LiveActive security incident?Get immediate response
CVE archive

November 2014

Browse CVE records published in November 2014, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 515 matching CVEs · Page 2 of 11.

Unknown · CVSS Not scored

CVE-2014-9021: Multiple cross-site scripting (XSS) vulnerabilities in ZTE ZXDSL 831 allow remote attackers to inject arbit...

Multiple cross-site scripting (XSS) vulnerabilities in ZTE ZXDSL 831 allow remote attackers to inject arbitrary web script or HTML via the (1) tr69cAcsURL, (2) tr69cAcsUser, (3) tr69cAcsPwd, (4) tr69cConnReqPwd, or (5) tr69cDebugEnable parameter to the TR-069 client page (tr69cfg.cgi); the (6) timezone parameter to the Time and date page (sntpcfg.sntp); or the (7) hostname parameter in a save action to the Quick Stats page (psilan.cgi). NOTE: this issue was SPLIT from CVE-2014-9020 per ADT1 due to different affected products and codebases.

Published Nov 20, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9060: The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 doe...

The LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 does not properly restrict the parameters used in a return URL, which allows remote attackers to trigger the generation of arbitrary messages via a modified URL, related to mod/lti/locallib.php and mod/lti/return.php.

Published Nov 24, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9020: Cross-site scripting (XSS) vulnerability in the Quick Stats page (psilan.cgi) in ZTE ZXDSL 831 and 831CII a...

Cross-site scripting (XSS) vulnerability in the Quick Stats page (psilan.cgi) in ZTE ZXDSL 831 and 831CII allows remote attackers to inject arbitrary web script or HTML via the domainname parameter in a save action. NOTE: this issue was SPLIT from CVE-2014-9021 per ADT1 due to different affected products and codebases.

Published Nov 20, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9019: Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ZXDSL 831CII allow remote attackers to hi...

Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ZXDSL 831CII allow remote attackers to hijack the authentication of administrators for requests that (1) change the admin user name or (2) conduct cross-site scripting (XSS) attacks via the sysUserName parameter in a save action to adminpasswd.cgi or (3) change the admin user password via the sysPassword parameter in a save action to adminpasswd.cgi.

Published Nov 20, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9027: Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ZXDSL 831CII allow remote attackers to hi...

Multiple cross-site request forgery (CSRF) vulnerabilities in ZTE ZXDSL 831CII allow remote attackers to hijack the authentication of administrators for requests that disable modem lan ports via the (1) enblftp, (2) enblhttp, (3) enblsnmp, (4) enbltelnet, (5) enbltftp, (6) enblicmp, or (7) enblssh parameter to accesslocal.cmd.

Published Nov 20, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-8949: The iMember360 plugin 3.8.012 through 3.9.001 for WordPress allows remote authenticated administrators to e...

The iMember360 plugin 3.8.012 through 3.9.001 for WordPress allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the i4w_trace parameter. NOTE: this can be leveraged with CVE-2014-8948 to allow remote attackers to execute code. NOTE: it is not clear whether this issue itself crosses privileges.

Published Nov 16, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-8952: Multiple unspecified vulnerabilities in Check Point Security Gateway R75.40VS, R75.45, R75.46, R75.47, R76,...

Multiple unspecified vulnerabilities in Check Point Security Gateway R75.40VS, R75.45, R75.46, R75.47, R76, R77, and R77.10, when the (1) IPS blade, (2) IPsec Remote Access, (3) Mobile Access / SSL VPN blade, (4) SSL Network Extender, (5) Identify Awareness blade, (6) HTTPS Inspection, (7) UserCheck, or (8) Data Leak Prevention blade module is enabled, allow remote attackers to cause a denial of service ("stability issue") via an unspecified "traffic condition."

Published Nov 16, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-8988: MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold an...

MantisBT before 1.2.18 allows remote authenticated users to bypass the $g_download_attachments_threshold and $g_view_attachments_threshold restrictions and read attachments for private projects by leveraging access to a project that does not restrict access to attachments and a request to the download URL.

Published Nov 24, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-8958: Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.1...

Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database, (2) table, or (3) column name that is improperly handled during rendering of the table browse page; a crafted ENUM value that is improperly handled during rendering of the (4) table print view or (5) zoom search page; or (6) a crafted pma_fontsize cookie that is improperly handled during rendering of the home page.

Published Nov 30, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-8989: The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in ce...

The Linux kernel through 3.17.4 does not properly restrict dropping of supplemental group memberships in certain namespace scenarios, which allows local users to bypass intended file permissions by leveraging a POSIX ACL containing an entry for the group category that is more restrictive than the entry for the other category, aka a "negative groups" issue, related to kernel/groups.c, kernel/uid16.c, and kernel/user_namespace.c.

Published Nov 30, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-8986: Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report p...

Cross-site scripting (XSS) vulnerability in the selection list in the filters in the Configuration Report page (adm_config_report.php) in MantisBT 1.2.13 through 1.2.17 allows remote administrators to inject arbitrary web script or HTML via a crafted config option, a different vulnerability than CVE-2014-8987.

Published Nov 24, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-8951: Unspecified vulnerability in Check Point Security Gateway R75, R76, R77, and R77.10, when UserCheck is enab...

Unspecified vulnerability in Check Point Security Gateway R75, R76, R77, and R77.10, when UserCheck is enabled and the (1) Application Control, (2) URL Filtering, (3) DLP, (4) Threat Emulation, (5) Anti-Bot, or (6) Anti-Virus blade is used, allows remote attackers to cause a denial of service (fwk0 process crash, core dump, and restart) via a redirect to the UserCheck page.

Published Nov 16, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-8948: Cross-site request forgery (CSRF) vulnerability in the iMember360 plugin 3.8.012 through 3.9.001 for WordPr...

Cross-site request forgery (CSRF) vulnerability in the iMember360 plugin 3.8.012 through 3.9.001 for WordPress allows remote attackers to hijack the authentication of administrators for requests that with an unspecified impact via the i4w_trace parameter. NOTE: this can be leveraged with CVE-2014-8948 to execute arbitrary commands.

Published Nov 16, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-8953: Multiple cross-site request forgery (CSRF) vulnerabilities in Php Scriptlerim Who's Who script allow remote...

Multiple cross-site request forgery (CSRF) vulnerabilities in Php Scriptlerim Who's Who script allow remote attackers to hijack the authentication of administrators or requests that (1) add an admin account via a request to filepath/yonetim/plugin/adminsave.php or have unspecified impact via a request to (2) ayarsave.php, (3) uyesave.php, (4) slaytadd.php, or (5) slaytsave.php.

Published Nov 17, 2014 · Updated Aug 6, 2024