The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2014-8417 | ConfBridge in Asterisk 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 11.6 before 11.6-cert8 allows remote authenticated users to (1) gain privileges via vectors related to an external protocol to the CONFBRIDGE dialplan function or (2) execute arbitrary system commands via a crafted ConfbridgeStartRecord AMI action. | Medium | Nov 25, 2014 |
CVE-2014-8416 | Use-after-free vulnerability in the PJSIP channel driver in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1, when using the res_pjsip_refer module, allows remote attackers to cause a denial of service (crash) via an in-dialog INVITE with Replaces message, which triggers the channel to be hung up. | Medium | Nov 25, 2014 |
CVE-2014-8415 | Race condition in the chan_pjsip channel driver in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 allows remote attackers to cause a denial of service (assertion failure and crash) via a cancel request for a SIP session with a queued action to (1) answer a session or (2) send ringing. | Medium | Nov 25, 2014 |
CVE-2014-8414 | ConfBridge in Asterisk 11.x before 11.14.1 and Certified Asterisk 11.6 before 11.6-cert8 does not properly handle state changes, which allows remote attackers to cause a denial of service (channel hang and memory consumption) by causing transitions to be delayed, which triggers a state change from hung up to waiting for media. | Medium | Nov 25, 2014 |
CVE-2014-8413 | The res_pjsip_acl module in Asterisk Open Source 12.x before 12.7.1 and 13.x before 13.0.1 does properly create and load ACLs defined in pjsip.conf at startup, which allows remote attackers to bypass intended PJSIP ACL rules. | High | Nov 25, 2014 |
CVE-2014-8412 | The (1) VoIP channel drivers, (2) DUNDi, and (3) Asterisk Manager Interface (AMI) in Asterisk Open Source 1.8.x before 1.8.32.1, 11.x before 11.14.1, 12.x before 12.7.1, and 13.x before 13.0.1 and Certified Asterisk 1.8.28 before 1.8.28-cert3 and 11.6 before 11.6-cert8 allows remote attackers to bypass the ACL restrictions via a packet with a source IP that does not share the address family as the first ACL entry. | Medium | Nov 25, 2014 |
CVE-2014-8399 | The default configuration in systemd-shim 8 enables the Abandon debugging clause, which allows local users to cause a denial of service via unspecified vectors. | Low | Nov 3, 2014 |
CVE-2014-8398 | Multiple untrusted search path vulnerabilities in Corel FastFlick allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) igfxcmrt32.dll, (2) ipl.dll, (3) MSPStyleLib.dll, (4) uFioUtil.dll, (5) uhDSPlay.dll, (6) uipl.dll, (7) uvipl.dll, (8) VC1DecDll.dll, or (9) VC1DecDll_SSE3.dll file that is located in the same folder as the file being processed.<a href=http://cwe.mitre.org/data/definitions/426.html>CWE-426: Untrusted Search Path</a> | Medium | Jan 16, 2015 |
CVE-2014-8397 | Untrusted search path vulnerability in Corel VideoStudio PRO X7 or FastFlick allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse u32ZLib.dll file that is located in the same folder as the file being processed.<a href=http://cwe.mitre.org/data/definitions/426.html>CWE-426: Untrusted Search Path</a> | Medium | Jan 16, 2015 |
CVE-2014-8396 | Untrusted search path vulnerability in Corel PDF Fusion allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse quserex.dll file that is located in the same folder as the file being processed.<a href=http://cwe.mitre.org/data/definitions/426.html>CWE-426: Untrusted Search Path</a> | Medium | Jan 16, 2015 |
CVE-2014-8395 | Untrusted search path vulnerability in Corel Painter 2015 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wacommt.dll file that is located in the same folder as the file being processed.<a href=http://cwe.mitre.org/data/definitions/426.html>CWE-426: Untrusted Search Path</a> | Medium | Jan 16, 2015 |
CVE-2014-8394 | Multiple untrusted search path vulnerabilities in Corel CAD 2014 allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) FxManagedCommands_3.08_9.tx or (2) TD_Mgd_3.08_9.dll file in the current working directory.<a href=http://cwe.mitre.org/data/definitions/426.html>CWE-426: Untrusted Search Path</a> | Medium | Jan 15, 2015 |
CVE-2014-8393 | DLL Hijacking vulnerability in CorelDRAW X7, Corel Photo-Paint X7, Corel PaintShop Pro X7, Corel Painter 2015, and Corel PDF Fusion. | MEDIUM | Aug 28, 2017 |
CVE-2014-8391 | The Web interface in Sendio before 7.2.4 does not properly handle sessions, which allows remote authenticated users to obtain sensitive information from other users' sessions via a large number of request. | Medium | Jun 3, 2015 |
