LiveActive security incident?Get immediate response
CVE archive

April 2014

Browse CVE records published in April 2014, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 648 matching CVEs · Page 1 of 13.

Medium · CVSS 6.8

CVE-2014-5400: Hospira MedNet Password in Configuration File

The installation component in Hospira MedNet before 6.1 places cleartext credentials in configuration files, which allows local users to obtain sensitive information by reading a file.

Published Apr 3, 2015 · Updated Nov 3, 2025

Critical · CVSS 9

CVE-2014-5405: Hospira MedNet Use of Hard-coded Password

Hospira MedNet before 6.1 uses a hardcoded cleartext password to control SQL database authorization, which allows remote authenticated users to bypass intended access restrictions by leveraging knowledge of this password.

Published Apr 3, 2015 · Updated Nov 3, 2025

Medium · CVSS 6.8

CVE-2014-5403: Hospira MedNet Use of Hard-coded Cryptographic Key

Hospira MedNet before 6.1 uses hardcoded cryptographic keys for protection of data transmission from infusion pumps, which allows remote attackers to obtain sensitive information by sniffing the network.

Published Apr 3, 2015 · Updated Nov 3, 2025

High · CVSS 7.5

CVE-2014-0160: The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Ex...

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.

Published Apr 7, 2014 · Updated Oct 22, 2025

Critical · CVSS 9.8 · CISA KEV

CVE-2014-0780: InduSoft Web Studio Path Traversal

Directory traversal vulnerability in NTWebServer in InduSoft Web Studio 7.1 before SP2 Patch 4 allows remote attackers to read administrative passwords in APP files, and consequently execute arbitrary code, via unspecified web requests.

Published Apr 25, 2014 · Updated Oct 22, 2025

Critical · CVSS 9.8 · CISA KEV

CVE-2014-1776: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute...

Use-after-free vulnerability in Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via vectors related to the CMarkup::IsConnectedToPrimaryMarkup function, as exploited in the wild in April 2014. NOTE: this issue originally emphasized VGX.DLL, but Microsoft clarified that "VGX.DLL does not contain the vulnerable code leveraged in this exploit. Disabling VGX.DLL is an exploit-specific workaround that provides an immediate, effective workaround to help block known attacks."

Published Apr 27, 2014 · Updated Oct 22, 2025

Medium · CVSS 5

CVE-2014-0789: Schneider Electric OPC Factory Server Buffer Overflow

Multiple buffer overflows in the OPC Automation 2.0 Server Object ActiveX control in Schneider Electric OPC Factory Server (OFS) TLXCDSUOFS33 3.5 and earlier, TLXCDSTOFS33 3.5 and earlier, TLXCDLUOFS33 3.5 and earlier, TLXCDLTOFS33 3.5 and earlier, and TLXCDLFOFS33 3.5 and earlier allow remote attackers to cause a denial of service via long arguments to unspecified functions.

Published Apr 4, 2014 · Updated Sep 25, 2025

High · CVSS 8.3

CVE-2014-0777: OServer Out of Bounds Read

The Modbus slave/outstation driver in the OPC Drivers 1.0.20 and earlier in IOServer OPC Server allows remote attackers to cause a denial of service (out-of-bounds read and daemon crash) via a crafted packet.

Published Apr 11, 2014 · Updated Sep 24, 2025

Medium · CVSS 5

CVE-2014-0772: Advantech WebAccess File and Directory Information Exposure

The BWOCXRUN.BwocxrunCtrl.1 control contains a method named OpenUrlToBufferTimeout. This method takes a URL as a parameter and returns its contents to the caller in JavaScript. The URLs are accessed in the security context of the current browser session. The control does not perform any URL validation and allows file:// URLs that access the local disk. The method can be used to open a URL (including file URLs) and read the URLs through JavaScript. This method could also be used to reach any arbitrary URL to which the browser has access.

Published Apr 12, 2014 · Updated Sep 19, 2025

High · CVSS 7.5

CVE-2014-0773: Advantech WebAccess Command Injection

The BWOCXRUN.BwocxrunCtrl.1 control contains a method named “CreateProcess.” This method contains validation to ensure an attacker cannot run arbitrary command lines. After validation, the values supplied in the HTML are passed to the Windows CreateProcessA API. The validation can be bypassed allowing for running arbitrary command lines. The command line can specify running remote files (example: UNC command line). A function exists at offset 100019B0 of bwocxrun.ocx. Inside this function, there are 3 calls to strstr to check the contents of the user specified command line. If “\setup.exe,” “\bwvbprt.exe,” or “\bwvbprtl.exe” are contained in the command line (strstr returns nonzero value), the command line passes validation and is then passed to CreateProcessA.

