Weekly Vulnerabilities Reports > May 4 to 10, 2015
Overview
18 new vulnerabilities reported during this period, including 2 critical vulnerabilities and 0 high severity vulnerabilities. This weekly summary report vulnerabilities in 14 products from 9 vendors including Apple, Cisco, Owncloud, IBM, and Debian. Vulnerabilities are notably categorized as "Cross-site Scripting", "Permissions, Privileges, and Access Controls", "Information Exposure", "SQL Injection", and "Command Injection".
- 17 reported vulnerabilities are remotely exploitables.
- 7 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 13 reported vulnerabilities are exploitable by an anonymous user.
- Apple has the most reported vulnerabilities, with 5 reported vulnerabilities.
- Cisco has the most reported critical vulnerabilities, with 1 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
2 Critical Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2015-05-07 | CVE-2015-0701 | Cisco | Improper Input Validation vulnerability in Cisco Unified Computing System Central Software Cisco UCS Central Software before 1.3(1a) allows remote attackers to execute arbitrary commands via a crafted HTTP request, aka Bug ID CSCut46961. | 10.0 |
| 2015-05-07 | CVE-2015-0538 | EMC | Command Injection vulnerability in EMC Autostart 5.5.0 ftagent.exe in EMC AutoStart 5.4.x and 5.5.x before 5.5.0.508 HF4 allows remote attackers to execute arbitrary commands via crafted packets. | 9.3 |
0 High Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|
15 Medium Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2015-05-08 | CVE-2015-1154 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2015-1152 and CVE-2015-1153. | 6.8 |
| 2015-05-08 | CVE-2015-1153 | Apple | Memory Corruption vulnerability in Apple Iphone OS, Itunes and Safari WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2015-1152 and CVE-2015-1154. | 6.8 |
| 2015-05-08 | CVE-2015-1152 | Apple | Memory Corruption vulnerability in Apple Iphone OS, Itunes and Safari WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than CVE-2015-1153 and CVE-2015-1154. | 6.8 |
| 2015-05-07 | CVE-2015-0716 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Unity Connection 11.0(0.98000.225)/11.0(0.98000.332) Cross-site request forgery (CSRF) vulnerability in the CUCReports page in Cisco Unity Connection 11.0(0.98000.225) and 11.0(0.98000.332) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCut33659. | 6.8 |
| 2015-05-07 | CVE-2015-0715 | Cisco | SQL Injection vulnerability in Cisco Unity Connection 11.0(0.98000.225) SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager 11.0(0.98000.225) allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug IDs CSCut33447 and CSCut33608. | 6.5 |
| 2015-05-08 | CVE-2015-3013 | Owncloud | Injection vulnerability in Owncloud ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uploading a .htaccess file. | 6.0 |
| 2015-05-07 | CVE-2015-3610 | Siemens | Cryptographic Issues vulnerability in Siemens Homecontrol for Room Automation 2.0.0 The Siemens HomeControl for Room Automation application before 2.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information or modify data via a crafted certificate. | 5.4 |
| 2015-05-07 | CVE-2015-0531 | EMC | Improper Access Control vulnerability in EMC Sourceone Email Management 7.1 EMC SourceOne Email Management before 7.2 does not have a lockout mechanism for invalid login attempts, which makes it easier for remote attackers to obtain access via a brute-force attack. | 5.0 |
| 2015-05-08 | CVE-2015-3012 | Debian Kogmbh Owncloud | Cross-site Scripting vulnerability in multiple products Multiple cross-site scripting (XSS) vulnerabilities in WebODF before 0.5.5, as used in ownCloud, allow remote attackers to inject arbitrary web script or HTML via a (1) style or (2) font name or (3) javascript or (4) data URI. | 4.3 |
| 2015-05-08 | CVE-2015-2347 | Huawei | Cross-site Scripting vulnerability in Huawei SEQ Analyst Cross-site scripting (XSS) vulnerability in Huawei SEQ Analyst before V200R002C03LG0001CP0022 allows remote attackers to inject arbitrary web script or HTML via the command XML element in the req parameter to flexdata.action in (1) common/, (2) monitor/, or (3) psnpm/ or the (4) module XML element in the req parameter to flexdata.action in monitor/. | 4.3 |
| 2015-05-08 | CVE-2014-9716 | Kogmbh | Cross-site Scripting vulnerability in Kogmbh Webodf Cross-site scripting (XSS) vulnerability in WebODF before 0.5.4 allows remote attackers to inject arbitrary web script or HTML via a file name. | 4.3 |
| 2015-05-08 | CVE-2015-1156 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS and Safari The page-loading implementation in WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, does not properly handle the rel attribute in an A element, which allows remote attackers to bypass the Same Origin Policy for a link's target, and spoof the user interface, via a crafted web site. | 4.3 |
| 2015-05-08 | CVE-2015-1155 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS and Safari The history implementation in WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, allows remote attackers to bypass the Same Origin Policy and read arbitrary files via a crafted web site. | 4.3 |
| 2015-05-08 | CVE-2015-1907 | IBM | Information Exposure vulnerability in IBM Rational License KEY Server The Administration and Reporting Tool in IBM Rational License Key Server (RLKS) 8.1.4 before 8.1.4.7 allows remote authenticated users to read cookies via unspecified vectors. | 4.0 |
| 2015-05-08 | CVE-2014-0919 | IBM | Information Exposure vulnerability in IBM DB2 IBM DB2 9.5 through 10.5 on Linux, UNIX, and Windows stores passwords during the processing of certain SQL statements by the monitoring and audit facilities, which allows remote authenticated users to obtain sensitive information via commands associated with these facilities. | 4.0 |
1 Low Vulnerabilities
| DATE | CVE | VENDOR | VULNERABILITY | CVSS |
|---|---|---|---|---|
| 2015-05-08 | CVE-2015-3011 | Owncloud Debian | Cross-site Scripting vulnerability in multiple products Multiple cross-site scripting (XSS) vulnerabilities in the contacts application in ownCloud Server Community Edition before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a crafted contact. | 3.5 |