Weekly Vulnerabilities Reports > April 20 to 26, 2015
Overview
84 new vulnerabilities were reported during this period, including 4 critical and 10 high-severity vulnerabilities. This weekly summary reports vulnerabilities in 93 products from 69 vendors, including Canonical, Debian, Cisco, Apple, and Haxx. The most common weakness categories are "Cross-site Scripting", "Cross-Site Request Forgery (CSRF)", "Information Exposure", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Permissions, Privileges, and Access Controls".
- 81 reported vulnerabilities are remotely exploitable.
- 4 reported vulnerabilities have a public exploit available.
- 34 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 54 reported vulnerabilities are exploitable by an anonymous user.
- Canonical has the most reported vulnerabilities, with 8.
- IBM has the most reported critical vulnerabilities, with 1.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:
4 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-04-21 | CVE-2015-0135 | IBM | Numeric Errors vulnerability in IBM Domino IBM Domino 8.5 before 8.5.3 FP6 IF4 and 9.0 before 9.0.1 FP3 IF2 allows remote attackers to execute arbitrary code or cause a denial of service (integer truncation and application crash) via a crafted GIF image, aka SPR KLYH9T7NT9. | 10.0 |
2015-04-24 | CVE-2015-3144 | Oracle Haxx Canonical Debian | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products The fix_hostname function in cURL and libcurl 7.37.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) or possibly have other unspecified impact via a zero-length host name, as demonstrated by "http://:80" and ":80." The previous CVSS assessment 7.5 (AV:N/AC:L/AU:N/C:P/I:P/A:P) was provided at the time of initial analysis based on the best available published information at that time. | 9.0 |
2015-04-24 | CVE-2015-0297 | Redhat | Improper Access Control vulnerability in Redhat Jboss Operations Network 3.3.1 Red Hat JBoss Operations Network 3.3.1 does not properly restrict access to certain APIs, which allows remote attackers to execute arbitrary Java methods via the (1) ServerInvokerServlet or (2) SchedulerService or (3) cause a denial of service (disk consumption) via the ContentManager. | 9.0 |
2015-04-21 | CVE-2015-0702 | Cisco | Improper Input Validation vulnerability in Cisco Unified Meetingplace 8.6(1.9) Unrestricted file upload vulnerability in the Custom Prompts upload implementation in Cisco Unified MeetingPlace 8.6(1.9) allows remote authenticated users to execute arbitrary code by using the languageShortName parameter to upload a file that provides shell access, aka Bug ID CSCus95712. | 9.0 |
10 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-04-21 | CVE-2015-1701 | Microsoft | Unspecified vulnerability in Microsoft products Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka "Win32k Elevation of Privilege Vulnerability." | 7.8 |
2015-04-24 | CVE-2015-3416 | Canonical Sqlite Debian Apple PHP | Integer Overflow or Wraparound vulnerability in multiple products The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement. | 7.5 |
2015-04-24 | CVE-2015-3415 | Apple Debian Canonical Sqlite PHP | Improper Resource Shutdown or Release vulnerability in multiple products The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement. | 7.5 |
2015-04-24 | CVE-2015-3414 | Sqlite Apple Debian Canonical PHP | Use of Uninitialized Resource vulnerability in multiple products SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement. | 7.5 |
2015-04-24 | CVE-2015-3145 | Fedoraproject Canonical Debian Haxx Apple Oracle HP Opensuse | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products The sanitize_cookie_path function in cURL and libcurl 7.31.0 through 7.41.0 does not properly calculate an index, which allows remote attackers to cause a denial of service (out-of-bounds write and crash) or possibly have other unspecified impact via a cookie path containing only a double-quote character. | 7.5 |
2015-04-22 | CVE-2015-3035 | TP Link | Path Traversal vulnerability in Tp-Link products Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310 allows remote attackers to read arbitrary files via a .. | 7.5 |
2015-04-21 | CVE-2014-8125 | Redhat | XML External Entity Information Disclosure vulnerability in jBPM and Drools XML external entity (XXE) vulnerability in Drools and jBPM before 6.2.0 allows remote attackers to read arbitrary files or possibly have other unspecified impact via a crafted BPMN2 file. | 7.5 |
2015-04-21 | CVE-2015-3346 | Wikiwiki Project | SQL Injection vulnerability in Wikiwiki Project Wikiwiki 6.X1.1 SQL injection vulnerability in the WikiWiki module before 6.x-1.2 for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 |
2015-04-21 | CVE-2015-2825 | Simple ADS Manager Project | Unspecified vulnerability in Simple ADS Manager Project Simple ADS Manager 2.5.94 Unrestricted file upload vulnerability in sam-ajax-admin.php in the Simple Ads Manager plugin before 2.5.96 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the directory specified by the path parameter. | 7.5 |
2015-04-21 | CVE-2014-5370 | NEW Atlanta | Path Traversal vulnerability in NEW Atlanta Bluedragon 7.1.1 Directory traversal vulnerability in the CFChart servlet (com.naryx.tagfusion.cfm.cfchartServlet) in New Atlanta BlueDragon before 7.1.1.18527 allows remote attackers to read or possibly delete arbitrary files via a .. | 7.5 |
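Several rows above share two input-handling mistakes: a client-supplied path reaching the filesystem unchecked (the TP-LINK and BlueDragon directory traversals, and the TransmitMail row in the Medium table below) and an upload that accepts any file name and then serves it back from a web-reachable directory (Cisco MeetingPlace's Custom Prompts upload, the Simple Ads Manager plugin). The following is an added example, not code from any of those vendors or from this report: a path-confinement routine plus an upload-name policy, written as a security engineer would for a generic upload handler. The base directory, the extension allow-list and all attack strings are assumptions constructed for the example.

```python
import os
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Assumptions for this example (not taken from any vendor's code): uploads
# live under one directory and only media files are ever accepted.
ALLOWED_UPLOAD_EXT = {".wav", ".mp3", ".png", ".jpg", ".gif"}
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def resolve_under(base_dir: str, user_path: str) -> Optional[str]:
    """Map a client-supplied relative path to an absolute path under base_dir.

    Returns None for anything that escapes, or merely tries to escape:
    "..", percent-encoded dots, backslash separators, NUL bytes and
    double-encoded input ("%252e") are refused rather than normalised away,
    so an attempt is visible in logs instead of silently remapped.
    """
    decoded = unquote(user_path)          # decode exactly once
    if "%" in decoded or "\x00" in decoded:
        return None                       # double encoding or NUL truncation
    decoded = decoded.replace("\\", "/")  # Windows-hosted servers split on both
    norm = posixpath.normpath(decoded)    # collapses "a/../b", "./x", "//"
    if norm in (".", "..") or norm.startswith(("/", "../")):
        return None
    # Second line of defence: follow symlinks on disk and confirm the result
    # is still inside the real base directory.
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, norm))
    try:
        if os.path.commonpath([base_real, candidate]) != base_real:
            return None
    except ValueError:                    # e.g. different drives on Windows
        return None
    return candidate


def upload_target(base_dir: str, filename: str) -> Optional[str]:
    """Decide where an uploaded file may be stored, or None to refuse it.

    The name must be a bare file name (no directory part) made of one safe
    stem plus exactly one allow-listed extension, so "shell.php",
    "shell.php.wav" and "../x.wav" are all refused. Deciding on the name
    rather than on the declared MIME type is what stops the "upload a file
    with an executable extension, then request it" pattern.
    """
    if filename != posixpath.basename(filename.replace("\\", "/")):
        return None
    stem, dot, ext = filename.rpartition(".")
    if not dot or not SAFE_STEM.match(stem):
        return None
    if "." + ext.lower() not in ALLOWED_UPLOAD_EXT:
        return None
    return resolve_under(base_dir, filename)


if __name__ == "__main__":
    # Constructed inputs; /srv/uploads need not exist for the checks to run.
    for p in ("sounds/hello.wav", "../../etc/passwd", "..%2f..%2fetc/passwd"):
        print(repr(p), "->", resolve_under("/srv/uploads", p))
    for f in ("hello.wav", "shell.php", "shell.php.wav", "../hello.wav"):
        print(repr(f), "->", upload_target("/srv/uploads", f))
```

The two checks are deliberately separate: `resolve_under` answers "may this path be read?", which is the question the router and servlet rows failed, while `upload_target` answers "may this name be written and later served?", which is the question the upload rows failed. Storing uploads outside the document root, or under a server-generated name, is still the stronger fix where the application allows it.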
47 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-04-22 | CVE-2015-1484 | Symantec | Local Privilege Escalation vulnerability in Symantec Workspace Streaming 6.1/7.5 Unquoted Windows search path vulnerability in the agent in Symantec Workspace Streaming (SWS) 6.1 before SP8 MP2 HF7 and 7.5 before SP1 HF4, when AppMgrService.exe is configured as a service, allows local users to gain privileges via a Trojan horse executable file in the %SYSTEMDRIVE% directory, as demonstrated by program.exe. | 6.9 |
2015-04-24 | CVE-2012-2930 | Tinywebgallery | Cross-Site Request Forgery (CSRF) vulnerability in Tinywebgallery Multiple cross-site request forgery (CSRF) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user via an adduser action to admin/index.php or (2) conduct static PHP code injection attacks in .htusers.php via the user parameter to admin/index.php. | 6.8 |
2015-04-22 | CVE-2015-0705 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Unified Meetingplace 8.6(1.9) Cross-site request forgery (CSRF) vulnerability in the SOAP API endpoints of the web-services directory in Cisco Unified MeetingPlace 8.6(1.9) allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts, aka Bug ID CSCus97494. | 6.8 |
2015-04-22 | CVE-2015-0704 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Unified Meetingplace 8.6(1.9) Multiple cross-site request forgery (CSRF) vulnerabilities in API features in Cisco Unified MeetingPlace 8.6(1.9) allow remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCus95884. | 6.8 |
2015-04-21 | CVE-2015-3370 | Node Invite Project | Cross-Site Request Forgery (CSRF) vulnerability in Node Invite Project Node Invite 6.X2.3 Cross-site request forgery (CSRF) vulnerability in the Node Invite module before 6.x-2.5 for Drupal allows remote attackers to hijack the authentication of users with the "node_invite_can_manage_invite" permission for requests that re-enable node invitations via unspecified vectors. | 6.8 |
2015-04-21 | CVE-2015-3367 | Patterns | Cross-Site Request Forgery (CSRF) vulnerability in Patterns 7.X2.1 Multiple cross-site request forgery (CSRF) vulnerabilities in the Patterns module before 7.x-2.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) restore, (2) publish, or (3) unpublish a pattern via unspecified vectors. | 6.8 |
2015-04-21 | CVE-2015-3363 | Joshics | Cross-Site Request Forgery (CSRF) vulnerability in Joshics Contact Form Fields 6.X2.2 Cross-site request forgery (CSRF) vulnerability in the Contact Form Fields module before 6.x-2.3 for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete fields via unspecified vectors. | 6.8 |
2015-04-21 | CVE-2015-3356 | Tadaa Project | Cross-Site Request Forgery (CSRF) vulnerability in Tadaa! Project Tadaa! 7.X1.3 Multiple cross-site request forgery (CSRF) vulnerabilities in the Tadaa! module before 7.x-1.4 for Drupal allow remote attackers to hijack the authentication of arbitrary users for requests that (1) enable or (2) disable modules or (3) change variables via unspecified vectors. | 6.8 |
2015-04-21 | CVE-2015-3355 | Batch Jobs Project | Cross-Site Request Forgery (CSRF) vulnerability in Batch Jobs Project Batch Jobs 7.X1.1 Multiple cross-site request forgery (CSRF) vulnerabilities in the Batch Jobs module before 7.x-1.2 for Drupal allow remote attackers to hijack the authentication of certain users for requests that (1) delete a batch job record or (2) execute a task via unspecified vectors. | 6.8 |
2015-04-21 | CVE-2015-3352 | Jammer Project | Cross-Site Request Forgery (CSRF) vulnerability in Jammer Project Jammer Multiple cross-site request forgery (CSRF) vulnerabilities in the Jammer module before 6.x-1.8 and 7.x-1.x before 7.x-1.4 for Drupal allow remote attackers to hijack the authentication of administrators for requests that delete a setting for (1) hidden form elements or (2) status messages via unspecified vectors, related to "report administration." | 6.8 |
2015-04-21 | CVE-2015-3351 | LOG Watcher Project | Cross-Site Request Forgery (CSRF) vulnerability in LOG Watcher Project LOG Watcher Multiple cross-site request forgery (CSRF) vulnerabilities in the Log Watcher module before 6.x-1.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable, (2) disable, or (3) delete a report via unspecified vectors. | 6.8 |
2015-04-21 | CVE-2015-3350 | Todo Filter Project | Cross-Site Request Forgery (CSRF) vulnerability in Todo Filter Project Todo Filter 6.X1.0/7.X1.0/7.X1.Xdev Cross-site request forgery (CSRF) vulnerability in the Todo Filter module before 6.x-1.1 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that toggle a task via unspecified vectors. | 6.8 |
2015-04-21 | CVE-2015-3349 | Htaccess Project | Cross-Site Request Forgery (CSRF) vulnerability in Htaccess Project Htaccess Multiple cross-site request forgery (CSRF) vulnerabilities in the Htaccess module before 7.x-2.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) deploy or (2) delete an .htaccess file via unspecified vectors. | 6.8 |
2015-04-21 | CVE-2015-3347 | Cloudwords | Cross-Site Request Forgery (CSRF) vulnerability in Cloudwords for Multilingual 7.X2.2 Cross-site request forgery (CSRF) vulnerability in the Cloudwords for Multilingual Drupal module before 7.x-2.3 for Drupal allows remote attackers to hijack the authentication of unspecified victims via an unknown menu callback. | 6.8 |
2015-04-21 | CVE-2015-3343 | Opac Project | Cross-Site Request Forgery (CSRF) vulnerability in Opac Project Opac 7.X2.0 Cross-site request forgery (CSRF) vulnerability in the OPAC module before 7.x-2.3 for Drupal allows remote attackers to hijack the authentication of unspecified victims for requests that remove a mapping via unknown vectors. | 6.8 |
2015-04-21 | CVE-2014-5361 | Landesk | Cross-Site Request Forgery (CSRF) vulnerability in Landesk Management Suite 8.7/8.8/9.6 Multiple cross-site request forgery (CSRF) vulnerabilities in Landesk Management Suite 9.6 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) start, (2) stop, or (3) restart services via a request to remote/serverServices.aspx. | 6.8 |
2015-04-22 | CVE-2015-1889 | IBM | SQL Injection vulnerability in IBM Infosphere Biginsights 3.0.0.0/3.0.0.1/3.0.0.2 The Big SQL component in IBM InfoSphere BigInsights 3.0 through 3.0.0.2 allows remote authenticated users to bypass intended HDFS data-access restrictions via (1) a crafted CREATE HADOOP TABLE statement referencing the data of an arbitrary user or (2) an import of a certain Hive table definition with the HCAT_SYNC_OBJECTS procedure. | 6.5 |
2015-04-21 | CVE-2015-3345 | Phplist Integration Project | SQL Injection vulnerability in PHPlist Integration Project PHPlist Integration 6.X1.6 SQL injection vulnerability in the PHPlist Integration Module before 6.x-1.7 for Drupal allows remote administrators to execute arbitrary SQL commands via unspecified vectors, related to the "phpList database." | 6.5 |
2015-04-24 | CVE-2011-4403 | ZEN Cart | Cross-Site Request Forgery (CSRF) vulnerability in Zen-Cart ZEN Cart 1.3.9H Multiple cross-site request forgery (CSRF) vulnerabilities in Zen Cart 1.3.9h allow remote attackers to hijack the authentication of administrators for requests that (1) delete a product via a delete_product_confirm action to product.php or (2) disable a product via a setflag action to categories.php. | 5.8 |
2015-04-23 | CVE-2015-0706 | Cisco | HTTP Open Redirection vulnerability in Cisco Firesight System Software 5.3.1.1/5.3.1.2/6.0.0 Open redirect vulnerability in Cisco FireSIGHT System Software 5.3.1.1, 5.3.1.2, and 6.0.0 in FireSIGHT Management Center allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted HTTP header, aka Bug IDs CSCut06060, CSCut06056, and CSCus98966. | 5.8 |
2015-04-21 | CVE-2015-3393 | Fibonacciorange | Unspecified vulnerability in Fibonacciorange Wedeal 7.X1.2 Open redirect vulnerability in the Commerce WeDeal module before 7.x-1.3 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter. | 5.8 |
2015-04-21 | CVE-2015-3388 | Balanced | Cross-Site Request Forgery (CSRF) vulnerability in Balanced Commerce Balanced Payments 7.X1.2 Cross-site request forgery (CSRF) vulnerability in the Commerce Balanced Payments module for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete the user's configured bank accounts via unspecified vectors. | 5.8 |
2015-04-21 | CVE-2015-3383 | Insite | Cross-Site Scripting and Cross Site Request Forgery vulnerability in Insite Node Basket 7.X1.0 Open redirect vulnerability in the Node basket module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 5.8 |
2015-04-21 | CVE-2015-3382 | Insite | Cross-Site Request Forgery (CSRF) vulnerability in Insite Node Basket 7.X1.0 Multiple cross-site request forgery (CSRF) vulnerabilities in the Node basket module for Drupal allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add or (2) remove nodes from a basket via unspecified vectors. | 5.8 |
2015-04-21 | CVE-2015-3380 | Funnymonkey | Cross-Site Request Forgery (CSRF) vulnerability in Funnymonkey Feature SET 7.X1.0Beta1 Multiple cross-site request forgery (CSRF) vulnerabilities in the Feature Set module for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable or (2) disable a module via unspecified vectors. | 5.8 |
2015-04-21 | CVE-2015-3375 | Niif | Cross-Site Request Forgery (CSRF) vulnerability in Niif Shibboleth Authentication 6.X4.0/7.X4.0 Cross-site request forgery (CSRF) vulnerability in the Shibboleth Authentication module before 6.x-4.1 and 7.x-4.x before 7.x-4.1 for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete user role matching rules via unspecified vectors. | 5.8 |
2015-04-21 | CVE-2015-3374 | Corner Project | Cross-Site Request Forgery (CSRF) vulnerability in Corner Project Corner Multiple cross-site request forgery (CSRF) vulnerabilities in the Corner module for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable or (2) disable corners via unspecified vectors. | 5.8 |
2015-04-21 | CVE-2015-3371 | Node Invite Project | Input Validation vulnerability in Node Invite Project Node Invite 6.X2.3 Open redirect vulnerability in the Node Invite module before 6.x-2.5 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the destination parameter. | 5.8 |
2015-04-21 | CVE-2015-3366 | Alfresco | Cross-Site Request Forgery (CSRF) vulnerability in Alfresco 6.X1.2 Cross-site request forgery (CSRF) vulnerability in the Alfresco module before 6.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete an alfresco node via unspecified vectors. | 5.8 |
2015-04-21 | CVE-2015-3358 | Tadaa Project | Cross-Site Request Forgery vulnerability in Tadaa! Project Tadaa! 7.X1.3 Multiple open redirect vulnerabilities in the Tadaa! module before 7.x-1.4 for Drupal allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a destination parameter, related to callbacks that (1) enable and disable modules or (2) change variables. | 5.8 |
2015-04-21 | CVE-2015-3354 | Wishlist Project | Cross-Site Request Forgery (CSRF) vulnerability in Wishlist Project Wishlist 7.X2.5/7.X2.6/7.X2.Xdev Cross-site request forgery (CSRF) vulnerability in the Wishlist module before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete wishlist purchase intentions via unspecified vectors. | 5.8 |
2015-04-21 | CVE-2015-3342 | Ubercart Currency Conversion Project | Unspecified vulnerability in Ubercart Currency Conversion Project Ubercart Currency Conversion 6.X1.1 Open redirect vulnerability in the Ubercart Currency Conversion module before 6.x-1.2 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination query parameter. | 5.8 |
2015-04-24 | CVE-2015-3148 | Fedoraproject Canonical Debian Apple Haxx HP Opensuse | Improper Access Control vulnerability in multiple products cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use authenticated Negotiate connections, which allows remote attackers to connect as other users via a request. | 5.0 |
2015-04-24 | CVE-2015-3143 | Haxx Canonical Debian HP Apple | Permissions, Privileges, and Access Controls vulnerability in multiple products cURL and libcurl 7.10.6 through 7.41.0 do not properly re-use NTLM connections, which allows remote attackers to connect as other users via an unauthenticated request, a similar issue to CVE-2014-0015. | 5.0 |
2015-04-24 | CVE-2015-0846 | Django Markupfield Project | Information Exposure vulnerability in Django-Markupfield Project Django-Markupfield 1.3.1 django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXT_FILTER_SETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors. | 5.0 |
2015-04-24 | CVE-2012-5451 | Tvmobili | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Tvmobili Multiple stack-based buffer overflows in HttpUtils.dll in TVMOBiLi before 2.1.0.3974 allow remote attackers to cause a denial of service (tvMobiliService service crash) via a long string in a (1) GET or (2) HEAD request to TCP port 30888. | 5.0 |
2015-04-24 | CVE-2015-0911 | Dounokouno | Path Traversal vulnerability in Dounokouno Transmitmail Directory traversal vulnerability in TAGAWA Takao TransmitMail 1.0.11 through 1.5.8 allows remote attackers to read arbitrary files via vectors related to attachment handling. | 5.0 |
2015-04-21 | CVE-2015-3391 | Path Breadcrumbs Project | Information Exposure vulnerability in Path Breadcrumbs Project Path Breadcrumbs 7.X3.0/7.X3.1 The Path Breadcrumbs module before 7.x-3.2 for Drupal allows remote attackers to bypass intended access restrictions and obtain sensitive node titles by reading a 403 Not Found page. | 5.0 |
2015-04-21 | CVE-2015-3373 | Amazon AWS Project | Information Exposure vulnerability in Amazon AWS Project Amazon AWS 7.X1.2 The Amazon AWS module before 7.x-1.3 for Drupal uses the base URL and AWS access key to generate the access token, which makes it easier for remote attackers to guess the token value and create backups via a crafted URL. | 5.0 |
2015-04-21 | CVE-2015-3378 | Views Project | Unspecified vulnerability in Views Project Views Open redirect vulnerability in the Views module before 6.x-2.18, 6.x-3.x before 6.x-3.2, and 7.x-3.x before 7.x-3.10 for Drupal, when the Views UI submodule is enabled, allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via vectors related to the break lock page for edited views. | 4.9 |
2015-04-24 | CVE-2015-3310 | Canonical Debian Point TO Point Protocol Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Buffer overflow in the rc_mksid function in plugins/radius/util.c in Paul's PPP Package (ppp) 2.4.6 and earlier, when the PID for pppd is greater than 65535, allows remote attackers to cause a denial of service (crash) via a start accounting message to the RADIUS server. | 4.3 |
2015-04-24 | CVE-2012-2932 | Tinywebgallery | Cross-site Scripting vulnerability in Tinywebgallery Multiple cross-site scripting (XSS) vulnerabilities in TinyWebGallery (TWG) before 1.8.8 allow remote attackers to inject arbitrary web script or HTML via the selitems[] parameter in a (1) copy, (2) chmod, or (3) arch action to admin/index.php or (4) searchitem parameter in a search action to admin/index.php. | 4.3 |
2015-04-24 | CVE-2015-0910 | Dounokouno | Cross-site Scripting vulnerability in Dounokouno Transmitmail Cross-site scripting (XSS) vulnerability in TAGAWA Takao TransmitMail 1.0.11 through 1.5.8 allows remote attackers to inject arbitrary web script or HTML via a crafted filename. | 4.3 |
2015-04-21 | CVE-2015-3364 | Levelteninteractive | Cross-site Scripting vulnerability in Levelteninteractive Content Analysis 6.X1.6 Cross-site scripting (XSS) vulnerability in the Content Analysis module before 6.x-1.7 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a log message. | 4.3 |
2015-04-21 | CVE-2015-0703 | Cisco | Cross-site Scripting vulnerability in Cisco Unified Meetingplace 8.6(1.9) Cross-site scripting (XSS) vulnerability in the administrative web interface in Cisco Unified MeetingPlace 8.6(1.9) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCus95857. | 4.3 |
2015-04-22 | CVE-2015-3404 | Certify Project | Information Exposure vulnerability in Certify Project Certify 6.X2.2 The Certify module before 6.x-2.3 for Drupal does not properly perform node access checks, which allows remote authenticated users to bypass intended access restrictions and obtain sensitive PDF certificate information via vectors related to "showing (and creating) the PDF certificates." | 4.0 |
2015-04-21 | CVE-2015-3379 | Views Project | Permissions, Privileges, and Access Controls vulnerability in Views Project Views The Views module before 6.x-2.18, 6.x-3.x before 6.x-3.2, and 7.x-3.x before 7.x-3.10 for Drupal does not properly restrict access to the default views configurations, which allows remote authenticated users to obtain sensitive information via unspecified vectors. | 4.0 |
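Six rows in this table are open redirects (Cisco FireSIGHT, Commerce WeDeal, Node Invite, Tadaa!, Ubercart Currency Conversion, Views), and three of them name the same vector: a `destination` query parameter that is passed to the redirect unchecked. The following is an added example, not Drupal's code or any module's: a validator that accepts only on-site paths, plus the function that builds the `Location` value from it. The site base URL and every attack string are constructed for the example.

```python
from urllib.parse import unquote, urljoin, urlsplit


def is_local_destination(dest: str) -> bool:
    """True only for a path on this site, e.g. "node/5" or "/user?x=1#top".

    Both the literal value and its once-decoded form must pass, so the
    encoded "%2F%2Fevil.example" is caught as well as "//evil.example".
    Rejected shapes (all constructed attack inputs):
      - anything with a scheme: "http://evil.example", "javascript:alert(1)"
      - scheme-relative hosts: "//evil.example", and "host:port" forms
      - backslash variants that browsers treat as "/": "/\\evil.example"
      - control characters and whitespace, which enable header injection
    """
    if not dest or len(dest) > 2048:
        return False
    for s in (dest, unquote(dest)):
        if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in s):
            return False                    # CR/LF/tab/space tricks, NUL
        if "\\" in s:
            return False                    # "/\evil.example" is // to browsers
        parts = urlsplit(s)
        if parts.scheme or parts.netloc:
            return False                    # http:, javascript:, //host, host:port
    return True


def redirect_target(site_base: str, dest, fallback: str = "/") -> str:
    """Absolute URL for the Location header; never leaves site_base."""
    if not isinstance(dest, str) or not is_local_destination(dest):
        dest = fallback
    return urljoin(site_base, dest)


if __name__ == "__main__":
    for d in ("node/5", "//evil.example", "%2F%2Fevil.example", "javascript:alert(1)"):
        print(repr(d), "->", redirect_target("https://shop.example", d))
```

The validator is an allow-list of one shape (a relative path) rather than a deny-list of known hosts, which is why the decoded and literal forms are both checked: a filter that only looked at the raw parameter would pass `%2F%2Fevil.example` and let the browser decode it after the redirect. `urljoin` is then applied to a fixed `site_base`, so even a validator bug cannot produce a third-party host.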
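Most of the CSRF rows in this table describe the same defect: an administrative action (delete a report, enable a module, remove a mapping) reachable by a plain link, with nothing in the request that a third-party page could not forge. The Amazon AWS module row is the related mistake of deriving a token only from values an outsider can learn (the base URL and access key), so it can be recomputed rather than forged. The following is an added example, not Drupal's code or any module's: a token bound to the session and the action under a server secret, checked on a state-changing request, next to the weak derivation for contrast. Route names, session ids and the in-process secret are assumptions for the example; Drupal 7's own `drupal_get_token()` / `drupal_valid_token()` pair works on the same principle.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret, generated once and kept server-side. Assumption for
# this example: created at import time; a real site loads it from config.
SERVER_SECRET = secrets.token_bytes(32)

# Hypothetical admin paths whose handlers change state; modelled on the kind
# of menu callbacks the rows above describe, not real module routes.
STATE_CHANGING = {"/admin/reports/log-watcher/delete", "/admin/modules/toggle"}


def weak_token(base_url: str, access_key: str) -> str:
    """The anti-pattern: a 'secret' built only from values an outsider may
    know or guess, so anyone holding them recomputes it. Shown for contrast."""
    return hashlib.sha256((base_url + access_key).encode()).hexdigest()


def csrf_token(session_id: str, action: str, secret: bytes = SERVER_SECRET) -> str:
    """Token bound to one session and one action, keyed by the server secret.
    A token leaked for one action is useless for another or for another user."""
    msg = session_id.encode() + b"\x00" + action.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, action: str, presented,
                     secret: bytes = SERVER_SECRET) -> bool:
    expected = csrf_token(session_id, action, secret)
    # compare_digest: constant-time, so a wrong token leaks no prefix match
    return isinstance(presented, str) and hmac.compare_digest(expected, presented)


def handle(method: str, path: str, params: dict, session_id: str):
    """Minimal dispatcher: state-changing paths need POST plus a valid token.

    A forged cross-site request makes the victim's browser attach cookies
    (hence session_id is trusted here), but the attacker's page can neither
    read nor compute the token, so the request stops at 403. Refusing GET
    closes the other hole in the rows above: links that act when clicked.
    """
    if path not in STATE_CHANGING:
        return 200, "read-only"
    if method != "POST":
        return 405, "state changes must be POSTed with a csrf token"
    if not csrf_token_valid(session_id, path, params.get("token")):
        return 403, "missing or invalid csrf token"
    return 200, "performed " + path


if __name__ == "__main__":
    tok = csrf_token("sess-A", "/admin/modules/toggle")
    print(handle("GET", "/admin/modules/toggle", {"token": tok}, "sess-A"))
    print(handle("POST", "/admin/modules/toggle", {}, "sess-A"))
    print(handle("POST", "/admin/modules/toggle", {"token": tok}, "sess-A"))
    print(handle("POST", "/admin/modules/toggle", {"token": tok}, "sess-B"))
```

The `weak_token` line is what a predictable scheme looks like: two sites with the same inputs get the same value, and anyone who learns the inputs gets it too. The HMAC version differs in exactly one respect, the key, and that is the whole fix: the token is unguessable only because `SERVER_SECRET` never leaves the server. Storing a random per-session nonce server-side and comparing it is an equally valid alternative; what matters is that the value is neither derivable from public data nor shared across actions.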
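The Symantec Workspace Streaming row (CVE-2015-1484) is a classic unquoted service path: when `AppMgrService.exe` runs as a service from an unquoted path containing spaces, Windows tries each space-delimited prefix with `.exe` appended before reaching the real binary, which is why a `program.exe` dropped in `%SYSTEMDRIVE%` gets executed as the service account. The following is an added example, not Symantec's code or a dump from a real host: an audit routine that derives, for each service, the paths the loader would try first and the directories whose ACLs therefore need checking. The service list is constructed; the vendor path is a stand-in, not the product's actual install location.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed sample, not data from a real host: (service name, ImagePath).
SAMPLE_SERVICES: List[Tuple[str, str]] = [
    ("Spooler",   r"C:\Windows\System32\spoolsv.exe"),
    ("GoodAgent", r'"C:\Program Files\Vendor\agent.exe" -service'),
    ("BadAgent",  r"C:\Program Files\Vendor Name\Streaming Agent\AppMgrService.exe -service"),
]


def hijack_candidates(image_path: str) -> List[str]:
    """Executables Windows would try before the intended binary.

    For an unquoted command line the loader splits at each space and tries
    progressively longer prefixes with ".exe" appended until one exists, so
    "C:\\Program Files\\X\\svc.exe" is preceded by "C:\\Program.exe" and
    "C:\\Program Files\\X.exe". A quoted path has no such ambiguity.
    """
    cmd = image_path.strip()
    if not cmd or cmd.startswith('"'):
        return []                           # quoted: nothing to hijack
    tokens = cmd.split(" ")
    tried: List[str] = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            return tried                    # reached the real binary; rest are args
        tried.append(prefix + ".exe")
    return tried[:-1]                       # no ".exe" given: last prefix is the binary


def audit_services(services) -> Dict[str, List[Tuple[str, str]]]:
    """Map service name -> [(candidate path, directory whose ACL to check)].

    Only services with at least one candidate are reported. The directory is
    what matters operationally: if a non-admin user can create files there
    (C:\\ is the case the Symantec row cites), the service is hijackable.
    """
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for name, image_path in services:
        cands = hijack_candidates(image_path)
        if cands:
            findings[name] = [(c, ntpath.dirname(c)) for c in cands]
    return findings


if __name__ == "__main__":
    for svc, hits in audit_services(SAMPLE_SERVICES).items():
        print(svc)
        for candidate, directory in hits:
            print("   would try:", candidate, "   check ACL on:", directory)
```

On a live host the input comes from `sc qc <service>` (BINARY_PATH_NAME) or `Get-CimInstance Win32_Service | Select-Object Name, PathName` in PowerShell, and each reported directory is then checked with `icacls` for create or write rights granted to Users or Authenticated Users. The fix on the vendor side is simply to quote the path in the service's ImagePath; the audit above flags every service where that has not been done.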
23 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-04-23 | CVE-2015-0707 | Cisco | Cross-site Scripting vulnerability in Cisco Firesight System Software 5.3.1.1/6.0.0 Cross-site scripting (XSS) vulnerability in Cisco FireSIGHT System Software 5.3.1.1 and 6.0.0 in FireSIGHT Management Center allows remote authenticated users to inject arbitrary web script or HTML via an unspecified parameter, aka Bug ID CSCus85425. | 3.5 |
2015-04-21 | CVE-2015-3392 | Ajax Timeline Project | Cross-site Scripting vulnerability in Ajax Timeline Project Ajax Timeline 7.X1.0 Cross-site scripting (XSS) vulnerability in the Ajax Timeline module before 7.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title. | 3.5 |
2015-04-21 | CVE-2015-3390 | Facebook Album Fetcher Project | Cross-site Scripting vulnerability in Facebook Album Fetcher Project Facebook Album Fetcher 7.X1.Xdev Cross-site scripting (XSS) vulnerability in the Facebook Album Fetcher module for Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via unspecified vectors. | 3.5 |
2015-04-21 | CVE-2015-3389 | Public Download Count Project | Cross-site Scripting vulnerability in Public Download Count Project Public Download Count 7.X1.Xdev Cross-site scripting (XSS) vulnerability in the Download counts report page in the Public Download Count module (pubdlcnt) 7.x-1.x-dev and earlier for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 3.5 |
2015-04-21 | CVE-2015-3387 | Taxonomy Tools Project | Cross-site Scripting vulnerability in Taxonomy Tools Project Taxonomy Tools Multiple cross-site scripting (XSS) vulnerabilities in the Taxonomy Tools module before 7.x-1.4 for Drupal allow remote authenticated users to inject arbitrary web script or HTML via a (1) node or (2) taxonomy term title. | 3.5 |
2015-04-21 | CVE-2015-3386 | Node Access Product Project | Cross-site Scripting vulnerability in Node Access Product Project Node Access Product 7.X1.0 Cross-site scripting (XSS) vulnerability in the Node Access Product module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title. | 3.5 |
2015-04-21 | CVE-2015-3385 | Taxonomy Path Project | Cross-site Scripting vulnerability in Taxonomy Path Project Taxonomy Path 7.X1.1 Cross-site scripting (XSS) vulnerability in the Taxonomy Path module before 7.x-1.2 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the "Link to path" field formatter. | 3.5 |
2015-04-21 | CVE-2015-3384 | Commerce Balanced Payments Project | Cross-site Scripting vulnerability in Commerce Balanced Payments Project Commerce Balanced Payments 7.X1.2 Cross-site scripting (XSS) vulnerability in the Bank Account Listing Page in the Commerce Balanced Payments module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 3.5 |
2015-04-21 | CVE-2015-3381 | Insite | Cross-site Scripting vulnerability in Insite Node Basket 7.X1.0 Cross-site scripting (XSS) vulnerability in the Node basket module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 3.5 |
2015-04-21 | CVE-2015-3376 | Quizzler Project | Cross-site Scripting vulnerability in Quizzler Project Quizzler 7.X1.15 Cross-site scripting (XSS) vulnerability in the Quizzler module before 7.x-1.16 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title. | 3.5 |
2015-04-21 | CVE-2015-3372 | Node Invite Project | Cross-site Scripting vulnerability in Node Invite Project Node Invite 6.X2.3 Cross-site scripting (XSS) vulnerability in the Node Invite module before 6.x-2.5 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title. | 3.5 |
2015-04-21 | CVE-2015-3369 | Taxonews Project | Cross-site Scripting vulnerability in Taxonews Project Taxonews 6.X1.1/7.X1.0 Cross-site scripting (XSS) vulnerability in the Taxonews module before 6.x-1.2 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via a term name in a block. | 3.5 |
2015-04-21 | CVE-2015-3368 | Osinet | Cross-site Scripting vulnerability in Osinet Classified ADS 6.X3.1/7.X3.1 Cross-site scripting (XSS) vulnerability in the administration user interface in the Classified Ads module before 6.x-3.1 and 7.x-3.x before 7.x-3.1 for Drupal allows remote authenticated users with the "administer taxonomy" permission to inject arbitrary web script or HTML via a category name. | 3.5 |
2015-04-21 | CVE-2015-3365 | Nodeauthor Project | Cross-site Scripting vulnerability in Nodeauthor Project Nodeauthor Cross-site scripting (XSS) vulnerability in the nodeauthor module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a Profile2 field in a provided block. | 3.5 |
2015-04-21 | CVE-2015-3362 | Video Project | Cross-site Scripting vulnerability in Video Project Video 7.X2.10 Cross-site scripting (XSS) vulnerability in the Video module before 7.x-2.11 for Drupal, when using the video WYSIWYG plugin, allows remote authenticated users to inject arbitrary web script or HTML via a node title. | 3.5 |
2015-04-21 | CVE-2015-3360 | Term Merge Project | Cross-site Scripting vulnerability in Term Merge Project Term Merge 7.X1.1 Cross-site scripting (XSS) vulnerability in the Term Merge module before 7.x-1.2 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 3.5 |
2015-04-21 | CVE-2015-3359 | Room Reservations Project | Cross-site Scripting vulnerability in Room Reservations Project Room Reservations 7.X1.0 Multiple cross-site scripting (XSS) vulnerabilities in the Room Reservations module before 7.x-1.1 for Drupal allow remote authenticated users with the "Administer the room reservations system" permission to inject arbitrary web script or HTML via the (1) node title of a "Room Reservations Category" or (2) body of a "Room Reservations Room" node. | 3.5 |
2015-04-21 | CVE-2015-3357 | Wishlist Project | Cross-site Scripting vulnerability in Wishlist Project Wishlist 7.X2.5/7.X2.6/7.X2.Xdev Cross-site scripting (XSS) vulnerability in the Wishlist module before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal allows remote authenticated users with the "access wishlists" permission to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a log message. | 3.5 |
2015-04-21 | CVE-2015-3353 | Field Display Label Project | Cross-site Scripting vulnerability in Field Display Label Project Field Display Label 7.X1.2 Cross-site scripting (XSS) vulnerability in the Field Display Label module before 7.x-1.3 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via the alternate field label in content types settings. | 3.5 |
2015-04-21 | CVE-2015-3348 | Cloudwords | Cross-site Scripting vulnerability in Cloudwords for Multilingual 7.X2.2 Cross-site scripting (XSS) vulnerability in the Cloudwords for Multilingual Drupal module before 7.x-2.3 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title. | 3.5 |
2015-04-21 | CVE-2015-3344 | DLC Solutions | Cross-site Scripting vulnerability in DLC Solutions Course Cross-site scripting (XSS) vulnerability in the Course module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.4 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title. | 3.5 |
2015-04-21 | CVE-2014-3586 | Redhat | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform The default configuration for the Command Line Interface in Red Hat Enterprise Application Platform before 6.4.0 and WildFly (formerly JBoss Application Server) uses weak permissions for .jboss-cli-history, which allows local users to obtain sensitive information via unspecified vectors. | 2.1 |
2015-04-21 | CVE-2015-3361 | Linkit Project | Cross-site Scripting vulnerability in Linkit Project Linkit Cross-site scripting (XSS) vulnerability in the Linkit module before 7.x-2.7 and 7.x-3.x before 7.x-3.3 for Drupal, when the node search plugin is enabled, allows remote authenticated users to inject arbitrary web script or HTML via a node title. | 2.1 |