Weekly Vulnerabilities Reports > June 15 to 21, 2015

Overview

132 new vulnerabilities reported during this period, including 2 critical vulnerabilities and 12 high severity vulnerabilities. This weekly summary report vulnerabilities in 164 products from 102 vendors including Cisco, Opensuse, W1 FI, Fedoraproject, and WEB Dorado. Vulnerabilities are notably categorized as "Cross-site Scripting", "Cross-Site Request Forgery (CSRF)", "SQL Injection", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Information Exposure".

  • 122 reported vulnerabilities are remotely exploitables.
  • 12 reported vulnerabilities have public exploit available.
  • 67 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 91 reported vulnerabilities are exploitable by an anonymous user.
  • Cisco has the most reported vulnerabilities, with 12 reported vulnerabilities.
  • EMC has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

2 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-06-19 CVE-2015-2797 Airties Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Airties AIR Firmware

Stack-based buffer overflow in AirTies Air 6372, 5760, 5750, 5650TT, 5453, 5444TT, 5443, 5442, 5343, 5342, 5341, and 5021 DSL modems with firmware 1.0.2.0 and earlier allows remote attackers to execute arbitrary code via a long string in the redirect parameter to cgi-bin/login.

10.0
2015-06-17 CVE-2015-0546 EMC Permissions, Privileges, and Access Controls vulnerability in EMC Unified Infrastructure Manager/Provisioning 4.1

EMC Unified Infrastructure Manager/Provisioning (UIM/P) 4.1 allows remote attackers to bypass LDAP authentication by providing a valid account name.

10.0

12 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-06-19 CVE-2015-4678 Persian CAR CMS Project SQL Injection vulnerability in Persian CAR CMS Project Persian CAR CMS 1.0

SQL injection vulnerability in Persian Car CMS 1.0 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter to the default URI.

7.5
2015-06-19 CVE-2015-4675 Tinysrp Project Buffer Errors vulnerability in Tinysrp Project Tinysrp 0.7.5

Buffer overflow in the Tiny SRP library (aka TinySRP) allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted size value for the username field.

7.5
2015-06-18 CVE-2015-4658 Milw0Rm Project SQL Injection vulnerability in Milw0Rm Project Milw0Rm Clone Script 1.0

Multiple SQL injection vulnerabilities in admin/login.php in Milw0rm Clone Script 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) usr or (2) pwd parameter.

7.5
2015-06-18 CVE-2015-4654 Joomla SQL Injection vulnerability in Joomla Joomla!

SQL injection vulnerability in the EQ Event Calendar component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter to eqfullevent.

7.5
2015-06-17 CVE-2015-4454 Cacti
Fedoraproject
SQL Injection vulnerability in multiple products

SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php.

7.5
2015-06-17 CVE-2015-4342 Cacti
Fedoraproject
SQL Injection vulnerability in multiple products

SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id.

7.5
2015-06-16 CVE-2015-4607 Frontend User Upload Project Arbitrary File Upload vulnerability in Frontend User Upload Project Frontend User Upload 0.5.0

Unrestricted file upload vulnerability in the Frontend User Upload (feupload) extension 0.5.0 and earlier for TYPO3 allows remote attackers to execute arbitrary code by uploading a file with an executable extension using a frontend form, then accessing it via a direct request to the file in the fileadmin folder.

7.5
2015-06-16 CVE-2015-4606 JOB Fair Project Arbitrary File Upload vulnerability in JOB Fair Project JOB Fair 1.0.0

Unrestricted file upload vulnerability in the Job Fair (jobfair) extension before 1.0.1 for TYPO3, when using Apache with mod_mime, allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the extension upload folder.

7.5
2015-06-16 CVE-2015-3205 Libmimedir Project Injection vulnerability in Libmimedir Project Libmimedir

libmimedir allows remote attackers to execute arbitrary code via a VCF file with two NULL bytes at the end of the file, related to "free" function calls in the "lexer's memory clean-up procedure."

7.5
2015-06-15 CVE-2015-3209 Qemu
Juniper
Canonical
Debian
Redhat
Fedoraproject
Suse
Out-Of-Bounds Write vulnerability in multiple products

Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.

7.5
2015-06-17 CVE-2015-4186 Cisco OS Command Injection vulnerability in Cisco Virtualization Experience Client 6000 Series Firmware 11.2(27.4)

The diagnostics subsystem in the administrative web interface on Cisco Virtualization Experience (aka VXC) Client 6215 devices with firmware 11.2(27.4) allows local users to gain privileges for OS command execution via a crafted option value, aka Bug ID CSCug54412.

7.2
2015-06-17 CVE-2015-4183 Cisco OS Command Injection vulnerability in Cisco Unified Computing System 1.2(1A)

Cisco UCS Central Software 1.2(1a) allows local users to gain privileges for OS command execution via a crafted CLI parameter, aka Bug ID CSCut32795.

7.2

88 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-06-19 CVE-2015-4677 Fiverrscript Cross-Site Request Forgery (CSRF) vulnerability in Fiverrscript 7.2

Cross-site request forgery (CSRF) vulnerability in FiverrScript (aka Fiverr Script) 7.2 allows remote attackers to hijack the authentication of administrators for requests that create a new admin via a request to administrator/admins_create.php.

6.8
2015-06-18 CVE-2015-4659 Labsmedia Cross-Site Request Forgery (CSRF) vulnerability in Labsmedia Clickheat 1.1.4

Cross-site request forgery (CSRF) vulnerability in ClickHeat 1.14 and earlier allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a config action to index.php.

