Weekly Vulnerabilities Reports > April 27 to May 3, 2015

Overview

48 new vulnerabilities were reported during this period, including 5 critical vulnerabilities and 4 high severity vulnerabilities. This weekly summary reports vulnerabilities in 67 products from 31 vendors including IBM, Cisco, Debian, Canonical, and Magento. The most common vulnerability categories are "Resource Management Errors", "Permissions, Privileges, and Access Controls", "Information Exposure", "Cross-site Scripting", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".

  • 41 reported vulnerabilities are remotely exploitable.
  • 3 reported vulnerabilities have a public exploit available.
  • 13 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 36 reported vulnerabilities are exploitable by an anonymous user.
  • IBM has the most reported vulnerabilities, with 10 reported vulnerabilities.
  • IBM has the most reported critical vulnerabilities, with 1 reported vulnerability.


Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:

5 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-05-01 CVE-2015-3435 Samsung Permissions, Privileges, and Access Controls vulnerability in Samsung Security Manager 1.30

Samsung Security Manager (SSM) before 1.31 allows remote attackers to execute arbitrary code by uploading a file with an HTTP (1) PUT or (2) MOVE request.

10.0
2015-04-29 CVE-2015-3459 Hospira Permissions, Privileges, and Access Controls vulnerability in Hospira products

The communication module on the Hospira LifeCare PCA Infusion System before 7.0 does not require authentication for root TELNET sessions, which allows remote attackers to modify the pump configuration via unspecified commands.

10.0
2015-05-01 CVE-2015-3446 Alienvault Code Injection vulnerability in Alienvault Unified Security Management 4.14

The Framework Daemon in AlienVault Unified Security Management before 4.15 allows remote attackers to execute arbitrary Python code via a crafted plugin configuration file (.cfg).

9.3
2015-04-27 CVE-2015-1885 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Websphere Application Server

WebSphereOauth20SP.ear in IBM WebSphere Application Server (WAS) 7.0 before 7.0.0.39, 8.0 before 8.0.0.11, 8.5 Liberty Profile before 8.5.5.5, and 8.5 Full Profile before 8.5.5.6, when the OAuth grant type requires sending a password, allows remote attackers to gain privileges via unspecified vectors.

9.3
2015-04-27 CVE-2015-2116 HP Security vulnerability in HP Storage Data Protector

Unspecified vulnerability in HP Storage Data Protector 7.x before 7.03 build 107 allows remote authenticated users to execute arbitrary code or cause a denial of service via unknown vectors.

9.0

4 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-04-27 CVE-2015-1882 IBM Race Condition vulnerability in IBM Websphere Application Server

Multiple race conditions in IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 allow remote authenticated users to gain privileges by leveraging thread conflicts that result in Java code execution outside the context of the configured EJB Run-as user.

8.5
2015-04-27 CVE-2015-1886 IBM Resource Management Errors vulnerability in IBM Websphere Portal

The Remote Document Conversion Service (DCS) in IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF29, 8.0.0 before 8.0.0.1 CF16, and 8.5.0 through CF05 allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

7.8
2015-05-01 CVE-2015-0532 EMC Permissions, Privileges, and Access Controls vulnerability in EMC RSA Identity Management and Governance 6.9.0/6.9.1

EMC RSA Identity Management and Governance (IMG) 6.9 before P04 and 6.9.1 before P01 does not properly restrict password resets, which allows remote attackers to obtain access via crafted use of the reset process for an arbitrary valid account name, as demonstrated by a privileged account.

7.5
2015-04-27 CVE-2015-2117 HP Improper Authentication vulnerability in HP products

HP TippingPoint Security Management System (SMS) and TippingPoint Virtual Security Management System (vSMS) before 4.1 patch 3 and 4.2 before patch 1 do not require authentication for JBoss RMI requests, which allows remote attackers to execute arbitrary code by (1) uploading this code within an archive or (2) instantiating a class.

