The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2014-4996 | lib/vlad/dba/mysql.rb in the VladTheEnterprising gem 0.2 for Ruby allows local users to write to arbitrary files via a symlink attack on /tmp/my.cnf.#{target_host}. | LOW | Jan 10, 2018 |
CVE-2014-4995 | Race condition in lib/vlad/dba/mysql.rb in the VladTheEnterprising gem 0.2 for Ruby allows local users to obtain sensitive information by reading the MySQL root password from a temporary file before it is removed. | LOW | Jan 10, 2018 |
CVE-2014-4994 | lib/gyazo/client.rb in the gyazo gem 1.0.0 for Ruby allows local users to write to arbitrary files via a symlink attack on a temporary file, related to time-based filenames. | LOW | Jan 10, 2018 |
CVE-2014-4993 | (1) lib/backup/cli/utility.rb in the backup-agoddard gem 3.0.28 and (2) lib/backup/cli/utility.rb in the backup_checksum gem 3.0.23 for Ruby place credentials on the openssl command line, which allows local users to obtain sensitive information by listing the process. | LOW | Jan 10, 2018 |
CVE-2014-4992 | lib/cap-strap/helpers.rb in the cap-strap gem 0.1.5 for Ruby places credentials on the useradd command line, which allows local users to obtain sensitive information by listing the process. | LOW | Jan 10, 2018 |
CVE-2014-4991 | (1) lib/dataset/database/mysql.rb and (2) lib/dataset/database/postgresql.rb in the codders-dataset gem 1.3.2.1 for Ruby place credentials on the mysqldump command line, which allows local users to obtain sensitive information by listing the process. | LOW | Jan 10, 2018 |
CVE-2014-4987 | server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x before 4.2.6 allows remote authenticated users to bypass intended access restrictions and read the MySQL user list via a viewUsers request. | Medium | Jul 22, 2014 |
CVE-2014-4986 | Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) table name or (2) column name that is improperly handled during construction of an AJAX confirmation message. | Low | Jul 22, 2014 |
CVE-2014-4984 | Déjà Vu Crescendo Sales CRM has remote SQL Injection | HIGH | Jan 15, 2020 |
CVE-2014-4982 | LPAR2RRD ? 4.53 and ? 3.5 has arbitrary command injection on the application server. | HIGH | Jan 10, 2020 |
CVE-2014-4981 | LPAR2RRD in 3.5 and earlier allows remote attackers to execute arbitrary commands due to insufficient input sanitization of the web GUI parameters. | HIGH | Feb 20, 2020 |
CVE-2014-4980 | The /server/properties resource in Tenable Web UI before 2.3.5 for Nessus 5.2.3 through 5.2.7 allows remote attackers to obtain sensitive information via the token parameter. | Medium | Jul 24, 2014 |
CVE-2014-4979 | Apple QuickTime allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a malformed version number and flags in an mvhd atom. | High | Jul 28, 2014 |
CVE-2014-4978 | The rs_filter_graph function in librawstudio/rs-filter.c in rawstudio might allow local users to truncate arbitrary files via a symlink attack on (1) /tmp/rs-filter-graph.png or (2) /tmp/rs-filter-graph. | -- | Dec 29, 2017 |
CVE-2014-4977 | Multiple SQL injection vulnerabilities in Dell SonicWall Scrutinizer 11.0.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) selectedUserGroup parameter in a create new user request to cgi-bin/admin.cgi or the (2) user_id parameter in the changeUnit function, (3) methodDetail parameter in the methodDetail function, or (4) xcNetworkDetail parameter in the xcNetworkDetail function in d4d/exporters.php. | Medium | Jul 16, 2014 |
CVE-2014-4976 | Dell SonicWall Scrutinizer 11.0.1 allows remote authenticated users to change the change user passwords via the user ID in the savePrefs parameter in a change password request to cgi-bin/admin.cgi. | Medium | Jul 16, 2014 |
CVE-2014-4975 | Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow. | Medium | Nov 17, 2014 |
