LiveActive security incident?Get immediate response
CVE archive

May 2014

Browse CVE records published in May 2014, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 441 matching CVEs · Page 1 of 9.

Medium · CVSS 6.2

CVE-2014-2349: Emerson DeltaV Use of Improper Authorization

Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.

Published May 22, 2014 · Updated Oct 31, 2025

Low · CVSS 2.4

CVE-2014-2350: Emerson DeltaV Use of Hard-coded Credentials

Emerson DeltaV 10.3.1, 11.3, 11.3.1, and 12.3 uses hardcoded credentials for diagnostic services, which allows remote attackers to bypass intended access restrictions via a TCP session, as demonstrated by a session that uses the telnet program.

Published May 22, 2014 · Updated Oct 31, 2025

High · CVSS 7.5 · CISA KEV

CVE-2014-0130: Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render impl...

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.

Published May 7, 2014 · Updated Oct 22, 2025

Medium · CVSS 5.5 · CISA KEV

CVE-2014-0196: The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage...

The n_tty_write function in drivers/tty/n_tty.c in the Linux kernel through 3.14.3 does not properly manage tty driver access in the "LECHO & !OPOST" case, which allows local users to cause a denial of service (memory corruption and system crash) or gain privileges by triggering a race condition involving read and write operations with long strings.

Published May 7, 2014 · Updated Oct 22, 2025

High · CVSS 8.8 · CISA KEV

CVE-2014-1812: The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows...

The Group Policy implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not properly handle distribution of passwords, which allows remote authenticated users to obtain sensitive credential information and consequently gain privileges by leveraging access to the SYSVOL share, as exploited in the wild in May 2014, aka "Group Policy Preferences Password Elevation of Privilege Vulnerability."

Published May 14, 2014 · Updated Oct 22, 2025

High · CVSS 7.5

CVE-2014-0786: Ecava IntegraXor Information Exposure

Ecava IntegraXor before 4.1.4393 allows remote attackers to read cleartext credentials for administrative accounts via SELECT statements that leverage the guest role.

Published May 1, 2014 · Updated Oct 13, 2025

High · CVSS 7.8

CVE-2014-2352: Cogent DataHub Path Traversal

The directory specifier can include designators that can be used to traverse the directory path. Exploiting this vulnerability may enable an attacker to access a limited number of hardcoded file types. Further exploitation of this vulnerability may allow an attacker to cause the web server component to enter a denial-of-service condition.

Published May 30, 2014 · Updated Oct 3, 2025

High · CVSS 7.1

CVE-2014-2353: Cogent DataHub XSS

Cross-site scripting (XSS) vulnerability in Cogent DataHub before 7.3.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published May 30, 2014 · Updated Oct 3, 2025

High · CVSS 7.5

CVE-2014-2351: CSWorks SQL Injection

SQL injection vulnerability in the LiveData service in CSWorks before 2.5.5233.0 allows remote attackers to execute arbitrary SQL commands via vectors related to pathnames contained in web API requests.

Published May 20, 2014 · Updated Oct 3, 2025

High · CVSS 7

CVE-2014-2347: AMTELCO miSecure Information Exposure

Amtelco miSecureMessages (aka MSM) 6.2 does not properly manage sessions, which allows remote authenticated users to obtain sensitive information via a modified message request.

Published May 6, 2014 · Updated Oct 2, 2025

High · CVSS 8.3

CVE-2014-0782: Yokogawa CENTUM CS 3000 Stack-based Buffer Overflow

Stack-based buffer overflow in BKESimmgr.exe in the Expanded Test Functions package in Yokogawa CENTUM CS 1000, CENTUM CS 3000 Entry Class R3.09.50 and earlier, CENTUM VP R5.03.00 and earlier, CENTUM VP Entry Class R5.03.00 and earlier, Exaopc R3.71.02 and earlier, B/M9000CS R5.05.01 and earlier, and B/M9000 VP R7.03.01 and earlier allows remote attackers to execute arbitrary code via a crafted packet.

Published May 16, 2014 · Updated Sep 25, 2025

High · CVSS 7.1

CVE-2014-1745: Use-after-free vulnerability in the SVG implementation in Blink, as used in Google Chrome before 35.0.1916....

Use-after-free vulnerability in the SVG implementation in Blink, as used in Google Chrome before 35.0.1916.114, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger removal of an SVGFontFaceElement object, related to core/svg/SVGFontFaceElement.cpp.

Published May 21, 2014 · Updated Jun 4, 2025

Medium · CVSS 4.3

CVE-2014-125102: Bestwebsoft Relevant Plugin Thumbnail information disclosure

A vulnerability classified as problematic was found in Bestwebsoft Relevant Plugin up to 1.0.7 on WordPress. Affected by this vulnerability is an unknown functionality of the component Thumbnail Handler. The manipulation leads to information disclosure. The attack can be launched remotely. Upgrading to version 1.0.8 is able to address this issue. The identifier of the patch is 860d1891025548cf0f5f97364c1f51a888f523c3. It is recommended to upgrade the affected component. The identifier VDB-230113 was assigned to this vulnerability.

