Unknown · CVSS Not scored
McAfee Network Data Loss Prevention (NDLP) before 9.3 stores the SSH key in cleartext, which allows local users to obtain sensitive information via unspecified vectors.
Published Oct 29, 2014 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Google Doubleclick for Publishers (DFP) module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "administer dfp" permission to inject arbitrary web script or HTML via a slot name.
Published Oct 13, 2014 · Updated Sep 16, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the sql_query function in cart.php in C97net Cart Engine before 4.0 allows remote attackers to execute arbitrary SQL commands via the item_id variable, as demonstrated by the (1) item_id[0] or (2) item_id[] parameter.
Published Oct 16, 2014 · Updated Sep 16, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in openSIS 4.5 through 5.3 allows remote attackers to execute arbitrary SQL commands via the Username and password to index.php.
Published Oct 20, 2014 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Schrack Technik microControl with firmware before 1.7.0 (937) stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain access data for the ftp and telnet services via a direct request for ZTPUsrDtls.txt.
Published Oct 20, 2014 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the context administration sub-panel in the Site Banner module before 7.x-4.1 for Drupal allows remote authenticated users with the "Administer contexts" Context UI module permission to inject arbitrary web script or HTML via vectors related to context settings.
Published Oct 21, 2014 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in ss_handler.php in the WordPress Spreadsheet (wpSS) plugin 0.62 for WordPress allows remote attackers to inject arbitrary web script or HTML via the ss_id parameter.
Published Oct 20, 2014 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.1.x before 6.1.4, 6.0.x before 6.0.6, and 5.0.x before 5.0.10 allows remote attackers to inject arbitrary web script or HTML via vectors related to dashboard.
Published Oct 16, 2014 · Updated Sep 16, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in Voice Of Web AllMyGuests 0.4.1 allows remote attackers to inject arbitrary web script or HTML via the AMG_signin_topic parameter to index.php.
Published Oct 15, 2014 · Updated Sep 16, 2024
Unknown · CVSS Not scored
ntp_crypto.c in ntpd in NTP 4.x before 4.2.8p1, when Autokey Authentication is enabled, allows remote attackers to obtain sensitive information from process memory or cause a denial of service (daemon crash) via a packet containing an extension field with an invalid value for the length of its value field.
Published Oct 4, 2015 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The read_network_packet function in ntp_io.c in ntpd in NTP 4.x before 4.2.8p1 on Linux and OS X does not properly determine whether a source IP address is an IPv6 loopback address, which makes it easier for remote attackers to spoof restricted packets, and read or write to the runtime state, by leveraging the ability to reach the ntpd machine's network interface with a packet from the ::1 address.
Published Oct 4, 2015 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in FlexPaperViewer.swf in Flexpaper before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via the Swfile parameter.
Published Oct 17, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
nw.js before 0.11.5 can simulate user input events in a normal frame, which allows remote attackers to have unspecified impact via unknown vectors.
Published Oct 17, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Huawei USG9560/9520/9580 before V300R001C01SPC300 allows remote attackers to cause a memory leak or denial of service (memory exhaustion, reboot and MPU switchover) via a crafted website.
Published Oct 17, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
FlexPaperViewer.swf in Flexpaper before 2.3.1 allows remote attackers to conduct content-spoofing attacks via the Swfile parameter.
Published Oct 17, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1 when the string "master" is in any of the wiki documents, allows remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags.
Published Oct 17, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Buffer overflow in the mpfr_strtofr function in GNU MPFR before 3.1.2-p11 allows context-dependent attackers to have unspecified impact via vectors related to incorrect documentation for mpn_set_str.
Published Oct 9, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The getid3 library in MediaWiki before 1.24.1, 1.23.8, 1.22.15 and 1.19.23 allows remote attackers to read arbitrary files, cause a denial of service, or possibly have other impact via an XML External Entity (XXE) attack. NOTE: Related to CVE-2014-2053.
Published Oct 17, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
libjpeg-turbo before 1.3.1 allows remote attackers to cause a denial of service (crash) via a crafted JPEG file, related to the Exif marker.
Published Oct 10, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Fiyo CMS 2.0.1.8 allows remote attackers to obtain sensitive information via a direct request to the database backup file in .backup/.
Published Oct 16, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.
Published Oct 16, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The web administrative portal in Zhone zNID GPON 2426A before S3.0.501 allows remote attackers to execute arbitrary commands via shell metacharacters in the ipAddr parameter to zhnping.cmd.
Published Oct 17, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 allows remote authenticated users to inject arbitrary web script or HTML via the Tasks parameter.
Published Oct 6, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7.0 before FP4, and 7.1 before FP1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2015-0144.
Published Oct 3, 2015 · Updated Aug 6, 2024
Unknown · CVSS Not scored
IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF29, 8.0.0 through 8.0.0.1 CF18, and 8.5.0 before CF08 improperly restricts resource access, which allows remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by configuration information.
Published Oct 28, 2015 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Race condition in the VMware driver in OpenStack Compute (Nova) before 2014.1.4 and 2014.2 before 2014.2rc1 allows remote authenticated users to access unintended consoles by spawning an instance that triggers the same VNC port to be allocated to two different instances.
