Vulnerabilities (CVE)

Filtered by CWE-94
Total 6503 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2014-2720 1 Izarc 1 Izarc 2026-06-17 6.8 MEDIUM N/A
IZArc 4.1.8 displays a file's name on the basis of a ZIP archive's Central Directory entry, but launches this file on the basis of a ZIP archive's local file header, which allows user-assisted remote attackers to conduct file-extension spoofing attacks via a modified Central Directory, as demonstrated by unintended code execution prompted by a .jpg extension in the Central Directory and a .exe extension in the local file header.
CVE-2014-2639 1 Hp 1 Mpio Device Specific Module Manager 2026-06-17 4.6 MEDIUM N/A
Unspecified vulnerability in HP MPIO Device Specific Module Manager before 4.02.00 allows local users to gain privileges via unknown vectors.
CVE-2014-2558 1 Skyphe 1 File-gallery 2026-06-17 6.5 MEDIUM N/A
The File Gallery plugin before 1.7.9.2 for WordPress does not properly escape strings, which allows remote administrators to execute arbitrary PHP code via a \' (backslash quote) in the setting fields to /wp-admin/options-media.php, related to the create_function function.
CVE-2014-2378 1 Sensysnetworks 4 Trafficdot, Vds, Vsn240-f and 1 more 2026-06-17 6.5 MEDIUM N/A
Sensys Networks VSN240-F and VSN240-T sensors VDS before 2.10.1 and TrafficDOT before 2.10.3 do not verify the integrity of downloaded updates, which allows remote attackers to execute arbitrary code via a Trojan horse update.
CVE-2014-2331 1 Check Mk Project 1 Check Mk 2026-06-17 8.5 HIGH N/A
Check_MK 1.2.2p2, 1.2.2p3, and 1.2.3i5 allows remote authenticated users to execute arbitrary Python code via a crafted rules.mk file in a snapshot. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2330.
CVE-2014-2302 1 Webedition 1 Webedition Cms 2026-06-17 7.5 HIGH 9.8 CRITICAL
The installer script in webEdition CMS before 6.2.7-s1 and 6.3.x before 6.3.8-s1 allows remote attackers to conduct PHP Object Injection attacks by intercepting a request to update.webedition.org.
CVE-2014-2293 1 Zikula 1 Zikula Application Framework 2026-06-17 7.5 HIGH 9.8 CRITICAL
Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentication_method_ser or (2) authentication_info_ser parameter to index.php, or (3) zikulaMobileTheme parameter to index.php.
CVE-2014-2223 1 Plogger 1 Plogger 2026-06-17 7.5 HIGH N/A
Unrestricted file upload vulnerability in plog-admin/plog-upload.php in Plogger 1.0 RC1 and earlier allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file and a non-zero length PNG file, then accessing the PHP file via a direct request to it in plog-content/uploads/archive/.
CVE-2014-2208 1 Facebook 1 Hiphop Virtual Machine 2026-06-17 7.5 HIGH N/A
CRLF injection vulnerability in the LightProcess protocol implementation in hphp/util/light-process.cpp in Facebook HipHop Virtual Machine (HHVM) before 2.4.2 allows remote attackers to execute arbitrary commands by entering a \n (newline) character before the end of a string.
CVE-2014-2196 1 Cisco 1 Wide Area Application Services 2026-06-17 9.3 HIGH N/A
Cisco Wide Area Application Services (WAAS) 5.1.1 before 5.1.1e, when SharePoint prefetch optimization is enabled, allows remote SharePoint servers to execute arbitrary code via a malformed response, aka Bug ID CSCue18479.
CVE-2014-2177 1 Cisco 7 Rv120w, Rv120w Firmware, Rv180 and 4 more 2026-06-17 9.0 HIGH N/A
The network-diagnostics administration interface in the Cisco RV router firmware on RV220W devices, before 1.0.5.9 on RV120W devices, and before 1.0.4.14 on RV180 and RV180W devices allows remote authenticated users to execute arbitrary commands via a crafted HTTP request, aka Bug ID CSCuh87126.
CVE-2014-2170 1 Cisco 2 Telepresence Tc Software, Telepresence Te Software 2026-06-17 9.0 HIGH N/A
Cisco TelePresence TC Software 4.x and 5.x before 5.1.7 and 6.x before 6.0.1 and TE Software 4.x and 6.0 allow remote authenticated users to execute arbitrary commands by using the commands as arguments to tshell (aka tcsh) scripts, aka Bug ID CSCue60202.
CVE-2014-2089 1 Ilias 1 Ilias 2026-06-17 6.8 MEDIUM N/A
ILIAS 4.4.1 allows remote attackers to execute arbitrary PHP code via an e-mail attachment that leads to creation of a .php file with a certain client_id pathname.
CVE-2014-2051 1 Owncloud 1 Owncloud Server 2026-06-17 7.5 HIGH N/A
ownCloud Server before 5.0.15 and 6.0.x before 6.0.2 allows remote attackers to conduct an LDAP injection attack via unspecified vectors, as demonstrated using a "login query."
CVE-2014-2044 1 Owncloud 2 Owncloud, Owncloud Server 2026-06-17 7.5 HIGH N/A
Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program.
CVE-2014-2027 1 Egroupware 1 Egroupware 2026-06-17 7.5 HIGH N/A
eGroupware before 1.8.006.20140217 allows remote attackers to conduct PHP object injection attacks, delete arbitrary files, and possibly execute arbitrary code via the (1) addr_fields or (2) trans parameter to addressbook/csv_import.php, (3) cal_fields or (4) trans parameter to calendar/csv_import.php, (5) info_fields or (6) trans parameter to csv_import.php in (a) projectmanager/ or (b) infolog/, or (7) processed parameter to preferences/inc/class.uiaclprefs.inc.php.
CVE-2014-1999 1 Fuelphp 1 Fuelphp 2026-06-17 7.5 HIGH N/A
The auto-format feature in the Request_Curl class in FuelPHP 1.1 through 1.7.1 allows remote attackers to execute arbitrary code via a crafted response.
CVE-2014-1979 2 Google, Nttdocomo 2 Android, Spmode Mail Android 2026-06-17 6.8 MEDIUM N/A
The NTT DOCOMO sp mode mail application 5900 through 6300 for Android 4.0.x and 6000 through 6620 for Android 4.1 through 4.4 allows remote attackers to execute arbitrary Java methods via Deco-mail emoticon POP data in an e-mail message.
CVE-2014-1939 2 Google, Lenovo 2 Android, Shareit 2026-06-17 7.5 HIGH N/A
java/android/webkit/BrowserFrame.java in Android before 4.4 uses the addJavascriptInterface API in conjunction with creating an object of the SearchBoxImpl class, which allows attackers to execute arbitrary Java code by leveraging access to the searchBoxJavaBridge_ interface at certain Android API levels.
CVE-2014-1824 1 Microsoft 8 Windows 7, Windows 8, Windows 8.1 and 5 more 2026-06-17 9.3 HIGH N/A
Windows Journal in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted Journal (aka .JNT) file, aka "Windows Journal Remote Code Execution Vulnerability."