CVE-2014-8390 | Multiple buffer overflows in Schneider Electric VAMPSET before 2.2.168 allow local users to gain privileges via malformed disturbance-recording data in a (1) CFG or (2) DAT file. | Medium | Apr 9, 2015 |
CVE-2014-8389 | cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware 1.43 21.08.2014, AirLive MD-3025 with firmware 1.81 21.08.2014, AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011, and AirLive POE-200CAM v2 with firmware LM.1.6.17.01 uses hard-coded credentials in the embedded Boa web server, which allows remote attackers to obtain user credentials via crafted HTTP requests. | -- | Dec 27, 2017 |
CVE-2014-8388 | Stack-based buffer overflow in Advantech WebAccess, formerly BroadWin WebAccess, before 8.0 allows remote attackers to execute arbitrary code via a crafted ip_address parameter in an HTML document. | High | Nov 24, 2014 |
CVE-2014-8387 | cgi/utility.cgi in Advantech EKI-6340 2.05 Wi-Fi Mesh Access Point allows remote authenticated users to execute arbitrary commands via shell metacharacters in the pinghost parameter to ping.cgi. | High | Nov 20, 2014 |
CVE-2014-8386 | Multiple stack-based buffer overflows in Advantech AdamView 4.3 and earlier allow remote attackers to execute arbitrary code via a crafted (1) display properties or (2) conditional bitmap parameter in a GNI file. | High | Jan 21, 2015 |
CVE-2014-8385 | Buffer overflow on Advantech EKI-1200 gateways with firmware before 1.63 allows remote attackers to execute arbitrary code via unspecified vectors. | High | Feb 13, 2015 |
CVE-2014-8384 | The InFocus IN3128HD projector with firmware 0.26 does not restrict access to cgi-bin/webctrl.cgi.elf, which allows remote attackers to modify the DHCP server and device IP configuration, reboot the device, change the device name, and have other unspecified impact via a crafted request.<a href=http://cwe.mitre.org/data/definitions/306.html>Missing Authentication for Critical Function</a> | High | May 19, 2015 |
CVE-2014-8383 | The InFocus IN3128HD projector with firmware 0.26 allows remote attackers to bypass authentication via a direct request to main.html.<a href=http://cwe.mitre.org/data/definitions/306.html>Missing Authentication for Critical Function</a> | High | May 19, 2015 |
CVE-2014-8381 | Multiple cross-site scripting (XSS) vulnerabilities in Megapolis.Portal Manager allow remote attackers to inject arbitrary web script or HTML via the (1) dateFrom or (2) dateTo parameter. | Medium | Oct 23, 2014 |
CVE-2014-8380 | Cross-site scripting (XSS) vulnerability in Splunk 6.1.1 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer Header in a 404 Not Found response. NOTE: this vulnerability might exist because of a CVE-2010-2429 regression. | Medium | Oct 24, 2014 |
CVE-2014-8379 | Multiple cross-site scripting (XSS) vulnerabilities in the Marketo MA module before 7.x-1.5 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to field titles to the (1) Webform or (2) User sub-modules. | Low | Oct 23, 2014 |
CVE-2014-8378 | Cross-site scripting (XSS) vulnerability in the TableField module 7.x-2.x before 7.x-2.3 allows remote authenticated users with the administer content types or administer taxonomy permission to inject arbitrary web script or HTML via vectors related to the field help text in an entity edit form. | Low | Oct 23, 2014 |
CVE-2014-8377 | Cross-site scripting (XSS) vulnerability in Webasyst Shop-Script 5.2.2.30933 allows remote attackers to inject arbitrary web script or HTML via the phone number field in a new contact to phpecom/index.php/webasyst/contacts/. | Medium | Oct 24, 2014 |
CVE-2014-8376 | Cross-site scripting (XSS) vulnerability in the context administration sub-panel in the Site Banner module before 7.x-4.1 for Drupal allows remote authenticated users with the Administer contexts Context UI module permission to inject arbitrary web script or HTML via vectors related to context settings. | Low | Oct 24, 2014 |
CVE-2014-8375 | SQL injection vulnerability in GBgallery.php in the GB Gallery Slideshow plugin 1.5 for WordPress allows remote administrators to execute arbitrary SQL commands via the selected_group parameter in a gb_ajax_get_group action to wp-admin/admin-ajax.php. | Medium | Oct 24, 2014 |
CVE-2014-8374 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2014. Notes: none | -- | Nov 7, 2023 |
CVE-2014-8373 | The VMware Remote Console (VMRC) function in VMware vCloud Automation Center (vCAC) 6.0.1 through 6.1.1 allows remote authenticated users to gain privileges via vectors involving the Connect (by) Using VMRC function. | High | Dec 12, 2014 |
CVE-2014-8372 | AirWatch by VMware On-Premise 7.3.x before 7.3.3.0 (FP3) allows remote authenticated users to obtain the organizational information and statistics from arbitrary tenants via vectors involving a direct object reference. | Medium | Dec 12, 2014 |
