Total
3761 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-2720 | 1 Izarc | 1 Izarc | 2014-05-29 | 6.8 MEDIUM | N/A |
| IZArc 4.1.8 displays a file's name on the basis of a ZIP archive's Central Directory entry, but launches this file on the basis of a ZIP archive's local file header, which allows user-assisted remote attackers to conduct file-extension spoofing attacks via a modified Central Directory, as demonstrated by unintended code execution prompted by a .jpg extension in the Central Directory and a .exe extension in the local file header. | |||||
| CVE-2013-4321 | 1 Typo3 | 1 Typo3 | 2014-05-21 | 6.5 MEDIUM | N/A |
| The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4250. | |||||
| CVE-2014-3444 | 1 Realnetworks | 1 Realplayer | 2014-05-20 | 9.3 HIGH | N/A |
| The GetGUID function in codecs/dmp4.dll in RealNetworks RealPlayer 16.0.3.51 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (write access violation and application crash) via a malformed .3gp file. | |||||
| CVE-2014-3453 | 1 Flag Module Project | 1 Flag | 2014-05-19 | 6.5 MEDIUM | N/A |
| Eval injection vulnerability in the flag_import_form_validate function in includes/flag.export.inc in the Flag module 7.x-3.0, 7.x-3.5, and earlier for Drupal allows remote authenticated administrators to execute arbitrary PHP code via the "Flag import code" text area to admin/structure/flags/import. NOTE: this issue could also be exploited by other attackers if the administrator ignores a security warning on the permissions assignment page. | |||||
| CVE-2014-1613 | 1 Dotclear | 1 Dotclear | 2014-05-16 | 7.5 HIGH | N/A |
| Dotclear before 2.6.2 allows remote attackers to execute arbitrary PHP code via a serialized object in the dc_passwd cookie to a password-protected page, which is not properly handled by (1) inc/public/lib.urlhandlers.php or (2) plugins/pages/_public.php. | |||||
| CVE-2014-2936 | 1 Caldera | 1 Caldera | 2014-05-16 | 7.5 HIGH | N/A |
| The directory manager in Caldera 9.20 allows remote attackers to conduct variable-injection attacks in the global scope via (1) the maindir_hotfolder parameter to dirmng/index.php, or an unspecified parameter to (2) PPD/index.php, (3) dirmng/docmd.php, or (4) dirmng/param.php. | |||||
| CVE-2013-4581 | 1 Gitlab | 2 Gitlab, Gitlab-shell | 2014-05-12 | 6.8 MEDIUM | N/A |
| GitLab 5.0 before 5.4.2, Community Edition before 6.2.4, Enterprise Edition before 6.2.1 and gitlab-shell before 1.7.8 allows remote attackers to execute arbitrary code via a crafted change using SSH. | |||||
| CVE-2013-0210 | 1 Theforeman | 1 Foreman | 2014-05-08 | 7.5 HIGH | N/A |
| The smart proxy Puppet run API in Foreman before 1.2.0 allows remote attackers to execute arbitrary commands via vectors related to escaping and Puppet commands. | |||||
| CVE-2013-0171 | 1 Theforeman | 1 Foreman | 2014-05-08 | 7.5 HIGH | N/A |
| Foreman before 1.1 allows remote attackers to execute arbitrary code via a crafted YAML object to the (1) fact or (2) report import API. | |||||
| CVE-2014-2558 | 1 Skyphe | 1 File-gallery | 2014-05-07 | 6.5 MEDIUM | N/A |
| The File Gallery plugin before 1.7.9.2 for WordPress does not properly escape strings, which allows remote administrators to execute arbitrary PHP code via a \' (backslash quote) in the setting fields to /wp-admin/options-media.php, related to the create_function function. | |||||
| CVE-2014-2170 | 1 Cisco | 2 Telepresence Tc Software, Telepresence Te Software | 2014-05-02 | 9.0 HIGH | N/A |
| Cisco TelePresence TC Software 4.x and 5.x before 5.1.7 and 6.x before 6.0.1 and TE Software 4.x and 6.0 allow remote authenticated users to execute arbitrary commands by using the commands as arguments to tshell (aka tcsh) scripts, aka Bug ID CSCue60202. | |||||
| CVE-2013-7284 | 1 Malcolm Nooning | 1 Pirpc | 2014-04-30 | 6.8 MEDIUM | N/A |
| The PlRPC module, possibly 0.2020 and earlier, for Perl uses the Storable module, which allows remote attackers to execute arbitrary code via a crafted request, which is not properly handled when it is deserialized. | |||||
| CVE-2014-2921 | 1 Pimcore | 1 Pimcore | 2014-04-22 | 7.5 HIGH | N/A |
| The getObjectByToken function in Newsletter.php in the Pimcore_Tool_Newsletter module in pimcore 1.4.9 through 2.0.0 does not properly handle an object obtained by unserializing Lucene search data, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via vectors involving a Zend_Pdf_ElementFactory_Proxy object and a pathname with a trailing \0 character. | |||||
| CVE-2014-2866 | 1 Paperthin | 1 Commonspot Content Server | 2014-04-16 | 10.0 HIGH | N/A |
| PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 relies on client JavaScript code for access restrictions, which allows remote attackers to perform unspecified operations by modifying this code. | |||||
| CVE-2013-7362 | 1 Sap | 1 Ccms Agent | 2014-04-11 | 7.5 HIGH | N/A |
| An unspecified RFC function in SAP CCMS Agent allows remote attackers to execute arbitrary commands via unknown vectors. | |||||
| CVE-2013-6468 | 1 Redhat | 3 Jboss Bpm Suite, Jboss Drools, Jboss Enterprise Brms Platform | 2014-04-11 | 6.5 MEDIUM | N/A |
| JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression. | |||||
| CVE-2014-1691 | 1 Horde | 1 Horde Application Framework | 2014-04-02 | 7.5 HIGH | N/A |
| The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form. | |||||
| CVE-2013-1777 | 2 Apache, Ibm | 2 Geronimo, Websphere Application Server | 2014-04-01 | 10.0 HIGH | N/A |
| The JMX Remoting functionality in Apache Geronimo 3.x before 3.0.1, as used in IBM WebSphere Application Server (WAS) Community Edition 3.0.0.3 and other products, does not properly implement the RMI classloader, which allows remote attackers to execute arbitrary code by using the JMX connector to send a crafted serialized object. | |||||
| CVE-2014-1979 | 2 Google, Nttdocomo | 2 Android, Spmode Mail Android | 2014-03-20 | 6.8 MEDIUM | N/A |
| The NTT DOCOMO sp mode mail application 5900 through 6300 for Android 4.0.x and 6000 through 6620 for Android 4.1 through 4.4 allows remote attackers to execute arbitrary Java methods via Deco-mail emoticon POP data in an e-mail message. | |||||
| CVE-2013-6943 | 1 Citrix | 1 Netscaler Application Delivery Controller Firmware | 2014-03-11 | 5.0 MEDIUM | N/A |
| Citrix NetScaler Application Delivery Controller (ADC) 9.3.x before 9.3-64.4, 10.0 before 10.0-77.5, and 10.1 before 10.1-118.7 allows remote attackers to conduct an LDAP injection attack via vectors related to SSH and Web management usernames. | |||||