CVEs from 2014
- Total: 7,865
- Critical: 837
- High: 1,288
- Medium: 4,980
- Low: 583
- % Critical: 10.6%
- % with KEV: 0.4%
- % with exploit: 9.8%
Top vendors
Top products
- chrome 3,804
- moodle 1,668
- flash_player 1,397
- firefox 1,239
- mediawiki 1,130
- ffmpeg 998
- acrobat 966
- acrobat_reader 944
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-0476 | low | — | 4.7 | 12y ago | The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerabilit… | |||
| CVE-2014-2477 | low | — | 4.6 | 12y ago | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 3.2.24, 4.0.26, 4.1.34, 4.2.26, and 4.3.12 allows local users to affect integrity and availa… | |||
| CVE-2014-9311 | low | — | 4.5 | 11y ago | Cross-site scripting (XSS) vulnerability in admin.php in the Shareaholic plugin before 7.6.1.0 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the location[… | |||
| CVE-2014-9224 | low | — | 4.5 | 12y ago | Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec … | |||
| CVE-2014-9434 | low | — | 4.5 | 12y ago | Cross-site scripting (XSS) vulnerability in admin/managerrelated.php in the administrative backend in Absolut Engine 1.73 allows remote authenticated users to inject arbitrary web script or HTML via … | |||
| CVE-2014-9098 | low | — | 4.5 | 12y ago | Multiple cross-site scripting (XSS) vulnerabilities in the Apptha WordPress Video Gallery (contus-video-gallery) plugin 2.5, possibly before 2014-07-23, for WordPress allow remote authenticated users… | |||
| CVE-2014-2021 | low | — | 4.5 | 12y ago | Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.2.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a c… | |||
| CVE-2014-5276 | low | — | 4.5 | 12y ago | Multiple cross-site scripting (XSS) vulnerabilities in Pro Chat Rooms Text Chat Rooms 8.2.0 allow remote authenticated users to inject arbitrary web script or HTML via (1) an uploaded profile picture… | |||
| CVE-2014-2995 | low | — | 4.5 | 12y ago | Multiple cross-site scripting (XSS) vulnerabilities in twitget.php in the Twitget plugin before 3.3.3 for WordPress allow remote authenticated administrators to inject arbitrary web script or HTML vi… | |||
| CVE-2014-3740 | low | — | 4.5 | 12y ago | Cross-site scripting (XSS) vulnerability in SpiceWorks before 7.2.00195 allows remote authenticated users to inject arbitrary web script or HTML via the Summary field in a ticket request to the porta… | |||
| CVE-2014-3544 | low | — | 4.5 | 12y ago | Moodle cross-site scripting (XSS) vulnerability | |||
| CVE-2014-0894 | low | — | 4.5 | 12y ago | RICOS in IBM Algo Credit Limits (aka ACLM) 4.5.0 through 4.7.0 before 4.7.0.03 FP5 in IBM Algorithmics allows context-dependent attackers to discover database credentials by reading the DbUser and Db… | |||
| CVE-2014-0910 | low | — | 4.5 | 12y ago | Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0.0 through 6.1.0.6 CF27, 6.1.5.0 through 6.1.5.3 CF27, and 7.0.0 through 7.0.0.2 CF28 allows remote authenticated users to inject… | |||
| CVE-2014-3840 | low | — | 4.5 | 12y ago | Mayan EDMS multiple cross-site scripting (XSS) vulnerabilities | |||
| CVE-2014-2091 | low | — | 4.5 | 12y ago | Cross-site scripting (XSS) vulnerability in mods/_standard/forums/admin/forum_add.php in ATutor 2.1.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the title p… | |||
| CVE-2014-2090 | low | — | 4.5 | 12y ago | Multiple cross-site scripting (XSS) vulnerabilities in ilias.php in ILIAS 4.4.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) tar, (2) tar_val, or (3) title para… | |||
| CVE-2014-0334 | low | — | 4.5 | 12y ago | Multiple cross-site scripting (XSS) vulnerabilities in CMS Made Simple allow remote authenticated users to inject arbitrary web script or HTML via (1) the group parameter to admin/addgroup.php, (2) t… | |||
| CVE-2014-3566 | low | 3.4 | 4.4 | 12y ago | The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a pad… | |||
| CVE-2014-8607 | low | — | 3.1 | 11y ago | The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! provides the MySQL username and password on the command line, which allows local users to obtain sensitive information via the ps command. | |||
| CVE-2014-100039 | low | — | 3.1 | 12y ago | mbae.sys in Malwarebytes Anti-Exploit before 1.05.1.2014 allows local users to cause a denial of service (crash) via a crafted size in an unspecified IOCTL call, which triggers an out-of-bounds read.… | |||
| CVE-2014-9418 | low | — | 3.1 | 12y ago | The eSpace Meeting ActiveX control (eSpaceStatusCtrl.dll) in Huawei eSpace Desktop before V200R001C03 allows local users to cause a denial of service (memory overflow) via unspecified vectors. | |||
| CVE-2014-9417 | low | — | 3.1 | 12y ago | The Meeting component in Huawei eSpace Desktop before V100R001C03 allows local users to cause a denial of service (program exit) via a crafted image. | |||
| CVE-2014-4703 | low | — | 3.1 | 12y ago | lib/parse_ini.c in Nagios Plugins 2.0.2 allows local users to obtain sensitive information via a symlink attack on the configuration file in the extra-opts flag. NOTE: this vulnerability exists beca… | |||