CVE-2014-8371 | VMware vCenter Server Appliance (vCSA) 5.5 before Update 2, 5.1 before Update 3, and 5.0 before Update 3c does not properly validate certificates when connecting to a CIM Server on an ESXi host, which allows man-in-the-middle attackers to spoof CIM servers via a crafted certificate. | Medium | Dec 8, 2014 |
CVE-2014-8370 | VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, VMware Fusion 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allow host OS users to gain host OS privileges or cause a denial of service (arbitrary write to a file) by modifying a configuration file. | MEDIUM | Jan 29, 2015 |
CVE-2014-8369 | The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.17.2 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to cause a denial of service (host OS page unpinning) or possibly have unspecified other impact by leveraging guest OS privileges. NOTE: this vulnerability exists because of an incorrect fix for CVE-2014-3601. | Medium | Nov 10, 2014 |
CVE-2014-8368 | The web interface in Aruba Networks AirWave before 7.7.14 and 8.x before 8.0.5 allows remote authenticated users to gain privileges and execute arbitrary commands via unspecified vectors. | High | Nov 26, 2014 |
CVE-2014-8367 | SQL injection vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) 6.2.x, 6.3.x before 6.3.6, and 6.4.x before 6.4.2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | High | Nov 26, 2014 |
CVE-2014-8366 | SQL injection vulnerability in openSIS 4.5 through 5.3 allows remote attackers to execute arbitrary SQL commands via the Username and password to index.php. | High | Oct 24, 2014 |
CVE-2014-8365 | Multiple cross-site scripting (XSS) vulnerabilities in Xornic Contact Us allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) email parameter to contact.php or (3) PATH_INFO to setup.php, related to the PHP_SELF variable. | Medium | Oct 24, 2014 |
CVE-2014-8364 | Cross-site scripting (XSS) vulnerability in ss_handler.php in the WordPress Spreadsheet (wpSS) plugin 0.62 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ss_id parameter. | Medium | Oct 24, 2014 |
CVE-2014-8363 | SQL injection vulnerability in ss_handler.php in the WordPress Spreadsheet (wpSS) plugin 0.62 for WordPress allows remote attackers to execute arbitrary SQL commands via the ss_id parameter. | High | Oct 24, 2014 |
CVE-2014-8362 | Vivint Sky Control Panel 1.1.1.9926 allows remote attackers to enable and disable the alarm system and modify other security settings via the Web-enabled interface. | High | Jan 25, 2017 |
CVE-2014-8361 | The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request. | HIGH | May 1, 2015 |
CVE-2014-8360 | Directory traversal vulnerability in inc/autoload.function.php in GLPI before 0.84.8 allows remote attackers to include and execute arbitrary local files via a .._ (dot dot underscore) in an item type to the getItemForItemtype, as demonstrated by the itemtype parameter in ajax/common.tabs.php. | HIGH | Apr 14, 2015 |
CVE-2014-8359 | Untrusted search path vulnerability in Huawei Mobile Partner for Windows 23.009.05.03.1014 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wintab32.dll in the Mobile Partner directory.Per http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-376152.htm, the Access Vector is Network | High | Nov 13, 2014 |
CVE-2014-8358 | Huawei EC156, EC176, and EC177 USB Modem products with software before UTPS-V200R003B015D02SP07C1014 (23.015.02.07.1014) and before V200R003B015D02SP08C1014 (23.015.02.08.1014) use a weak ACL for the Mobile Partner directory, which allows remote attackers to gain SYSTEM privileges by compromising a low privilege account and modifying Mobile Partner.exe. | -- | Dec 11, 2017 |
CVE-2014-8357 | backupsettings.html in the web administrative portal in Zhone zNID GPON 2426A before S3.0.501 places a session key in a URL, which allows remote attackers to obtain arbitrary user passwords via the sessionKey parameter in a getConfig action to backupsettings.conf. | -- | Oct 17, 2017 |
CVE-2014-8356 | The web administrative portal in Zhone zNID 2426A before S3.0.501 allows remote authenticated users to bypass intended access restrictions via a modified server response, related to an insecure direct object reference. | MEDIUM | Nov 22, 2019 |
CVE-2014-8355 | PCX parser code in ImageMagick before 6.8.9-9 allows remote attackers to cause a denial of service (out-of-bounds read). | Medium | Apr 17, 2017 |
CVE-2014-8354 | The HorizontalFilter function in resize.c in ImageMagick before 6.8.9-9 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted image file. | Medium | Apr 17, 2017 |