Weekly Vulnerabilities Reports > February 9 to 15, 2015
Overview
124 new vulnerabilities reported during this period, including 38 critical vulnerabilities and 15 high severity vulnerabilities. This weekly summary report vulnerabilities in 89 products from 45 vendors including Microsoft, Cisco, IBM, Redhat, and Opensuse. Vulnerabilities are notably categorized as "Resource Management Errors", "Permissions, Privileges, and Access Controls", "Cross-site Scripting", "Information Exposure", and "Cross-Site Request Forgery (CSRF)".
- 104 reported vulnerabilities are remotely exploitables.
- 9 reported vulnerabilities have public exploit available.
- 21 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 112 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 56 reported vulnerabilities.
- Microsoft has the most reported critical vulnerabilities, with 36 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
38 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-02-13 | CVE-2014-8385 | Advantech | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Advantech Eki-1200 Gateway Series Firmware Buffer overflow on Advantech EKI-1200 gateways with firmware before 1.63 allows remote attackers to execute arbitrary code via unspecified vectors. | 10.0 |
2015-02-11 | CVE-2015-0068 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 10/11 Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0027, CVE-2015-0035, CVE-2015-0039, and CVE-2015-0052. | 9.3 |
2015-02-11 | CVE-2015-0067 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 9.3 |
2015-02-11 | CVE-2015-0066 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 11 Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0018, CVE-2015-0037, and CVE-2015-0040. | 9.3 |
2015-02-11 | CVE-2015-0065 | Microsoft | Resource Management Errors vulnerability in Microsoft Word 2007 Microsoft Word 2007 SP3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "OneTableDocumentStream Remote Code Execution Vulnerability." | 9.3 |
2015-02-11 | CVE-2015-0064 | Microsoft | Resource Management Errors vulnerability in Microsoft products Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word Automation Services in SharePoint Server 2010, Web Applications 2010 SP2, Word Viewer, and Office Compatibility Pack SP3 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Office document, aka "Office Remote Code Execution Vulnerability." | 9.3 |
2015-02-11 | CVE-2015-0053 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 6/7/8 Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0045. | 9.3 |
2015-02-11 | CVE-2015-0052 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 10/11 Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0027, CVE-2015-0035, CVE-2015-0039, and CVE-2015-0068. | 9.3 |
2015-02-11 | CVE-2015-0050 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 8/9 Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-8967 and CVE-2015-0044. | 9.3 |
2015-02-11 | CVE-2015-0049 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 10/8 Microsoft Internet Explorer 8 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 9.3 |
2015-02-11 | CVE-2015-0048 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 9 Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0028. | 9.3 |
2015-02-11 | CVE-2015-0046 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 10/11/9 Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0038 and CVE-2015-0042. | 9.3 |
2015-02-11 | CVE-2015-0045 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 6/7/8 Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0053. | 9.3 |
2015-02-11 | CVE-2015-0044 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 8/9 Microsoft Internet Explorer 8 and 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-8967 and CVE-2015-0050. | 9.3 |
2015-02-11 | CVE-2015-0043 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 9.3 |
2015-02-11 | CVE-2015-0042 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 10/11/9 Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0038 and CVE-2015-0046. | 9.3 |
2015-02-11 | CVE-2015-0041 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0017, CVE-2015-0020, CVE-2015-0022, CVE-2015-0026, CVE-2015-0030, CVE-2015-0031, and CVE-2015-0036. | 9.3 |
2015-02-11 | CVE-2015-0040 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 11 Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0018, CVE-2015-0037, and CVE-2015-0066. | 9.3 |
2015-02-11 | CVE-2015-0039 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 10/11 Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0027, CVE-2015-0035, CVE-2015-0052, and CVE-2015-0068. | 9.3 |
2015-02-11 | CVE-2015-0038 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 10/11/9 Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0042 and CVE-2015-0046. | 9.3 |
2015-02-11 | CVE-2015-0037 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 11 Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0018, CVE-2015-0040, and CVE-2015-0066. | 9.3 |
