Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 4.3

    MEDIUM
    CVE-2014-9174

    Cross-site scripting (XSS) vulnerability in the Google Analytics by Yoast (google-analytics-for-wordpress) plugin before 5.1.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "Manually enter your UA code" (manual_ua_co... Read more

    Affected Products : google_analytics
    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 7.5

    HIGH
    CVE-2014-9173

    SQL injection vulnerability in view.php in the Google Doc Embedder plugin before 2.5.15 for WordPress allows remote attackers to execute arbitrary SQL commands via the gpid parameter.... Read more

    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 5.0

    MEDIUM
    CVE-2014-9116

    The write_one_header function in mutt 1.5.23 does not properly handle newline characters at the beginning of a header, which allows remote attackers to cause a denial of service (crash) via a header with an empty body, which triggers a heap-based buffer o... Read more

    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 7.2

    HIGH
    CVE-2014-9113

    CCH Wolters Kluwer ProSystem fx Engagement (aka PFX Engagement) 7.1 and earlier uses weak permissions (Authenticated Users: Modify and Write) for the (1) Pfx.Engagement.WcfServices, (2) PFXEngDesktopService, (3) PFXSYNPFTService, and (4) P2EWinService ser... Read more

    Affected Products : prosystem_fx_engagement
    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 5.0

    MEDIUM
    CVE-2014-9112

    Heap-based buffer overflow in the process_copy_in function in GNU Cpio 2.11 allows remote attackers to cause a denial of service via a large block value in a cpio archive.... Read more

    Affected Products : debian_linux cpio
    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 5.0

    MEDIUM
    CVE-2014-8874

    The ke_questionnaire extension 2.5.2 and earlier for TYPO3 uses predictable names for the questionnaire answer forms, which makes it easier for remote attackers to obtain sensitive information via a direct request.... Read more

    Affected Products : ke_questionnaire
    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 6.5

    MEDIUM
    CVE-2014-8789

    GleamTech FileVista before 6.1 allows remote authenticated users to create arbitrary files and possibly execute arbitrary code via a crafted path in a zip archive, which is not properly handled during extraction.... Read more

    Affected Products : filevista
    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 4.0

    MEDIUM
    CVE-2014-8788

    GleamTech FileVista before 6.1 allows remote authenticated users to obtain sensitive information via a crafted path when saving a zip file, which reveals the installation path in an error message.... Read more

    Affected Products : filevista
    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 5.8

    MEDIUM
    CVE-2014-8754

    Open redirect vulnerability in track-click.php in the Ad-Manager plugin 1.1.2 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the out parameter.... Read more

    Affected Products : ad-manager
    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 7.5

    HIGH
    CVE-2014-8728

    SQL injection vulnerability in the login page (login/login) in Subex ROC Fraud Management (aka Fraud Management System and FMS) 7.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ranger_user[name] parameter.... Read more

    Affected Products : roc_fraud_management_system
    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 6.0

    MEDIUM
    CVE-2014-8791

    project/register.php in Tuleap before 7.7, when sys_create_project_in_one_step is disabled, allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via the data parameter.... Read more

    Affected Products : tuleap
    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 7.2

    HIGH
    CVE-2014-5284

    host-deny.sh in OSSEC before 2.8.1 writes to temporary files with predictable filenames without verifying ownership, which allows local users to modify access restrictions in hosts.deny and gain root privileges by creating the temporary files before autom... Read more

    Affected Products : ossec
    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 5.0

    MEDIUM
    CVE-2014-3703

    OpenStack PackStack 2012.2.1, when the Open vSwitch (OVS) monolithic plug-in is not used, does not properly set the libvirt_vif_driver configuration option when generating the nova.conf configuration, which causes the firewall to be disabled and allows re... Read more

    Affected Products : packstack
    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 6.4

    MEDIUM
    CVE-2014-3068

    IBM Java Runtime Environment (JRE) 7 R1 before SR1 FP1 (7.1.1.1), 7 before SR7 FP1 (7.0.7.1), 6 R1 before SR8 FP1 (6.1.8.1), 6 before SR16 FP1 (6.0.16.1), and before 5.0 SR16 FP7 (5.0.16.7) allows attackers to obtain the private key from a Certificate Man... Read more

    Affected Products : java
    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 6.9

    MEDIUM
    CVE-2014-3065

    Unspecified vulnerability in IBM Java Runtime Environment (JRE) 7 R1 before SR2 (7.1.2.0), 7 before SR8 (7.0.8.0), 6 R1 before SR8 FP2 (6.1.8.2), 6 before SR16 FP2 (6.0.16.2), and before SR16 FP8 (5.0.16.8) allows local users to execute arbitrary code via... Read more

    Affected Products : java
    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 2.1

    LOW
    CVE-2013-6494

    fedup 0.9.0 in Fedora 19, 20, and 21 uses a temporary directory with a static name for its download cache, which allows local users to cause a denial of service (prevention of system updates).... Read more

    Affected Products : fedora fedup
    • Published: Dec. 02, 2014
    • Modified: Apr. 12, 2025

  • 4.0

    MEDIUM
    CVE-2014-9156

    The FileField module 6.x-3.x before 6.x-3.13 for Drupal does not properly check permissions to view files, which allows remote authenticated users with permission to create or edit content to read private files by attaching an uploaded file.... Read more

    Affected Products : filefield
    • Published: Dec. 01, 2014
    • Modified: Apr. 12, 2025

  • 4.0

    MEDIUM
    CVE-2014-9155

    Directory traversal vulnerability in the Avatar Uploader module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.0-beta6 for Drupal allows remote authenticated users to read arbitrary files via a .. (dot dot) in the path of a cropped picture in the uploade... Read more

    Affected Products : avatar_uploader
    • Published: Dec. 01, 2014
    • Modified: Apr. 12, 2025

  • 4.0

    MEDIUM
    CVE-2014-9154

    The Notify module 7.x-1.x before 7.x-1.1 for Drupal does not properly restrict access to (1) new or (2) modified nodes or (3) their fields, which allows remote authenticated users to obtain node titles, teasers, and fields by reading a notification email.... Read more

    Affected Products : notify
    • Published: Dec. 01, 2014
    • Modified: Apr. 12, 2025

  • 4.3

    MEDIUM
    CVE-2014-9153

    Cross-site scripting (XSS) vulnerability in the Services module 7.x-3.x before 7.x-3.10 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the callback parameter in a JSONP response.... Read more

    Affected Products : services
    • Published: Dec. 01, 2014
    • Modified: Apr. 12, 2025
Showing 20 of 293634 Results