6.8
2015-06-18 CVE-2015-4140 WP Smiley Project Cross-Site Request Forgery (CSRF) vulnerability in WP Smiley Project WP Smiley 1.4.1

Cross-site request forgery (CSRF) vulnerability in the WP Smiley plugin 1.4.1 for WordPress allows remote attackers to hijack the authentication of editors for requests that conduct cross-site scripting (XSS) attacks via the s4w-more parameter to the smilies4wp.php page to wp-admin/options-general.php.

6.8
2015-06-18 CVE-2015-2861 Vestacp Cross-Site Request Forgery (CSRF) vulnerability in Vestacp Vesta Control Panel

Cross-site request forgery (CSRF) vulnerability in Vesta Control Panel before 0.9.8-14 allows remote attackers to hijack the authentication of arbitrary users.

6.8
2015-06-16 CVE-2015-3395 Canonical
Ffmpeg
Libav
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

The msrle_decode_pal4 function in msrledec.c in Libav before 10.7 and 11.x before 11.4 and FFmpeg before 2.0.7, 2.2.x before 2.2.15, 2.4.x before 2.4.8, 2.5.x before 2.5.6, and 2.6.x before 2.6.2 allows remote attackers to have unspecified impact via a crafted image, related to a pixel pointer, which triggers an out-of-bounds array access.

6.8
2015-06-16 CVE-2015-2805 Alcatel Lucent Cross-Site Request Forgery (CSRF) vulnerability in Alcatel-Lucent Omniswitch Firmware

Cross-site request forgery (CSRF) vulnerability in sec/content/sec_asa_users_local_db_add.html in the management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, 6855, 6900, 10K, and 6860 with firmware 6.4.5.R02, 6.4.6.R01, 6.6.4.R01, 6.6.5.R02, 7.3.2.R01, 7.3.3.R01, 7.3.4.R01, and 8.1.1.R01 allows remote attackers to hijack the authentication of administrators for requests that create users via a crafted request.

6.8
2015-06-15 CVE-2015-4119 Ispconfig Cross-Site Request Forgery (CSRF) vulnerability in Ispconfig 3.0.5.4

Multiple cross-site request forgery (CSRF) vulnerabilities in ISPConfig before 3.0.5.4p7 allow remote attackers to hijack the authentication of (1) administrators for requests that create an administrator account via a request to admin/users_edit.php or (2) arbitrary users for requests that conduct SQL injection attacks via the server parameter to monitor/show_sys_state.php.

6.8
2015-06-15 CVE-2015-4397 Node Template Project Cross-Site Request Forgery (CSRF) vulnerability in Node Template Project Node Template

Cross-site request forgery (CSRF) vulnerability in the Node Template module for Drupal allows remote attackers to hijack the authentication of users with the "access node template" permission for requests that delete node templates via unspecified vectors.

6.8
2015-06-15 CVE-2015-4391 Civicrm Cross-Site Request Forgery (CSRF) vulnerability in Civicrm Private Report

Cross-site request forgery (CSRF) vulnerability in the CiviCRM private report module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of users for requests that delete reports via unspecified vectors.

6.8
2015-06-15 CVE-2015-4390 User Import Project Cross-Site Request Forgery (CSRF) vulnerability in User Import Project User Import

Multiple cross-site request forgery (CSRF) vulnerabilities in the User Import module 6.x-4.x before 6.x-4.4 and 7.x-2.x before 7.x-2.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) continue or (2) delete an ongoing import via unspecified vectors.

6.8
2015-06-15 CVE-2015-4383 Decisions Project Cross-Site Request Forgery (CSRF) vulnerability in Decisions Project Decisions 6.X1.1

Cross-site request forgery (CSRF) vulnerability in the Decisions module for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that remove individual voters via unspecified vectors.

6.8
2015-06-15 CVE-2015-4382 Invoice Project Cross-Site Request Forgery (CSRF) vulnerability in Invoice Project Invoice 6.X1.1/7.X1.Xdev

Multiple cross-site request forgery (CSRF) vulnerabilities in the Invoice module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal allow remote attackers to hijack the authentication of arbitrary users for requests that (1) create, (2) delete, or (3) alter invoices via unspecified vectors.

6.8
2015-06-15 CVE-2015-4379 Webform Multiple File Upload Project Cross-Site Request Forgery (CSRF) vulnerability in Webform multiple File Upload Project Webform multiple File Upload

Cross-site request forgery (CSRF) vulnerability in the Webform Multiple File Upload module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to hijack the authentication of certain users for requests that delete files via unspecified vectors.

6.8
2015-06-15 CVE-2015-4364 Campaign Monitor Project Cross-Site Request Forgery (CSRF) vulnerability in Campaign Monitor Project Campaign Monitor 7.X1.0

Multiple cross-site request forgery (CSRF) vulnerabilities in includes/campaignmonitor_lists.admin.inc in the Campaign Monitor module 7.x-1.0 for Drupal allow remote attackers to hijack the authentication of users for requests that (1) enable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/enable or (2) disable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/disable.

6.8
2015-06-15 CVE-2015-4362 Tracking Code Project Cross-Site Request Forgery (CSRF) vulnerability in Tracking Code Project Tracking Code 7.X1.X

Cross-site request forgery (CSRF) vulnerability in tracking_code.admin.inc in the Tracking Code module 7.x-1.x before 7.x-1.6 for Drupal allows remote attackers to hijack the authentication of administrators for requests that disable tracking codes via unspecified vectors.

6.8
2015-06-15 CVE-2015-4361 Registration Codes Project Cross-Site Request Forgery (CSRF) vulnerability in Registration Codes Project Registration Codes

Cross-site request forgery (CSRF) vulnerability in the Registration codes module before 6.x-1.6 for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete registration codes via unspecified vectors.