2015-02-11 | CVE-2015-0036 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0017, CVE-2015-0020, CVE-2015-0022, CVE-2015-0026, CVE-2015-0030, CVE-2015-0031, and CVE-2015-0041. | 9.3 |
2015-02-11 | CVE-2015-0035 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 10/11 Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0027, CVE-2015-0039, CVE-2015-0052, and CVE-2015-0068. | 9.3 |
2015-02-11 | CVE-2015-0031 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0017, CVE-2015-0020, CVE-2015-0022, CVE-2015-0026, CVE-2015-0030, CVE-2015-0036, and CVE-2015-0041. | 9.3 |
2015-02-11 | CVE-2015-0030 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0017, CVE-2015-0020, CVE-2015-0022, CVE-2015-0026, CVE-2015-0031, CVE-2015-0036, and CVE-2015-0041. | 9.3 |
2015-02-11 | CVE-2015-0029 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 6/7/8 Microsoft Internet Explorer 6 and 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 9.3 |
2015-02-11 | CVE-2015-0028 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 9 Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0048. | 9.3 |
2015-02-11 | CVE-2015-0027 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 10/11 Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0035, CVE-2015-0039, CVE-2015-0052, and CVE-2015-0068. | 9.3 |
2015-02-11 | CVE-2015-0026 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0017, CVE-2015-0020, CVE-2015-0022, CVE-2015-0030, CVE-2015-0031, CVE-2015-0036, and CVE-2015-0041. | 9.3 |
2015-02-11 | CVE-2015-0025 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 10 Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0023. | 9.3 |
2015-02-11 | CVE-2015-0023 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 10 Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0025. | 9.3 |
2015-02-11 | CVE-2015-0022 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0017, CVE-2015-0020, CVE-2015-0026, CVE-2015-0030, CVE-2015-0031, CVE-2015-0036, and CVE-2015-0041. | 9.3 |
2015-02-11 | CVE-2015-0021 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 9.3 |
2015-02-11 | CVE-2015-0020 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0017, CVE-2015-0022, CVE-2015-0026, CVE-2015-0030, CVE-2015-0031, CVE-2015-0036, and CVE-2015-0041. | 9.3 |
2015-02-11 | CVE-2015-0019 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 10/9 Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 9.3 |
2015-02-11 | CVE-2015-0018 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 11 Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0037, CVE-2015-0040, and CVE-2015-0066. | 9.3 |
2015-02-11 | CVE-2015-0017 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0020, CVE-2015-0022, CVE-2015-0026, CVE-2015-0030, CVE-2015-0031, CVE-2015-0036, and CVE-2015-0041. | 9.3 |
2015-02-14 | CVE-2015-0518 | EMC | Permissions, Privileges, and Access Controls vulnerability in EMC Documentum D2 The Properties service in the D2FS web-service component in EMC Documentum D2 3.1 through SP1, 4.0 and 4.1 before 4.1 P22, and 4.2 before P11 allows remote authenticated users to obtain superuser privileges via an unspecified method call that modifies group permissions. | 9.0 |
15 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-02-11 | CVE-2015-0008 | Microsoft | Improper Access Control vulnerability in Microsoft products The UNC implementation in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not include authentication from the server to the client, which allows remote attackers to execute arbitrary code by making crafted data available on a UNC share, as demonstrated by Group Policy data from a spoofed domain controller, aka "Group Policy Remote Code Execution Vulnerability." | 8.3 |
2015-02-13 | CVE-2014-6154 | IBM Linux Microsoft | Path Traversal vulnerability in IBM Optim Performance Manager 4.1.1/4.1.1.1/5.1.0 Directory traversal vulnerability in IBM Optim Performance Manager for DB2 4.1.0.1 through 4.1.1 on Linux, UNIX, and Windows and IBM InfoSphere Optim Performance Manager for DB2 5.1 through 5.3.1 on Linux, UNIX, and Windows allows remote attackers to access arbitrary files via a .. | 7.8 |
2015-02-12 | CVE-2015-0592 | Cisco | Resource Management Errors vulnerability in Cisco IOS The Zone-Based Firewall implementation in Cisco IOS 15.4(2)T3 and earlier allows remote attackers to cause a denial of service (device reload) via crafted network traffic that triggers incorrect kernel-timer handling, aka Bug ID CSCuh25672. | 7.8 |
2015-02-12 | CVE-2015-1471 | Pragyan CMS Project | SQL Injection vulnerability in Pragyan CMS Project Pragyan CMS 3.0 SQL injection vulnerability in userprofile.lib.php in Pragyan CMS 3.0 allows remote attackers to execute arbitrary SQL commands via the user parameter to the default URI. | 7.5 |
