LiveActive security incident?Get immediate response
CVE archive

February 2014

Browse CVE records published in February 2014, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 506 matching CVEs · Page 3 of 11.

Unknown · CVSS Not scored

CVE-2014-9042: Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownClo...

Cross-site scripting (XSS) vulnerability in the import functionality in the bookmarks application in ownCloud before 5.0.18, 6.x before 6.0.6, and 7.x before 7.0.3 allows remote authenticated users to inject arbitrary web script or HTML by importing a link with an unspecified protocol. NOTE: this can be leveraged by remote attackers using CVE-2014-9041.

Published Feb 4, 2015 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-8985: Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of servi...

Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-2810, CVE-2014-2811, CVE-2014-2822, CVE-2014-2823, CVE-2014-4057, and CVE-2014-4145.

Published Feb 8, 2018 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-8630: Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1...

Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcomponents privilege and triggering crafted input to a two-argument Perl open call, as demonstrated by shell metacharacters in a product name.

Published Feb 1, 2015 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-8739: Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4...

Unrestricted file upload vulnerability in server/php/UploadHandler.php in the jQuery File Upload Plugin 6.4.4 for jQuery, as used in the Creative Solutions Creative Contact Form (formerly Sexy Contact Form) before 1.0.0 for WordPress and before 2.0.1 for Joomla!, allows remote attackers to execute arbitrary code by uploading a PHP file with an PHP extension, then accessing it via a direct request to the file in files/, as exploited in the wild in October 2014.

Published Feb 8, 2020 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-8690: Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS before 2.1.4 patch 6, 2.2.x before 2.2....

Multiple cross-site scripting (XSS) vulnerabilities in Exponent CMS before 2.1.4 patch 6, 2.2.x before 2.2.3 patch 9, and 2.3.x before 2.3.1 patch 4 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, the (2) src parameter in a none action to index.php, or the (3) "First Name" or (4) "Last Name" field to users/edituser.

Published Feb 19, 2015 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-8612: Multiple array index errors in the Stream Control Transmission Protocol (SCTP) module in FreeBSD 10.1 befor...

Multiple array index errors in the Stream Control Transmission Protocol (SCTP) module in FreeBSD 10.1 before p5, 10.0 before p17, 9.3 before p9, and 8.4 before p23 allow local users to (1) gain privileges via the stream id to the setsockopt function, when setting the SCTIP_SS_VALUE option, or (2) read arbitrary kernel memory via the stream id to the getsockopt function, when getting the SCTP_SS_PRIORITY option.

Published Feb 2, 2015 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-8023: Cisco Adaptive Security Appliance (ASA) Software 9.2(.3) and earlier, when challenge-response authenticatio...

Cisco Adaptive Security Appliance (ASA) Software 9.2(.3) and earlier, when challenge-response authentication is used, does not properly select tunnel groups, which allows remote authenticated users to bypass intended resource-access restrictions via a crafted tunnel-group parameter, aka Bug ID CSCtz48533.

Published Feb 17, 2015 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-7922: The GoogleAuthUtil.getToken method in the Google Play services SDK before 2015 sets parameters in OAuth tok...

The GoogleAuthUtil.getToken method in the Google Play services SDK before 2015 sets parameters in OAuth token requests upon finding a corresponding _opt_ parameter in the Bundle extras argument, which allows attackers to bypass an intended consent dialog and retrieve tokens for arbitrary OAuth scopes including the SID and LSID scopes, and consequently obtain access to a Google account, via a crafted application, as demonstrated by setting the has_permission=1 parameter value upon finding _opt_has_permission in that argument.

Published Feb 23, 2015 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-7864: Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO Manag...

Multiple SQL injection vulnerabilities in the FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine OpManager 8 through 11.5 build 11400 and IT360 10.5 and earlier allow remote attackers and remote authenticated users to execute arbitrary SQL commands via the (1) customerName or (2) serverRole parameter in a standbyUpdateInCentral operation to servlet/com.adventnet.me.opmanager.servlet.FailOverHelperServlet.

Published Feb 4, 2015 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-7849: The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6.2.0 th...

The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6.2.0 through 6.3.2 does not properly verify authorization conditions, which allows remote authenticated users to add, modify, and undefine otherwise restricted attributes by leveraging the Maintainer role.

Published Feb 13, 2015 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-7863: The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 b...

The FailOverHelperServlet (aka FailServlet) servlet in ZOHO ManageEngine Applications Manager before 11.9 build 11912, OpManager 8 through 11.5 build 11400, and IT360 10.5 and earlier does not properly restrict access, which allows remote attackers and remote authenticated users to (1) read arbitrary files via the fileName parameter in a copyfile operation or (2) obtain sensitive information via a directory listing in a listdirectory operation to servlet/FailOverHelperServlet.

Published Feb 8, 2020 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-7827: The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBos...

The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain.

Published Feb 13, 2015 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-7853: The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBoss Enterprise Application Platform (E...

The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 does not properly assign socket-binding-ref sensitivity classification to the security-domain attribute, which allows remote authenticated users to obtain sensitive information by leveraging access to the security-domain attribute.

Published Feb 13, 2015 · Updated Aug 6, 2024