CVE-2014-4974 | The ESET Personal Firewall NDIS filter (EpFwNdis.sys) kernel mode driver, aka Personal Firewall module before Build 1212 (20140609), as used in multiple ESET products 5.0 through 7.0, allows local users to obtain sensitive information from kernel memory via crafted IOCTL calls. | Low | Nov 5, 2014 |
CVE-2014-4973 | The ESET Personal Firewall NDIS filter (EpFwNdis.sys) driver in the Firewall Module Build 1183 (20140214) and earlier in ESET Smart Security and ESET Endpoint Security products 5.0 through 7.0 allows local users to gain privileges via a crafted argument to a 0x830020CC IOCTL call. | Medium | Sep 24, 2014 |
CVE-2014-4972 | Unrestricted file upload vulnerability in the Gravity Upload Ajax plugin 1.1 and earlier for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file under wp-content/uploads/gravity_forms. | HIGH | Jan 8, 2018 |
CVE-2014-4971 | Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem.CWE-123: Write-what-where Condition <a href=http://cwe.mitre.org/data/definitions/123.html>CWE-123: Write-what-where Condition</a> | High | Jul 28, 2014 |
CVE-2014-4968 | The WebView class and use of the WebView.addJavascriptInterface method in the Boat Browser application 8.0 and 8.0.1 for Android allow remote attackers to execute arbitrary code via a crafted web site, a related issue to CVE-2012-6636. | MEDIUM | Feb 12, 2020 |
CVE-2014-4967 | Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing src= clause, (2) a trailing temp= clause, or (3) a trailing validate= clause accompanied by a shell command. | HIGH | Feb 26, 2020 |
CVE-2014-4966 | Ansible before 1.6.7 does not prevent inventory data with {{ and lookup substrings, and does not prevent remote data with {{ substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup(\'pipe\') calls or (2) crafted Jinja2 data. | HIGH | Feb 26, 2020 |
CVE-2014-4965 | Multiple cross-site scripting (XSS) vulnerabilities in Shopizer 1.1.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) customername parameter to central/orders/searchcriteria.action; (2) productname, (3) availability, or (4) status parameter to central/catalog/productlist.action; or unspecified vectors in (5) WebContent/orders/orderlist.jsp. | Medium | Jul 18, 2014 |
CVE-2014-4964 | Multiple cross-site request forgery (CSRF) vulnerabilities in Shopizer 1.1.5 and earlier allow remote attackers to hijack the authentication of users for requests that (1) modify customer settings or hijack the authentication of administrators for requests that change (2) customer passwords, (3) shop configuration, or (4) product details, as demonstrated by (5) modify a product's price via a crafted request to central/catalog/saveproduct.action or (6) creating a product review via a crafted request to shop/product/createReview.action. | Medium | Jul 18, 2014 |
CVE-2014-4963 | Shopizer 1.1.5 and earlier allows remote attackers to modify the account settings of arbitrary users via the customer.customerId parameter to shop/profile/register.action. | Medium | Jul 16, 2014 |
CVE-2014-4962 | Shopizer 1.1.5 and earlier allows remote attackers to reduce the total cost of their shopping cart via a negative number in the productQuantity parameter, which causes the price of the item to be subtracted from the total cost. | Medium | Jul 16, 2014 |
CVE-2014-4960 | Multiple SQL injection vulnerabilities in modelsgallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php. | High | Jul 22, 2014 |
CVE-2014-4959 | **DISPUTED** SQL injection vulnerability in SQLiteDatabase.java in the SQLi Api in Android allows remote attackers to execute arbitrary SQL commands via the delete method. | HIGH | Apr 23, 2018 |
CVE-2014-4958 | Cross-site scripting (XSS) vulnerability in Telerik UI for ASP.NET AJAX RadEditor control 2014.1.403.35, 2009.3.1208.20, and other versions allows remote attackers to inject arbitrary web script or HTML via CSS expressions in style attributes. | Medium | Oct 4, 2014 |