2015-02-11 | CVE-2015-1576 | Yuba | SQL Injection vulnerability in Yuba U5Cms 3.9.3 Multiple SQL injection vulnerabilities in u5CMS before 3.9.4 allow remote attackers to execute arbitrary SQL commands via the name parameter to (1) copy2.php, (2) localize.php, (3) metai.php, (4) nc.php, (5) new2.php, or (6) rename2.php in u5admin/; (7) c parameter to u5admin/editor.php; (8) typ parameter to u5admin/meta2.php; or (9) newname parameter to u5admin/rename2.php. | 7.5 |
2015-02-11 | CVE-2015-1518 | Redaxscript | SQL Injection vulnerability in Redaxscript 2.2.0 SQL injection vulnerability in the search_post function in includes/search.php in Redaxscript before 2.3.0 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter. | 7.5 |
2015-02-11 | CVE-2015-1172 | Holding Pattern Project | Arbitrary File Upload vulnerability in Holding Pattern Project Holding Pattern 0.6 Unrestricted file upload vulnerability in admin/upload-file.php in the Holding Pattern theme (aka holding_pattern) 0.6 and earlier for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in an unspecified directory. | 7.5 |
2015-02-10 | CVE-2015-1169 | Apereo | Injection vulnerability in Apereo Central Authentication Service Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP injection attacks via a crafted username, as demonstrated by using a wildcard and a valid password to bypass LDAP authentication. | 7.5 |
2015-02-10 | CVE-2015-1031 | Privoxy | Use After Free Remote Code Execution vulnerability in Privoxy Multiple use-after-free vulnerabilities in Privoxy before 3.0.22 allow remote attackers to have unspecified impact via vectors related to (1) the unmap function in list.c or (2) "two additional unconfirmed use-after-free complaints made by Coverity scan." NOTE: some of these details are obtained from third party information. | 7.5 |
2015-02-13 | CVE-2014-6185 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM Tivoli Storage Manager dsmtca in the client in IBM Tivoli Storage Manager (TSM) 6.3 before 6.3.2.3, 6.4 before 6.4.2.2, and 7.1 before 7.1.1.3 does not properly restrict shared-library loading, which allows local users to gain privileges via a crafted DSO file. | 7.2 |
2015-02-11 | CVE-2015-0062 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft products Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow local users to gain privileges via a crafted application that leverages incorrect impersonation handling in a process that uses the SeAssignPrimaryTokenPrivilege privilege, aka "Windows Create Process Elevation of Privilege Vulnerability." | 7.2 |
2015-02-11 | CVE-2015-0058 | Microsoft | Double Free vulnerability in Microsoft Windows 8.1, Windows RT 8.1 and Windows Server 2012 Double free vulnerability in win32k.sys in the kernel-mode drivers in Microsoft Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1 allows local users to gain privileges via a crafted application, aka "Windows Cursor Object Double Free Vulnerability." | 7.2 |
2015-02-11 | CVE-2015-0057 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft products win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability." | 7.2 |
2015-02-13 | CVE-2015-0593 | Cisco | Resource Management Errors vulnerability in Cisco IOS 15.4(1.12)T/15.4(1.19)T The Zone-Based Firewall implementation in Cisco IOS 12.4(122)T and earlier does not properly manage session-object structures, which allows remote attackers to cause a denial of service (device reload) via crafted network traffic, aka Bug ID CSCul65003. | 7.1 |
2015-02-12 | CVE-2015-0608 | Cisco | Race Condition vulnerability in Cisco IOS Race condition in the Measurement, Aggregation, and Correlation Engine (MACE) implementation in Cisco IOS 15.4(2)T3 and earlier allows remote attackers to cause a denial of service (device reload) via crafted network traffic that triggers improper handling of the timing of process switching and Cisco Express Forwarding (CEF) switching, aka Bug ID CSCul48736. | 7.1 |
59 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-02-13 | CVE-2014-4813 | IBM Linux | Race Condition vulnerability in IBM Tivoli Storage Manager Race condition in the client in IBM Tivoli Storage Manager (TSM) 5.4.0.0 through 5.4.3.6, 5.5.0.0 through 5.5.4.3, 6.1.0.0 through 6.1.5.6, 6.2 before 6.2.5.4, 6.3 before 6.3.2.3, 6.4 before 6.4.2.1, and 7.1 before 7.1.1 on UNIX and Linux allows local users to obtain root privileges via unspecified vectors. | 6.9 |
2015-02-11 | CVE-2015-0059 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft products win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted TrueType font, aka "TrueType Font Parsing Remote Code Execution Vulnerability." | 6.9 |
2015-02-11 | CVE-2015-0012 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft Virtual Machine Manager 2012 Microsoft System Center Virtual Machine Manager (VMM) 2012 R2 Update Rollup 4 does not properly validate the roles of users, which allows local users to obtain server and virtual-machine administrative privileges by establishing a server session with Active Directory credentials, aka "Virtual Machine Manager Elevation of Privilege Vulnerability." | 6.9 |