Published May 29, 2023 · Updated Mar 5, 2025

Low · CVSS 3.3

CVE-2014-125103: BestWebSoft Twitter Plugin twitter.php twttr_settings_page cross site scripting

A vulnerability was found in BestWebSoft Twitter Plugin up to 1.3.2 on WordPress. It has been declared as problematic. Affected by this vulnerability is the function twttr_settings_page of the file twitter.php. The manipulation of the argument twttr_url_twitter/bws_license_key/bws_license_plugin leads to cross site scripting. The attack can be launched remotely. Upgrading to version 1.3.7 is able to address this issue. The patch is named e04d59ab578316ffeb204cf32dc71c0d0e1ff77c. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-230155.

Published May 31, 2023 · Updated Mar 5, 2025

Unknown · CVSS Not scored

CVE-2014-3845: Cross-site request forgery (CSRF) vulnerability in the TinyMCE Color Picker plugin before 1.2 for WordPress...

Cross-site request forgery (CSRF) vulnerability in the TinyMCE Color Picker plugin before 1.2 for WordPress allows remote attackers to hijack the authentication of unspecified users for requests that change plugin settings via unknown vectors. NOTE: some of these details are obtained from third party information.

Published May 22, 2014 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-3455: Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) CreateProperty, (2) CreateTemplate, (...

Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) CreateProperty, (2) CreateTemplate, (3) CreateForm, and (4) CreateClass special pages in the SemanticForms extension for MediaWiki before 1.19.10, 1.2x before 1.21.4, and 1.22.x before 1.22.1 allow remote attackers to hijack the authentication of users for requests that have unspecified impact and vectors.

Published May 12, 2014 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-10064: The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing...

The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.

Published May 31, 2018 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-3923: Multiple cross-site scripting (XSS) vulnerabilities in the Digital Zoom Studio (DZS) Video Gallery plugin f...

Multiple cross-site scripting (XSS) vulnerabilities in the Digital Zoom Studio (DZS) Video Gallery plugin for WordPress allow remote attackers to inject arbitrary web script or HTML via the logoLink parameter to (1) preview.swf, (2) preview_skin_rouge.swf, (3) preview_allchars.swf, or (4) preview_skin_overlay.swf in deploy/.

Published May 30, 2014 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2014-10067: paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which is set by the PayPal IPN simulator) to determi...

paypal-ipn before 3.0.0 uses the `test_ipn` parameter (which is set by the PayPal IPN simulator) to determine if it should use the production PayPal site or the sandbox. With a bit of time, an attacker could craft a request using the simulator that would fool any application which does not explicitly check for test_ipn in production.

Published May 29, 2018 · Updated Sep 17, 2024

Medium · CVSS 5.9

CVE-2014-1423: Online Accounts Signon daemon gives out all oauth tokens to any app

signond before 8.57+15.04.20141127.1-0ubuntu1, as used in Ubuntu Touch, did not properly restrict applications from querying oath tokens due to incorrect checks and the missing installation of the signon-apparmor-extension. An attacker could use this create a malicious click app that collects oauth tokens for other applications, exposing sensitive information.

Published May 7, 2020 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2014-3760: Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DAP 1150 with firmware 1.2.94 allow re...

Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DAP 1150 with firmware 1.2.94 allow remote attackers to hijack the authentication of administrators for requests that (1) enable or (2) disable the DMZ in the Firewall/DMZ section via a request to index.cgi or (3) add, (4) modify, or (5) delete URL-filter settings in the Control/URL-filter section via a request to index.cgi, as demonstrated by adding a rule that blocks access to google.com.

Published May 16, 2014 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2014-3792: Cross-site request forgery (CSRF) vulnerability in Beetel 450TC2 Router with firmware TX6-0Q-005_retail all...

Cross-site request forgery (CSRF) vulnerability in Beetel 450TC2 Router with firmware TX6-0Q-005_retail allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via the uiViewTools_Password and uiViewTools_PasswordConfirm parameters to Forms/tools_admin_1.

Published May 20, 2014 · Updated Sep 16, 2024

Medium · CVSS 4

CVE-2014-125100: BestWebSoft Job Board Plugin cross site scripting

A vulnerability classified as problematic was found in BestWebSoft Job Board Plugin 1.0.0 on WordPress. This vulnerability affects unknown code. The manipulation leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 1.0.1 is able to address this issue. The name of the patch is dbb71deee071422ce3e663fbcdce3ad24886f940. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-227764.

Published May 2, 2023 · Updated Aug 6, 2024

Medium · CVSS 6.5

CVE-2014-125101: Portfolio Gallery Plugin sql injection

A vulnerability classified as critical has been found in Portfolio Gallery Plugin up to 1.1.8 on WordPress. This affects an unknown part. The manipulation leads to sql injection. It is possible to initiate the attack remotely. Upgrading to version 1.1.9 is able to address this issue. The identifier of the patch is 58ed88243e17df766036f4857041edaf358076d3. It is recommended to upgrade the affected component. The identifier VDB-230085 was assigned to this vulnerability.

Published May 28, 2023 · Updated Aug 6, 2024