Medium-risk vulnerabilities

Each entry lists the publication date, CVE identifier, risk score, title, description, attack vector, access complexity (where the listing records it), vendor and CWE.

2015-04-05  CVE-2015-0951  Risk 6.5
Permissions, Privileges, and Access Controls vulnerability in Qualiteam X-Cart
X-Cart before 5.1.11 allows remote authenticated users to read or delete address data of arbitrary accounts via a modified (1) update or (2) remove request.
Vector: network | Complexity: low | Vendor: qualiteam | CWE-264

2015-04-05  CVE-2015-0950  Risk 4.3
Cross-site Scripting vulnerability in Qualiteam X-Cart
Cross-site scripting (XSS) vulnerability in admin.php in X-Cart 5.1.6 through 5.1.10 allows remote attackers to inject arbitrary web script or HTML via the substring parameter.
Vector: network | Vendor: qualiteam | CWE-79

2015-04-05  CVE-2015-0529  Risk 5.0
Credentials Management vulnerability in EMC PowerPath Virtual Appliance 1.2
EMC PowerPath Virtual Appliance (aka vApp) before 2.0 has default passwords for the (1) emcupdate and (2) svcuser accounts, which makes it easier for remote attackers to obtain potentially sensitive information via a login session.
Vector: network | Complexity: low | Vendor: emc | CWE-255

2015-04-03  CVE-2015-2841  Risk 5.0
Improper Access Control vulnerability in Citrix NetScaler 10.5
Citrix NetScaler AppFirewall, as used in NetScaler 10.5, allows remote attackers to bypass intended firewall restrictions via a crafted Content-Type header, as demonstrated by the application/octet-stream and text/xml Content-Types.
Vector: network | Complexity: low | Vendor: citrix | CWE-284

2015-04-03  CVE-2015-2840  Risk 4.3
Cross-site Scripting vulnerability in Citrix NetScaler 10.5
Cross-site scripting (XSS) vulnerability in help/rt/large_search.html in Citrix NetScaler before 10.5 build 52.3nc allows remote attackers to inject arbitrary web script or HTML via the searchQuery parameter.
Vector: network | Vendor: citrix | CWE-79

2015-04-03  CVE-2015-2839  Risk 4.3
Cross-site Scripting vulnerability in Citrix NetScaler 10.5
The Nitro API in Citrix NetScaler before 10.5 build 52.3nc uses an incorrect Content-Type when returning an error message, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the file_name JSON member in params/xen_hotfix/0 to nitro/v1/config/xen_hotfix.
Vector: network | Vendor: citrix | CWE-79

2015-04-03  CVE-2015-2838  Risk 6.8
Cross-Site Request Forgery (CSRF) vulnerability in Citrix NetScaler 10.5
Cross-site request forgery (CSRF) vulnerability in the Nitro API in Citrix NetScaler before 10.5 build 52.3nc allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary commands as nsroot via shell metacharacters in the file_name JSON member in params/xen_hotfix/0 to nitro/v1/config/xen_hotfix.
Vector: network | Vendor: citrix | CWE-352

2015-04-03  CVE-2015-0995  Risk 5.0
Credentials Management vulnerability in Inductive Automation Ignition 7.7.2
Inductive Automation Ignition 7.7.2 uses MD5 password hashes, which makes it easier for context-dependent attackers to obtain access via a brute-force attack.
Vector: network | Complexity: low | Vendor: inductiveautomation | CWE-255

2015-04-03  CVE-2015-0994  Risk 4.0
7PK - Security Features vulnerability in Inductive Automation Ignition 7.7.2
Inductive Automation Ignition 7.7.2 allows remote authenticated users to bypass a brute-force protection mechanism by using different session ID values in a series of HTTP requests.
Vector: network | Complexity: low | Vendor: inductiveautomation | CWE-254

2015-04-03  CVE-2015-0993  Risk 6.4
7PK - Security Features vulnerability in Inductive Automation Ignition 7.7.2
Inductive Automation Ignition 7.7.2 does not terminate a session upon a logout action, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.
Vector: network | Complexity: low | Vendor: inductiveautomation | CWE-254