Weekly Vulnerabilities Reports > July 6 to 12, 2015

Overview

94 new vulnerabilities reported during this period, including 31 critical vulnerabilities and 15 high severity vulnerabilities. This weekly summary report vulnerabilities in 89 products from 38 vendors including Adobe, Linux, Apple, Microsoft, and Cisco. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Access Control", "Cross-Site Request Forgery (CSRF)", and "SQL Injection".

  • 86 reported vulnerabilities are remotely exploitables.
  • 10 reported vulnerabilities have public exploit available.
  • 31 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 88 reported vulnerabilities are exploitable by an anonymous user.
  • Adobe has the most reported vulnerabilities, with 35 reported vulnerabilities.
  • Adobe has the most reported critical vulnerabilities, with 28 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

31 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-07-09 CVE-2015-5118 Adobe
Apple
Microsoft
Linux
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Heap-based buffer overflow in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3135 and CVE-2015-4432.

10.0
2015-07-09 CVE-2015-5117 Adobe
Linux
Apple
Microsoft
Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, and CVE-2015-4430.

10.0
2015-07-09 CVE-2015-4433 Adobe
Linux
Apple
Microsoft
Remote Code Execution vulnerability in Adobe Flash Player and AIR

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, and CVE-2015-3122.

10.0
2015-07-09 CVE-2015-4432 Adobe
Linux
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Heap-based buffer overflow in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3135 and CVE-2015-5118.

10.0
2015-07-09 CVE-2015-4431 Adobe
Linux
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, and CVE-2015-3134.

10.0
2015-07-09 CVE-2015-4430 Adobe
Apple
Microsoft
Linux
Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, and CVE-2015-5117.

10.0
2015-07-09 CVE-2015-4429 Adobe
Linux
Apple
Microsoft
Remote Denial of Service vulnerability in Adobe Flash Player and AIR

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2015-3126.

10.0
2015-07-09 CVE-2015-4428 Adobe
Apple
Microsoft
Linux
Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4430, and CVE-2015-5117.

10.0
2015-07-09 CVE-2015-3137 Adobe
Apple
Microsoft
Linux
Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.

10.0
2015-07-09 CVE-2015-3136 Adobe
Apple
Microsoft
Linux
Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.

10.0
2015-07-09 CVE-2015-3135 Adobe
Apple
Microsoft
Linux
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Heap-based buffer overflow in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-4432 and CVE-2015-5118.

10.0
2015-07-09 CVE-2015-3134 Adobe
Linux
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, and CVE-2015-4431.

10.0
2015-07-09 CVE-2015-3133 Adobe
Linux
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3134, and CVE-2015-4431.

10.0
2015-07-09 CVE-2015-3132 Adobe
Linux
Apple
Microsoft
Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.

10.0
2015-07-09 CVE-2015-3131 Adobe
Linux
Apple
Microsoft
Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.

10.0
2015-07-09 CVE-2015-3130 Adobe
Apple
Microsoft
Linux
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3117, CVE-2015-3123, CVE-2015-3133, CVE-2015-3134, and CVE-2015-4431.

10.0
2015-07-09 CVE-2015-3129 Adobe
Apple
Microsoft
Linux
Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.

10.0
2015-07-09 CVE-2015-3128 Adobe
Apple
Microsoft
Linux
Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.

10.0
2015-07-09 CVE-2015-3127 Adobe
Apple
Microsoft
Linux
Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.

10.0
2015-07-09 CVE-2015-3124 Adobe
Apple
Microsoft
Linux
Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.

10.0
2015-07-09 CVE-2015-3123 Adobe
Linux
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3117, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, and CVE-2015-4431.

10.0
2015-07-09 CVE-2015-3122 Adobe
Apple
Microsoft
Linux
Remote Code Execution vulnerability in Adobe Flash Player and AIR

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, and CVE-2015-4433.