7.5

35 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-05-01 CVE-2015-2248 Sonicwall Cross-Site Request Forgery (CSRF) vulnerability in Sonicwall Remote Access Firmware

Cross-site request forgery (CSRF) vulnerability in the user portal in Dell SonicWALL Secure Remote Access (SRA) products with firmware before 7.5.1.0-38sv and 8.x before 8.0.0.1-16sv allows remote attackers to hijack the authentication of users for requests that create bookmarks via a crafted request to cgi-bin/editBookmark.

6.8
2015-04-29 CVE-2015-1321 Canonical, Oxide Project Use After Free Remote Code Execution vulnerability in Ubuntu oxide-qt Package

Use-after-free vulnerability in the file picker implementation in Oxide before 1.6.5 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted webpage.

6.8
2015-04-29 CVE-2015-0709 Cisco Resource Management Errors vulnerability in Cisco IOS and IOS XE

Cisco IOS 15.5S and IOS XE allow remote authenticated users to cause a denial of service (device crash) by leveraging knowledge of the RADIUS secret and sending crafted RADIUS packets, aka Bug ID CSCur21348.

6.8
2015-04-28 CVE-2015-1774 Canonical, Debian, Apache, Fedoraproject, Redhat, Libreoffice Out-of-bounds Write vulnerability in multiple products

The HWP filter in LibreOffice before 4.3.7 and 4.4.x before 4.4.2 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted HWP document, which triggers an out-of-bounds write.

6.8
2015-04-27 CVE-2015-2706 Mozilla Race Condition vulnerability in Mozilla Firefox

Race condition in the AsyncPaintWaitEvent::AsyncPaintWaitEvent function in Mozilla Firefox before 37.0.2 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via a crafted plugin that does not properly complete initialization.

6.8
2015-04-27 CVE-2014-6090 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Curam Social Program Management

Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix10, and 6.0.5 before 6.0.5.6 allow remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

6.8
2015-05-01 CVE-2015-0912 Kozos Arbitrary File Creation vulnerability in EasyCTF

EasyCTF before 1.4 allows remote authenticated users to write executable content to files via unspecified vectors.

6.5
2015-04-29 CVE-2015-3458 Magento Permissions, Privileges, and Access Controls vulnerability in Magento 1.14.1.0/1.9.1.0

The fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 does not restrict the stream wrapper used in a template path, which allows remote administrators to include and execute arbitrary PHP files via the phar:// stream wrapper, related to the setScriptPath function.

6.5
2015-04-29 CVE-2015-1399 Magento Code Injection vulnerability in Magento 1.14.1.0/1.9.1.0

PHP remote file inclusion vulnerability in the fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote administrators to execute arbitrary PHP code via a URL in unspecified vectors involving the setScriptPath function.

6.5
2015-04-29 CVE-2015-1398 Magento Path Traversal vulnerability in Magento 1.14.1.0/1.9.1.0

Multiple directory traversal vulnerabilities in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allow remote authenticated users to include and execute certain PHP files via (1) ..

6.5
2015-04-29 CVE-2015-1397 Magento SQL Injection vulnerability in Magento 1.14.1.0/1.9.1.0

SQL injection vulnerability in the getCsvFile function in the Mage_Adminhtml_Block_Widget_Grid class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allows remote administrators to execute arbitrary SQL commands via the popularity[field_expr] parameter when the popularity[from] or popularity[to] parameter is set.

6.5
2015-04-29 CVE-2015-0710 Cisco Resource Management Errors vulnerability in Cisco IOS XE 3.10.0S/3.10S.01

The Overlay Transport Virtualization (OTV) implementation in Cisco IOS XE 3.10S allows remote attackers to cause a denial of service (device reload) via a series of packets that are considered oversized and trigger improper fragmentation handling, aka Bug IDs CSCup37676 and CSCup30335.

6.1
2015-04-29 CVE-2015-0708 Cisco Resource Management Errors vulnerability in Cisco IOS and IOS XE

Cisco IOS 15.4S, 15.4SN, and 15.5S and IOS XE 3.13S and 3.14S allow remote attackers to cause a denial of service (device crash) by including an IA_NA option in a DHCPv6 Solicit message on the local network, aka Bug ID CSCur29956.