6.8
2015-06-15 CVE-2015-4360 Registration Codes Project Cross-Site Request Forgery (CSRF) vulnerability in Registration Codes Project Registration Codes

Cross-site request forgery (CSRF) vulnerability in the Registration codes module before 6.x-1.6, 6.x-2.x before 6.x-2.8, and 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete role-rules via unspecified vectors.

6.8
2015-06-15 CVE-2015-4355 Watchdog Aggregator Project Cross-Site Request Forgery (CSRF) vulnerability in Watchdog Aggregator Project Watchdog Aggregator

Cross-site request forgery (CSRF) vulnerability in the Watchdog Aggregator module for Drupal allows remote attackers to hijack the authentication of administrators for requests that enable or disable monitoring sites via unspecified vectors.

6.8
2015-06-15 CVE-2015-4350 WEB Dorado Cross-Site Request Forgery (CSRF) vulnerability in Web-Dorado Spider Catalog

Multiple cross-site request forgery (CSRF) vulnerabilities in the Spider Catalog module for Drupal allow remote attackers to hijack the authentication of administrators for requests that delete (1) products, (2) ratings, or (3) categories via unspecified vectors.

6.8
2015-06-19 CVE-2015-4676 Aftab SQL Injection vulnerability in Aftab Tickfa 1.0.1

SQL injection vulnerability in ticket.php in TickFa 1.x allows remote authenticated users to execute arbitrary SQL commands via the tid parameter in a read action.

6.5
2015-06-18 CVE-2015-4628 Limesurvey SQL Injection vulnerability in Limesurvey

SQL injection vulnerability in application/controllers/admin/questiongroups.php in LimeSurvey before 2.06+ Build 150618 allows remote authenticated administrators to execute arbitrary SQL commands via the sid parameter.

6.5
2015-06-17 CVE-2015-4338 Xcloner Code Injection vulnerability in Xcloner 3.1.2

Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary PHP code into the language files via a Translation LM_FRONT_* field for a language, as demonstrated by language/italian.php.

6.5
2015-06-17 CVE-2015-4336 Xcloner Command Injection vulnerability in Xcloner 3.1.2

cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary commands via a file containing filenames with shell metacharacters, as demonstrated by using the backup comments feature to create the file.

6.5
2015-06-16 CVE-2015-4613 Developer LOG Project SQL Injection vulnerability in Developer LOG Project Developer LOG 2.11.3

SQL injection vulnerability in the backend module in the Developer Log (devlog) extension before 2.11.4 for TYPO3 allows remote editors to execute arbitrary SQL commands via unspecified vectors.

6.5
2015-06-16 CVE-2015-4612 FAQ Frequenty Asked Questions Project SQL Injection vulnerability in Faq-Frequenty Asked Questions Project Faq-Frequently Asked Questions 1.2.0

SQL injection vulnerability in the "FAQ - Frequently Asked Questions" (js_faq) extension before 1.2.1 for TYPO3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

6.5
2015-06-16 CVE-2015-4611 Smoelenboek Project SQL Injection vulnerability in Smoelenboek Project Smoelenboek 1.0.8

SQL injection vulnerability in the Smoelenboek (ncgov_smoelenboek) extension before 1.0.9 for TYPO3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

6.5
2015-06-16 CVE-2015-4610 Store Locator Project SQL Injection vulnerability in Store Locator Project Store Locator 3.3.0

SQL injection vulnerability in the Store Locator (locator) extension before 3.3.1 for TYPO3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

6.5
2015-06-16 CVE-2015-4609 WT Directory Project SQL Injection vulnerability in WT Directory Project WT Directory 1.4.1

SQL injection vulnerability in the wt_directory extension before 1.4.2 for TYPO3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

6.5
2015-06-15 CVE-2015-4118 Ispconfig SQL Injection vulnerability in Ispconfig 3.0.5.4

SQL injection vulnerability in monitor/show_sys_state.php in ISPConfig before 3.0.5.4p7 allows remote authenticated users with monitor permissions to execute arbitrary SQL commands via the server parameter.

6.5
2015-06-19 CVE-2015-4641 Swiftkey
Samsung
Path Traversal vulnerability in Swiftkey SDK

Directory traversal vulnerability in the SwiftKey language-pack update implementation on Samsung Galaxy S4, S4 Mini, S5, and S6 devices allows remote web servers to write to arbitrary files, and consequently execute arbitrary code in a privileged context, by leveraging control of the skslm.swiftkey.net domain name and providing a ..

6.4
2015-06-15 CVE-2015-4152 Elastic Path Traversal vulnerability in Elastic Logstash

Directory traversal vulnerability in the file output plugin in Elasticsearch Logstash before 1.4.3 allows remote attackers to write to arbitrary files via vectors related to dynamic field references in the path option.

6.4
2015-06-20 CVE-2015-4197 Cisco Improper Input Validation vulnerability in Cisco Nx-Os 5.2(5)

Cisco NX-OS 5.2(5) on Nexus 7000 devices allows remote attackers to cause a denial of service (device crash) by sending a malformed LLDP packet on the local network, aka Bug ID CSCud89415.

6.1
2015-06-17 CVE-2015-2803 Akronymmanager Project SQL Injection vulnerability in Akronymmanager Project Akronymmanager

SQL injection vulnerability in mod1/index.php in the Akronymmanager (sb_akronymmanager) extension before 7.0.0 for TYPO3 allows remote authenticated users with permission to maintain acronyms to execute arbitrary SQL commands via the id parameter.

6.0
2015-06-15 CVE-2015-4393 Services Project Improper Input Validation vulnerability in Services Project Services

The resource/endpoint for uploading files in the Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote authenticated users with the "Save file information" permission to execute arbitrary code via a crafted filename.

