Weekly Vulnerabilities Reports > March 9 to 15, 2015
Overview
138 new vulnerabilities reported during this period, including 46 critical vulnerabilities and 28 high severity vulnerabilities. This weekly summary report vulnerabilities in 121 products from 45 vendors including Microsoft, Apple, HP, Adobe, and Linux. Vulnerabilities are notably categorized as "Cross-site Scripting", "Resource Management Errors", "Information Exposure", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Permissions, Privileges, and Access Controls".
- 118 reported vulnerabilities are remotely exploitables.
- 15 reported vulnerabilities have public exploit available.
- 36 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 126 reported vulnerabilities are exploitable by an anonymous user.
- Microsoft has the most reported vulnerabilities, with 54 reported vulnerabilities.
- Microsoft has the most reported critical vulnerabilities, with 30 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
46 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-03-14 | CVE-2014-7885 | Microfocus | Unspecified vulnerability in Microfocus Arcsight Enterprise Security Manager Multiple unspecified vulnerabilities in HP ArcSight Enterprise Security Manager (ESM) before 6.8c have unknown impact and remote attack vectors. | 10.0 |
2015-03-13 | CVE-2015-0342 | Adobe Linux Apple Microsoft | Use After Free Remote Code Execution vulnerability in Adobe Flash Player Use-after-free vulnerability in Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0341. | 10.0 |
2015-03-13 | CVE-2015-0341 | Adobe Linux Apple Microsoft | Use After Free Remote Code Execution vulnerability in Adobe Flash Player Use-after-free vulnerability in Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0342. | 10.0 |
2015-03-13 | CVE-2015-0339 | Adobe Linux Apple Microsoft | Resource Management Errors vulnerability in Adobe Flash Player Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0332, CVE-2015-0333, and CVE-2015-0335. | 10.0 |
2015-03-13 | CVE-2015-0338 | Adobe Linux Apple Microsoft | Remote Integer Overflow vulnerability in Adobe Flash Player Integer overflow in Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code via unspecified vectors. | 10.0 |
2015-03-13 | CVE-2015-0335 | Adobe Apple Microsoft Linux | Resource Management Errors vulnerability in Adobe Flash Player Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0332, CVE-2015-0333, and CVE-2015-0339. | 10.0 |
2015-03-13 | CVE-2015-0333 | Adobe Apple Microsoft Linux | Resource Management Errors vulnerability in Adobe Flash Player Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0332, CVE-2015-0335, and CVE-2015-0339. | 10.0 |
2015-03-13 | CVE-2015-0332 | Adobe Apple Microsoft Linux | Memory Corruption vulnerability in Adobe Flash Player Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0333, CVE-2015-0335, and CVE-2015-0339. | 10.0 |
2015-03-13 | CVE-2015-0653 | Cisco | Improper Authentication vulnerability in Cisco products The management interface in Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway before X7.2.4, X8 before X8.1.2, and X8.2 before X8.2.2 and Cisco TelePresence Conductor before X2.3.1 and XC2.4 before XC2.4.1 allows remote attackers to bypass authentication via crafted login parameters, aka Bug IDs CSCur02680 and CSCur05556. | 10.0 |
2015-03-12 | CVE-2015-1066 | Apple | Numeric Errors vulnerability in Apple mac OS X Off-by-one error in IOAcceleratorFamily in Apple OS X through 10.10.2 allows attackers to execute arbitrary code in a privileged context via a crafted app. | 10.0 |
2015-03-09 | CVE-2014-7898 | HP Microsoft | Unspecified vulnerability in HP OLE Point of Sale Driver 1.13.001 The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via unspecified vectors. | 10.0 |
2015-03-09 | CVE-2014-7897 | HP | Unspecified vulnerability in HP OLE Point of Sale Driver 1.13.001 The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSScanner.ocx for Imaging Barcode scanners, Linear Barcode scanners, Presentation Barcode scanners, Retail Integrated Barcode scanners, Wireless Barcode scanners, and 2D Value Wireless scanners. | 10.0 |
2015-03-09 | CVE-2014-7895 | HP | Unspecified vulnerability in HP OLE Point of Sale Driver 1.13.001 The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSCashDrawer.ocx for PUSB Thermal Receipt printers, SerialUSB Thermal Receipt printers, Hybrid POS printers with MICR, Value PUSB Receipt printers, Value Serial/USB Receipt printers, and USB Standard Duty cash drawers, aka ZDI-CAN-2505. | 10.0 |
2015-03-09 | CVE-2014-7894 | HP | Unspecified vulnerability in HP OLE Point of Sale Driver 1.13.001 The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSPOSPrinter.ocx for PUSB Thermal Receipt printers, SerialUSB Thermal Receipt printers, Hybrid POS printers with MICR, Value PUSB Receipt printers, and Value Serial/USB Receipt printers, aka ZDI-CAN-2506. | 10.0 |
2015-03-09 | CVE-2014-7893 | HP | Unspecified vulnerability in HP OLE Point of Sale Driver 1.13.001 The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSCheckScanner.ocx for PUSB Thermal Receipt printers, SerialUSB Thermal Receipt printers, Hybrid POS printers with MICR, Value PUSB Receipt printers, and Value Serial/USB Receipt printers, aka ZDI-CAN-2507. | 10.0 |
2015-03-09 | CVE-2014-7892 | HP | Unspecified vulnerability in HP OLE Point of Sale Driver 1.13.001 The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSMSR.ocx for Mini MSR magnetic stripe readers, Retail Integrated Dual-Head MSR magnetic stripe readers, Integrated Single Head MSR w/o SRED magnetic stripe readers, Integrated Single Head w/o MSR SRED magnetic stripe readers, RP7 Single Head MSR w/o SRED magnetic stripe readers, POS keyboards, and POS keyboards with MSR, aka ZDI-CAN-2508. | 10.0 |