6.1
2015-04-28 CVE-2015-1863 Canonical, W1.FI, Redhat, Debian, Opensuse Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Heap-based buffer overflow in wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (crash), read memory, or possibly execute arbitrary code via crafted SSID information in a management frame when creating or updating P2P entries.

5.8
2015-04-27 CVE-2015-0175 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Websphere Application Server

IBM WebSphere Application Server (WAS) 8.5 Liberty Profile before 8.5.5.5 does not properly implement authData elements, which allows remote authenticated users to gain privileges via unspecified vectors.

5.5
2015-05-01 CVE-2015-3633 Foxitsoftware Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Foxitsoftware Enterprise Reader, Foxit Reader and Phantompdf

Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1.5 allow remote attackers to cause a denial of service (memory corruption and crash) via vectors related to digital signatures.

5.0
2015-05-01 CVE-2015-3153 Oracle, Haxx, Canonical, Apple, Debian Information Exposure vulnerability in multiple products

The default configuration for cURL and libcurl before 7.42.1 sends custom HTTP headers to both the proxy and destination server, which might allow remote proxy servers to obtain sensitive information by reading the header contents.

5.0
2015-05-01 CVE-2014-3598 Opensuse, Python Resource Management Errors vulnerability in multiple products

The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image.

5.0
2015-05-01 CVE-2015-0914 Kozos Improper Access Control vulnerability in Kozos Easyctf

EasyCTF before 1.4 does not validate the session ID, which allows remote attackers to obtain access via a crafted HTTP request.

5.0
2015-05-01 CVE-2015-0712 Cisco Resource Management Errors vulnerability in Cisco Staros

The session-manager service in Cisco StarOS 12.0, 12.2(300), 14.0, and 14.0(600) on ASR 5000 devices allows remote attackers to cause a denial of service (service reload and packet loss) via malformed HTTP packets, aka Bug ID CSCud14217.

5.0
2015-04-29 CVE-2015-3457 Magento Improper Authentication vulnerability in Magento 1.14.1.0/1.9.1.0

Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allow remote attackers to bypass authentication via the forwarded parameter.

5.0
2015-04-29 CVE-2015-3026 Xiph, Debian, Opensuse Remote Denial of Service vulnerability in Icecast

Icecast before 2.4.2, when a stream_auth handler is defined for URL authentication, allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a request without login credentials, as demonstrated by a request to "admin/killsource?mount=/test.ogg". CWE-476: NULL Pointer Dereference (http://cwe.mitre.org/data/definitions/476.html)

5.0
2015-04-29 CVE-2015-0711 Cisco Resource Management Errors vulnerability in Cisco Staros 18.1.0.59776

The hamgr service in the IPv6 Proxy Mobile (PM) implementation in Cisco StarOS 18.1.0.59776 on ASR 5000 devices allows remote attackers to cause a denial of service (service reload and call-processing outage) via malformed PM packets, aka Bug ID CSCut94711.

5.0
2015-04-28 CVE-2015-1151 Apple Improper Access Control vulnerability in Apple OS X Server

Wiki Server in Apple OS X Server before 4.1 allows remote attackers to bypass intended restrictions on Activity and People pages by connecting from an iPad client.

5.0
2015-04-28 CVE-2015-1150 Apple Code vulnerability in Apple OS X Server

The Firewall component in Apple OS X Server before 4.1 uses an incorrect pathname in configuration files, which allows remote attackers to bypass network-access restrictions by sending packets for which custom-rule blocking was intended.

5.0
2015-04-27 CVE-2015-0113 IBM Information Exposure vulnerability in IBM products

The Jazz help system in IBM Rational Collaborative Lifecycle Management 4.0 through 5.0.2, Rational Quality Manager 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Team Concert 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Requirements Composer 4.0 through 4.0.7, Rational DOORS Next Generation 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Engineering Lifecycle Manager 4.0.3 through 4.0.7 and 5.0 through 5.0.2, Rational Rhapsody Design Manager 4.0 through 4.0.7 and 5.0 through 5.0.2, and Rational Software Architect Design Manager 4.0 through 4.0.7 and 5.0 through 5.0.2 allows remote attackers to read JSP source code via a crafted request.