6.0
2015-06-15 CVE-2015-4348 Spider Contacts Project SQL Injection vulnerability in Spider Contacts Project Spider Contacts

SQL injection vulnerability in the Spider Contacts module for Drupal allows remote authenticated users with the "access Spider Contacts category administration" permission to execute arbitrary SQL commands via unspecified vectors.

6.0
2015-06-16 CVE-2015-4398 Chaos Tool Suite Project Unspecified vulnerability in Chaos Tool Suite Project Ctools

Open redirect vulnerability in the Chaos tool suite (ctools) module before 6.x-1.12 and 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors involving processing confirmation delete pages.

5.8
2015-06-15 CVE-2015-4371 Perfecto Project Open Redirection vulnerability in Drupal Perfecto Module

Open redirect vulnerability in the Perfecto module before 7.x-1.2 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in an unspecified parameter.

5.8
2015-06-15 CVE-2015-4363 Finder Project Unspecified vulnerability in Finder Project Finder

Open redirect vulnerability in the finder_form_goto function in the Finder module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

5.8
2015-06-15 CVE-2015-4353 Osscube Cross-Site Request Forgery (CSRF) vulnerability in Osscube Custom Sitemap

Cross-site request forgery (CSRF) vulnerability in the Custom Sitemap module for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete sitemaps via unspecified vectors.

5.8
2015-06-15 CVE-2015-4352 WEB Dorado Cross-Site Request Forgery (CSRF) vulnerability in Web-Dorado Spider Video Player

Cross-site request forgery (CSRF) vulnerability in the Spider Video Player module for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete videos via unspecified vectors.

5.8
2015-06-15 CVE-2015-4349 Spider Contacts Project Cross-Site Request Forgery (CSRF) vulnerability in Spider Contacts Project Spider Contacts

Cross-site request forgery (CSRF) vulnerability in the Spider Contacts module for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete contact categories via unspecified vectors.

5.8
2015-06-15 CVE-2015-4396 Keyword Research Project Cross-Site Request Forgery (CSRF) vulnerability in Keyword Research Project Keyword Research 6.X1.0

Multiple cross-site request forgery (CSRF) vulnerabilities in the Keyword Research module 6.x-1.x before 6.x-1.2 for Drupal allow remote attackers to hijack the authentication of users with the "kwresearch admin site keywords" permission for requests that (1) create, (2) delete, or (3) set priorities to keywords via unspecified vectors.

5.1
2015-06-20 CVE-2015-4202 Cisco Information Exposure vulnerability in Cisco IOS 12.2(33)Sch/12.2Sch

Cisco IOS 12.2SCH on uBR10000 router Cable Modem Termination Systems (CMTS) does not properly restrict access to the IP Detail Record (IPDR) service, which allows remote attackers to obtain potentially sensitive MAC address and network-utilization information via crafted IPDR packets, aka Bug ID CSCua39203.

5.0
2015-06-20 CVE-2015-4201 Cisco Improper Input Validation vulnerability in Cisco ASR 5000 Series Software 17.2.0.59184/18.0.L059219

The Gateway General Packet Radio Service Support Node (GGSN) component on Cisco ASR 5000 devices with software 17.2.0.59184 and 18.0.L0.59219 allows remote attackers to cause a denial of service (Session Manager restart) via an invalid TCP/IP header, aka Bug ID CSCut68058.

5.0
2015-06-19 CVE-2015-4194 Cisco Information Exposure vulnerability in Cisco Webex Meeting Center

The web-based administrative interface in Cisco WebEx Meeting Center provides different error messages for failed login attempts depending on whether the username exists or corresponds to a privileged account, which allows remote attackers to enumerate account names and obtain sensitive information via a series of requests, aka Bug ID CSCuf28861.

5.0
2015-06-19 CVE-2015-4191 Cisco Resource Management Errors vulnerability in Cisco IOS XR 5.2.1

Cisco IOS XR 5.2.1 allows remote attackers to cause a denial of service (ipv6_io service reload) via a malformed IPv6 packet, aka Bug ID CSCuq95565.

5.0
2015-06-18 CVE-2015-3897 Bonitasoft Path Traversal vulnerability in Bonitasoft Bonita BPM Portal

Directory traversal vulnerability in Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via a ..

5.0
2015-06-17 CVE-2015-4414 SE Html5 Album Audio Player Project Path Traversal vulnerability in SE Html5 Album Audio Player Project SE Html5 Album Audio Player 1.1.0

Directory traversal vulnerability in download_audio.php in the SE HTML5 Album Audio Player (se-html5-album-audio-player) plugin 1.1.0 and earlier for WordPress allows remote attackers to read arbitrary files via a ..

5.0
2015-06-17 CVE-2015-4188 Cisco SQL Injection vulnerability in Cisco Prime Collaboration 10.5(1)

SQL injection vulnerability in the Manager interface in Cisco Prime Collaboration 10.5(1) allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug IDs CSCuu29910, CSCuu29928, and CSCuu59104.

5.0
2015-06-15 CVE-2015-4146 W1 FI
Opensuse
The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not clear the L (Length) and M (More) flags before determining if a response should be fragmented, which allows remote attackers to cause a denial of service (crash) via a crafted message.
5.0
2015-06-15 CVE-2015-4145 W1 FI
Opensuse
Resource Management Errors vulnerability in multiple products

The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate a fragment is already being processed, which allows remote attackers to cause a denial of service (memory leak) via a crafted message.

5.0
2015-06-15 CVE-2015-4144 Opensuse
W1 FI
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate that a message is long enough to contain the Total-Length field, which allows remote attackers to cause a denial of service (crash) via a crafted message.

5.0
2015-06-15 CVE-2015-4143 W1 FI
Opensuse
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) Commit or (2) Confirm message payload.