2015-03-09 | CVE-2014-7891 | HP | Unspecified vulnerability in HP OLE Point of Sale Driver 1.13.001 The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSPOSKeyboard.ocx for POS keyboards and POS keyboards with MSR, aka ZDI-CAN-2509. | 10.0 |
2015-03-09 | CVE-2014-7890 | HP | Unspecified vulnerability in HP OLE Point of Sale Driver 1.13.001 The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSToneIndicator.ocx for POS keyboards and POS keyboards with MSR, aka ZDI-CAN-2510. | 10.0 |
2015-03-09 | CVE-2014-7889 | HP | Unspecified vulnerability in HP OLE Point of Sale Driver 1.13.001 The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSLineDisplay.ocx for Retail RP7 VFD Customer Display monitors, Retail Integrated 2x20 Display monitors, Retail Integrated 2x20 Complex monitors, POS Pole Display monitors, Graphical POS Pole Display monitors, and LCD Pole Display monitors, aka ZDI-CAN-2511. | 10.0 |
2015-03-09 | CVE-2014-7888 | HP | Unspecified vulnerability in HP OLE Point of Sale Driver 1.13.001 The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSMICR.ocx for PUSB Thermal Receipt printers, SerialUSB Thermal Receipt printers, Hybrid POS printers with MICR, Value PUSB Receipt printers, and Value Serial/USB Receipt printers, aka ZDI-CAN-2512. | 10.0 |
2015-03-13 | CVE-2015-0336 | Adobe Apple Microsoft Linux | Type Confusion Remote Code Execution vulnerability in Adobe Flash Player Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-0334. | 9.3 |
2015-03-13 | CVE-2015-0334 | Adobe Apple Microsoft Linux | Type Confusion Remote Code Execution vulnerability in Adobe Flash Player Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-0336. | 9.3 |
2015-03-12 | CVE-2015-1061 | Apple | Code Injection vulnerability in Apple Iphone OS, mac OS X and Tvos IOSurface in Apple iOS before 8.2, Apple OS X through 10.10.2, and Apple TV before 7.1 allows attackers to execute arbitrary code in a privileged context via a crafted app that leverages "type confusion" during serialized-object handling. | 9.3 |
2015-03-11 | CVE-2015-1634 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-1625. | 9.3 |
2015-03-11 | CVE-2015-1626 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 11 Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0056 and CVE-2015-1623. | 9.3 |
2015-03-11 | CVE-2015-1625 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-1634. | 9.3 |
2015-03-11 | CVE-2015-1624 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 9.3 |
2015-03-11 | CVE-2015-1623 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 11 Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0056 and CVE-2015-1626. | 9.3 |
2015-03-11 | CVE-2015-1622 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 10/11 Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 9.3 |
2015-03-11 | CVE-2015-0100 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Internet Explorer 8 Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 9.3 |
2015-03-11 | CVE-2015-0099 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 10 Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 9.3 |
2015-03-11 | CVE-2015-0097 | Microsoft | Data Processing Errors vulnerability in Microsoft Excel, Powerpoint and Word Microsoft Excel 2007 SP3, PowerPoint 2007 SP3, Word 2007 SP3, Excel 2010 SP2, PowerPoint 2010 SP2, and Word 2010 SP2 allow remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Word Local Zone Remote Code Execution Vulnerability." | 9.3 |
2015-03-11 | CVE-2015-0096 | Microsoft | Untrusted Search Path vulnerability in Microsoft products Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka "DLL Planting Remote Code Execution Vulnerability." | 9.3 |
2015-03-11 | CVE-2015-0093 | Microsoft | Code Injection vulnerability in Microsoft products Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0090, CVE-2015-0091, and CVE-2015-0092. | 9.3 |
2015-03-11 | CVE-2015-0092 | Microsoft | Code Injection vulnerability in Microsoft products Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0090, CVE-2015-0091, and CVE-2015-0093. | 9.3 |
2015-03-11 | CVE-2015-0091 | Microsoft | Code Injection vulnerability in Microsoft products Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0090, CVE-2015-0092, and CVE-2015-0093. | 9.3 |
2015-03-11 | CVE-2015-0090 | Microsoft | Code Injection vulnerability in Microsoft products Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0091, CVE-2015-0092, and CVE-2015-0093. | 9.3 |
2015-03-11 | CVE-2015-0088 | Microsoft | Code Injection vulnerability in Microsoft products Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0090, CVE-2015-0091, CVE-2015-0092, and CVE-2015-0093. | 9.3 |
2015-03-11 | CVE-2015-0086 | Microsoft | Resource Management Errors vulnerability in Microsoft products Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 Gold and SP1, Word 2013 RT Gold and SP1, Word Viewer, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2, Word Automation Services on SharePoint Server 2013 Gold and SP1, Web Applications 2010 SP2, and Web Apps Server 2013 Gold and SP1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted RTF document, aka "Microsoft Office Memory Corruption Vulnerability." | 9.3 |
