LiveActive security incident?Get immediate response
CVE archive

January 2014

Browse CVE records published in January 2014, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 895 matching CVEs · Page 1 of 18.

Critical · CVSS 10

CVE-2014-5419: GE Multilink Use of Hard-coded Cryptographic Key

GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier use the same RSA private key across different customers' installations, which makes it easier for remote attackers to obtain the cleartext content of network traffic by reading this key from a firmware image and then sniffing the network.

Published Jan 17, 2015 · Updated Nov 4, 2025

Medium · CVSS 5

CVE-2014-5418: GE Multilink Uncontrolled Resource Consumption

GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier allow remote attackers to cause a denial of service (resource consumption or reboot) via crafted packets.

Published Jan 17, 2015 · Updated Nov 4, 2025

High · CVSS 8 · CISA KEV

CVE-2014-100005: Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev.

Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account or (2) enable remote management via a crafted configuration module to hedwig.cgi, (3) activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to pigwidgeon.cgi, or (4) send a ping via a ping action to diagnostic.php.

Published Jan 13, 2015 · Updated Oct 22, 2025

Medium · CVSS 6.6

CVE-2014-2355: GE Proficy HMI/SCADA CIMPLICITY CimView

The (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIMPLICITY 8.2 and earlier allow remote attackers to gain privileges via a crafted CIMPLICITY screen (aka .CIM) file.

Published Jan 17, 2015 · Updated Oct 3, 2025

High · CVSS 7.8

CVE-2014-0753: Ecava IntegraXor Stack-based Buffer Overflow

Stack-based buffer overflow in the SCADA server in Ecava IntegraXor before 4.1.4390 allows remote attackers to cause a denial of service (system crash) by triggering access to DLL code located in the IntegraXor directory.

Published Jan 21, 2014 · Updated Aug 25, 2025

High · CVSS 7.5

CVE-2014-0750: GE Proficy HMI/SCADA Path Traversal

Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted HTTP request, aka ZDI-CAN-1622.

Published Jan 25, 2014 · Updated Aug 22, 2025

Medium · CVSS 6.8

CVE-2014-0751: GE Proficy HMI/SCADA Path Traversal

The CIMPLICITY Web-based access component, CimWebServer, does not check the location of shell files being loaded into the system. By modifying the source location, an attacker could send shell code to the CimWebServer which would deploy the nefarious files as part of any SCADA project. This could allow the attacker to execute arbitrary code.

Published Jan 25, 2014 · Updated Aug 22, 2025

Medium · CVSS 5.5

CVE-2014-125041: Miccighel PR-CWT sql injection

A vulnerability classified as critical was found in Miccighel PR-CWT. This vulnerability affects unknown code. The manipulation leads to sql injection. The patch is identified as e412127d07004668e5a213932c94807d87067a1f. It is recommended to apply a patch to fix this issue. VDB-217486 is the identifier assigned to this vulnerability.

Published Jan 5, 2023 · Updated May 27, 2025

Medium · CVSS 5.5

CVE-2014-125046: Seiji42 cub-scout-tracker databaseAccessFunctions.js sql injection

A vulnerability, which was classified as critical, was found in Seiji42 cub-scout-tracker. This affects an unknown part of the file databaseAccessFunctions.js. The manipulation leads to sql injection. The patch is named b4bc1a328b1f59437db159f9d136d9ed15707e31. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217551.

Published Jan 6, 2023 · Updated Apr 10, 2025

Low · CVSS 3.1

CVE-2014-125057: mrobit robitailletheknot CSRF Token filters.php comparison

A vulnerability was found in mrobit robitailletheknot. It has been classified as problematic. This affects an unknown part of the file app/filters.php of the component CSRF Token Handler. The manipulation of the argument _token leads to incorrect comparison. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The patch is named 6b2813696ccb88d0576dfb305122ee880eb36197. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217599.

Published Jan 7, 2023 · Updated Apr 9, 2025

Medium · CVSS 5.5

CVE-2014-125079: agy pontifex.http Http.coffee sql injection

A vulnerability was found in agy pontifex.http. It has been declared as critical. This vulnerability affects unknown code of the file lib/Http.coffee. The manipulation leads to sql injection. Upgrading to version 0.1.0 is able to address this issue. The name of the patch is e52a758f96861dcef2dabfecb9da191bb2e07761. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218356.

Published Jan 15, 2023 · Updated Apr 8, 2025

Medium · CVSS 6.3

CVE-2014-125030: taoeffect Empress hard-coded password

A vulnerability, which was classified as critical, has been found in taoeffect Empress. Affected by this issue is some unknown functionality. The manipulation leads to use of hard-coded password. The patch is identified as 557e177d8a309d6f0f26de46efb38d43e000852d. It is recommended to apply a patch to fix this issue. VDB-217154 is the identifier assigned to this vulnerability.

Published Jan 1, 2023 · Updated Nov 25, 2024

Medium · CVSS 5.5

CVE-2014-125038: IS_Projecto2 NewsBean.java sql injection

A vulnerability has been found in IS_Projecto2 and classified as critical. This vulnerability affects unknown code of the file Cnn-EJB/ejbModule/ejbs/NewsBean.java. The manipulation of the argument date leads to sql injection. The name of the patch is aa128b2c9c9fdcbbf5ecd82c1e92103573017fe0. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217192.

Published Jan 2, 2023 · Updated Nov 25, 2024

Medium · CVSS 5.5

CVE-2014-125050: ScottTZhang voter-js main.js sql injection

A vulnerability was found in ScottTZhang voter-js and classified as critical. Affected by this issue is some unknown functionality of the file main.js. The manipulation leads to sql injection. The patch is identified as 6317c67a56061aeeaeed3cf9ec665fd9983d8044. It is recommended to apply a patch to fix this issue. VDB-217562 is the identifier assigned to this vulnerability.

