LiveActive security incident?Get immediate response
CVE archive

December 2014

Browse CVE records published in December 2014, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 626 matching CVEs · Page 2 of 13.

Unknown · CVSS Not scored

CVE-2014-9395: Multiple cross-site request forgery (CSRF) vulnerabilities in the Simplelife plugin 1.2 and earlier for Wor...

Multiple cross-site request forgery (CSRF) vulnerabilities in the Simplelife plugin 1.2 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) simplehoverback, (2) simplehovertext, (3) flickrback, or (4) simple_flimit parameter in the simplelife.php page to wp-admin/options-general.php.

Published Dec 31, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9365: The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka P...

The HTTP clients in the (1) httplib, (2) urllib, (3) urllib2, and (4) xmlrpclib libraries in CPython (aka Python) 2.x before 2.7.9 and 3.x before 3.4.3, when accessing an HTTPS URL, do not (a) check the certificate against a trust store or verify that the server hostname matches a domain name in the subject's (b) Common Name or (c) subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published Dec 12, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9337: Multiple cross-site request forgery (CSRF) vulnerabilities in the Mikiurl Wordpress Eklentisi plugin 2.0 an...

Multiple cross-site request forgery (CSRF) vulnerabilities in the Mikiurl Wordpress Eklentisi plugin 2.0 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) twitter_kullanici or (2) twitter_sifre parameter in a kaydet action in the mikiurl.php page to wp-admin/options-general.php.

Published Dec 19, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9399: Cross-site request forgery (CSRF) vulnerability in the TweetScribe plugin 1.1 and earlier for WordPress all...

Cross-site request forgery (CSRF) vulnerability in the TweetScribe plugin 1.1 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the tweetscribe_username parameter in a save action in the tweetscribe.php page to wp-admin/options-general.php.

Published Dec 31, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9414: The W3 Total Cache plugin before 0.9.4.1 for WordPress does not properly handle empty nonces, which allows...

The W3 Total Cache plugin before 0.9.4.1 for WordPress does not properly handle empty nonces, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and hijack the authentication of administrators for requests that change the mobile site redirect URI via the mobile_groups[*][redirect] parameter and an empty _wpnonce parameter in the w3tc_mobile page to wp-admin/admin.php.

Published Dec 24, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9397: Cross-site request forgery (CSRF) vulnerability in the twimp-wp plugin for WordPress allows remote attacker...

Cross-site request forgery (CSRF) vulnerability in the twimp-wp plugin for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the message_format parameter in the twimp-wp.php page to wp-admin/options-general.php.

Published Dec 31, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9419: The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure...

The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address.

Published Dec 26, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9412: Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.1 allow remo...

Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.1 allow remote attackers to inject arbitrary web script or HTML via (1) an arbitrary parameter to roma/jsp/debug/debug.jsp or (2) an arbitrary parameter in a debug.DumpAll action to nps/servlet/webacc, a different issue than CVE-2014-5216.

Published Dec 23, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9396: Multiple cross-site request forgery (CSRF) vulnerabilities in the SimpleFlickr plugin 3.0.3 and earlier for...

Multiple cross-site request forgery (CSRF) vulnerabilities in the SimpleFlickr plugin 3.0.3 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) simpleflickr_width, (2) simpleflickr_bgcolor, or (3) simpleflickr_xmldatapath parameter in the simpleFlickr.php page to wp-admin/options-general.php.

Published Dec 31, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9401: Cross-site request forgery (CSRF) vulnerability in the WP Limit Posts Automatically plugin 0.7 and earlier...

Cross-site request forgery (CSRF) vulnerability in the WP Limit Posts Automatically plugin 0.7 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the lpa_post_letters parameter in the wp-limit-posts-automatically.php page to wp-admin/options-general.php.

Published Dec 31, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9376: Integer underflow in Ettercap 0.8.1 allows remote attackers to cause a denial of service (out-of-bounds wri...

Integer underflow in Ettercap 0.8.1 allows remote attackers to cause a denial of service (out-of-bounds write) and possibly execute arbitrary code via a small (1) size variable value in the dissector_dhcp function in dissectors/ec_dhcp.c, (2) length value to the dissector_gg function in dissectors/ec_gg.c, or (3) string length to the get_decode_len function in ec_utils.c or a request without a (4) username or (5) password to the dissector_TN3270 function in dissectors/ec_TN3270.c.

Published Dec 19, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9413: Multiple cross-site request forgery (CSRF) vulnerabilities in the IP Ban (simple-ip-ban) plugin 1.2.3 for W...

Multiple cross-site request forgery (CSRF) vulnerabilities in the IP Ban (simple-ip-ban) plugin 1.2.3 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) ip_list, (2) user_agent_list, or (3) redirect_url parameter in the simple-ip-ban page to wp-admin/options-general.php.

