01-07 | 2.1 | None | Local | Low | Not required | Partial | None | None | ppc64-diag 2.6.1 uses 0775 permissions for /tmp/diagSEsnap and does not properly restrict permissions for /tmp/diagSEsnap/snapH.tar.gz, which allows local users to obtain sensitive information by reading files in this archive, as demonstrated by /var/log/messages and /etc/yaboot.conf. |
| 62 | CVE-2014-4038 | 59 | | | 2014-06-17 | 2017-01-07 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial | ppc64-diag 2.6.1 allows local users to overwrite arbitrary files via a symlink attack related to (1) rtas_errd/diag_support.c and /tmp/get_dt_files, (2) scripts/ppc64_diag_mkrsrc and /tmp/diagSEsnap/snapH.tar.gz, or (3) lpd/test/lpd_ela_test.sh and /var/tmp/ras. |
| 63 | CVE-2014-4037 | 79 | | XSS | 2014-06-11 | 2015-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php in FCKeditor before 2.6.11 and earlier allows remote attackers to inject arbitrary web script or HTML via an array key in the textinputs[] parameter, a different issue than CVE-2012-4000. |
| 64 | CVE-2014-4036 | 79 | | XSS | 2014-06-11 | 2014-06-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in modules/system/admin.php in ImpressCMS 1.3.6.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter in a listimg action. |
| 65 | CVE-2014-4035 | 79 | | XSS | 2014-06-11 | 2019-08-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in booking_details.php in Best Soft Inc. (BSI) Advance Hotel Booking System 2.0 allows remote attackers to inject arbitrary web script or HTML via the title parameter. |
| 66 | CVE-2014-4034 | 89 | 1 | Exec Code Sql | 2014-06-11 | 2017-08-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in zero_view_article.php in ZeroCMS 1.0 allows remote attackers to execute arbitrary SQL commands via the article_id parameter. |
| 67 | CVE-2014-4033 | 79 | 1 | XSS | 2014-06-11 | 2014-06-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in libraries/includes/personal/profile.php in Epignosis eFront 3.6.14.4 allows remote attackers to inject arbitrary web script or HTML via the surname parameter to student.php. |
| 68 | CVE-2014-4032 | 79 | | XSS | 2014-06-11 | 2014-06-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in apps/app_comment/form_comment.php in Fiyo CMS 1.5.7 allows remote attackers to inject arbitrary web script or HTML via the Nama field. |
| 69 | CVE-2014-4030 | 352 | | CSRF | 2014-06-25 | 2014-06-26 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the JW Player plugin before 2.1.4 for WordPress allows remote attackers to hijack the authentication of administrators for requests that remove players via a delete action to wp-admin/admin.php. |
| 70 | CVE-2014-4027 | 200 | | +Info | 2014-06-23 | 2020-08-21 | 2.3 | None | Local Network | Medium | ??? | Partial | None | None | The rd_build_device_space function in drivers/target/target_core_rd.c in the Linux kernel before 3.14 does not properly initialize a certain data structure, which allows local users to obtain sensitive information from ramdisk_mcp memory by leveraging access to a SCSI initiator. |
| 71 | CVE-2014-4021 | 119 | | Overflow +Info | 2014-06-18 | 2018-10-30 | 2.7 | None | Local Network | Low | ??? | Partial | None | None | Xen 3.2.x through 4.4.x does not properly clean memory pages recovered from guests, which allows local guest OS users to obtain sensitive information via unspecified vectors. |
| 72 | CVE-2014-4020 | 189 | | DoS | 2014-06-18 | 2017-12-29 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The dissect_frame function in epan/dissectors/packet-frame.c in the frame metadissector in Wireshark 1.10.x before 1.10.8 interprets a negative integer as a length value even though it was intended to represent an error condition, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. |
| 73 | CVE-2014-4017 | 79 | | XSS | 2014-06-10 | 2014-07-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Conversion Ninja plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter to lp/index.php. |
| 74 | CVE-2014-4014 | 264 | 1 | Bypass | 2014-06-23 | 2018-12-18 | 6.2 | None | Local | High | Not required | Complete | Complete | Complete | The capabilities implementation in the Linux kernel before 3.14.8 does not properly consider that namespaces are inapplicable to inodes, which allows local users to bypass intended chmod restrictions by first creating a user namespace, as demonstrated by setting the setgid bit on a file with group ownership of root. |
| 75 | CVE-2014-4012 | 255 | | | 2014-06-09 | 2014-06-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SAP Open Hub Service has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. |
| 76 | CVE-2014-4011 | 255 | | | 2014-06-09 | 2014-06-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SAP Capacity Leveling has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. |
| 77 | CVE-2014-4010 | 255 | | | 2014-06-09 | 2014-06-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SAP Transaction Data Pool has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. |
| 78 | CVE-2014-4009 | 255 | | | 2014-06-09 | 2014-06-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SAP CCMS Monitoring (BC-CCM-MON) has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. |
| 79 | CVE-2014-4008 | 255 | | | 2014-06-09 | 2014-06-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SAP Web Services Tool (CA-WUI-WST) has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. |
| 80 | CVE-2014-4007 | 255 | | | 2014-06-09 | 2014-06-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The SAP Upgrade tools for ABAP have hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. |