Published Apr 12, 2014 · Updated Sep 19, 2025

High · CVSS 7.5

CVE-2014-0771: Advantech WebAccess File and Directory Information Exposure

The BWOCXRUN.BwocxrunCtrl.1 control contains a method named “OpenUrlToBuffer.” This method takes a URL as a parameter and returns its contents to the caller in JavaScript. The URLs are accessed in the security context of the current browser session. The control does not perform any URL validation and allows “file://” URLs that access the local disk. The method can be used to open a URL (including file URLs) and read file URLs through JavaScript. This method could also be used to reach any arbitrary URL to which the browser has access.

Published Apr 12, 2014 · Updated Sep 19, 2025

High · CVSS 7.5

CVE-2014-0770: Advantech WebAccess Stack-based Buffer Overflow

By providing an overly long string to the UserName parameter, an attacker may be able to overflow the static stack buffer. The attacker may then execute code on the target device remotely.

Published Apr 12, 2014 · Updated Sep 19, 2025

High · CVSS 7.5

CVE-2014-0767: Advantech WebAccess Stack-based Buffer Overflow

An attacker may exploit this vulnerability by passing an overly long value from the AccessCode argument to the control. This will overflow the static stack buffer. The attacker may then execute code on the target device remotely.

Published Apr 12, 2014 · Updated Sep 19, 2025

High · CVSS 7.5

CVE-2014-0766: Advantech WebAccess Stack-based Buffer Overflow

An attacker can exploit this vulnerability by copying an overly long NodeName2 argument into a statically sized buffer on the stack to overflow the static stack buffer. An attacker may use this vulnerability to remotely execute arbitrary code.

Published Apr 12, 2014 · Updated Sep 19, 2025

High · CVSS 7.5

CVE-2014-0765: Advantech WebAccess Stack-based Buffer Overflow

To exploit this vulnerability, the attacker sends data from the GotoCmd argument to control. If the value of the argument is overly long, the static stack buffer can be overflowed. This will allow the attacker to execute arbitrary code remotely.

Published Apr 12, 2014 · Updated Sep 19, 2025

High · CVSS 7.5

CVE-2014-0764: Advantech WebAccess Stack-based Buffer Overflow

By providing an overly long string to the NodeName parameter, an attacker may be able to overflow the static stack buffer. The attacker may then execute code on the target device remotely.

Published Apr 12, 2014 · Updated Sep 19, 2025

High · CVSS 7.5

CVE-2014-0763: Advantech WebAccess SQL Injection

An attacker using SQL injection may use arguments to construct queries without proper sanitization. The DBVisitor.dll is exposed through SOAP interfaces, and the exposed functions are vulnerable to SOAP injection. This may allow unexpected SQL action and access to records in the table of the software database or execution of arbitrary code.

Published Apr 12, 2014 · Updated Sep 19, 2025

Critical · CVSS 9.3

CVE-2014-0760: Festo CECX-X-(C1/M1) Controller Improper Authentication

The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion provide an undocumented access method involving the FTP protocol, which could allow a remote attacker to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors.

Published Apr 25, 2014 · Updated Jul 2, 2025

Critical · CVSS 9.3

CVE-2014-0769: Festo CECX-X-(C1/M1) Controller Improper Authentication

The Festo CECX-X-C1 Modular Master Controller with CoDeSys and CECX-X-M1 Modular Controller with CoDeSys and SoftMotion do not require authentication for connections to certain TCP ports, which allows remote attackers to (1) modify the configuration via a request to the debug service on port 4000 or (2) delete log entries via a request to the log service on port 4001.

Published Apr 25, 2014 · Updated Jul 2, 2025

Unknown · CVSS Not scored

CVE-2014-0181: The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing...

The Netlink implementation in the Linux kernel through 3.14.1 does not provide a mechanism for authorizing socket operations based on the opener of a socket, which allows local users to bypass intended access restrictions and modify network configurations by using a Netlink socket for the (1) stdout or (2) stderr of a setuid program.