2015-03-11 | CVE-2015-0085 | Microsoft | Use After Free Remote Code Execution vulnerability in Microsoft Office Use-after-free vulnerability in Microsoft Office 2007 SP3, Excel 2007 SP3, PowerPoint 2007 SP3, Word 2007 SP3, Office 2010 SP2, Excel 2010 SP2, PowerPoint 2010 SP2, Word 2010 SP2, Office 2013 Gold and SP1, Word 2013 Gold and SP1, Office 2013 RT Gold and SP1, Word 2013 RT Gold and SP1, Excel Viewer, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2, Excel Services on SharePoint Server 2013 Gold and SP1, Word Automation Services on SharePoint Server 2013 Gold and SP1, Web Applications 2010 SP2, Office Web Apps Server 2010 SP2, Web Apps Server 2013 Gold and SP1, SharePoint Server 2007 SP3, Windows SharePoint Services 3.0 SP3, SharePoint Foundation 2010 SP2, SharePoint Server 2010 SP2, SharePoint Foundation 2013 Gold and SP1, and SharePoint Server 2013 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Component Use After Free Vulnerability." <a href="http://cwe.mitre.org/data/definitions/416.html">CWE-416: Use After Free</a> | 9.3 |
2015-03-11 | CVE-2015-0081 | Microsoft | Data Processing Errors vulnerability in Microsoft products Windows Text Services (WTS) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "WTS Remote Code Execution Vulnerability." | 9.3 |
2015-03-11 | CVE-2015-0056 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer 11 Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-1623 and CVE-2015-1626. | 9.3 |
2015-03-11 | CVE-2015-0032 | Microsoft | Resource Management Errors vulnerability in Microsoft Internet Explorer and Vbscript vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 8 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability." | 9.3 |
2015-03-14 | CVE-2015-0980 | Scadaengine | Improper Input Validation vulnerability in Scadaengine Bacnet OPC Server Format string vulnerability in BACnOPCServer.exe in the SOAP web interface in SCADA Engine BACnet OPC Server before 2.1.371.24 allows remote attackers to execute arbitrary code via format string specifiers in a request. | 9.0 |
2015-03-14 | CVE-2015-0979 | Scadaengine | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Scadaengine Bacnet OPC Server Heap-based buffer overflow in the SOAP web interface in SCADA Engine BACnet OPC Server before 2.1.371.24 allows remote attackers to execute arbitrary code via a crafted packet. | 9.0 |
2015-03-14 | CVE-2014-7884 | HP | Multiple Remote Security vulnerability in HP Arcsight Logger 6.0 Multiple unspecified vulnerabilities in HP ArcSight Logger before 6.0P1 have unknown impact and remote authenticated attack vectors. | 9.0 |
28 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-03-13 | CVE-2015-0652 | Cisco | Improper Input Validation vulnerability in Cisco products The Session Description Protocol (SDP) implementation in Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway before X8.2 and Cisco TelePresence Conductor before XC2.4 allows remote attackers to cause a denial of service (mishandled exception and device reload) via a crafted media description, aka Bug IDs CSCus96593 and CSCun73192. | 7.8 |
2015-03-12 | CVE-2015-1063 | Apple | NULL Pointer Dereference Denial of Service vulnerability in Apple IOS CoreTelephony in Apple iOS before 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference and device restart) via a Class 0 SMS message. | 7.8 |
2015-03-12 | CVE-2015-0523 | EMC | Improper Input Validation vulnerability in EMC RSA Certificate Manager and RSA Registration Manager EMC RSA Certificate Manager (RCM) before 6.9 build 558 and RSA Registration Manager (RRM) before 6.9 build 558 allow remote attackers to cause an Administration Server denial of service via an invalid MIME e-mail message with a multipart/* Content-Type header. | 7.8 |
2015-03-11 | CVE-2015-0079 | Microsoft | Resource Management Errors vulnerability in Microsoft products The Remote Desktop Protocol (RDP) implementation in Microsoft Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to cause a denial of service (memory consumption and RDP outage) by establishing many RDP sessions that do not properly free allocated memory, aka "Remote Desktop Protocol (RDP) Denial of Service Vulnerability." | 7.8 |
2015-03-14 | CVE-2015-0982 | Schneider Electric | Classic Buffer Overflow vulnerability in Schneider-Electric Pelco Ds-Nv Buffer overflow in an unspecified DLL in Schneider Electric Pelco DS-NVs before 7.8.90 allows remote attackers to execute arbitrary code via unspecified vectors. | 7.5 |
2015-03-14 | CVE-2015-0981 | Scadaengine | Permissions, Privileges, and Access Controls vulnerability in Scadaengine Bacnet OPC Server The SOAP web interface in SCADA Engine BACnet OPC Server before 2.1.371.24 allows remote attackers to bypass authentication and read or write to arbitrary database fields via unspecified vectors. | 7.5 |
2015-03-12 | CVE-2015-2237 | Betster Project | SQL Injection vulnerability in Betster Project Betster 1.0.4 Multiple SQL injection vulnerabilities in Betster (aka PHP Betoffice) 1.0.4 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) showprofile.php or (2) categoryedit.php or (3) username parameter in a login to index.php. | 7.5 |
2015-03-12 | CVE-2015-2208 | Avinu | Command Injection vulnerability in Avinu PHPmoadmin 1.1.2 The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the object parameter. | 7.5 |
2015-03-12 | CVE-2015-0525 | EMC | OS Command Injection vulnerability in EMC Secure Remote Services 3.02/3.03 The Gateway Provisioning service in EMC Secure Remote Services Virtual Edition (ESRS VE) 3.02 and 3.03 allows remote attackers to execute arbitrary OS commands via unspecified vectors. | 7.5 |
2015-03-12 | CVE-2015-0524 | EMC | SQL Injection vulnerability in EMC Secure Remote Services 3.02/3.03 SQL injection vulnerability in the Gateway Provisioning service in EMC Secure Remote Services Virtual Edition (ESRS VE) 3.02 and 3.03 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 |