Published Oct 15, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Panasonic Network Camera View 3 and 4 allows remote attackers to execute arbitrary code via a crafted page, which triggers an invalid pointer dereference, related to "the ability to nullify an arbitrary address in memory."
Published Oct 17, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The NcrCtl4.NcrNet.1 control in Panasonic Network Camera Recorder before 4.04R03 allows remote attackers to execute arbitrary code via a crafted GetVOLHeader method call, which writes null bytes to an arbitrary address.
Published Oct 17, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in the Maestro module 7.x-1.x before 7.x-1.4 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via a (1) Role or (2) Organic Group name.
Published Oct 13, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
DokuWiki before 2014-05-05b, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a password starting with a null (\0) character and a valid user name, which triggers an unauthenticated bind.
Published Oct 22, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Drupal Commons module 7.x-3.x before 7.x-3.9 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors related to content creation and activity stream messages.
Published Oct 13, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Skeleton theme 7.x-1.2 through 7.x-1.3 before 7.x-1.4, for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via vectors related to theme settings.
Published Oct 13, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter.
Published Oct 22, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Nivo Slider module 7.x-2.x before 7.x-1.11 for Drupal allows remote authenticated users with the "administer nivo slider" permission to inject arbitrary web script or HTML via an image title.
Published Oct 13, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
ejabberd before 2.1.13 does not enforce the starttls_required setting when compression is used, which causes clients to establish connections without encryption.
Published Oct 25, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in Allomani Weblinks 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter in a browse action to index.php or (2) unspecified parameters to admin.php.
Published Oct 14, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in the Custom Search module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.15 for Drupal allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via a taxonomy vocabulary label.
Published Oct 13, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
inc/template.php in DokuWiki before 2014-05-05a only checks for access to the root namespace, which allows remote attackers to access arbitrary images via a media file details ajax call.
Published Oct 22, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Cross-site scripting (XSS) vulnerability in Best Gallery Albums Plugin before 3.0.70for WordPress allows remote attackers to inject arbitrary web script or HTML via the order_id parameter in the gallery_album_sorting page to wp-admin/admin.php.
Published Oct 6, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
DokuWiki 2014-05-05a and earlier, when using Active Directory for LDAP authentication, allows remote attackers to bypass authentication via a user name and password starting with a null (\0) character, which triggers an anonymous bind.
Published Oct 22, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in the Store Locator plugin 2.3 through 3.11 for WordPress allows remote attackers to execute arbitrary SQL commands via the sl_custom_field parameter to sl-xml.php.
Published Oct 16, 2017 · Updated Aug 6, 2024
Unknown · CVSS Not scored
McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to obtain sensitive information by reading unspecified error messages.
Published Oct 29, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The lazy_bdecode function in BitTorrent bootstrap-dht (aka Bootstrap) allows remote attackers to execute arbitrary code via a crafted packet, which triggers an out-of-bounds read, related to "Improper Indexing."
Published Oct 31, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
McAfee Network Data Loss Prevention (NDLP) before 9.3 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
Published Oct 29, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple SQL injection vulnerabilities in Etiko CMS allow remote attackers to execute arbitrary SQL commands via the (1) page_id parameter to loja/index.php or (2) article_id parameter to index.php.
Published Oct 28, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in Croogo before 2.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Contact][title] parameter to admin/contacts/contacts/add page; (2) data[Block][title] or (3) data[Block][alias] parameter to admin/blocks/blocks/edit page; (4) data[Region][title] parameter to admin/blocks/regions/add page; (5) data[Menu][title] or (6) data[Menu][alias] parameter to admin/menus/menus/add page; or (7) data[Link][title] parameter to admin/menus/links/add/menu page.
Published Oct 31, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
The (1) Removable Media and (2) CD and DVD encryption offsite access options (formerly Endpoint Encryption for Removable Media or EERM) in McAfee File and Removable Media Protection (FRP) 4.3.0.x, and Endpoint Encryption for Files and Folders (EEFF) 3.2.x through 4.2.x, uses a hard-coded salt, which makes it easier for local users to obtain passwords via a brute force attack.
Published Oct 29, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
SQL injection vulnerability in GBgallery.php in the GB Gallery Slideshow plugin 1.5 for WordPress allows remote administrators to execute arbitrary SQL commands via the selected_group parameter in a gb_ajax_get_group action to wp-admin/admin-ajax.php.
Published Oct 21, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Citrix XenMobile MDX Toolkit before 9.0.4, when used to wrap iOS 8 applications, does not properly encrypt cached application data, which allows context-dependent attackers to obtain sensitive information by reading the cache.
Published Oct 31, 2014 · Updated Aug 6, 2024
Unknown · CVSS Not scored
Multiple cross-site scripting (XSS) vulnerabilities in Etiko CMS allow remote attackers to inject arbitrary web script or HTML via the (1) page_id parameter to loja/index.php or (2) article_id parameter to index.php.
Published Oct 28, 2014 · Updated Aug 6, 2024