5.0
2015-06-15 CVE-2015-4394 Services Project Permissions, Privileges, and Access Controls vulnerability in Services Project Services

The Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote attackers to bypass the field_access restriction and obtain sensitive private field information via unspecified vectors.

5.0
2015-06-15 CVE-2015-4368 Commerce Ogone Project Unspecified vulnerability in Commerce Ogone Project Commerce Ogone

The Commerce Ogone module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to complete the checkout for an order without paying via unspecified vectors.

5.0
2015-06-15 CVE-2015-4345 Restful WEB Services Project Information Exposure vulnerability in Restful web Services Project Restful web Services

The RESTWS Basic Auth submodule in the RESTful Web Services module 7.x-1.x before 7.x-1.5 and 7.x-2.x before 7.x-2.3 for Drupal caches pages for authenticated requests, which allows remote attackers to obtain sensitive information via unspecified vectors.

5.0
2015-06-15 CVE-2015-4344 Services Basic Authentication Project Permissions, Privileges, and Access Controls vulnerability in Services Basic Authentication Project Services Basic Authentication

The Services Basic Authentication module 7.x-1.x through 7.x-1.3 for Drupal allows remote attackers to bypass intended resource restrictions via vectors related to page caching.

5.0
2015-06-15 CVE-2015-4164 XEN Resource Management Errors vulnerability in XEN

The compat_iret function in Xen 3.1 through 4.5 iterates the wrong way through a loop, which allows local 32-bit PV guest administrators to cause a denial of service (large loop and system hang) via a hypercall_iret call with EFLAGS.VM set.

4.9
2015-06-15 CVE-2015-4163 XEN Local Denial of Service vulnerability in Xen

GNTTABOP_swap_grant_ref in Xen 4.2 through 4.5 does not check the grant table operation version, which allows local guest domains to cause a denial of service (NULL pointer dereference) via a hypercall without a GNTTABOP_setup_table or GNTTABOP_set_version.

4.9
2015-06-15 CVE-2015-4351 WEB Dorado Permissions, Privileges, and Access Controls vulnerability in Web-Dorado Spider Video Player

The Spider Video Player module for Drupal allows remote authenticated users with the "access Spider Video Player administration" permission to delete arbitrary files via a crafted URL.

4.9
2015-06-17 CVE-2015-3318 CA Improper Input Validation vulnerability in CA products

CA Common Services, as used in CA Client Automation r12.5 SP01, r12.8, and r12.9; CA Network and Systems Management r11.0, r11.1, and r11.2; CA NSM Job Management Option r11.0, r11.1, and r11.2; CA Universal Job Management Agent; CA Virtual Assurance for Infrastructure Managers (aka SystemEDGE) 12.6, 12.7, 12.8, and 12.9; and CA Workload Automation AE r11, r11.3, r11.3.5, and r11.3.6 on UNIX, does not properly validate an unspecified variable, which allows local users to gain privileges via unknown vectors.

4.6
2015-06-17 CVE-2015-3317 CA Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in CA products

CA Common Services, as used in CA Client Automation r12.5 SP01, r12.8, and r12.9; CA Network and Systems Management r11.0, r11.1, and r11.2; CA NSM Job Management Option r11.0, r11.1, and r11.2; CA Universal Job Management Agent; CA Virtual Assurance for Infrastructure Managers (aka SystemEDGE) 12.6, 12.7, 12.8, and 12.9; and CA Workload Automation AE r11, r11.3, r11.3.5, and r11.3.6 on UNIX, does not properly perform bounds checking, which allows local users to gain privileges via unspecified vectors.

4.6
2015-06-17 CVE-2015-3316 Broadcom
CA
CA Common Services, as used in CA Client Automation r12.5 SP01, r12.8, and r12.9; CA Network and Systems Management r11.0, r11.1, and r11.2; CA NSM Job Management Option r11.0, r11.1, and r11.2; CA Universal Job Management Agent; CA Virtual Assurance for Infrastructure Managers (aka SystemEDGE) 12.6, 12.7, 12.8, and 12.9; and CA Workload Automation AE r11, r11.3, r11.3.5, and r11.3.6 on UNIX, allows local users to gain privileges via an unspecified environment variable.
4.6
2015-06-20 CVE-2015-4198 Cisco Cross-Site Scripting vulnerability in Cisco web Security Appliance 8.5.0497

Cross-site scripting (XSS) vulnerability in the web framework on Cisco Web Security Appliance (WSA) devices with software 8.5.0-497 allows remote attackers to inject arbitrary web script or HTML via an unspecified HTTP header, aka Bug ID CSCuu24409.

4.3
2015-06-19 CVE-2015-4679 Airties Cross-Site Scripting vulnerability in Airties Rt-210 Firmware

Multiple cross-site scripting (XSS) vulnerabilities in the web interface in Airties RT-210 allow remote attackers to inject arbitrary web script or HTML via the (1) ddns_domainame or (2) ddns_account parameter to ddns.stm.

4.3
2015-06-18 CVE-2015-4661 Getsymphony Cross-Site Scripting vulnerability in Getsymphony Symphony

Cross-site scripting (XSS) vulnerability in Symphony CMS 2.6.2 allows remote attackers to inject arbitrary web script or HTML via the sort parameter to system/authors.

4.3
2015-06-18 CVE-2015-4660 Eliacom Cross-Site Scripting vulnerability in Eliacom Enhanced SQL Portal 5.0.7961

Cross-site scripting (XSS) vulnerability in Enhanced SQL Portal 5.0.7961 allows remote attackers to inject arbitrary web script or HTML via the id parameter to iframe.php.

4.3
2015-06-18 CVE-2015-4657 Mailbird Cross-Site Scripting vulnerability in Mailbird 2.0.16.0

Cross-site scripting (XSS) vulnerability in Mailbird 2.0.16.0 and earlier allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with a crafted URL.