| 81 | CVE-2014-4006 | 255 | | | 2014-06-09 | 2014-06-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The SAP Trader's and Scheduler's Workbench (TSW) for SAP Oil & Gas has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. |
| 82 | CVE-2014-4005 | 255 | | | 2014-06-09 | 2014-06-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SAP Brazil add-on has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. |
| 83 | CVE-2014-4004 | 255 | | | 2014-06-09 | 2014-06-18 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The (1) Structures and (2) Project-Oriented Procurement components in SAP Project System have hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. |
| 84 | CVE-2014-4003 | 264 | | | 2014-06-09 | 2018-10-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The System Landscape Directory (SLD) in SAP NetWeaver allows remote attackers to modify information via vectors related to adding a system. |
| 85 | CVE-2014-3995 | 79 | | XSS | 2014-06-16 | 2014-06-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in gravatars/templatetags/gravatars.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django allows remote attackers to inject arbitrary web script or HTML via a user display name. |
| 86 | CVE-2014-3994 | 79 | | XSS | 2014-06-16 | 2016-08-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in util/templatetags/djblets_js.py in Djblets before 0.7.30 and 0.8.x before 0.8.3 for Django, as used in Review Board, allows remote attackers to inject arbitrary web script or HTML via a JSON object, as demonstrated by the name field when changing a user name. |
| 87 | CVE-2014-3986 | 59 | | | 2014-06-08 | 2014-06-09 | 3.3 | None | Local | Medium | Not required | None | Partial | Partial | include/tests_webservers in Lynis before 1.5.5 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/lynis.*.unsorted file with an easily determined name. |
| 88 | CVE-2014-3984 | | | | 2014-06-06 | 2017-12-29 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Multiple unspecified vulnerabilities in Libav before 0.8.12 allow remote attackers to have unknown impact and vectors. |
| 89 | CVE-2014-3982 | 59 | | | 2014-06-08 | 2014-06-09 | 3.3 | None | Local | Medium | Not required | None | Partial | Partial | include/tests_webservers in Lynis before 1.5.5 on AIX allows local users to overwrite arbitrary files via a symlink attack on a /tmp/lynis.##### file. |
| 90 | CVE-2014-3981 | 59 | | | 2014-06-08 | 2017-01-07 | 3.3 | None | Local | Medium | Not required | None | Partial | Partial | acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, allows local users to overwrite arbitrary files via a symlink attack on the /tmp/phpglibccheck file. |
| 91 | CVE-2014-3980 | 264 | | +Priv | 2014-06-11 | 2014-06-12 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | libfep 0.0.5 before 0.1.0 does not properly use UNIX domain sockets in the abstract namespace, which allows local users to gain privileges via unspecified vectors. |
| 92 | CVE-2014-3977 | 59 | 1 | | 2014-06-08 | 2021-08-31 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | libodm.a in IBM AIX 6.1 and 7.1, and VIOS 2.2.x, allows local users to overwrite arbitrary files via a symlink attack on a temporary file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-2179. |
| 93 | CVE-2014-3976 | 119 | 1 | DoS Exec Code Overflow | 2014-06-05 | 2015-09-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Buffer overflow in A10 Networks Advanced Core Operating System (ACOS) before 2.7.0-p6 and 2.7.1 before 2.7.1-P1_55 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long session id in the URI to sys_reboot.html. NOTE: some of these details are obtained from third party information. |
| 94 | CVE-2014-3975 | 22 | 1 | Dir. Trav. | 2014-06-05 | 2014-06-06 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Absolute path traversal vulnerability in filemanager.php in AuraCMS 3.0 allows remote attackers to list a directory via a full pathname in the viewdir parameter. |
| 95 | CVE-2014-3974 | 79 | 1 | XSS | 2014-06-05 | 2014-06-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in filemanager.php in AuraCMS 3.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the viewdir parameter. |
| 96 | CVE-2014-3973 | 89 | | Exec Code Sql | 2014-06-05 | 2014-06-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Multiple SQL injection vulnerabilities in FrontAccounting (FA) before 2.3.21 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| 97 | CVE-2014-3970 | | | DoS | 2014-06-11 | 2017-01-07 | 2.9 | None | Local Network | Medium | Not required | None | None | Partial | The pa_rtp_recv function in modules/rtp/rtp.c in the module-rtp-recv module in PulseAudio 5.0 and earlier allows remote attackers to cause a denial of service (assertion failure and abort) via an empty UDP packet. |
| 98 | CVE-2014-3969 | 264 | | +Priv | 2014-06-05 | 2018-10-30 | 7.4 | None | Local Network | Medium | ??? | Complete | Complete | Complete | Xen 4.4.x, when running on an ARM system, does not properly check write permissions on virtual addresses, which allows local guest administrators to gain privileges via unspecified vectors. |
| 99 | CVE-2014-3968 | | | DoS | 2014-06-05 | 2018-10-30 | 5.5 | None | Local Network | Low | ??? | None | None | Complete | The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x allows local guest HVM administrators to cause a denial of service (host crash) via a large number of crafted requests, which trigger error messages to be logged. |
| 100 | CVE-2014-3967 | | | DoS | 2014-06-05 | 2018-10-30 | 5.5 | None | Local Network | Low | ??? | None | None | Complete | The HVMOP_inject_msi function in Xen 4.2.x, 4.3.x, and 4.4.x does not properly check the return value from the IRQ setup check, which allows local HVM guest administrators to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors. |