Published Dec 24, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9391: Multiple cross-site request forgery (CSRF) vulnerabilities in the gSlideShow plugin 0.1 and earlier for Wor...

Multiple cross-site request forgery (CSRF) vulnerabilities in the gSlideShow plugin 0.1 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) rss, (2) display_time or (3) transistion_time parameter in the gslideshow.php page to wp-admin/options-general.php.

Published Dec 31, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9378: Ettercap 0.8.1 does not validate certain return values, which allows remote attackers to cause a denial of...

Ettercap 0.8.1 does not validate certain return values, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted (1) name to the parse_line function in mdns_spoof/mdns_spoof.c or (2) base64 encoded password to the dissector_imap function in dissectors/ec_imap.c.

Published Dec 19, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9335: Multiple cross-site request forgery (CSRF) vulnerabilities in the DandyID Services plugin 1.5.9 and earlier...

Multiple cross-site request forgery (CSRF) vulnerabilities in the DandyID Services plugin 1.5.9 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) email_address or (2) sidebarTitle parameter in the dandyid-services.php page to wp-admin/options-general.php.

Published Dec 19, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9394: Multiple cross-site request forgery (CSRF) vulnerabilities in the PWGRandom plugin 1.11 and earlier for Wor...

Multiple cross-site request forgery (CSRF) vulnerabilities in the PWGRandom plugin 1.11 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) pwgrandom_title or (2) pwgrandom_category parameter in the pwgrandom page to wp-admin/options-general.php.

Published Dec 31, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9325: Multiple cross-site scripting (XSS) vulnerabilities in TWiki 6.0.1 allow remote attackers to inject arbitra...

Multiple cross-site scripting (XSS) vulnerabilities in TWiki 6.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) QUERYSTRING variable in lib/TWiki.pm or (2) QUERYPARAMSTRING variable in lib/TWiki/UI/View.pm, as demonstrated by the QUERY_STRING to do/view/Main/TWikiPreferences.

Published Dec 31, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9368: Cross-site request forgery (CSRF) vulnerability in the twitterDash plugin 2.1 and earlier for WordPress all...

Cross-site request forgery (CSRF) vulnerability in the twitterDash plugin 2.1 and earlier for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the username_twitterDash parameter in the twitterDash.php page to wp-admin/options-general.php.

Published Dec 19, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9403: The CWebAdminMod::ChanPage function in modules/webadmin.cpp in ZNC before 1.4 allows remote authenticated u...

The CWebAdminMod::ChanPage function in modules/webadmin.cpp in ZNC before 1.4 allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) by adding a channel with the same name as an existing channel but without the leading # character, related to a "use-after-delete" error.

Published Dec 19, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9318: The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x befor...

The raw_decode function in libavcodec/rawdec.c in FFMpeg before 2.1.6, 2.2.x through 2.3.x, and 2.4.x before 2.4.4 allows remote attackers to cause a denial of service (out-of-bounds heap access) and possibly have other unspecified impact via a crafted .cine file that triggers the avpicture_get_size function to return a negative frame size.

Published Dec 9, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9346: Multiple cross-site scripting (XSS) vulnerabilities in the Hierarchical Select module 6.x-3.x before 6.x-3....

Multiple cross-site scripting (XSS) vulnerabilities in the Hierarchical Select module 6.x-3.x before 6.x-3.9 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to the (1) taxonomy term title for instances with Save term lineage enabled or (2) entity type fields.

Published Dec 8, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9336: Multiple cross-site request forgery (CSRF) vulnerabilities in the iTwitter plugin 0.04 and earlier for Word...

Multiple cross-site request forgery (CSRF) vulnerabilities in the iTwitter plugin 0.04 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) itex_t_twitter_username or (2) itex_t_twitter_userpass parameter in the iTwitter.php page to wp-admin/options-general.php.

Published Dec 19, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9278: The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environ...

The OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 and when running in a Kerberos environment, allows remote authenticated users to log in as another user when they are listed in the .k5users file of that user, which might bypass intended authentication requirements that would force a local login.

Published Dec 6, 2014 · Updated Aug 6, 2024

Unknown · CVSS Not scored

CVE-2014-9393: Multiple cross-site request forgery (CSRF) vulnerabilities in the Post to Twitter plugin 0.7 and earlier fo...

Multiple cross-site request forgery (CSRF) vulnerabilities in the Post to Twitter plugin 0.7 and earlier for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the (1) idptt_twitter_username or (2) idptt_tweet_prefix parameter to wp-admin/options-general.php.

Published Dec 31, 2014 · Updated Aug 6, 2024