CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In October 2014

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1001 CVE-2014-5410 399 DoS 2014-10-03 2014-10-06
7.1
None Remote Medium Not required None None Complete
The DNP3 feature on Rockwell Automation Allen-Bradley MicroLogix 1400 1766-Lxxxxx A FRN controllers 7 and earlier and 1400 1766-Lxxxxx B FRN controllers before 15.001 allows remote attackers to cause a denial of service (process disruption) via malformed packets over (1) an Ethernet network or (2) a serial line.
1002 CVE-2014-5389 89 Exec Code Sql 2014-10-06 2015-11-02
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in content-audit-schedule.php in the Content Audit plugin before 1.6.1 for WordPress allows remote attackers to execute arbitrary SQL commands via the "Audited content types" option in the content-audit page to wp-admin/options-general.php.
1003 CVE-2014-5376 20 2014-10-08 2018-10-09
4.0
None Remote Low ??? None Partial None
Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0, when a pre-generated key is used, does not validate that the requesting user matches the actor in the message, which allows remote authenticated users to impersonate arbitrary users via the actor field in a message.
1004 CVE-2014-5375 20 2014-10-08 2018-10-09
4.0
None Remote Low ??? None Partial None
The server in Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0 does not properly validate the message owner matches the submitting user, which allows remote authenticated users to impersonate arbitrary users via the UserId and Owner tags.
1005 CVE-2014-5351 255 2014-10-10 2020-01-21
2.1
None Remote High ??? Partial None None
The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.
1006 CVE-2014-5331 79 XSS 2014-10-19 2015-07-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Aflax allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
1007 CVE-2014-5330 79 XSS 2014-10-19 2015-07-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in BirdBlog allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
1008 CVE-2014-5328 399 DoS Overflow 2014-10-12 2014-10-15
6.8
None Remote Low ??? None None Complete
Buffer overflow in the Webserver component on the Huawei E5332 router before 21.344.27.00.1080 allows remote authenticated users to cause a denial of service (reboot) via a long parameter in an API service request message.
1009 CVE-2014-5327 399 DoS Overflow 2014-10-12 2014-10-15
6.8
None Remote Low ??? None None Complete
Buffer overflow in the Webserver component on the Huawei E5332 router before 21.344.27.00.1080 allows remote authenticated users to cause a denial of service (reboot) via a long URI.
1010 CVE-2014-5308 89 1 Exec Code Sql 2014-10-08 2014-10-09
9.0
None Remote Low ??? Complete Complete Complete
Multiple SQL injection vulnerabilities in TestLink 1.9.11 allow remote authenticated users to execute arbitrary SQL commands via the (1) name parameter in a Search action to lib/project/projectView.php or (2) id parameter to lib/events/eventinfo.php.
1011 CVE-2014-5300 287 1 Exec Code Bypass 2014-10-08 2018-10-09
5.0
None Remote Low Not required None Partial None
Adaptive Computing Moab before 7.2.9 and 8 before 8.0.0 allows remote attackers to bypass the signature check, impersonate arbitrary users, and execute commands via a message without a signature.
1012 CVE-2014-5298 264 Bypass 2014-10-10 2018-10-09
5.0
None Remote Low Not required None None Partial
FileUploadsFilter.php in X2Engine 4.1.7 and earlier, when running on case-insensitive file systems, allows remote attackers to bypass the upload blacklist and conduct unrestricted file upload attacks by uploading a file with an executable extension that contains uppercase letters, as demonstrated using a PHP program.
1013 CVE-2014-5297 94 2014-10-10 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
The actionSendErrorReport method in protected/controllers/SiteController.php in X2Engine 2.8 through 4.1.7 allows remote attackers to conduct PHP object injection and Server-Side Request Forgery (SSRF) attacks via crafted serialized data in the report parameter.
1014 CVE-2014-5276 79 1 XSS 2014-10-20 2017-09-08
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Pro Chat Rooms Text Chat Rooms 8.2.0 allow remote authenticated users to inject arbitrary web script or HTML via (1) an uploaded profile picture or (2) the edit parameter to profiles/index.php.
1015 CVE-2014-5275 89 1 Exec Code Sql 2014-10-20 2017-09-08
6.5
None Remote Low ??? Partial Partial Partial
Multiple SQL injection vulnerabilities in includes/functions.php in Pro Chat Rooms Text Chat Rooms 8.2.0 allow remote authenticated users to execute arbitrary SQL commands via the (1) password, (2) email, or (3) id parameter.
1016 CVE-2014-5270 200 +Info 2014-10-10 2017-11-04
2.1
None Local Low Not required Partial None None
Libgcrypt before 1.5.4, as used in GnuPG and other products, does not properly perform ciphertext normalization and ciphertext randomization, which makes it easier for physically proximate attackers to conduct key-extraction attacks by leveraging the ability to collect voltage data from exposed metal, a different vector than CVE-2013-4576.
1017 CVE-2014-5169 79 XSS 2014-10-20 2014-10-24
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Date module before 7.x-2.8 for Drupal allows remote authenticated users with the permission to create a date field to inject arbitrary web script or HTML via the date field title.
1018 CVE-2014-5148 119 DoS Overflow +Priv 2014-10-26 2017-08-29
4.6
None Local Low Not required Partial Partial Partial
Xen 4.4.x, when running on an ARM system and "handling an unknown system register access from 64-bit userspace," returns to an instruction of the trap handler for kernel space faults instead of an instruction that is associated with faults in 64-bit userspace, which allows local guest users to cause a denial of service (crash) and possibly gain privileges via a crafted process.