2015-02-11 | CVE-2015-0003 | Microsoft | NULL Pointer Dereference vulnerability in Microsoft products win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges or cause a denial of service (NULL pointer dereference) via a crafted application, aka "Win32k Elevation of Privilege Vulnerability." | 6.9 |
2015-02-14 | CVE-2015-0931 | Ektron | Injection vulnerability in Ektron Content Management System 8.5.0/8.7.0/8.9.0 Ektron Content Management System (CMS) 8.5 and 8.7 before 8.7sp2 and 9.0 before sp1, when the Saxon XSLT parser is used, allows remote attackers to execute arbitrary code via a crafted XSLT document, related to a "resource injection" issue. | 6.8 |
2015-02-12 | CVE-2014-2152 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Prime Infrastructure Cross-site request forgery (CSRF) vulnerability in the INSERT page in Cisco Prime Infrastructure (PI) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCun21868. | 6.8 |
2015-02-11 | CVE-2015-1581 | Mobile Domain Project | Cross-Site Request Forgery (CSRF) vulnerability in Mobile Domain Project Mobile Domain 1.5.2 Multiple cross-site request forgery (CSRF) vulnerabilities in the Mobile Domain plugin 1.5.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (XSS) attacks via the (2) domain, (3) text, (4) font, (5) fontcolor, (6) color, or (7) padding parameter in an add-domain action in the mobile-domain page to wp-admin/options-general.php. | 6.8 |
2015-02-11 | CVE-2015-1580 | Redirection Project | Cross-Site Request Forgery (CSRF) vulnerability in Redirection Project Redirection 1.2 Multiple cross-site request forgery (CSRF) vulnerabilities in the Redirection Page plugin 1.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (XSS) attacks via the (2) source or (3) redir parameter in an add action in the redirection-page to wp-admin/options-general.php. | 6.8 |
2015-02-10 | CVE-2015-1559 | Epignosis | Cross-Site Request Forgery (CSRF) vulnerability in Epignosis Efront 3.6.15.2 Multiple cross-site request forgery (CSRF) vulnerabilities in administrator.php in Epignosis eFront Open Source Edition before 3.6.15.3 build 18022 allow remote attackers to hijack the authentication of administrators for requests that (1) delete modules via the delete_module parameter, (2) deactivate modules via the deactivate_module parameter, (3) activate modules via the activate_module parameter, (4) delete users via the delete_user parameter, (5) deactivate users via the deactivate_user parameter, (6) activate users via the activate_user parameter, (7) activate themes via the set_theme parameter, (8) deactivate themes via the set_theme parameter, (9) delete themes via the delete parameter, (10) deactivate events (user registration or email activation) via the deactivate_notification parameter, (11) activate events via the activate_notification parameter, (12) delete events via the delete_notification parameter, (13) deactivate language settings via the deactivate_language parameter, (14) activate language settings via the activate_language parameter, (15) delete language settings via the delete_language parameter, or (16) activate or deactivate the autologin feature for a user via a crafted maintenance request. | 6.8 |
2015-02-10 | CVE-2015-1432 | Phpbb | Cross-Site Request Forgery (CSRF) vulnerability in PHPbb The message_options function in includes/ucp/ucp_pm_options.php in phpBB before 3.0.13 does not properly validate the form key, which allows remote attackers to conduct CSRF attacks and change the full folder setting via unspecified vectors. | 6.8 |
2015-02-09 | CVE-2015-1568 | Studio GD | Cross-Site Request Forgery (CSRF) vulnerability in Studio.Gd GD Infinite Scroll 7.X1.3 Cross-site request forgery (CSRF) vulnerability in the GD Infinite Scroll module before 7.x-1.4 for Drupal allows remote attackers to hijack the authentication of users with the "edit gd infinite scroll settings" permission for requests that delete settings via unspecified vectors. | 6.8 |
2015-02-12 | CVE-2015-0611 | Cisco | Permissions, Privileges, and Access Controls vulnerability in Cisco Telepresence System Software IX 8.0.0/8.0.1 The administrative web-management portal in Cisco IX 8 (.0.1) and earlier on Cisco TelePresence IX5000 devices does not properly restrict the device-recovery account's access, which allows remote authenticated users to obtain HelpDesk-equivalent privileges by leveraging device-recovery authentication, aka Bug ID CSCus74174. | 6.5 |
2015-02-12 | CVE-2015-0580 | Cisco | SQL Injection vulnerability in Cisco Secure Access Control System Multiple SQL injection vulnerabilities in the ACS View reporting interface pages in Cisco Secure Access Control System (ACS) before 5.5 patch 7 allow remote authenticated administrators to execute arbitrary SQL commands via crafted HTTPS requests, aka Bug ID CSCuq79027. | 6.5 |
2015-02-11 | CVE-2015-0071 | Microsoft | Unspecified vulnerability in Microsoft Internet Explorer 10/11/9 Microsoft Internet Explorer 9 through 11 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability." | 6.5 |