CVE-2014-4955 | Cross-site scripting (XSS) vulnerability in the PMA_TRI_getRowForList function in libraries/rte/rte_list.lib.php in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted trigger name that is improperly handled on the database triggers page. | Low | Jul 22, 2014 |
CVE-2014-4954 | Cross-site scripting (XSS) vulnerability in the PMA_getHtmlForActionLinks function in libraries/structure.lib.php in phpMyAdmin 4.2.x before 4.2.6 allows remote authenticated users to inject arbitrary web script or HTML via a crafted table comment that is improperly handled during construction of a database structure page. | Low | Jul 23, 2014 |
CVE-2014-4953 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2014. Notes: none | -- | Nov 7, 2023 |
CVE-2014-4952 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2014. Notes: none | -- | Nov 7, 2023 |
CVE-2014-4951 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2014. Notes: none | -- | Nov 7, 2023 |
CVE-2014-4950 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2014. Notes: none | -- | Nov 7, 2023 |
CVE-2014-4949 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2014. Notes: none | -- | Nov 7, 2023 |
CVE-2014-4948 | Unspecified vulnerability in Citrix XenServer 6.2 Service Pack 1 and earlier allows attackers to cause a denial of service and obtain sensitive information by modifying the guest virtual hard disk (VHD). | Medium | Aug 1, 2014 |
CVE-2014-4947 | Buffer overflow in the HVM graphics console support in Citrix XenServer 6.2 Service Pack 1 and earlier has unspecified impact and attack vectors. | High | Aug 1, 2014 |
CVE-2014-4946 | Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via (1) unspecified flags or (2) a mailbox name in the dynamic mailbox view. | Medium | Jul 14, 2014 |
CVE-2014-4945 | Multiple cross-site scripting (XSS) vulnerabilities in Horde Internet Mail Program (IMP) before 6.1.8, as used in Horde Groupware Webmail Edition before 5.1.5, allow remote attackers to inject arbitrary web script or HTML via an unspecified flag in the basic (1) mailbox or (2) message view. | Medium | Jul 14, 2014 |
CVE-2014-4944 | Multiple SQL injection vulnerabilities in inc/bsk-pdf-dashboard.php in the BSK PDF Manager plugin 1.3.2 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) categoryid or (2) pdfid parameter to wp-admin/admin.php. | Medium | Jul 14, 2014 |
CVE-2014-4943 | The PPPoL2TP feature in net/l2tp/l2tp_ppp.c in the Linux kernel through 3.15.6 allows local users to gain privileges by leveraging data-structure differences between an l2tp socket and an inet socket. | Medium | Aug 1, 2014 |
CVE-2014-4942 | The EasyCart (wp-easycart) plugin before 2.0.6 for WordPress allows remote attackers to obtain configuration information via a direct request to inc/admin/phpinfo.php, which calls the phpinfo function. | Medium | Jul 14, 2014 |
CVE-2014-4941 | Absolute path traversal vulnerability in Cross-RSS (wp-cross-rss) plugin 1.7 for WordPress allows remote attackers to read arbitrary files via a full pathname in the rss parameter to proxy.php. | Medium | Jul 14, 2014 |
CVE-2014-4940 | Multiple directory traversal vulnerabilities in Tera Charts (tera-charts) plugin 0.1 for WordPress allow remote attackers to read arbitrary files via a .. (dot dot) in the fn parameter to (1) charts/treemap.php or (2) charts/zoomabletreemap.php. | Medium | Jul 14, 2014 |
CVE-2014-4939 | SQL injection vulnerability in the ENL Newsletter (enl-newsletter) plugin 1.0.1 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the id parameter in the enl-add-new page to wp-admin/admin.php. | Medium | Jul 14, 2014 |
CVE-2014-4938 | SQL injection vulnerability in the WP Rss Poster (wp-rss-poster) plugin 1.0.0 for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter in the wrp-add-new page to wp-admin/admin.php. | High | Jul 14, 2014 |
CVE-2014-4937 | Directory traversal vulnerability in includes/bookx_export.php BookX plugin 1.7 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. | Medium | Jul 14, 2014 |