4.3
2015-06-18 CVE-2015-4656 Synology Cross-Site Scripting vulnerability in Synology Photo Station

Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/.

4.3
2015-06-18 CVE-2015-4655 Synology Cross-Site Scripting vulnerability in Synology Diskstation Manager

Cross-site scripting (XSS) vulnerability in Synology DiskStation Manager (DSM) before 5.2-5565 Update 1 allows remote attackers to inject arbitrary web script or HTML via the "compound" parameter to entry.cgi.

4.3
2015-06-18 CVE-2015-4587 Alcatel Lucent Cross-Site Scripting vulnerability in Alcatel-Lucent Cellpipe 7130 Router Firmware 1.0.0.20H.Hol

Cross-site scripting (XSS) vulnerability in the Alcatel-Lucent CellPipe 7130 router with firmware 1.0.0.20h.HOL allows remote attackers to inject arbitrary web script or HTML via the "Custom application" field in the "port triggering" menu.

4.3
2015-06-18 CVE-2015-4420 Opsview Cross-Site Scripting vulnerability in Opsview

Multiple cross-site scripting (XSS) vulnerabilities in Opsview 4.6.2 and earlier allow remote attackers to inject arbitrary web script or HTML via a (1) crafted check plugin, the (2) description in a host profile, or the (3) plugin_args parameter to a Test service check page.

4.3
2015-06-18 CVE-2015-3422 Searchblox Cross-Site Scripting vulnerability in Searchblox

Cross-site scripting (XSS) vulnerability in SearchBlox before 8.2.1 allows remote attackers to inject arbitrary web script or HTML via the menu2 parameter to admin/main.jsp.

4.3
2015-06-17 CVE-2015-3429 Automattic
Wordpress
Debian
Cross-Site Scripting vulnerability in multiple products

Cross-site scripting (XSS) vulnerability in example.html in Genericons before 3.3.1, as used in WordPress before 4.2.2, allows remote attackers to inject arbitrary web script or HTML via a fragment identifier.

4.3
2015-06-17 CVE-2015-2665 Cacti
Fedoraproject
Cross-Site Scripting vulnerability in multiple products

Cross-site scripting (XSS) vulnerability in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2015-06-17 CVE-2012-6692 Yoast Cross-Site Scripting vulnerability in Yoast Wordpress SEO

Cross-site scripting (XSS) vulnerability in js/wp-seo-metabox.js in the WordPress SEO by Yoast plugin before 2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the post_title parameter to wp-admin/post-new.php, which is not properly handled in the snippet preview functionality.

4.3
2015-06-17 CVE-2015-4550 Cisco Cryptographic Issues vulnerability in Cisco Adaptive Security Appliance Software 9.3(3)/9.4(1.1)

The Cavium cryptographic-module firmware on Cisco Adaptive Security Appliance (ASA) devices with software 9.3(3) and 9.4(1.1) does not verify the AES-GCM Integrity Check Value (ICV) octets, which makes it easier for man-in-the-middle attackers to spoof IPSec and IKEv2 traffic by modifying packet data, aka Bug ID CSCuu66218.

4.3
2015-06-17 CVE-2015-4190 Cisco Man in the Middle Security Bypass vulnerability in Cisco Prime Service Catalog 9.4.1Vortex

Cisco Cloud Portal in Cisco Prime Service Catalog 9.4.1_vortex on Cloud Portal appliances allows man-in-the-middle attackers to modify data via unspecified vectors, aka Bug ID CSCuh19683.

4.3
2015-06-16 CVE-2015-2804 Alcatel Lucent Information Exposure vulnerability in Alcatel-Lucent Omniswitch Firmware

The management web interface in Alcatel-Lucent OmniSwitch 6450, 6250, 6850E, 9000E, 6400, and 6855 with firmware before 6.6.4.309.R01 and 6.6.5.x before 6.6.5.80.R02 generates weak session identifiers, which allows remote attackers to hijack arbitrary sessions via a brute force attack.

4.3
2015-06-15 CVE-2015-4559 Mcafee Cross-Site Scripting vulnerability in Mcafee Epolicy Orchestrator

Cross-site scripting (XSS) vulnerability in the product deployment feature in the Java core web services in Intel McAfee ePolicy Orchestrator (ePO) before 5.1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2015-06-15 CVE-2015-4142 W1 FI
Redhat
Opensuse
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Integer underflow in the WMM Action frame parser in hostapd 0.5.5 through 2.4 and wpa_supplicant 0.7.0 through 2.4, when used for AP mode MLME/SME functionality, allows remote attackers to cause a denial of service (crash) via a crafted frame, which triggers an out-of-bounds read.

4.3
2015-06-15 CVE-2015-4141 W1 FI
Opensuse
Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

The WPS UPnP function in hostapd, when using WPS AP, and wpa_supplicant, when using WPS external registrar (ER), 0.7.0 through 2.4 allows remote attackers to cause a denial of service (crash) via a negative chunk length, which triggers an out-of-bounds read or heap-based buffer overflow.

4.3
2015-06-15 CVE-2015-4093 Elastic Cross-Site Scripting vulnerability in Elastic Kibana 4.0.0/4.0.1/4.0.2

Cross-site scripting (XSS) vulnerability in Elasticsearch Kibana 4.x before 4.0.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2015-06-15 CVE-2015-4386 Entitybulkdelete Project Cross-Site Scripting vulnerability in Entitybulkdelete Project Entitybulkdelete 7.X1.0

Multiple cross-site scripting (XSS) vulnerabilities in unspecified administration pages in the EntityBulkDelete module 7.x-1.0 for Drupal allow remote attackers to inject arbitrary web script or HTML via unknown vectors involving creating or editing (1) comments, (2) taxonomy terms, or (3) nodes.