2015-02-13 | CVE-2015-0255 | X ORG Opensuse | Information Exposure vulnerability in multiple products X.Org Server (aka xserver and xorg-server) before 1.16.3 and 1.17.x before 1.17.1 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (crash) via a crafted string length value in a XkbSetGeometry request. | 6.4 |
2015-02-12 | CVE-2014-9512 | Samba Opensuse Oracle | Link Following vulnerability in multiple products rsync 3.1.1 allows remote attackers to write to arbitrary files via a symlink attack on a file in the synchronization path. | 6.4 |
2015-02-11 | CVE-2015-1577 | Yuba | Path Traversal vulnerability in Yuba U5Cms 3.9.3 Directory traversal vulnerability in u5admin/deletefile.php in u5CMS before 3.9.4 allows remote attackers to write to arbitrary files via a (1) .. | 6.4 |
2015-02-11 | CVE-2015-1578 | Yuba | Open Redirection vulnerability in Yuba U5Cms 3.9.3 Multiple open redirect vulnerabilities in u5CMS before 3.9.4 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) pidvesa cookie to u5admin/pidvesa.php or (2) uri parameter to u5admin/meta2.php. | 5.8 |
2015-02-10 | CVE-2015-1042 | Mantisbt | Unspecified vulnerability in Mantisbt The string_sanitize_url function in core/string_api.php in MantisBT 1.2.0a3 through 1.2.18 uses an incorrect regular expression, which allows remote attackers to conduct open redirect and phishing attacks via a URL with a ":/" (colon slash) separator in the return parameter to login_page.php, a different vulnerability than CVE-2014-6316. | 5.8 |
2015-02-15 | CVE-2015-1574 | Data Processing Errors vulnerability in Google Email 4.2.2.0200 The Google Email application 4.2.2.0200 for Android allows remote attackers to cause a denial of service (persistent application crash) via a "Content-Disposition: ;" header in an e-mail message. | 5.0 | |
2015-02-15 | CVE-2014-7883 | HP | Information Exposure vulnerability in HP Universal Configuration Management Database 10.01/10.11/9.05 HP Universal CMDB (UCMDB) Probe 9.05, 10.01, and 10.11 enables the HTTP TRACE method, which allows remote attackers to obtain sensitive information by reading the headers of a response. | 5.0 |
2015-02-14 | CVE-2015-0923 | Ektron | Unspecified vulnerability in Ektron Content Management System 8.5.0/8.7.0/8.9.0 The ContentBlockEx method in Workarea/ServerControlWS.asmx in Ektron Content Management System (CMS) 8.5 and 8.7 before 8.7sp2 and 9.0 before sp1 allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference within an XML document named in the xslt parameter, related to an XML External Entity (XXE) issue. | 5.0 |
2015-02-13 | CVE-2014-4781 | IBM | Information Exposure vulnerability in IBM Infosphere Biginsights 2.1.2.0/3.0.0.0/3.0.0.1 The alert module in IBM InfoSphere BigInsights 2.1.2 and 3.x before 3.0.0.2 allows remote attackers to obtain sensitive Alert management-services API information via a network-tracing attack. | 5.0 |
2015-02-12 | CVE-2015-0227 | Apache | Permissions, Privileges, and Access Controls vulnerability in Apache Wss4J Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via a vectors related to "wrapping attacks." | 5.0 |
2015-02-11 | CVE-2015-1579 | Elegant Themes | Path Traversal vulnerability in Elegant Themes Divi Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. | 5.0 |
2015-02-10 | CVE-2015-1548 | Acme | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Acme Mini Httpd 1.21 mini_httpd 1.21 and earlier allows remote attackers to obtain sensitive information from process memory via an HTTP request with a long protocol string, which triggers an incorrect response size calculation and an out-of-bounds read. | 5.0 |
2015-02-12 | CVE-2015-0606 | Cisco | Improper Input Validation vulnerability in Cisco IOS The IOS Shell in Cisco IOS allows local users to cause a denial of service (device crash) via unspecified commands, aka Bug ID CSCur59696. | 4.9 |
2015-02-10 | CVE-2015-1377 | Webmin | Link Following vulnerability in Webmin The Read Mail module in Webmin 1.720 allows local users to read arbitrary files via a symlink attack on an unspecified file. | 4.9 |
2015-02-11 | CVE-2015-0060 | Microsoft | Data Processing Errors vulnerability in Microsoft products The font mapper in win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly scale fonts, which allows local users to cause a denial of service (system hang) via a crafted application, aka "Windows Font Driver Denial of Service Vulnerability." | 4.7 |
2015-02-13 | CVE-2013-2027 | Opensuse Jython Project | Permissions, Privileges, and Access Controls vulnerability in multiple products Jython 2.2.1 uses the current umask to set the privileges of the class cache files, which allows local users to bypass intended access restrictions via unspecified vectors. | 4.6 |
2015-02-14 | CVE-2014-8911 | IBM | Cross-site Scripting vulnerability in IBM Content Navigator 2.0.0/2.0.1/2.0.3 Cross-site scripting (XSS) vulnerability in IBM Content Navigator 2.0.0 and 2.0.1 before 2.0.1.2 FP002 IF003 and 2.0.3 before 2.0.3.2 FP002 allows remote attackers to inject arbitrary web script or HTML via the Accept-Language HTTP header. | 4.3 |