10.0
2015-07-09 CVE-2015-3121 Adobe
Linux
Apple
Microsoft
Remote Code Execution vulnerability in Adobe Flash Player and AIR

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3119, CVE-2015-3120, CVE-2015-3122, and CVE-2015-4433.

10.0
2015-07-09 CVE-2015-3120 Adobe
Linux
Apple
Microsoft
Incorrect Type Conversion or Cast vulnerability in Adobe products

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3119, CVE-2015-3121, CVE-2015-3122, and CVE-2015-4433.

10.0
2015-07-09 CVE-2015-3119 Adobe
Linux
Apple
Microsoft
Remote Code Execution vulnerability in Adobe Flash Player and AIR

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, and CVE-2015-4433.

10.0
2015-07-09 CVE-2015-3118 Adobe
Apple
Microsoft
Linux
Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117.

10.0
2015-07-09 CVE-2015-3117 Adobe
Linux
Apple
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, and CVE-2015-4431.

10.0
2015-07-06 CVE-2015-3955 Hospira Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Hospira Lifecare Pcainfusion Firmware 5.0

Stack-based buffer overflow in Hospira LifeCare PCA Infusion System 5.0 and earlier, and possibly other versions, allows remote attackers to execute arbitrary code via unspecified vectors.

10.0
2015-07-06 CVE-2015-5371 Solarwinds Remote Code Execution vulnerability in SolarWinds Storage Manager

The AuthenticationFilter class in SolarWinds Storage Manager allows remote attackers to upload and execute arbitrary scripts via unspecified vectors.

10.0
2015-07-08 CVE-2015-5119 Adobe
Redhat
Suse
Opensuse
Use After Free vulnerability in multiple products

Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015.

9.8
2015-07-06 CVE-2014-5406 Hospira Insufficient Verification of Data Authenticity vulnerability in Hospira Lifecare Pcainfusion Firmware 5.0

The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port.

9.3

15 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-07-06 CVE-2015-4034 Samsung Improper Access Control vulnerability in Samsung Galaxy S5

The createFromParcel method in the com.absolute.android.persistence.MethodSpec class in Samsung Galaxy S5s allows remote attackers to execute arbitrary files via a crafted Parcelable object in a serialized MethodSpec object.

7.9
2015-07-08 CVE-2015-4620 ISC Code vulnerability in ISC Bind

name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone.

7.8
2015-07-06 CVE-2015-3958 Hospira Data Processing Errors vulnerability in Hospira Lifecare Pcainfusion Firmware 5.0

Hospira LifeCare PCA Infusion System 5.0 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (forced manual reboot) via a flood of TCP packets.

7.8
2015-07-06 CVE-2015-4230 Cisco Resource Management Errors vulnerability in Cisco Headend System Release

Memory leak in Cisco Headend System Release allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors, aka Bug ID CSCus91854.

7.8
2015-07-09 CVE-2015-3126 Adobe
Linux
Apple
Microsoft
Remote Denial of Service vulnerability in Adobe Flash Player and AIR

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2015-4429.

7.5
2015-07-08 CVE-2015-4614 Easy2Map Project SQL Injection vulnerability in Easy2Map Project Easy2Map

Multiple SQL injection vulnerabilities in includes/Function.php in the Easy2Map plugin before 1.2.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the mapName parameter in an e2m_img_save_map_name action to wp-admin/admin-ajax.php and other unspecified vectors.

7.5
2015-07-08 CVE-2015-5457 Pivotx Improper Input Validation vulnerability in Pivotx

PivotX before 2.3.11 does not validate the new file extension when renaming a file with multiple extensions, which allows remote attackers to execute arbitrary code by uploading a crafted file, as demonstrated by a file named foo.php.php.

7.5
2015-07-08 CVE-2015-5452 Watchguard SQL Injection vulnerability in Watchguard XCS 10.0/9.2

SQL injection vulnerability in Watchguard XCS 9.2 and 10.0 before build 150522 allows remote attackers to execute arbitrary SQL commands via the sid cookie, as demonstrated by a request to borderpost/imp/compose.php3.

