Latest CVE Feed

The following is a list of the most recently published vulnerabilities. You can filter the list by the severity of the vulnerability, by whether it is actively exploited (also known as the CISA KEV list), or by whether it is remotely exploitable. You can also sort the list by published date, last updated date, or CVSS score.
  • 6.8

    MEDIUM
    CVE-2011-4953

    The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet.

    Affected Products : cobbler cobbler
    • Published: Oct. 27, 2014
    • Modified: Apr. 12, 2025
  • 7.5

    HIGH
    CVE-2011-4104

    The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.

    Affected Products : tastypie
    • Published: Oct. 27, 2014
    • Modified: Apr. 12, 2025
  • 7.5

    HIGH
    CVE-2011-4103

    emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method.

    Affected Products : piston
    • Published: Oct. 27, 2014
    • Modified: Apr. 12, 2025
  • 4.4

    MEDIUM
    CVE-2010-4820

    Untrusted search path vulnerability in Ghostscript 8.62 allows local users to execute arbitrary PostScript code via a Trojan horse Postscript library file in Encoding/ under the current working directory, a different vulnerability than CVE-2010-2055.

    Affected Products : ghostscript
    • Published: Oct. 27, 2014
    • Modified: Apr. 12, 2025
  • 4.3

    MEDIUM
    CVE-2014-6635

    Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.0 allows remote attackers to inject arbitrary web script or HTML via the src parameter in the search action to index.php.

    Affected Products : exponent_cms
    • Published: Oct. 26, 2014
    • Modified: Apr. 12, 2025
  • 7.5

    HIGH
    CVE-2014-5520

    SQL injection vulnerability in XRMS CRM, possibly 1.99.2, allows remote attackers to execute arbitrary SQL commands via the user_id parameter to plugins/webform/new-form.php, which is not properly handled by plugins/useradmin/fingeruser.php.

    Affected Products : xrms_crm
    • Published: Oct. 26, 2014
    • Modified: Apr. 12, 2025
  • 4.6

    MEDIUM
    CVE-2014-5148

    Xen 4.4.x, when running on an ARM system and "handling an unknown system register access from 64-bit userspace," returns to an instruction of the trap handler for kernel space faults instead of an instruction that is associated with faults in 64-bit users...

    Affected Products : xen xen
    • Published: Oct. 26, 2014
    • Modified: Apr. 12, 2025
  • 6.5

    MEDIUM
    CVE-2014-3520

    OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token...

    Affected Products : keystone
    • Published: Oct. 26, 2014
    • Modified: Apr. 12, 2025
  • 7.5

    HIGH
    CVE-2013-7408

    F5 BIG-IP Analytics 11.x before 11.4.0 uses a predictable session cookie, which makes it easier for remote attackers to have unspecified impact by guessing the value.

    Affected Products : big-ip_analytics
    • Published: Oct. 26, 2014
    • Modified: Apr. 12, 2025
  • 5.0

    MEDIUM
    CVE-2013-6796

    The SMTP server in DeepOfix 3.3 and earlier allows remote attackers to bypass authentication via an empty password, which triggers an LDAP anonymous bind.

    Affected Products : deepofix
    • Published: Oct. 26, 2014
    • Modified: Apr. 12, 2025
  • 7.5

    HIGH
    CVE-2014-6037

    Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot ...

    Affected Products : manageengine_eventlog_analyzer
    • Published: Oct. 26, 2014
    • Modified: Apr. 12, 2025
  • 2.1

    LOW
    CVE-2014-6133

    IBM API Management 3.x before 3.0.1.0 allows local users to obtain sensitive ciphertext information via unspecified vectors.

    Affected Products : api_management
    • Published: Oct. 26, 2014
    • Modified: Apr. 12, 2025
  • 5.0

    MEDIUM
    CVE-2014-6099

    The Change Password feature in IBM Sterling B2B Integrator 5.2.x through 5.2.4 does not have a lockout protection mechanism for invalid login requests, which makes it easier for remote attackers to obtain admin access via a brute-force approach.

    Affected Products : sterling_b2b_integrator
    • Published: Oct. 26, 2014
    • Modified: Apr. 12, 2025
  • 1.8

    LOW
    CVE-2014-4812

    The installer in IBM Security AppScan Source 8.x and 9.x through 9.0.1 has an open network port for a debug service, which allows remote attackers to obtain sensitive information by connecting to this port.

    Affected Products : security_appscan_source
    • Published: Oct. 26, 2014
    • Modified: Apr. 12, 2025
  • 6.8

    MEDIUM
    CVE-2014-2987

    Multiple cross-site request forgery (CSRF) vulnerabilities in EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allow remote attackers to hijack the authentication o...

    Affected Products : egroupware
    • Published: Oct. 26, 2014
    • Modified: Apr. 12, 2025
  • 7.8

    HIGH
    CVE-2013-1641

    Directory traversal vulnerability in the zip download functionality in QuiXplorer before 2.5.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the selitems[] parameter in a download_selected action to index.php.

    Affected Products : quixplorer
    • Published: Oct. 26, 2014
    • Modified: Apr. 12, 2025
  • 6.8

    MEDIUM
    CVE-2014-3137

    Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Conten...

    Affected Products : bottle
    • Published: Oct. 25, 2014
    • Modified: Apr. 12, 2025
  • 3.7

    LOW
    CVE-2014-0476

    The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

    Affected Products : ubuntu_linux chkrootkit
    • Published: Oct. 25, 2014
    • Modified: Apr. 12, 2025
  • 4.3

    MEDIUM
    CVE-2013-4594

    The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

    Affected Products : payment_for_webform
    • Published: Oct. 25, 2014
    • Modified: Apr. 12, 2025
  • 6.8

    MEDIUM
    CVE-2014-5075

    The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which...

    Affected Products : jboss_fuse smack smack_api
    • Published: Oct. 25, 2014
    • Modified: Apr. 12, 2025
Showing 20 of 294129 Results