4.3
2015-06-15 CVE-2015-4375 Chaos Tool Suite Project Information Exposure vulnerability in Chaos Tool Suite Project Ctools

The Chaos tool suite (ctools) module 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to obtain sensitive node titles via (1) an autocomplete search on custom entities without an access query tag or (2) leveraging knowledge of the ID of an entity.

4.3
2015-06-15 CVE-2015-4347 Inlinks Project Cross-Site Scripting vulnerability in Inlinks Project Inlinks

Cross-site scripting (XSS) vulnerability in the inLinks Integration module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified path arguments.

4.3
2015-06-19 CVE-2015-4195 Cisco Resource Management Errors vulnerability in Cisco IOS XR 5.1.1.K9Sec

Cisco IOS XR 5.1.1.K9SEC allows remote authenticated users to cause a denial of service (vty error, and SSH and TELNET outage) via a crafted disconnect action within an SSH session, aka Bug ID CSCul63127.

4.0
2015-06-15 CVE-2015-4389 Open Graph Importer Project Permissions, Privileges, and Access Controls vulnerability in Open Graph Importer Project Open Graph Importer 7.X1.0

The Open Graph Importer (og_tag_importer) 7.x-1.x for Drupal does not properly check the create permission for content types created during import, which allows remote authenticated users to bypass intended restrictions by leveraging the "import og_tag_importer" permission.

4.0

30 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-06-18 CVE-2015-4139 WP Smiley Project Cross-Site Scripting vulnerability in WP Smiley Project WP Smiley 1.4.1

Cross-site scripting (XSS) vulnerability in smilies4wp.php in the WP Smiley plugin 1.4.1 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the s4w-more parameter to wp-admin/options-general.php.

3.5
2015-06-17 CVE-2015-4337 Xcloner Cross-Site Scripting vulnerability in Xcloner 3.1.2

Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the excl_manual parameter in the xcloner_show page to wpadmin/plugins.php.

3.5
2015-06-16 CVE-2015-4374 Webform Project Cross-Site Scripting vulnerability in Webform Project Webform

Cross-site scripting (XSS) vulnerability in the Webform module before 6.x-3.23, 7.x-3.x before 7.x-3.23, and 7.x-4.x before 7.x-4.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a component name in the recipient (To) address of an email.

3.5
2015-06-16 CVE-2015-4608 BE User LOG Project Cross-Site Scripting vulnerability in BE User LOG Project BE User LOG 1.1.1

Cross-site scripting (XSS) vulnerability in the BE User Log (beko_beuserlog) extension 1.1.1 and earlier for TYPO3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

3.5
2015-06-15 CVE-2015-4395 Hybridauth Social Login Project Information Exposure vulnerability in Hybridauth Social Login Project Hybridauth Social Login

The HybridAuth Social Login module 7.x-2.x before 7.x-2.10 for Drupal stores passwords in plaintext when the "Ask user for a password when registering" option is enabled, which allows remote authenticated users with certain permissions to obtain sensitive information by leveraging access to the database.

3.5
2015-06-15 CVE-2015-4392 Display Suite Project Cross-Site Scripting vulnerability in Display Suite Project Display Suite 7X2.7

Cross-site scripting (XSS) vulnerability in the Display Suite module 7.x-2.7 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to field display settings.

3.5
2015-06-15 CVE-2015-4384 Ubercart Webform Checkout Pane Project Cross-Site Scripting vulnerability in Ubercart Webform Checkout Pane Project Ubercart Webform Checkout Pane 6.X3.X/7.X3.X

Cross-site scripting (XSS) vulnerability in the Ubercart Webform Checkout Pane module 6.x-3.x before 6.x-3.10 and 7.x-3.x before 7.x-3.11 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.

3.5
2015-06-15 CVE-2015-4381 Invoice Project Cross-Site Scripting vulnerability in Invoice Project Invoice 6.X1.1/7.X1.Xdev

Cross-site scripting (XSS) vulnerability in the Invoice module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal allows remote authenticated users with the "Administer own invoices" permission to inject arbitrary web script or HTML via unspecified vectors involving nodes of the "Invoice" content type.

3.5
2015-06-15 CVE-2015-4380 Linear Case Project Cross-Site Scripting vulnerability in Linear Case Project Linear Case

Cross-site scripting (XSS) vulnerability in the Linear Case module 6.x-1.x before 6.x-1.3 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.

3.5
2015-06-15 CVE-2015-4376 Profile2 Privacy Project Cross-Site Scripting vulnerability in Profile2 Privacy Project Profile2 Privacy

Cross-site scripting (XSS) vulnerability in the Profile2 Privacy module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with the "Administer Profile2 Privacy Levels" permission to inject arbitrary web script or HTML via unspecified vectors.

3.5
2015-06-15 CVE-2015-4373 OG Tabs Project Cross-Site Scripting vulnerability in OG Tabs Project OG Tabs 7.X1.0

Cross-site scripting (XSS) vulnerability in the OG tabs module before 7.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to nodes posted in an Organic Groups group.

3.5
2015-06-15 CVE-2015-4372 Image Title Project Cross-Site Scripting vulnerability in Image Title Project Image Title 7.X1.0

Cross-site scripting (XSS) vulnerability in the Image Title module before 7.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.

3.5
2015-06-15 CVE-2015-4370 Site Documentation Project Cross-Site Scripting vulnerability in Site Documentation Project Site Documentation

Cross-site scripting (XSS) vulnerability in the Site Documentation module before 6.x-1.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to taxonomy terms.

3.5
2015-06-15 CVE-2015-4369 Trick Question Project Cross-Site Scripting vulnerability in Trick Question Project Trick Question

Cross-site scripting (XSS) vulnerability in the Trick Question module before 6.x-1.5 and 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with the "Administer Trick Question" permission to inject arbitrary web script or HTML via unspecified vectors.