2015-03-11 | CVE-2015-1875 | Palosanto | SQL Injection vulnerability in Palosanto Elastix 2.5.0 SQL injection vulnerability in a2billing/customer/iridium_threed.php in Elastix 2.5.0 and earlier allows remote attackers to execute arbitrary SQL commands via the transactionID parameter. | 7.5 |
2015-03-10 | CVE-2015-2183 | Zeuscart | SQL Injection vulnerability in Zeuscart 4.0 Multiple SQL injection vulnerabilities in the administrative backend in ZeusCart 4 allow remote administrators to execute arbitrary SQL commands via the id parameter in a (1) disporders detail or (2) subadminmgt edit action or (3) cid parameter in an editcurrency action to admin/. | 7.5 |
2015-03-10 | CVE-2014-9566 | Solarwinds | SQL Injection vulnerability in Solarwinds products Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11.5, NetFlow Traffic Analyzer (NTA) before 4.1, Network Configuration Manager (NCM) before 7.3.2, IP Address Manager (IPAM) before 4.3, User Device Tracker (UDT) before 3.2, VoIP & Network Quality Manager (VNQM) before 4.2, Server & Application Manager (SAM) before 6.2, Web Performance Monitor (WPM) before 2.2, and possibly other Solarwinds products, allow remote authenticated users to execute arbitrary SQL commands via the (1) dir or (2) sort parameter to the (a) GetAccounts or (b) GetAccountGroups endpoint. | 7.5 |
2015-03-09 | CVE-2015-2243 | Webshophun | Path Traversal vulnerability in Webshophun Webshop HUN 1.062S Directory traversal vulnerability in Webshop hun 1.062S allows remote attackers to have unspecified impact via directory traversal sequences in the mappa parameter to index.php. | 7.5 |
2015-03-09 | CVE-2015-2242 | Webshophun | SQL Injection vulnerability in Webshophun Webshop HUN 1.062S Multiple SQL injection vulnerabilities in Webshop hun 1.062S allow remote attackers to execute arbitrary SQL commands via the (1) termid or (2) nyelv_id parameter to index.php. | 7.5 |
2015-03-09 | CVE-2015-2097 | Webgate | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Webgate Embedded Standard Protocol SDK Multiple buffer overflows in WebGate Embedded Standard Protocol (WESP) SDK allow remote attackers to execute arbitrary code via unspecified vectors to the (1) LoadImage or (2) LoadImageEx function in the WESPMonitor.WESPMonitorCtrl.1 control, (3) ChangePassword function in the WESPCONFIGLib.UserItem control, Connect function in the (4) WESPSerialPort.WESPSerialPortCtrl.1 or (5) WESPPLAYBACKLib.WESPPlaybackCtrl control, or (6) AddID function in the WESPCONFIGLib.IDList control or a (7) long string to the second argument to the ConnectEx3 function in the WESPPLAYBACKLib.WESPPlaybackCtrl control. | 7.5 |
2015-03-09 | CVE-2015-2094 | Webgateinc | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Webgateinc Winrds Stack-based buffer overflow in the WESPPlayback.WESPPlaybackCtrl.1 control in WebGate WinRDS allows remote attackers to execute arbitrary code via unspecified vectors to the (1) PrintSiteImage, (2) PlaySiteAllChannel, (3) StopSiteAllChannel, or (4) SaveSiteImage function. | 7.5 |
2015-03-09 | CVE-2015-2092 | Agilent Technologies | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Agilent Technologies Feature Extraction The AnnotationX.AnnList.1 ActiveX control in Agilent Technologies Feature Extraction allows remote attackers to execute arbitrary code via a crafted object parameter in the Insert function, related to "Index Out-Of-Bounds." | 7.5 |
2015-03-09 | CVE-2015-2061 | PTC | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in PTC Creo View Heap-based buffer overflow in the browser plugin for PTC Creo View allows remote attackers to execute arbitrary code via vectors involving setting a large buffer to an unspecified attribute. | 7.5 |
2015-03-09 | CVE-2015-2238 | Canonical | Multiple unspecified vulnerabilities in Google V8 before 4.1.0.21, as used in Google Chrome before 41.0.2272.76, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | 7.5 |
2015-03-14 | CVE-2015-0660 | Cisco | Improper Access Control vulnerability in Cisco Telepresence Server Software Cisco Virtual TelePresence Server Software does not properly restrict use of the serial port, which allows local users to execute arbitrary OS commands as root by leveraging vSphere controller administrative privileges, aka Bug ID CSCus61123. | 7.2 |
2015-03-12 | CVE-2015-2285 | Ubuntu | Data Processing Errors vulnerability in Ubuntu Upstart and Vivid The logrotation script (/etc/cron.daily/upstart) in the Ubuntu Upstart package before 1.13.2-0ubuntu9, as used in Ubuntu Vivid 15.04, allows local users to execute arbitrary commands and gain privileges via a crafted file in /run/user/*/upstart/sessions/. | 7.2 |
2015-03-12 | CVE-2015-2151 | Fedoraproject Debian XEN | Permissions, Privileges, and Access Controls vulnerability in multiple products The x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore segment overrides for instructions with register operands, which allows local guest users to obtain sensitive information, cause a denial of service (memory corruption), or possibly execute arbitrary code via unspecified vectors. | 7.2 |
2015-03-11 | CVE-2015-0078 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft products win32k.sys in the kernel-mode drivers in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate the token of a calling thread, which allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability." | 7.2 |