| CVE-2014-1739 | low | — | 3.1 | 12y ago | The media_device_enum_entities function in drivers/media/media-device.c in the Linux kernel before 3.14.6 does not initialize a certain data structure, which allows local users to obtain sensitive in… | |||
| CVE-2014-9415 | low | — | 2.9 | 12y ago | Huawei eSpace Desktop before V100R001C03 allows local users to cause a denial of service (program exit) via a crafted QES file. | |||
| CVE-2014-6278 | unknown | — | 2.5 | 8mo ago | GNU Bash contains an OS command injection vulnerability which allows remote attackers to execute arbitrary commands via a crafted environment. | |||
| CVE-2014-0497 | unknown | — | 2.5 | 2y ago | Adobe Flash Player contains an integer underflow vulnerability that allows a remote attacker to execute arbitrary code. | |||
| CVE-2014-100005 | unknown | — | 2.5 | 2y ago | D-Link DIR-600 routers contain a cross-site request forgery (CSRF) vulnerability that allows an attacker to change router configurations by hijacking an existing administrator session. | |||
| CVE-2014-8361 | unknown | — | 2.5 | 3y ago | Realtek SDK contains an improper input validation vulnerability in the miniigd SOAP service that allows remote attackers to execute malicious code via a crafted NewInternalClient request. | |||
| CVE-2014-0196 | unknown | — | 2.5 | 3y ago | Linux Kernel contains a race condition vulnerability within the n_tty_write function that allows local users to cause a denial-of-service (DoS) or gain privileges via read and write operations with l… | |||
| CVE-2014-3153 | unknown | — | 2.5 | 4y ago | The futex_requeue function in kernel/futex.c in Linux kernel does not ensure that calls have two different futex addresses, which allows local users to gain privileges. | |||
| CVE-2014-3120 | unknown | — | 2.5 | 4y ago | Elasticsearch enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code. | |||
| CVE-2014-0322 | unknown | — | 2.5 | 4y ago | Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute code. | |||
| CVE-2014-4113 | unknown | — | 2.5 | 4y ago | Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation. | |||
| CVE-2014-0160 | unknown | — | 2.5 | 4y ago | The TLS and DTLS implementations in OpenSSL do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information. | |||
| CVE-2014-0780 | unknown | — | 2.5 | 4y ago | InduSoft Web Studio NTWebServer contains a directory traversal vulnerability that allows remote attackers to read administrative passwords in APP files, allowing for remote code execution. | |||
| CVE-2014-6324 | unknown | — | 2.5 | 4y ago | The Kerberos Key Distribution Center (KDC) in Microsoft allows remote authenticated domain users to obtain domain administrator privileges. | |||
| CVE-2014-6332 | unknown | — | 2.5 | 4y ago | OleAut32.dll in OLE in Microsoft Windows allows remote attackers to remotely execute code via a crafted web site. | |||
| CVE-2014-6287 | unknown | — | 2.5 | 4y ago | The findMacroMarker function in parserLib.pas in Rejetto HTTP File Server (HFS or HttpFileServer) allows remote attackers to execute arbitrary programs. | |||
| CVE-2014-4114 | unknown | — | 2.5 | 4y ago | A vulnerability exists in Windows Object Linking & Embedding (OLE) that could allow remote code execution if a user opens a file that contains a specially crafted OLE object. | |||
| CVE-2014-6352 | unknown | — | 2.5 | 4y ago | Microsoft Windows allow remote attackers to execute arbitrary code via a crafted OLE object. | |||
| CVE-2014-1761 | unknown | — | 2.5 | 4y ago | Microsoft Word contains a memory corruption vulnerability which when exploited could allow for remote code execution. | |||
| CVE-2014-4404 | unknown | — | 2.5 | 4y ago | Heap-based buffer overflow in IOHIDFamily in Apple OS X, which affects, iOS before 8 and Apple TV before 7, allows attackers to execute arbitrary code in a privileged context. | |||
| CVE-2014-6271 | unknown | — | 2.5 | 4y ago | GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code. | |||
| CVE-2014-7169 | unknown | — | 2.5 | 4y ago | GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute code. This CVE correctly remediates the vul… | |||
| CVE-2014-1812 | unknown | — | 2.5 | 5y ago | Microsoft Windows Active Directory contains a privilege escalation vulnerability due to the way it distributes passwords that are configured using Group Policy preferences. An authenticated attacker … | |||
| CVE-2014-2030 | unknown | — | 1.0 | — | Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick, possibly 6.8.8-5, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary… | |||
| CVE-2014-1947 | unknown | — | 1.0 | — | Stack-based buffer overflow in the WritePSDImage function in coders/psd.c in ImageMagick 6.5.4 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary … | |||
| CVE-2014-9390 | unknown | — | 1.0 | 4y ago | Git before 1.8.5.6, 1.9.x before 1.9.5, 2.0.x before 2.0.5, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 on Windows and OS X; Mercurial before 3.2.3 on Windows and OS X; Apple Xcode before 6.2 beta 3; … |