2015-02-14 | CVE-2014-4804 | IBM | Information Exposure vulnerability in IBM Curam Social Program Management Curam Universal Access in IBM Curam Social Program Management 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4.5 before iFix007, 6.0.5.4 before iFix005, and 6.0.5.5 before iFix003, when SPI inclusion is enabled, allows remote attackers to obtain sensitive user data by visiting an unspecified page. | 4.3 |
2015-02-13 | CVE-2014-8122 | Redhat | Race Condition vulnerability in Redhat Jboss Weld 2.2.7/3.0.0 Race condition in JBoss Weld before 2.2.8 and 3.x before 3.0.0 Alpha3 allows remote attackers to obtain information from a previous conversation via vectors related to a stale thread state. | 4.3 |
2015-02-13 | CVE-2015-0873 | Homepage Decorator | Cross-site Scripting vulnerability in Homepage Decorator Perltreebbs 2.30 Cross-site scripting (XSS) vulnerability in Homepage Decorator PerlTreeBBS 2.30 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2015-02-12 | CVE-2015-0610 | Cisco | Race Condition vulnerability in Cisco IOS Race condition in the object-group ACL feature in Cisco IOS 15.5(2)T and earlier allows remote attackers to bypass intended access restrictions via crafted network traffic that triggers improper handling of the timing of process switching and Cisco Express Forwarding (CEF) switching, aka Bug ID CSCun21071. | 4.3 |
2015-02-12 | CVE-2014-3365 | Cisco | Cross-site Scripting vulnerability in Cisco Prime Security Manager Multiple cross-site scripting (XSS) vulnerabilities in Cisco Prime Security Manager (PRSM) 9.2(.1-2) and earlier allow remote attackers to inject arbitrary web script or HTML via crafted input to the (1) Dashboard or (2) Configure Realm page, aka Bug ID CSCuo94808. | 4.3 |
2015-02-12 | CVE-2014-2153 | Cisco | Cross-site Scripting vulnerability in Cisco Prime Infrastructure Multiple cross-site scripting (XSS) vulnerabilities in INSERT pages in Cisco Prime Infrastructure allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCun21869. | 4.3 |
2015-02-12 | CVE-2014-2147 | Cisco | Improper Input Validation vulnerability in Cisco Prime Infrastructure The web interface in Cisco Prime Infrastructure 2.1 and earlier does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, related to a "cross-frame scripting (XFS)" issue, aka Bug ID CSCuj42444. | 4.3 |
2015-02-11 | CVE-2015-1582 | WEB Dorado | Cross-site Scripting vulnerability in Web-Dorado Spider Facebook 1.0.10 Multiple cross-site scripting (XSS) vulnerabilities in the Spider Facebook plugin before 1.0.11 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the appid parameter in a registration task to the default URI or remote administrators to inject arbitrary web script or HTML via the (2) asc_or_desc, (3) order_by, (4) page_number, (5) serch_or_not, or (6) search_events_by_title parameter in (a) the Spider_Facebook_manage page to wp-admin/admin.php or a (b) selectpagesforfacebook or (c) selectpostsforfacebook action to wp-admin/admin-ajax.php. | 4.3 |
2015-02-11 | CVE-2015-1575 | Yuba | Cross-site Scripting vulnerability in Yuba U5Cms 3.9.3 Multiple cross-site scripting (XSS) vulnerabilities in u5CMS before 3.9.4 allow remote attackers to inject arbitrary web script or HTML via the (1) c, (2) i, (3) l, or (4) p parameter to index.php; the (5) a or (6) b parameter to u5admin/cookie.php; the name parameter to (7) copy.php or (8) delete.php in u5admin/; the (9) f or (10) typ parameter to u5admin/deletefile.php; the (11) n parameter to u5admin/done.php; the (12) c parameter to u5admin/editor.php; the (13) uri parameter to u5admin/meta2.php; the (14) n parameter to u5admin/notdone.php; the (15) newname parameter to u5admin/rename2.php; the (16) l parameter to u5admin/sendfile.php; the (17) s parameter to u5admin/characters.php; the (18) page parameter to u5admin/savepage.php; or the (19) name parameter to u5admin/new2.php. | 4.3 |
2015-02-11 | CVE-2015-0070 | Microsoft | Information Exposure vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 6 through 11 allows remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka "Internet Explorer Cross-domain Information Disclosure Vulnerability." | 4.3 |
2015-02-11 | CVE-2015-0069 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft Internet Explorer 10/11 Microsoft Internet Explorer 10 and 11 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability." | 4.3 |
2015-02-11 | CVE-2015-0061 | Microsoft | Information Exposure vulnerability in Microsoft products Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly initialize memory for TIFF images, which allows remote attackers to obtain sensitive information from process memory via a crafted image file, aka "TIFF Processing Information Disclosure Vulnerability." | 4.3 |