7.5
2015-07-08 CVE-2015-2866 Grandstream SQL Injection vulnerability in Grandstream Gxv3611 HD Firmware

SQL injection vulnerability on the Grandstream GXV3611_HD camera with firmware before 1.0.3.9 beta allows remote attackers to execute arbitrary SQL commands by attempting to establish a TELNET session with a crafted username.

7.5
2015-07-07 CVE-2015-2849 Antlabs SQL Injection vulnerability in Antlabs products

SQL injection vulnerability in main.ant in the ANTlabs InnGate firmware on IG 3100, InnGate 3.01 E, InnGate 3.10 E, InnGate 3.10 M, SG 4, and SSG 4 devices, when https is used, allows remote attackers to execute arbitrary SQL commands via the ppli parameter.

7.5
2015-07-06 CVE-2015-4648 Panasonic Improper Input Validation vulnerability in Panasonic Security API Activex SDK

Stack-based buffer overflow in the Ipropsapi.ipropsapiCtrl.1 ActiveX control in ipropsapivideo in Panasonic Security API (PS-API) ActiveX SDK before 8.10.18 allows remote attackers to execute arbitrary code via a long string to the MulticastAddr method.

7.5
2015-07-10 CVE-2015-4526 EMC Improper Access Control vulnerability in EMC Recoverpoint for Virtual Machines 4.2

EMC RecoverPoint for Virtual Machines (VMs) 4.2 allows local users to obtain root-shell access by bypassing the Installation Manager Boxmgmt CLI interface.

7.2
2015-07-10 CVE-2015-3650 Vmware Improper Access Control vulnerability in VMWare Horizon View Client, Player and Workstation

vmware-vmx.exe in VMware Workstation 7.x through 10.x before 10.0.7 and 11.x before 11.1.1, VMware Player 5.x and 6.x before 6.0.7 and 7.x before 7.1.1, and VMware Horizon Client 5.x local-mode before 5.4.2 on Windows does not provide a valid DACL pointer during the setup of the vprintproxy.exe process, which allows host OS users to gain host OS privileges by injecting a thread.

7.2
2015-07-10 CVE-2015-4244 Cisco OS Command Injection vulnerability in Cisco ASR 5000 Series Software 14.0

The boot implementation on Cisco ASR 5000 and 5500 devices with software 14.0 allows local users to execute arbitrary Linux commands by leveraging administrative privileges for storage of these commands in a Compact Flash (CF) file, aka Bug ID CSCuu75278.

7.2
2015-07-06 CVE-2015-2126 HP Permissions, Privileges, and Access Controls vulnerability in HP Hp-Ux 11.11Iv2/11.11Iv3

Unspecified vulnerability in pppoec in HP HP-UX 11iv2 and 11iv3 allows local users to gain privileges by leveraging setuid permissions.

7.2

45 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-07-10 CVE-2015-4254 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Telepresence Advanced Media Gateway 1.1(1.40)

Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence Advanced Media Gateway devices with software 1.1(1.40) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu90732.

6.8
2015-07-10 CVE-2015-4258 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Telepresence MSE 8000 Series

Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence MSE 8000 devices allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu90444.

6.8
2015-07-10 CVE-2015-4257 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Telepresence MCU Software 4.5(1.55)

Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence MCU 4500 devices with software 4.5(1.55) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu90710.

6.8
2015-07-10 CVE-2015-4256 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Telepresence IP VCR 3.0 1.27

Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence IP VCR devices with software 3.0(1.27) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu90736.

6.8
2015-07-10 CVE-2015-4255 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Telepresence IP Gateway 2.0.3.34

Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence IP Gateway devices with software 2.0(3.34) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu90734.

6.8
2015-07-10 CVE-2015-4253 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Telepresence Serial Gateway 1.0.1.42

Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence Serial Gateway devices with software 1.0(1.42) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu90728.