2015-03-11 | CVE-2015-0075 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft products The kernel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 does not properly constrain impersonation levels, which allows local users to gain privileges via a crafted application, aka "Impersonation Level Check Elevation of Privilege Vulnerability." | 7.2 |
2015-03-11 | CVE-2015-0073 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft products The Windows Registry Virtualization feature in the kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict changes to virtual stores, which allows local users to gain privileges via a crafted application, aka "Registry Virtualization Elevation of Privilege Vulnerability." | 7.2 |
2015-03-13 | CVE-2015-0654 | Cisco | Race Condition vulnerability in Cisco Intrusion Prevention System 7.2(1)E4/7.2(2)E4/7.3(2)E4 Race condition in the TLS implementation in MainApp in the management interface in Cisco Intrusion Prevention System (IPS) Software before 7.3(3)E4 allows remote attackers to cause a denial of service (process hang) by establishing many HTTPS sessions, aka Bug ID CSCuq40652. | 7.1 |
2015-03-09 | CVE-2014-9472 | Debian Fedoraproject Bestpractical | Resource Management Errors vulnerability in multiple products The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of service (CPU and disk consumption) via a crafted email. | 7.1 |
48 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-03-14 | CVE-2015-0978 | Elipse | Unspecified vulnerability in Elipse E3 4.5/4.6 Multiple untrusted search path vulnerabilities in (1) EQATEC.Analytics.Monitor.Win32_vc100.dll and (2) EQATEC.Analytics.Monitor.Win32_vc100-x64.dll in Elipse E3 4.5.232 through 4.6.161 allow local users to gain privileges via a Trojan horse DLL in an unspecified directory. | 6.9 |
2015-03-14 | CVE-2014-9207 | Cimon | DLL Loading Arbitrary Code Execution vulnerability in Cimon CmnView Untrusted search path vulnerability in CmnView.exe in CIMON CmnView 2.14.0.1 and 3.x before UltimateAccess 3.02 allows local users to gain privileges via a Trojan horse DLL in the current working directory. | 6.9 |
2015-03-14 | CVE-2014-9206 | Schneider Electric | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Schneider-Electric Device Type Manager 3.1.6 Stack-based buffer overflow in Device Type Manager (DTM) 3.1.6 and earlier for Schneider Electric Invensys SRD Control Valve Positioner devices 960 and 991 allows local users to gain privileges via a malformed DLL file. | 6.9 |
2015-03-13 | CVE-2015-2264 | Telerik | Unspecified vulnerability in Telerik Analytics Monitor Library 3.2.122 Multiple untrusted search path vulnerabilities in (1) EQATEC.Analytics.Monitor.Win32_vc100.dll and (2) EQATEC.Analytics.Monitor.Win32_vc100-x64.dll in Telerik Analytics Monitor Library before 3.2.125 allow local users to gain privileges via a Trojan horse (a) csunsapi.dll, (b) swift.dll, (c) nfhwcrhk.dll, or (d) surewarehook.dll file in an unspecified directory. | 6.9 |
2015-03-14 | CVE-2015-2107 | HP SAP | Improper Access Control vulnerability in HP Operations Manager I Management Pack 1.0 HP Operations Manager i Management Pack 1.x before 1.01 for SAP allows local users to execute OS commands by leveraging SAP administrative privileges. | 6.8 |
2015-03-13 | CVE-2014-6214 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM Websphere Portal 8.0.0.0/8.0.0.1/8.5.0.0 Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Portal 8.0.0 through 8.0.0.1 CF15 and 8.5.0 before CF05 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. | 6.8 |
2015-03-09 | CVE-2015-1874 | Cfdbplugin | Cross-Site Request Forgery (CSRF) vulnerability in Cfdbplugin Contact Form DB 2.8.31 Cross-site request forgery (CSRF) vulnerability in the Contact Form DB (aka CFDB and contact-form-7-to-database-extension) plugin before 2.8.32 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete all plugin records via a request in the CF7DBPluginSubmissions page to wp-admin/admin.php. | 6.8 |
2015-03-09 | CVE-2015-2096 | Webgateinc | ActiveX Control Remote Code Execution vulnerability in Webgateinc Edvr Manager 2.6.4 Use-after-free vulnerability in the Connect function in the WESPMonitor.WESPMonitorCtrl.1 ActiveX control in WebGate eDVR Manager allows remote attackers to execute arbitrary code via an invalid IP address and a page reload. | 6.8 |
2015-03-09 | CVE-2015-2095 | Webgateinc | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Webgateinc Edvr Manager 2.6.4 Heap-based buffer overflow in the SetConnectInfo function in the WESPPTZ.WESPPTZCtrl.1 ActiveX control in WebGate eDVR Manager allows remote attackers to execute arbitrary code via crafted arguments. | 6.8 |
2015-03-09 | CVE-2015-2093 | Webgateinc | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Webgateinc Webeyeaudio Stack-based buffer overflow in the Connect function in the WebGate WebEyeAudio ActiveX control allows remote attackers to execute arbitrary code via a crafted value. | 6.8 |
2015-03-09 | CVE-2015-1464 | Fedoraproject Bestpractical | Improper Access Control vulnerability in multiple products RT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL. | 6.4 |
2015-03-11 | CVE-2015-0095 | Microsoft | NULL Pointer Dereference vulnerability in Microsoft products The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow local users to cause a denial of service (NULL pointer dereference and blue screen), or obtain sensitive information from kernel memory and possibly bypass the ASLR protection mechanism, via a crafted application, aka "Microsoft Windows Kernel Memory Disclosure Vulnerability." | 5.6 |