1019 CVE-2014-5098 79 XSS 2014-10-20 2018-10-09
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Search module before 1.2.2 in Jamroom allows remote attackers to inject arbitrary web script or HTML via the query string to search/results/.
1020 CVE-2014-5094 200 +Info 2014-10-20 2017-08-29
5.0
None Remote Low Not required Partial None None
Status2k allows remote attackers to obtain configuration information via a phpinfo action in a request to status/index.php, which calls the phpinfo function.
1021 CVE-2014-5075 310 2014-10-25 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
1022 CVE-2014-5026 79 XSS 2014-10-20 2018-10-30
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Cacti 0.8.8b allow remote authenticated users with console access to inject arbitrary web script or HTML via a (1) Graph Tree Title in a delete or (2) edit action; (3) CDEF Name, (4) Data Input Method Name, or (5) Host Templates Name in a delete action; (6) Data Source Title; (7) Graph Title; or (8) Graph Template Name in a delete or (9) duplicate action.
1023 CVE-2014-5025 79 XSS 2014-10-20 2018-10-30
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in data_sources.php in Cacti 0.8.8b allows remote authenticated users with console access to inject arbitrary web script or HTML via the name_cache parameter in a ds_edit action.
1024 CVE-2014-5006 22 1 Exec Code Dir. Trav. 2014-10-21 2020-01-17
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter to mdm/mdmLogUploader.
1025 CVE-2014-5005 22 1 Exec Code Dir. Trav. 2014-10-21 2020-01-17
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in ZOHO ManageEngine Desktop Central (DC) before 9 build 90055 allows remote attackers to execute arbitrary code via a .. (dot dot) in the fileName parameter in an LFU action to statusUpdate.
1026 CVE-2014-4906 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Brisbane & Queensland Alert (aka com.queensland.alert) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1027 CVE-2014-4905 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Clean Internet Browser (aka com.cleantab.browsesecure) application 1.36 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1028 CVE-2014-4904 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Crossmo Calendar (aka com.crossmo.calendar) application 1.7.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1029 CVE-2014-4903 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Kakao Bingo Garden (aka com.mocoga.bingogarden) application 1.0.14 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1030 CVE-2014-4901 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Bond Trading (aka com.appmakr.app613309) application 197705 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1031 CVE-2014-4900 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The migme (aka com.projectgoth) application 4.03.002 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1032 CVE-2014-4899 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Indian Cement Review (aka com.magzter.indiancementreview) application 3.01 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1033 CVE-2014-4898 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Harivijay (aka com.upasanhar.marathi.harivijay) application 4.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1034 CVE-2014-4897 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Touriosity Travelmag (aka com.magzter.touriositytravelmag) application 3.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1035 CVE-2014-4896 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Parque Imperial (aka com.a792139893520606f84b2188a.a23428594a) application 1.02 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1036 CVE-2014-4895 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Herpin Time Radio (aka com.herpin.time.radio) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1037 CVE-2014-4894 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The MyMetro (aka com.myrippleapps.mymetro) application 2.4.7 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1038 CVE-2014-4892 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The uControl Smart Home Automation (aka de.ucontrol) application 1.2 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1039 CVE-2014-4891 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The CT iHub (aka com.concursive.ctihub) application 1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1040 CVE-2014-4890 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Nano Digest (aka com.magzter.nanodigest) application 3.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1041 CVE-2014-4889 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Diabetic Diet Guide (aka com.wDiabeticDietGuide) application 2.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1042 CVE-2014-4888 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The BattleFriends at Sea GOLD (aka com.tequilamobile.warshipslivegold) application 1.1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1043 CVE-2014-4887 310 +Info 2014-10-21 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The Joint Radio Blues (aka com.nobexinc.wls_69685189.rc) application 3.2.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1044 CVE-2014-4885 310 +Info 2014-10-21 2014-11-10
5.4
None Local Network Medium Not required Partial Partial Partial
The CPWORLD Close Protection World (aka com.tapatalk.closeprotectionworldcom) application 3.4.4 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1045 CVE-2014-4884 310 +Info 2014-10-21 2014-11-10
5.4
None Local Network Medium Not required Partial Partial Partial
The Conrad Hotel (aka com.wConradHotel) application 0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1046 CVE-2014-4881 310 +Info 2014-10-16 2014-11-14
5.4
None Local Network Medium Not required Partial Partial Partial
The PartyTrack library for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
1047 CVE-2014-4877 22 Exec Code Dir. Trav. 2014-10-29 2017-02-17
9.3
None Remote Medium Not required Complete Complete Complete
Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink.
1048 CVE-2014-4874 200 +Info 2014-10-10 2016-06-28
4.0
None Remote Low ??? Partial None None
BMC Track-It! 11.3.0.355 allows remote authenticated users to read arbitrary files by visiting the TrackItWeb/Attachment page.
1049 CVE-2014-4873 89 Exec Code Sql 2014-10-10 2015-09-10
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in TrackItWeb/Grid/GetData in BMC Track-It! 11.3.0.355 allows remote authenticated users to execute arbitrary SQL commands via crafted POST data.
1050 CVE-2014-4872 287 Exec Code +Info 2014-10-10 2016-06-29
7.5
None Remote Low Not required Partial Partial Partial
BMC Track-It! 11.3.0.355 does not require authentication on TCP port 9010, which allows remote attackers to upload arbitrary files, execute arbitrary code, or obtain sensitive credential and configuration information via a .NET Remoting request to (1) FileStorageService or (2) ConfigurationService.
Total number of vulnerabilities : 1414   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 (This Page)22 23 24 25 26 27 28 29
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.