6.8
2015-07-10 CVE-2015-4252 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Telepresence Isdn GW 3241 2.2(1.106)

Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ISDN Gateway devices with software 2.2(1.106) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu90724.

6.8
2015-07-08 CVE-2015-5458 Pivotx Unspecified vulnerability in Pivotx

Session fixation vulnerability in fileupload.php in PivotX before 2.3.11 allows remote attackers to hijack web sessions via the sess parameter.

6.8
2015-07-08 CVE-2015-4242 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Firesight System Software 5.4.1.2/6.0.0

Cross-site request forgery (CSRF) vulnerability in Cisco FireSIGHT System Software 5.4.1.2 and 6.0.0 in FireSIGHT Management Center allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu94721.

6.8
2015-07-06 CVE-2015-4647 Panasonic Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Panasonic Security API Activex SDK

Multiple stack-based buffer overflows in Ipropsapi in Panasonic Security API (PS-API) ActiveX SDK before 8.10.18 allow remote attackers to execute arbitrary code via a long string in the (1) FilePassword property or to the (2) GetStringInfo method.

6.8
2015-07-09 CVE-2015-1793 Oracle
Openssl
7PK - Security Features vulnerability in multiple products

The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.

6.5
2015-07-08 CVE-2015-5459 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Password Manager PRO

SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary SQL commands via the ANDOR parameter, as demonstrated by a request to STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc.

6.5
2015-07-08 CVE-2015-5453 Watchguard Command Injection vulnerability in Watchguard XCS 10.0/9.2

Watchguard XCS 9.2 and 10.0 before build 150522 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the id parameter to ADMIN/mailqueue.spl.

6.5
2015-07-10 CVE-2015-2970 Lemon S PHP Path Traversal vulnerability in Lemon-S PHP Simple Oekaki

index.php in LEMON-S PHP Simple Oekaki BBS before 1.21 allows remote attackers to delete arbitrary files via the oekakis parameter.

6.4
2015-07-08 CVE-2015-5461 Stageshow Project Unspecified vulnerability in Stageshow Project Stageshow

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.

6.4
2015-07-08 CVE-2015-4243 Cisco Resource Management Errors vulnerability in Cisco IOS XE 3.5.0S

The PPPoE establishment implementation in Cisco IOS XE 3.5.0S on ASR 1000 devices allows remote attackers to cause a denial of service (device reload) by sending malformed PPPoE Active Discovery Request (PADR) packets on the local network, aka Bug ID CSCty94202.

6.1
2015-07-08 CVE-2014-8175 Redhat Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Fuse 6.0.0/6.1.0

Red Hat JBoss Fuse before 6.2.0 allows remote authenticated users to bypass intended restrictions and access the HawtIO console by leveraging an account defined in the users.properties file.

6.0
2015-07-06 CVE-2014-9737 Language Switcher Dropdown Project Unspecified vulnerability in Language Switcher Dropdown Project Language Switcher Dropdown

Open redirect vulnerability in the Language Switcher Dropdown module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a block.

5.8
2015-07-09 CVE-2015-5116 Adobe
Apple
Microsoft
Linux
Improper Access Control vulnerability in Adobe products

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, and CVE-2015-3125.

5.0
2015-07-09 CVE-2015-3125 Adobe
Linux
Apple
Microsoft
Improper Access Control vulnerability in Adobe products

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, and CVE-2015-5116.

5.0
2015-07-09 CVE-2015-3116 Adobe
Apple
Microsoft
Linux
Improper Access Control vulnerability in Adobe products

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2014-0578, CVE-2015-3115, CVE-2015-3125, and CVE-2015-5116.

5.0
2015-07-09 CVE-2015-3115 Adobe
Linux
Apple
Microsoft
Improper Access Control vulnerability in Adobe products

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2014-0578, CVE-2015-3116, CVE-2015-3125, and CVE-2015-5116.