2015-03-12 | CVE-2015-1065 | Apple | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Iphone OS and mac OS X Multiple buffer overflows in iCloud Keychain in Apple iOS before 8.2 and Apple OS X through 10.10.2 allow man-in-the-middle attackers to execute arbitrary code by modifying the client-server data stream during keychain recovery. | 5.4 |
2015-03-14 | CVE-2014-5409 | GE | Predictable Random Number Generator Weakness in General Electric (GE) Hydran M2 The 17046 Ethernet card before 94450214LFMT100SEM-L.R3-CL for the GE Digital Energy Hydran M2 does not properly generate random values for TCP Initial Sequence Numbers (ISNs), which makes it easier for remote attackers to spoof packets by predicting these values. | 5.0 |
2015-03-13 | CVE-2015-0340 | Adobe Linux Apple Microsoft | File Upload Restriction Security Bypass vulnerability in Adobe Flash Player Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows remote attackers to bypass intended file-upload restrictions via unspecified vectors. | 5.0 |
2015-03-13 | CVE-2015-0337 | Adobe Linux Apple Microsoft | Permissions, Privileges, and Access Controls vulnerability in Adobe Flash Player Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows remote attackers to bypass the Same Origin Policy via unspecified vectors. | 5.0 |
2015-03-13 | CVE-2015-2091 | Apache | Cryptographic Issues vulnerability in Apache Mod-Gnutls The authentication hook (mgs_hook_authz) in mod-gnutls 0.5.10 and earlier does not validate client certificates when "GnuTLSClientVerify require" is set, which allows remote attackers to spoof clients via a crafted certificate. | 5.0 |
2015-03-13 | CVE-2015-0133 | IBM | Unspecified vulnerability in IBM Websphere Commerce 7.0 IBM WebSphere Commerce 7.0 Feature Pack 4 through 8 allows remote attackers to read arbitrary files and possibly obtain administrative privileges via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | 5.0 |
2015-03-12 | CVE-2015-1062 | Apple | Data Processing Errors vulnerability in Apple Iphone OS and Tvos MobileStorageMounter in Apple iOS before 8.2 and Apple TV before 7.1 does not delete invalid disk-image folders, which allows attackers to create folders in arbitrary filesystem locations via a crafted app. | 5.0 |
2015-03-11 | CVE-2015-1631 | Microsoft | Improper Access Control vulnerability in Microsoft Exchange Server 2013 Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to spoof meeting organizers via unspecified vectors, aka "Exchange Forged Meeting Request Spoofing Vulnerability." | 5.0 |
2015-03-11 | CVE-2015-0089 | Microsoft | Information Exposure vulnerability in Microsoft products Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to obtain sensitive information from kernel memory, and possibly bypass the KASLR protection mechanism, via a crafted font, aka "Adobe Font Driver Information Disclosure Vulnerability," a different vulnerability than CVE-2015-0087. | 5.0 |
2015-03-11 | CVE-2015-0087 | Microsoft | Information Exposure vulnerability in Microsoft products Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to obtain sensitive information from kernel memory, and possibly bypass the KASLR protection mechanism, via a crafted font, aka "Adobe Font Driver Information Disclosure Vulnerability," a different vulnerability than CVE-2015-0089. | 5.0 |
2015-03-10 | CVE-2015-2184 | Ajsquare | Information Exposure vulnerability in Ajsquare Zeuscart 4.0 ZeusCart 4 allows remote attackers to obtain configuration information via a getphpinfo action to admin/, which calls the phpinfo function. | 5.0 |
2015-03-10 | CVE-2015-0201 | Pivotal Software Vmware | 7PK - Security Features vulnerability in multiple products The Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors. | 5.0 |
2015-03-09 | CVE-2015-2206 | Fedoraproject Phpmyadmin | Information Exposure vulnerability in multiple products libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests. | 5.0 |
2015-03-09 | CVE-2015-1165 | Debian Fedoraproject Bestpractical | Information Exposure vulnerability in multiple products RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors. | 5.0 |
2015-03-09 | CVE-2014-9689 | Permissions, Privileges, and Access Controls vulnerability in Google Chrome content/renderer/device_sensors/device_orientation_event_pump.cc in Google Chrome before 41.0.2272.76 does not properly restrict access to high-rate gyroscope data, which makes it easier for remote attackers to obtain speech signals from a device's physical environment via a crafted web site that listens for ondeviceorientation events, a different vulnerability than CVE-2015-1231. | 5.0 | |
2015-03-09 | CVE-2011-5319 | Permissions, Privileges, and Access Controls vulnerability in Google Chrome content/renderer/device_sensors/device_motion_event_pump.cc in Google Chrome before 41.0.2272.76 does not properly restrict access to high-rate accelerometer data, which makes it easier for remote attackers to capture keystrokes via a crafted web site that listens for ondevicemotion events, a different vulnerability than CVE-2015-1231. | 5.0 | |
2015-03-12 | CVE-2015-2275 | Wotlab | Cross-site Scripting vulnerability in Wotlab Community Gallery 2.0 Cross-site scripting (XSS) vulnerability in WoltLab Community Gallery 2.0 before 2014-12-26 allows remote attackers to inject arbitrary web script or HTML via the parameters[data][7][title] parameter in a saveImageData action to index.php/AJAXProxy. | 4.3 |
2015-03-12 | CVE-2015-2241 | Djangoproject | Cross-site Scripting vulnerability in Djangoproject Django Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property. | 4.3 |