2015-02-11 | CVE-2015-0055 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft Internet Explorer 10/11 Microsoft Internet Explorer 10 and 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability." | 4.3 |
2015-02-11 | CVE-2015-0054 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft Internet Explorer 10/11 Microsoft Internet Explorer 7 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability." | 4.3 |
2015-02-11 | CVE-2015-0051 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft Internet Explorer 8 Microsoft Internet Explorer 8 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability." | 4.3 |
2015-02-11 | CVE-2014-6362 | Microsoft | ASLR Security Bypass vulnerability in Microsoft Office 2007/2010/2013 Use-after-free vulnerability in Microsoft Office 2007 SP3, 2010 SP2, and 2013 Gold and SP1 allows remote attackers to bypass the ASLR protection mechanism via a crafted document, aka "Microsoft Office Component Use After Free Vulnerability." <a href="http://cwe.mitre.org/data/definitions/416.html">CWE-416: Use After Free</a> | 4.3 |
2015-02-10 | CVE-2015-1570 | Fortinet | Cryptographic Issues vulnerability in Fortinet Forticlient 5.2.028/5.2.3.091 The Endpoint Control protocol implementation in Fortinet FortiClient 5.2.3.091 for Android and 5.2.028 for iOS does not validate certificates, which makes it easier for man-in-the-middle attackers to spoof servers via a crafted certificate. | 4.3 |
2015-02-10 | CVE-2015-1569 | Fortinet | Cryptographic Issues vulnerability in Fortinet Forticlient 5.2.028 Fortinet FortiClient 5.2.028 for iOS does not validate certificates, which makes it easier for man-in-the-middle attackers to spoof SSL VPN servers via a crafted certificate. | 4.3 |
2015-02-10 | CVE-2015-1431 | Phpbb | Cross-site Scripting vulnerability in PHPbb Cross-site scripting (XSS) vulnerability in includes/startup.php in phpBB before 3.0.13 allows remote attackers to inject arbitrary web script or HTML via vectors related to "Relative Path Overwrite." | 4.3 |
2015-02-09 | CVE-2015-1567 | Studio GD | Cross-site Scripting vulnerability in Studio.Gd GD Infinite Scroll 7.X1.3 Cross-site scripting (XSS) vulnerability in the admin page in the GD Infinite Scroll module before 7.x-1.4 for Drupal allows remote authenticated users with the "edit gd infinite scroll settings" permission to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2015-02-09 | CVE-2015-1566 | Dotnetnuke | Cross-site Scripting vulnerability in Dotnetnuke Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 7.4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2015-02-09 | CVE-2015-1565 | Hitachi Microsoft Novell Redhat | Cross-site Scripting vulnerability in Hitachi products Cross-site scripting (XSS) vulnerability in the online help in Hitachi Device Manager, Tiered Storage Manager, Replication Manager, and Global Link Manager before 8.1.2-00, and Compute Systems Manager before 7.6.1-08 and 8.x before 8.1.2-00, as used in Hitachi Command Suite, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2015-02-09 | CVE-2015-1564 | Plainblack | Cross-site Scripting vulnerability in Plainblack Webgui Cross-site scripting (XSS) vulnerability in style-underground/search in Plain Black WebGUI 7.10.29 and earlier allows remote attackers to inject arbitrary web script or HTML via the Search field. | 4.3 |
2015-02-09 | CVE-2015-1562 | Saurus | Cross-site Scripting vulnerability in Saurus CMS 4.7.0 Multiple cross-site scripting (XSS) vulnerabilities in Saurus CMS 4.7.0 allow remote attackers to inject arbitrary web script or HTML via the (1) search parameter to admin/user_management.php, (2) data_search parameter to /admin/profile_data.php, or (3) filter parameter to error_log.php. | 4.3 |
2015-02-14 | CVE-2015-0517 | EMC | Information Exposure vulnerability in EMC Documentum D2 The D2-API component in EMC Documentum D2 3.1 through SP1, 4.0 and 4.1 before 4.1 P22, and 4.2 before P11 places the MD5 hash of an encryption passphrase in log files, which allows remote authenticated users to obtain sensitive information by reading a file. | 4.0 |
2015-02-13 | CVE-2014-7853 | Redhat | Information Exposure vulnerability in Redhat products The JBoss Application Server (WildFly) JacORB subsystem in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 does not properly assign socket-binding-ref sensitivity classification to the security-domain attribute, which allows remote authenticated users to obtain sensitive information by leveraging access to the security-domain attribute. | 4.0 |
2015-02-13 | CVE-2014-7849 | Redhat | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform The Role Based Access Control (RBAC) implementation in JBoss Enterprise Application Platform (EAP) 6.2.0 through 6.3.2 does not properly verify authorization conditions, which allows remote authenticated users to add, modify, and undefine otherwise restricted attributes by leveraging the Maintainer role. | 4.0 |