Published Jan 6, 2023 · Updated Nov 25, 2024

Medium · CVSS 5.5

CVE-2014-125071: lukehutch Gribbit HttpRequestHandler.java messageReceived missing origin validation in websockets

A vulnerability was found in lukehutch Gribbit. It has been classified as problematic. Affected is the function messageReceived of the file src/gribbit/request/HttpRequestHandler.java. The manipulation leads to missing origin validation in websockets. The name of the patch is 620418df247aebda3dd4be1dda10fe229ea505dd. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217716.

Published Jan 9, 2023 · Updated Nov 25, 2024

Medium · CVSS 5.5

CVE-2014-125073: mapoor voteapp app.py show_refresh sql injection

A vulnerability was found in mapoor voteapp. It has been rated as critical. Affected by this issue is the function create_poll/do_poll/show_poll/show_refresh of the file app.py. The manipulation leads to sql injection. The patch is identified as b290c21a0d8bcdbd55db860afd3cadec97388e72. It is recommended to apply a patch to fix this issue. VDB-217790 is the identifier assigned to this vulnerability.

Published Jan 10, 2023 · Updated Nov 25, 2024

Medium · CVSS 5.5

CVE-2014-125063: ada-l0velace Bid sql injection

A vulnerability was found in ada-l0velace Bid and classified as critical. This issue affects some unknown processing. The manipulation leads to sql injection. The identifier of the patch is abd71140b8219fa8741d0d8a57ab27d5bfd34222. It is recommended to apply a patch to fix this issue. The identifier VDB-217625 was assigned to this vulnerability.

Published Jan 7, 2023 · Updated Oct 15, 2024

Medium · CVSS 5.5

CVE-2014-125083: Anant Labs google-enterprise-connector-dctm sql injection

A vulnerability has been found in Anant Labs google-enterprise-connector-dctm up to 3.2.3 and classified as critical. Affected by this vulnerability is an unknown functionality. The manipulation of the argument username/domain leads to sql injection. The patch is named 6fba04f18ab7764002a1da308e7cd9712b501cb7. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218911.

Published Jan 19, 2023 · Updated Oct 15, 2024

Unknown · CVSS Not scored

CVE-2014-9509: The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x be...

The frontend rendering component in TYPO3 4.5.x before 4.5.39, 4.6.x through 6.2.x before 6.2.9, and 7.x before 7.0.2, when config.prefixLocalAnchors is set to all or cached, allows remote attackers to have an unspecified impact (possibly resource consumption) via a "Cache Poisoning" attack using a URL with arbitrary arguments, which triggers a reload of the page.

Published Jan 4, 2015 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-10027: Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DAP-1360 router with firmware 2.5.4 an...

Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DAP-1360 router with firmware 2.5.4 and earlier allow remote attackers to hijack the authentication of unspecified users for requests that (1) change the MAC filter restrict mode, (2) add a MAC address to the filter, or (3) remove a MAC address from the filter via a crafted request to index.cgi.

Published Jan 13, 2015 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-10024: Multiple integer signedness errors in DirectShowDemuxFilter, as used in Divx Web Player, Divx Player, and o...

Multiple integer signedness errors in DirectShowDemuxFilter, as used in Divx Web Player, Divx Player, and other Divx plugins, allow remote attackers to execute arbitrary code via a (1) negative or (2) large value in a Stream Format (STRF) chunk in an AVI file, which triggers a heap-based buffer overflow.

Published Jan 13, 2015 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-9524: Multiple cross-site request forgery (CSRF) vulnerabilities in the Facebook Like Box (cardoza-facebook-like-...

Multiple cross-site request forgery (CSRF) vulnerabilities in the Facebook Like Box (cardoza-facebook-like-box) plugin before 2.8.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or conduct cross-site scripting (XSS) attacks via the (2) frm_title, (3) frm_url, (4) frm_border_color, (5) frm_width, or (6) frm_height parameter in the slug_for_fb_like_box page to wp-admin/admin.php.

Published Jan 5, 2015 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-9596: Panasonic Arbitrator Back-End Server (BES) MK 2.0 VPU before 9.3.1 build 4.08.003.0, when USB Wi-Fi or Dire...

Panasonic Arbitrator Back-End Server (BES) MK 2.0 VPU before 9.3.1 build 4.08.003.0, when USB Wi-Fi or Direct LAN is enabled, and MK 3.0 VPU before 9.3.1 build 5.06.000.0, when Embedded Wi-Fi or Direct LAN is enabled, does not use encryption, which allows remote attackers to obtain sensitive information by sniffing the network for client-server traffic, as demonstrated by Active Directory credential information.

Published Jan 15, 2015 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-9523: Multiple cross-site request forgery (CSRF) vulnerabilities in the Our Team Showcase (our-team-enhanced) plu...

Multiple cross-site request forgery (CSRF) vulnerabilities in the Our Team Showcase (our-team-enhanced) plugin before 1.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings via unspecified vectors or (2) conduct cross-site scripting (XSS) attacks via the sc_our_team_member_count parameter in the sc_team_settings page to wp-admin/edit.php.

Published Jan 5, 2015 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2014-9521: Unrestricted file upload vulnerability in uploadScript.php in InfiniteWP Admin Panel before 2.4.4, when the...

Unrestricted file upload vulnerability in uploadScript.php in InfiniteWP Admin Panel before 2.4.4, when the allWPFiles query parameter is set, allows remote attackers to execute arbitrary code by uploading a file with a double extension, then accessing it via a direct request to the file in the uploads directory, as demonstrated by the .php.swp filename.

Published Jan 5, 2015 · Updated Sep 16, 2024