Vulnerabilities (CVE)

Filtered by CWE-74
Total 980 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2014-8910 1 Ibm 1 Db2 2024-11-21 4.0 MEDIUM N/A
IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to read arbitrary text files via a crafted XML/XSLT function in a SELECT statement.
CVE-2014-8423 1 Arris 1 Vap2500 Firmware 2024-11-21 10.0 HIGH N/A
Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors.
CVE-2014-7952 1 Google 1 Android 2024-11-21 4.6 MEDIUM 7.8 HIGH
The backup mechanism in the adb tool in Android might allow attackers to inject additional applications (APKs) and execute arbitrary code by leveraging failure to filter application data streams.
CVE-2014-7844 3 Bsd Mailx Project, Debian, Redhat 8 Bsd Mailx, Debian Linux, Enterprise Linux Desktop and 5 more 2024-11-21 7.2 HIGH 7.8 HIGH
BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via a crafted email address.
CVE-2014-7287 1 Symantec 2 Encryption Management Server, Pgp Universal Server 2024-11-21 5.0 MEDIUM N/A
The key-management component in Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allows remote attackers to trigger unintended content in outbound e-mail messages via a crafted key UID value in an inbound e-mail message, as demonstrated by the outbound Subject header.
CVE-2014-7236 1 Twiki 1 Twiki 2024-11-21 6.4 MEDIUM 9.1 CRITICAL
Eval injection vulnerability in lib/TWiki/Plugins.pm in TWiki before 6.0.1 allows remote attackers to execute arbitrary Perl code via the debugenableplugins parameter to do/view/Main/WebHome.
CVE-2014-5287 1 Kemptechnologies 1 Loadmaster 2024-11-21 6.8 MEDIUM 8.8 HIGH
A Bash script injection vulnerability exists in Kemp Load Master 7.1-16 and earlier due to a failure to sanitize input in the Web User Interface (WUI).
CVE-2014-5086 3 Sphider, Sphider-plus, Sphiderpro 3 Sphider, Sphider-plus, Sphider Pro 2024-11-21 6.5 MEDIUM 8.8 HIGH
A Command Execution vulnerability exists in Sphider Pro, and Sphider Plus 3.2 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code. CVE-2014-5086 pertains to instances of fwrite in Sphider Pro and Sphider Plus only, but don’t exist in Sphider.
CVE-2014-5085 1 Sphider-plus 1 Sphider-plus 2024-11-21 6.5 MEDIUM 8.8 HIGH
A Command Execution vulnerability exists in Sphider Plus 3.2 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code. CVE-2014-5085 pertains to instances of fwrite in Sphider Plus, but do not exist in either Sphider or Sphider Pro.
CVE-2014-5084 1 Sphiderpro 1 Sphider Pro 2024-11-21 6.5 MEDIUM 8.8 HIGH
A Command Execution vulnerability exists in Sphider Pro 3.2 due to insufficient sanitization of fwrite, which could let a remote malicious user execute arbitrary code. CVE-2014-5084 pertains to instances of fwrite in Sphider Pro only, but do not exist in either Sphider or Sphider Plus.
CVE-2014-5083 1 Sphider 1 Sphider 2024-11-21 6.5 MEDIUM 8.8 HIGH
A Command Execution vulnerability exists in Sphider before 1.3.6 due to insufficient sanitization of fwrite to conf.php, which could let a remote malicious user execute arbitrary code. CVE-2014-5083 pertains to instances of fwrite in Sphider.
CVE-2014-4967 1 Redhat 1 Ansible 2024-11-21 7.5 HIGH 9.8 CRITICAL
Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing " src=" clause, (2) a trailing " temp=" clause, or (3) a trailing " validate=" clause accompanied by a shell command.
CVE-2014-4966 1 Redhat 1 Ansible 2024-11-21 7.5 HIGH 9.8 CRITICAL
Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.
CVE-2014-4678 2 Debian, Redhat 2 Debian Linux, Ansible 2024-11-21 7.5 HIGH 9.8 CRITICAL
The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657.
CVE-2014-4172 3 Apereo, Debian, Fedoraproject 5 .net Cas Client, Java Cas Client, Phpcas and 2 more 2024-11-21 7.5 HIGH 9.8 CRITICAL
A URL parameter injection vulnerability was found in the back-channel ticket validation step of the CAS protocol in Jasig Java CAS Client before 3.3.2, .NET CAS Client before 1.0.2, and phpCAS before 1.3.3 that allow remote attackers to inject arbitrary web script or HTML via the (1) service parameter to validation/AbstractUrlBasedTicketValidator.java or (2) pgtUrl parameter to validation/Cas20ServiceTicketValidator.java.
CVE-2014-3700 1 Redhat 2 Edeploy, Jboss Enterprise Web Server 2024-11-21 7.5 HIGH 9.8 CRITICAL
eDeploy through at least 2014-10-14 has remote code execution due to eval() of untrusted data
CVE-2014-2294 1 Openwebanalytics 1 Open Web Analytics 2024-11-21 7.5 HIGH 9.8 CRITICAL
Open Web Analytics (OWA) before 1.5.7 allows remote attackers to conduct PHP object injection attacks via a crafted serialized object in the owa_event parameter to queue.php.
CVE-2014-10394 1 Saschart 1 Rich Counter 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The rich-counter plugin before 1.2.0 for WordPress has JavaScript injection via a User-Agent header.
CVE-2014-10391 1 Wpsupportplus 1 Wp Support Plus Responsive Ticket System 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The wp-support-plus-responsive-ticket-system plugin before 4.1 for WordPress has JavaScript injection.
CVE-2014-10386 1 3cx 1 Live Chat 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
The wp-live-chat-support plugin before 4.1.0 for WordPress has JavaScript injections.