5.0
2015-07-09 CVE-2015-3114 Adobe
Linux
Apple
Microsoft
Improper Access Control vulnerability in Adobe products

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors.

5.0
2015-07-09 CVE-2014-0578 Adobe
Linux
Apple
Microsoft
Improper Access Control vulnerability in Adobe products

Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, and CVE-2015-5116.

5.0
2015-07-08 CVE-2015-4616 Easy2Map Project Path Traversal vulnerability in Easy2Map Project Easy2Map

Directory traversal vulnerability in includes/MapPinImageSave.php in the Easy2Map plugin before 1.2.5 for WordPress allows remote attackers to create arbitrary files via a ..

5.0
2015-07-08 CVE-2015-4240 Cisco Resource Management Errors vulnerability in Cisco IP Communicator 8.6(4)

Cisco IP Communicator 8.6(4) allows remote attackers to cause a denial of service (service outage) via an unspecified URL in a GET request, aka Bug ID CSCuu37656.

5.0
2015-07-06 CVE-2015-1011 Hospira Information Exposure vulnerability in Hospira Lifecare Pcainfusion Firmware 5.0

Hospira LifeCare PCA Infusion System before 7.0 has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.

5.0
2015-07-06 CVE-2015-3957 Hospira Credentials Management vulnerability in Hospira products

Hospira LifeCare PCA Infusion System before 7.0 stores private keys and certificates, which has unspecified impact and attack vectors.

4.6
2015-07-10 CVE-2015-4236 Cisco Resource Management Errors vulnerability in Cisco products

Cisco AsyncOS on Email Security Appliance (ESA) devices with software 8.5.6-073, 8.5.6-074, and 9.0.0-461, when clustering is enabled, allows remote attackers to cause a denial of service (clustering and SSH outage) via a packet flood, aka Bug IDs CSCur13704 and CSCuq05636.

4.3
2015-07-10 CVE-2015-2963 Thoughtbot Cross-site Scripting vulnerability in Thoughtbot Paperclip

The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg.

4.3
2015-07-10 CVE-2015-4259 Cisco Cryptographic Issues vulnerability in Cisco Unified Computing System 1.5(3)/1.6(0.16)

The Integrated Management Controller on Cisco Unified Computing System (UCS) C servers with software 1.5(3) and 1.6(0.16) has a default SSL certificate, which makes it easier for man-in-the-middle attackers to bypass cryptographic protection mechanisms by leveraging knowledge of a private key, aka Bug IDs CSCum56133 and CSCum56177.

4.3
2015-07-10 CVE-2015-2969 Lemon S PHP Cross-site Scripting vulnerability in Lemon-S PHP Simple Oekaki BBS 1.20

Cross-site scripting (XSS) vulnerability in index.php in LEMON-S PHP Simple Oekaki BBS before 1.21 allows remote attackers to inject arbitrary web script or HTML via the oekakis parameter.

4.3
2015-07-10 CVE-2015-2967 Cacti Cross-site Scripting vulnerability in Cacti

Cross-site scripting (XSS) vulnerability in settings.php in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2015-07-10 CVE-2015-4260 Cisco Cross-site Scripting vulnerability in Cisco Hosted Collaboration Solution 10.6(1)Base

Cross-site scripting (XSS) vulnerability in Cisco Hosted Collaboration Solution 10.6(1) allows remote attackers to inject arbitrary web script or HTML via a crafted value in a URL, aka Bug ID CSCuu14862.

4.3
2015-07-08 CVE-2015-5460 Snorby Project Cross-site Scripting vulnerability in Snorby Project Snorby 2.6.2

Cross-site scripting (XSS) vulnerability in app/views/events/_menu.html.erb in Snorby 2.6.2 allows remote attackers to inject arbitrary web script or HTML via the title (cls.name variable) when creating a classification.

