Vulnerabilities > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2016-04-12 | CVE-2015-8537 | Information Exposure vulnerability in multiple products app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote attackers to obtain sensitive information by viewing an Atom feed. | 5.0 |
| 2016-04-12 | CVE-2015-8474 | Open Redirection vulnerability in Redmine Open redirect vulnerability in the valid_back_url function in app/controllers/application_controller.rb in Redmine before 2.6.7, 3.0.x before 3.0.5, and 3.1.x before 3.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted back_url parameter, as demonstrated by "@attacker.com," a different vulnerability than CVE-2014-1985. | 5.8 |
| 2016-04-12 | CVE-2015-8473 | Information Exposure vulnerability in multiple products The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects. | 4.0 |
| 2016-04-12 | CVE-2015-8346 | Information Management Errors vulnerability in multiple products app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote attackers to obtain sensitive information about subjects of issues by viewing the time logging form. | 5.0 |
| 2016-04-12 | CVE-2015-8021 | Improper Access Control vulnerability in F5 products Incomplete blacklist vulnerability in the Configuration utility in F5 BIG-IP LTM, Analytics, APM, ASM, GTM, Link Controller, and PSM 11.x before 11.2.1 HF11, 11.3.x, 11.4.0 before HF8, and 11.4.1 before HF6; BIG-IP AAM 11.4.0 before HF8 and 11.4.1 before HF6; BIG-IP AFM and PEM 11.3.x, 11.4.0 before HF8, and 11.4.1 before HF6; and BIG-IP Edge Gateway, WebAccelerator, and WOM 11.x before 11.2.1 HF11 and 11.3.0 allows remote authenticated users to upload files via uploadImage.php. | 4.0 |
| 2016-04-12 | CVE-2015-5167 | Permissions, Privileges, and Access Controls vulnerability in Apache Ranger 0.4.0/0.4.1/0.5.0 The Policy Admin Tool in Apache Ranger before 0.5.1 allows remote authenticated users to bypass intended access restrictions via the REST API. | 6.5 |
| 2016-04-12 | CVE-2015-3268 | Cross-site Scripting vulnerability in Apache Ofbiz Cross-site scripting (XSS) vulnerability in the DisplayEntityField.getDescription method in ModelFormField.java in Apache OFBiz before 12.04.06 and 13.07.x before 13.07.03 allows remote attackers to inject arbitrary web script or HTML via the description attribute of a display-entity element. | 4.3 |
| 2016-04-12 | CVE-2016-1885 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Freebsd 10.1/10.2/9.3 Integer signedness error in the amd64_set_ldt function in sys/amd64/amd64/sys_machdep.c in FreeBSD 9.3 before p39, 10.1 before p31, and 10.2 before p14 allows local users to cause a denial of service (kernel panic) via an i386_set_ldt system call, which triggers a heap-based buffer overflow. | 4.9 |
| 2016-04-12 | CVE-2015-8108 | 7PK - Security Features vulnerability in Lenovo EMC Firmware 4.1.204.33661 The management interface in LenovoEMC EZ Media & Backup (hm3), ix2/ix2-dl, ix4-300d, px12-400r/450r, px6-300d, px2-300d, px4-300r, px4-400d, px4-400r, and px4-300d NAS devices with firmware before 4.1.204.33661 allows remote attackers to obtain sensitive device information via unspecified vectors. | 5.0 |
| 2016-04-11 | CVE-2015-8604 | SQL Injection vulnerability in Cacti SQL injection vulnerability in the host_new_graphs function in graphs_new.php in Cacti 0.8.8f and earlier allows remote authenticated users to execute arbitrary SQL commands via the cg_g parameter in a save action. | 6.5 |