3.5
2015-06-15 CVE-2015-4367 Simple Subscription Project Cross-Site Scripting vulnerability in Simple Subscription Project Simple Subscription 6.X1.0/7.X1.0

Cross-site scripting (XSS) vulnerability in the Simple Subscription module before 6.x-1.1 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer blocks" permission to inject arbitrary web script or HTML via vectors related to block content.

3.5
2015-06-15 CVE-2015-4366 Mover Project Cross-Site Scripting vulnerability in Mover Project Mover 6.X1.0

Cross-site scripting (XSS) vulnerability in the Mover module 6.x-1.0 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.

3.5
2015-06-15 CVE-2015-4365 Taxonomy Accordion Project Cross-Site Scripting vulnerability in Taxonomy Accordion Project Taxonomy Accordion

Cross-site scripting (XSS) vulnerability in the Taxonomy Accordion module for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to taxonomy terms.

3.5
2015-06-15 CVE-2015-4359 Registration Codes Project Cross-Site Scripting vulnerability in Registration Codes Project Registration Codes

Multiple cross-site scripting (XSS) vulnerabilities in the Registration codes module before 6.x-1.6, 6.x-2.x before 6.x-2.8, and 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with permission to create or edit taxonomy terms or nodes to inject arbitrary web script or HTML via unspecified vectors.

3.5
2015-06-15 CVE-2015-4358 Ubercart Discount Coupons Project Cross-Site Scripting vulnerability in Ubercart Discount Coupons Project Ubercart Discount Coupons

Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Ubercart Discount Coupons module 6.x-1.x before 6.x-1.8 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to taxonomy terms.

3.5
2015-06-15 CVE-2015-4357 Webform Project Cross-Site Scripting vulnerability in Webform Project Webform

Cross-site scripting (XSS) vulnerability in the Webform module before 6.x-3.22, 7.x-3.x before 7.x-3.22, and 7.x-4.x before 7.x-4.4 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a node title, which is used as the default title of a webform block.

3.5
2015-06-15 CVE-2015-4356 Webform Project Cross-Site Scripting vulnerability in Webform Project Webform

Cross-site scripting (XSS) vulnerability in the view-based webform results table in the Webform module 7.x-4.x before 7.x-4.4 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a webform.

3.5
2015-06-15 CVE-2015-4354 Ubercart Webform Integration Project Cross-Site Scripting vulnerability in Ubercart Webform Integration Project Ubercart Webform Integration 6.X1.0/7.X1.0/7.X2.0

Cross-site scripting (XSS) vulnerability in the Ubercart Webform Integration module before 6.x-1.8 and 7.x before 7.x-2.4 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.

3.5
2015-06-19 CVE-2015-4640 Swiftkey
Samsung
7PK - Security Features vulnerability in Swiftkey SDK

The SwiftKey language-pack update implementation on Samsung Galaxy S4, S4 Mini, S5, and S6 devices relies on an HTTP connection to the skslm.swiftkey.net server, which allows man-in-the-middle attackers to write to language-pack files by modifying an HTTP response.

2.9
2015-06-15 CVE-2015-4388 Current Search Links Project Cross-Site Scripting vulnerability in Current Search Links Project Current Search Links 7.X1.0/7.X1.Xdev

Cross-site scripting (XSS) vulnerability in the Current Search Links module 7.x-1.x before 7.x-1.1 for Drupal, when the "Append the keywords passed by the user to the list" option is disabled, allows remote attackers to inject arbitrary web script or HTML via a crafted search query.

2.6
2015-06-15 CVE-2015-4387 Password Policy Project Cross-Site Scripting vulnerability in Password Policy Project Password Policy

Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Password Policy module 6.x-1.x before 6.x-1.11 and 7.x-1.x before 7.x-1.11 for Drupal, when a site has a policy that uses the username constraint, allows remote attackers to inject arbitrary web script or HTML via a crafted username that is imported from an external source.

2.6
2015-06-15 CVE-2015-4346 SMS Framework Project Cross-Site Scripting vulnerability in SMS Framework Project SMS Framework

Cross-site scripting (XSS) vulnerability in the SMS Framework module 6.x-1.x before 6.x-1.1 for Drupal, when the "Send to phone" submodule is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to message previews.

2.6
2015-06-16 CVE-2015-3010 Ceph Information Exposure vulnerability in Ceph Ceph-Deploy 1.5.22

ceph-deploy before 1.5.23 uses weak permissions (644) for ceph/ceph.client.admin.keyring, which allows local users to obtain sensitive information by reading the file.

2.1
2015-06-15 CVE-2015-4385 Imagefield Info Project Cross-Site Scripting vulnerability in Imagefield Info Project Imagefield Info 7.X1.0/7.X1.1/7.X1.Xdev

Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Imagefield Info module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "Administer image styles" permission to inject arbitrary web script or HTML via unspecified vectors.

2.1
2015-06-15 CVE-2015-4378 Crumbs Project Cross-Site Scripting vulnerability in Crumbs Project Crumbs 7.X2.0/7.X2.1/7.X2.2

Cross-site scripting (XSS) vulnerability in the Crumbs module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with the "Administer Crumbs" permission to inject arbitrary web script or HTML via a custom breadcrumb separator.

2.1
2015-06-15 CVE-2015-4377 Petition Project Cross-Site Scripting vulnerability in Petition Project Petition 6.X1.0/6.X1.1/6.X1.2

Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Petition module 6.x-1.x before 6.x-1.3 for Drupal allows remote authenticated users with the "create petition" permission to inject arbitrary web script or HTML via unknown vectors.

2.1