2015-02-13 | CVE-2014-6139 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM Business Process Manager 8.0.1.3/8.5.0.1/8.5.5.0 The Search REST API in IBM Business Process Manager 8.0.1.3, 8.5.0.1, and 8.5.5.0 allows remote authenticated users to bypass intended access restrictions and perform task-instance and process-instance searches by specifying a false value for the filterByCurrentUser parameter. | 4.0 |
12 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-02-13 | CVE-2014-7827 | Redhat | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform The org.jboss.security.plugins.mapping.JBossMappingManager implementation in JBoss Security in Red Hat JBoss Enterprise Application Platform (EAP) before 6.3.3 uses the default security domain when a security domain is undefined, which allows remote authenticated users to bypass intended access restrictions by leveraging credentials on the default domain for a role that is also on the application domain. | 3.5 |
2015-02-13 | CVE-2014-8909 | IBM | Cross-site Scripting vulnerability in IBM Websphere Portal Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0.x through 6.1.0.6 CF27, 6.1.5.x through 6.1.5.3 CF27, 7.0.0.x through 7.0.0.2 CF29, 8.0.0.x before 8.0.0.1 CF15, and 8.5.0 before CF05 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 3.5 |
2015-02-13 | CVE-2014-4803 | IBM | CRLF Injection vulnerability in IBM Curam Social Program Management CRLF injection vulnerability in the Universal Access implementation in IBM Curam Social Program Management 6.0 SP2 before EP26, 6.0.4 before 6.0.4.5 iFix007, and 6.0.5 before 6.0.5.5 iFix003, when WebSphere Application Server is not used, allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via an unspecified parameter. | 3.5 |
2015-02-13 | CVE-2014-4771 | IBM | Resource Management Errors vulnerability in IBM Websphere MQ IBM WebSphere MQ 7.0.1 before 7.0.1.13, 7.1 before 7.1.0.6, 7.5 before 7.5.0.5, and 8 before 8.0.0.1 allows remote authenticated users to cause a denial of service (queue-slot exhaustion) by leveraging PCF query privileges for a crafted query. | 3.5 |
2015-02-09 | CVE-2015-1558 | Digium | Resource Management Errors vulnerability in Digium Asterisk Asterisk Open Source 12.x before 12.8.1 and 13.x before 13.1.1, when using the PJSIP channel driver, does not properly reclaim RTP ports, which allows remote authenticated users to cause a denial of service (file descriptor consumption) via an SDP offer containing only incompatible codecs. | 3.5 |
2015-02-11 | CVE-2015-0009 | Microsoft | 7PK - Security Features vulnerability in Microsoft products The Group Policy Security Configuration policy implementation in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows man-in-the-middle attackers to disable a signing requirement and trigger a revert-to-default action by spoofing domain-controller responses, aka "Group Policy Security Feature Bypass Vulnerability." | 3.3 |
2015-02-14 | CVE-2015-0519 | EMC | Information Exposure vulnerability in EMC Captiva Capture 7.0/7.1 The InputAccel Database (IADB) installation process in EMC Captiva Capture 7.0 before patch 25 and 7.1 before patch 13 places a cleartext InputAccel (IA) SQL password in a DAL log file, which allows local users to obtain sensitive information by reading a file. | 2.1 |
2015-02-12 | CVE-2015-1345 | GNU Opensuse | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows local users to cause a denial of service (out-of-bounds heap read and crash) via crafted input when using the -F option. | 2.1 |
2015-02-10 | CVE-2014-8733 | Cloudera | Information Exposure vulnerability in Cloudera Manager 5.2.0/5.2.1/5.3.0 Cloudera Manager 5.2.0, 5.2.1, and 5.3.0 stores the LDAP bind password in plaintext in unspecified world-readable files under /etc/hadoop, which allows local users to obtain this password. | 2.1 |
2015-02-09 | CVE-2015-1563 | XEN Fedoraproject | Resource Management Errors vulnerability in multiple products The ARM GIC distributor virtualization in Xen 4.4.x and 4.5.x allows local guests to cause a denial of service by causing a large number messages to be logged. | 2.1 |
2015-02-11 | CVE-2015-0010 | Microsoft | Cryptographic Issues vulnerability in Microsoft products The CryptProtectMemory function in cng.sys (aka the Cryptography Next Generation driver) in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, when the CRYPTPROTECTMEMORY_SAME_LOGON option is used, does not check an impersonation token's level, which allows local users to bypass intended decryption restrictions by leveraging a service that (1) has a named-pipe planting vulnerability or (2) uses world-readable shared memory for encrypted data, aka "CNG Security Feature Bypass Vulnerability" or MSRC ID 20707. | 1.9 |
2015-02-15 | CVE-2015-0875 | OKB CO JP | Information Exposure vulnerability in Okb.Co.Jp Smartphone Passbook 1.00 The Ogaki Kyoritsu Bank Smartphone Passbook application 1.0.0 for Android creates a log file containing input data from the user, which allows attackers to obtain sensitive information by reading a file. | 1.8 |