5.0
2015-04-27 CVE-2014-6092 IBM Code vulnerability in IBM Curam Social Program Management

IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.6 requires failed-login handling for web-service accounts to have the same lockout policy as for standard user accounts, which makes it easier for remote attackers to cause a denial of service (web-service outage) by making many login attempts with a valid caseworker account name.

5.0
2015-04-29 CVE-2015-1322 Canonical, Ubuntu Path Traversal vulnerability in multiple products

Directory traversal vulnerability in the Ubuntu network-manager package for Ubuntu (vivid) before 0.9.10.0-4ubuntu15.1, Ubuntu 14.10 before 0.9.8.8-0ubuntu28.1, and Ubuntu 14.04 LTS before 0.9.8.8-0ubuntu7.1 allows local users to change the modem device configuration or read arbitrary files via a ..

4.6
2015-05-02 CVE-2015-0714 Cisco Cross-site Scripting vulnerability in Cisco Finesse

Multiple cross-site scripting (XSS) vulnerabilities in Cisco Finesse Server 10.0(1), 10.5(1), 10.6(1), and 11.0(1) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCut53595.

4.3
2015-05-01 CVE-2015-3632 Foxitsoftware Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Foxitsoftware Enterprise Reader, Foxit Reader and Phantompdf

Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1.5 allow remote attackers to cause a denial of service (memory corruption and crash) via a crafted GIF in a PDF file.

4.3
2015-05-01 CVE-2015-3337 Elasticsearch Path Traversal vulnerability in Elasticsearch

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.

4.3
2015-04-29 CVE-2015-3447 Sonicwall Cross-site Scripting vulnerability in Sonicwall Sonicos 6.2.2.0/7.5.0.12

Multiple cross-site scripting (XSS) vulnerabilities in macIpSpoofView.html in Dell SonicWall SonicOS 7.5.0.12 and 6.x allow remote attackers to inject arbitrary web script or HTML via the (1) searchSpoof or (2) searchSpoofIpDet parameter.

4.3
2015-04-27 CVE-2015-1908 IBM Cross-site Scripting vulnerability in IBM Websphere Portal

Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF29, 8.0.0 before 8.0.0.1 CF16, and 8.5.0 through CF05, as used in Web Content Manager and other products, allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3
2015-04-27 CVE-2015-0176 IBM Cross-site Scripting vulnerability in IBM Websphere MQ

Cross-site scripting (XSS) vulnerability in MQ XR WebSockets Listener in WMQ Telemetry in IBM WebSphere MQ 8.0 before 8.0.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URI that is included in an error response.

4.3
2015-04-27 CVE-2015-0174 IBM Information Exposure vulnerability in IBM Websphere Application Server

The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.5 does not properly handle configuration data, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

4.0

4 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-05-01 CVE-2015-0913 Kozos Cross-site Scripting vulnerability in Kozos Easyctf

Cross-site scripting (XSS) vulnerability in EasyCTF before 1.4 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

3.5
2015-04-28 CVE-2015-3340 XEN, Suse, Fedoraproject, Debian, Opensuse Information Exposure vulnerability in multiple products

Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request.

2.9
2015-04-27 CVE-2015-2115 HP Remote Information Disclosure vulnerability in HP Capture and Route Software 1.3/1.4

Unspecified vulnerability in HP Capture and Route Software (HPCR) 1.3 before Patch 7, 1.3 FP1 before Patch 1, and 1.4 before Patch 1 allows remote authenticated users to obtain sensitive information via unknown vectors.

2.7
2015-04-29 CVE-2015-3448 Rest Client Project Information Exposure vulnerability in Rest-Client Project Rest-Client

REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log.

2.1