4.3
2015-07-08 CVE-2015-5456 Pivotx Cross-site Scripting vulnerability in Pivotx

Cross-site scripting (XSS) vulnerability in the form method in modules/formclass.php in PivotX before 2.3.11 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO, related to the "PHP_SELF" variable and form actions.

4.3
2015-07-08 CVE-2015-5455 Qualiteam Cross-site Scripting vulnerability in Qualiteam X-Cart

Cross-site scripting (XSS) vulnerability in X-Cart 4.5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors to install/.

4.3
2015-07-08 CVE-2015-5454 Nucleuscms Cross-site Scripting vulnerability in Nucleuscms Nucleus CMS 3.65/3.70

Cross-site scripting (XSS) vulnerability in Nucleus CMS allows remote attackers to inject arbitrary web script or HTML via the title parameter when adding a new item.

4.3
2015-07-08 CVE-2015-1796 Shibboleth 7PK - Security Features vulnerability in Shibboleth Identity Provider and Opensaml Java

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

4.3
2015-07-07 CVE-2015-2850 Antlabs Cross-site Scripting vulnerability in Antlabs products

Cross-site scripting (XSS) vulnerability in index-login.ant in the ANTlabs InnGate firmware on IG 3100, InnGate 3.01 E, InnGate 3.10 E, InnGate 3.10 M, SG 4, and SSG 4 devices allows remote attackers to inject arbitrary web script or HTML via the msg parameter.

4.3
2015-07-07 CVE-2015-3216 Redhat
Openssl
Race Condition vulnerability in multiple products

Race condition in a certain Red Hat patch to the PRNG lock implementation in the ssleay_rand_bytes function in OpenSSL, as distributed in openssl-1.0.1e-25.el7 in Red Hat Enterprise Linux (RHEL) 7 and other products, allows remote attackers to cause a denial of service (application crash) by establishing many TLS sessions to a multithreaded server, leading to use of a negative value for a certain length field.

4.3
2015-07-06 CVE-2014-9738 Tournament Project Cross-site Scripting vulnerability in Tournament Project Tournament 7.X1.0/7.X1.1

Multiple cross-site scripting (XSS) vulnerabilities in the Tournament module 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via an (1) account username, a (2) node title, or a (3) team entity title.

4.3
2015-07-06 CVE-2014-3653 Theforeman Cross-site Scripting vulnerability in Theforeman Foreman

Cross-site scripting (XSS) vulnerability in the template preview function in Foreman before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted provisioning template.

4.3
2015-07-06 CVE-2015-2742 Oracle
Mozilla
Information Exposure vulnerability in multiple products

Mozilla Firefox before 39.0 on OS X includes native key press information during the logging of crashes, which allows remote attackers to obtain sensitive information by leveraging access to a crash-reporting data stream.

4.3
2015-07-10 CVE-2015-4263 Cisco Information Exposure vulnerability in Cisco Mobility Services Engine 10.0(0.1)

The Control and Provisioning functionality in Cisco Mobility Services Engine (MSE) 10.0(0.1) allows remote authenticated users to obtain sensitive information by reading log files, aka Bug ID CSCut36851.

4.0

3 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-07-06 CVE-2014-9739 Node Field Project Cross-site Scripting vulnerability in Node Field Project Node Field

Cross-site scripting (XSS) vulnerability in the Node Field module 7.x-2.x before 7.x-2.45 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors involving internal fields.

3.5
2015-07-06 CVE-2015-4033 Samsung Information Exposure vulnerability in Samsung S-Beam

Samsung SBeam allows remote attackers to read arbitrary images by leveraging an NFC connection to access the HTTP server on port 15000.

3.3
2015-07-06 CVE-2014-9740 Rules Link Project Cross-site Scripting vulnerability in Rules Link Project Rules Link 7.X1.0

Cross-site scripting (XSS) vulnerability in the Rules Link module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer rules links" permission to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in the (1) question and (2) description strings in a confirmation form for a triggering Rules link.

2.1