2015-03-12 | CVE-2015-0522 | EMC | Cross-site Scripting vulnerability in EMC RSA Certificate Manager and RSA Registration Manager Cross-site scripting (XSS) vulnerability in EMC RSA Certificate Manager (RCM) before 6.9 build 558 and RSA Registration Manager (RRM) before 6.9 build 558 allows remote attackers to inject arbitrary web script or HTML via vectors related to the email address parameter. | 4.3 |
2015-03-11 | CVE-2015-2182 | Ajsquare | Cross-site Scripting vulnerability in Ajsquare Zeuscart 4.0 Multiple cross-site scripting (XSS) vulnerabilities in ZeusCart 4 allow remote attackers to inject arbitrary web script or HTML via the (1) schltr parameter in a brands action or (2) brand parameter in a viewbrands action to index.php. | 4.3 |
2015-03-11 | CVE-2015-1026 | Zohocorp | Cross-site Scripting vulnerability in Zohocorp Manageengine Admanager Plus 6.2 Multiple cross-site scripting (XSS) vulnerabilities in ZOHO ManageEngine ADManager Plus before 6.2 Build 6270 allow remote attackers to inject arbitrary web script or HTML via the (1) technicianSearchText parameter to the Help Desk Technician page or (2) rolesSearchText parameter to the Help Desk Roles. | 4.3 |
2015-03-11 | CVE-2010-5322 | Ajsquare | Cross-site Scripting vulnerability in Ajsquare Zeuscart Cross-site scripting (XSS) vulnerability in ZeusCart 4.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter in a search action to index.php. | 4.3 |
2015-03-11 | CVE-2015-1632 | Microsoft | Cross-site Scripting vulnerability in Microsoft Exchange Server 2013 Cross-site scripting (XSS) vulnerability in errorfe.aspx in Outlook Web App (OWA) in Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to inject arbitrary web script or HTML via the msgParam parameter in an authError action, aka "Exchange Error Message Cross Site Scripting Vulnerability." | 4.3 |
2015-03-11 | CVE-2015-1630 | Microsoft | Cross-site Scripting vulnerability in Microsoft Exchange Server 2013 Cross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Audit Report Cross Site Scripting Vulnerability." | 4.3 |
2015-03-11 | CVE-2015-1629 | Microsoft | Cross-site Scripting vulnerability in Microsoft Exchange Server 2013 Cross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "ExchangeDLP Cross Site Scripting Vulnerability." | 4.3 |
2015-03-11 | CVE-2015-1628 | Microsoft | Cross-site Scripting vulnerability in Microsoft Exchange Server 2013 Cross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to inject arbitrary web script or HTML via a crafted X-OWA-Canary cookie in an AD.RecipientType.User action, aka "OWA Modified Canary Parameter Cross Site Scripting Vulnerability." | 4.3 |
2015-03-11 | CVE-2015-1627 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft Internet Explorer Microsoft Internet Explorer 7 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability." | 4.3 |
2015-03-11 | CVE-2015-0080 | Microsoft | Information Exposure vulnerability in Microsoft products Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly initialize memory for rendering of malformed PNG images, which allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Malformed PNG Parsing Information Disclosure Vulnerability." | 4.3 |
2015-03-11 | CVE-2015-0076 | Microsoft | Information Exposure vulnerability in Microsoft products The photo-decoder implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly initialize memory for rendering of JXR images, which allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka "JPEG XR Parser Information Disclosure Vulnerability." | 4.3 |
2015-03-11 | CVE-2015-0074 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft products Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly allocate memory, which allows remote attackers to cause a denial of service via a crafted (1) web site or (2) file, aka "Adobe Font Driver Denial of Service Vulnerability." | 4.3 |
2015-03-11 | CVE-2015-0005 | Microsoft | 7PK - Security Features vulnerability in Microsoft products The NETLOGON service in Microsoft Windows Server 2003 SP2, Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold and R2, when a Domain Controller is configured, allows remote attackers to spoof the computer name of a secure channel's endpoint, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic, aka "NETLOGON Spoofing Vulnerability." | 4.3 |
2015-03-11 | CVE-2015-1067 | Apple | Cryptographic Issues vulnerability in Apple Iphone OS, mac OS X and Tvos Secure Transport in Apple iOS before 8.2, Apple OS X through 10.10.2, and Apple TV before 7.1 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204 and CVE-2015-1637. | 4.3 |
2015-03-10 | CVE-2015-2217 | Myupb | Cross-site Scripting vulnerability in Myupb Ultimate PHP Board 2.2.7 Multiple cross-site scripting (XSS) vulnerabilities in Ultimate PHP Board (aka myUPB) before 2.2.8 allow remote attackers to inject arbitrary web script or HTML via the (1) q parameter to search.php or (2) avatar parameter to profile.php. | 4.3 |
2015-03-09 | CVE-2015-2244 | Webshophun | Cross-site Scripting vulnerability in Webshophun Webshop HUN 1.062S Multiple cross-site scripting (XSS) vulnerabilities in Webshop hun 1.062S allow remote attackers to inject arbitrary web script or HTML via the (1) param, (2) center, (3) lap, (4) termid, or (5) nyelv_id parameter to index.php. | 4.3 |
2015-03-09 | CVE-2015-2063 | Winace | Numeric Errors vulnerability in Winace Unace 1.2B Integer overflow in unace 1.2b allows remote attackers to cause a denial of service (crash) via a small file header in an ace archive, which triggers a buffer overflow. | 4.3 |