Published Apr 27, 2014 · Updated Feb 13, 2025

Medium · CVSS 5

CVE-2014-125098: Dart http_server Directory Listing virtual_directory.dart VirtualDirectory cross site scripting

A vulnerability was found in Dart http_server up to 0.9.5 and classified as problematic. Affected by this issue is the function VirtualDirectory of the file lib/src/virtual_directory.dart of the component Directory Listing Handler. The manipulation of the argument request.uri.path leads to cross site scripting. The attack may be launched remotely. Upgrading to version 0.9.6 is able to address this issue. The name of the patch is 27c1cbd8125bb0369e675eb72e48218496e48ffb. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-225356.

Published Apr 10, 2023 · Updated Feb 7, 2025

Medium · CVSS 4

CVE-2014-125094: phpMiniAdmin cross site scripting

A vulnerability classified as problematic was found in phpMiniAdmin up to 1.8.120510. Affected by this vulnerability is an unknown functionality. The manipulation leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.9.140405 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-225001 was assigned to this vulnerability.

Published Apr 6, 2023 · Updated Nov 22, 2024

Unknown · CVSS Not scored

CVE-2014-9998: In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon...

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear IPQ4019, IPQ8064, MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, QCA4531, QCA6174A, QCA6574AU, QCA6584, QCA6584AU, QCA9377, QCA9378, QCA9379, QCA9558, QCA9880, QCA9886, QCA9980, SD 210/SD 212/SD 205, SD 425, SD 625, SD 808, SD 810, SD 820, and SDX20, while processing firmware image signature, the internal buffer may overflow if the firmware signature size is large.

Published Apr 18, 2018 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-10057: In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MDM9615, MDM9625...

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MDM9615, MDM9625, MDM9635M, MDM9640, MDM9650, SD 210/SD 212/SD 205, SD 400, SD 425, SD 430, SD 435, SD 617, SD 625, and Snapdragon_High_Med_2016, binary Calibration files under data/misc/audio have 777 permissions.

Published Apr 18, 2018 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-10043: In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon W...

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon Wear MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, and SD 800, while reading PlayReady rights string information from command buffer (which is sent from non-secure side), if length of rights string is very large, a buffer over read occurs, exposing TZ App memory to non-secure side.

Published Apr 18, 2018 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-10046: In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MDM9615, MDM9625...

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MDM9615, MDM9625, MDM9635M, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 615/16/SD 415, SD 800, SD 808, and SD 810, use after free vulnerability when the PDN throttle info block is freed without clearing the corresponding active timer.

Published Apr 18, 2018 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-9990: In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon W...

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9615, MDM9625, MDM9635M, MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 600, SD 615/16/SD 415, SD 625, SD 650/52, SD 808, SD 810, and SD 450, lack of input validation could lead to an out of bound array access.

Published Apr 18, 2018 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-9997: In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon W...

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9625, MDM9635M, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 615/16/SD 415, SD 450, SD 625, SD 650/52, SD 808, and SD 810, lack of input validation in PRDiagMaintenanceHandler can leads to buffer over read.

Published Apr 18, 2018 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-10054: In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon...

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9607, MDM9635M, MDM9640, MDM9650, MSM8909W, QCA6174A, QCA6574AU, QCA9377, QCA9379, SD 210/SD 212/SD 205, SD 400, SD 450, SD 410/12, SD 425, SD 430, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, and SDX20, lack of input validation on BT HCI commands processing allows privilege escalation.

Published Apr 18, 2018 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-2829: Erlang Solutions MongooseIM through 1.3.1 rev.

Erlang Solutions MongooseIM through 1.3.1 rev. 2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.

Published Apr 11, 2014 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-10062: In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon W...

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile and Snapdragon Wear MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 430, SD 450, SD 600, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 800, SD 808, SD 810, SD 820, SD 835, and SDX20, LocationService is being exported, which is a way for a service to expose its methods to other services. This makes it possible for any other services to import LocationService and call into the exposed method for bringing up a data connection.

Published Apr 18, 2018 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-9987: In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon...

In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Automobile, Snapdragon Mobile, and Snapdragon Wear MDM9206, MDM9650, SD 210/SD 212/SD 205, SD 410/12, SD 425, SD 430, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 808, SD 810, SD 820, SD 820A, SD 835, SD 845, and SD 850, a buffer over-read can occur in a DRM API.

Published Apr 18, 2018 · Updated Sep 17, 2024