2015-03-09 | CVE-2015-2239 | Data Processing Errors vulnerability in Google Chrome Google Chrome before 41.0.2272.76, when Instant Extended mode is used, does not properly consider the interaction between the "1993 search" features and restore-from-disk RELOAD transitions, which makes it easier for remote attackers to spoof the address bar for a search-results page by leveraging (1) a compromised search engine or (2) an XSS vulnerability in a search engine, a different vulnerability than CVE-2015-1231. | 4.3 |
16 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-03-13 | CVE-2015-0177 | IBM | Cross-site Scripting vulnerability in IBM Websphere Portal 8.5.0.0 Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.5.0 before CF05 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 3.5 |
2015-03-13 | CVE-2015-0139 | IBM | Cross-site Scripting vulnerability in IBM Websphere Portal 8.0.0.0/8.0.0.1/8.5.0.0 Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.0 through 8.0.0.1 CF15 and 8.5.0 before CF05 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 3.5 |
2015-03-13 | CVE-2015-0129 | IBM | Cross-site Scripting vulnerability in IBM Rational Quality Manager Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager (RQM) 4.x before 4.0.7 iFix3 and 5.x before 5.0.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 3.5 |
2015-03-13 | CVE-2015-0123 | IBM | Cross-site Scripting vulnerability in IBM Rational Team Concert Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert 2.x and 3.x before 3.0.1.6 iFix 5, 4.x before 4.0.7 iFix3, and 5.x before 5.0.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2015-0122. | 3.5 |
2015-03-13 | CVE-2015-0122 | IBM | Cross-site Scripting vulnerability in IBM Rational Team Concert Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert 2.x and 3.x before 3.0.1.6 iFix 5, 4.x before 4.0.7 iFix3, and 5.x before 5.0.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2015-0123. | 3.5 |
2015-03-13 | CVE-2014-6144 | IBM | Cross-site Scripting vulnerability in IBM Rational Quality Manager Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager (RQM) 2.x and 3.x before 3.0.1.6 iFix 5, 4.x before 4.0.7 iFix3, and 5.x before 5.0.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 3.5 |
2015-03-12 | CVE-2015-0521 | EMC | Cross-site Scripting vulnerability in EMC RSA Certificate Manager and RSA Registration Manager Cross-site scripting (XSS) vulnerability in EMC RSA Certificate Manager (RCM) before 6.9 build 558 and RSA Registration Manager (RRM) before 6.9 build 558 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to the CMP shared secret parameter. | 3.5 |
2015-03-11 | CVE-2014-9017 | Openkm | Cross-site Scripting vulnerability in Openkm 6.4.18 Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 (build 23338) allows remote authenticated users to inject arbitrary web script or HTML via the Subject field in a Task to frontend/index.jsp. | 3.5 |
2015-03-11 | CVE-2015-1636 | Microsoft | Cross-site Scripting vulnerability in Microsoft Sharepoint Foundation and Sharepoint Server Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Foundation 2013 Gold and SP1 and SharePoint Server 2013 Gold and SP1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted request, aka "Microsoft SharePoint XSS Vulnerability." | 3.5 |
2015-03-11 | CVE-2015-1633 | Microsoft | Cross-site Scripting vulnerability in Microsoft Sharepoint Foundation and Sharepoint Server Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Foundation 2010 SP2, SharePoint Server 2010 SP2, SharePoint Foundation 2013 Gold and SP1, and SharePoint Server 2013 Gold and SP1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted request, aka "Microsoft SharePoint XSS Vulnerability." | 3.5 |
2015-03-12 | CVE-2015-2045 | XEN Fedoraproject Debian | Information Exposure vulnerability in multiple products The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does not properly initialize data structures, which allows local guest users to obtain sensitive information via unspecified vectors. | 2.1 |
2015-03-12 | CVE-2015-2044 | XEN | Information Exposure vulnerability in XEN The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x does not properly initialize data, which allow local HVM guest users to obtain sensitive information via vectors involving an unsupported access size. | 2.1 |
2015-03-11 | CVE-2015-0094 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly restrict the availability of address information during a function call, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application, aka "Microsoft Windows Kernel Memory Disclosure Vulnerability." | 2.1 |
2015-03-11 | CVE-2015-0084 | Microsoft | 7PK - Security Features vulnerability in Microsoft products The Task Scheduler in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly constrain impersonation levels, which allows local users to bypass intended restrictions on launching executable files via a crafted task, aka "Task Scheduler Security Feature Bypass Vulnerability." | 2.1 |
2015-03-11 | CVE-2015-0077 | Microsoft | Information Exposure vulnerability in Microsoft products The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly initialize function buffers, which allows local users to obtain sensitive information from kernel memory, and possibly bypass the ASLR protection mechanism, via a crafted application, aka "Microsoft Windows Kernel Memory Disclosure Vulnerability." | 2.1 |
2015-03-12 | CVE-2015-1064 | Apple | Information Exposure vulnerability in Apple Iphone OS Springboard in Apple iOS before 8.2 allows physically proximate attackers to bypass an intended activation requirement and read the home screen by leveraging an application crash during the activation process. | 1.9 |