Weekly Vulnerabilities Reports > July 6 to 12, 2015
Overview
94 new vulnerabilities were reported during this period, including 31 critical vulnerabilities and 15 high severity vulnerabilities. This weekly summary reports vulnerabilities in 89 products from 38 vendors, including Adobe, Linux, Apple, Microsoft, and Cisco. The most common weakness categories are "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Access Control", "Cross-Site Request Forgery (CSRF)", and "SQL Injection".
- 86 reported vulnerabilities are remotely exploitable.
- 10 reported vulnerabilities have a public exploit available.
- 31 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 88 reported vulnerabilities are exploitable by an anonymous user.
- Adobe has the most reported vulnerabilities, with 35 reported vulnerabilities.
- Adobe has the most reported critical vulnerabilities, with 28 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:
31 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-07-09 | CVE-2015-5118 | Adobe Apple Microsoft Linux | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products Heap-based buffer overflow in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3135 and CVE-2015-4432. | 10.0 |
2015-07-09 | CVE-2015-5117 | Adobe Linux Apple Microsoft | Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, and CVE-2015-4430. | 10.0 |
2015-07-09 | CVE-2015-4433 | Adobe Linux Apple Microsoft | Remote Code Execution vulnerability in Adobe Flash Player and AIR Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, and CVE-2015-3122. | 10.0 |
2015-07-09 | CVE-2015-4432 | Adobe Linux Apple Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products Heap-based buffer overflow in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3135 and CVE-2015-5118. | 10.0 |
2015-07-09 | CVE-2015-4431 | Adobe Linux Apple Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, and CVE-2015-3134. | 10.0 |
2015-07-09 | CVE-2015-4430 | Adobe Apple Microsoft Linux | Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, and CVE-2015-5117. | 10.0 |
2015-07-09 | CVE-2015-4429 | Adobe Linux Apple Microsoft | Remote Denial of Service vulnerability in Adobe Flash Player and AIR Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2015-3126. | 10.0 |
2015-07-09 | CVE-2015-4428 | Adobe Apple Microsoft Linux | Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4430, and CVE-2015-5117. | 10.0 |
2015-07-09 | CVE-2015-3137 | Adobe Apple Microsoft Linux | Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. | 10.0 |
2015-07-09 | CVE-2015-3136 | Adobe Apple Microsoft Linux | Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. | 10.0 |
2015-07-09 | CVE-2015-3135 | Adobe Apple Microsoft Linux | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products Heap-based buffer overflow in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-4432 and CVE-2015-5118. | 10.0 |
2015-07-09 | CVE-2015-3134 | Adobe Linux Apple Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, and CVE-2015-4431. | 10.0 |
2015-07-09 | CVE-2015-3133 | Adobe Linux Apple Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3134, and CVE-2015-4431. | 10.0 |
2015-07-09 | CVE-2015-3132 | Adobe Linux Apple Microsoft | Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. | 10.0 |
2015-07-09 | CVE-2015-3131 | Adobe Linux Apple Microsoft | Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. | 10.0 |
2015-07-09 | CVE-2015-3130 | Adobe Apple Microsoft Linux | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3117, CVE-2015-3123, CVE-2015-3133, CVE-2015-3134, and CVE-2015-4431. | 10.0 |
2015-07-09 | CVE-2015-3129 | Adobe Apple Microsoft Linux | Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. | 10.0 |
2015-07-09 | CVE-2015-3128 | Adobe Apple Microsoft Linux | Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3127, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. | 10.0 |
2015-07-09 | CVE-2015-3127 | Adobe Apple Microsoft Linux | Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3124, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. | 10.0 |
2015-07-09 | CVE-2015-3124 | Adobe Apple Microsoft Linux | Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3118, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. | 10.0 |
2015-07-09 | CVE-2015-3123 | Adobe Linux Apple Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3117, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, and CVE-2015-4431. | 10.0 |
2015-07-09 | CVE-2015-3122 | Adobe Apple Microsoft Linux | Remote Code Execution vulnerability in Adobe Flash Player and AIR Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3119, CVE-2015-3120, CVE-2015-3121, and CVE-2015-4433. | 10.0 |
2015-07-09 | CVE-2015-3121 | Adobe Linux Apple Microsoft | Remote Code Execution vulnerability in Adobe Flash Player and AIR Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3119, CVE-2015-3120, CVE-2015-3122, and CVE-2015-4433. | 10.0 |
2015-07-09 | CVE-2015-3120 | Adobe Linux Apple Microsoft | Incorrect Type Conversion or Cast vulnerability in Adobe products Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3119, CVE-2015-3121, CVE-2015-3122, and CVE-2015-4433. | 10.0 |
2015-07-09 | CVE-2015-3119 | Adobe Linux Apple Microsoft | Remote Code Execution vulnerability in Adobe Flash Player and AIR Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3120, CVE-2015-3121, CVE-2015-3122, and CVE-2015-4433. | 10.0 |
2015-07-09 | CVE-2015-3118 | Adobe Apple Microsoft Linux | Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR Use-after-free vulnerability in Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-3124, CVE-2015-3127, CVE-2015-3128, CVE-2015-3129, CVE-2015-3131, CVE-2015-3132, CVE-2015-3136, CVE-2015-3137, CVE-2015-4428, CVE-2015-4430, and CVE-2015-5117. | 10.0 |
2015-07-09 | CVE-2015-3117 | Adobe Linux Apple Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, and CVE-2015-4431. | 10.0 |
2015-07-06 | CVE-2015-3955 | Hospira | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Hospira Lifecare Pcainfusion Firmware 5.0 Stack-based buffer overflow in Hospira LifeCare PCA Infusion System 5.0 and earlier, and possibly other versions, allows remote attackers to execute arbitrary code via unspecified vectors. | 10.0 |
2015-07-06 | CVE-2015-5371 | Solarwinds | Remote Code Execution vulnerability in SolarWinds Storage Manager The AuthenticationFilter class in SolarWinds Storage Manager allows remote attackers to upload and execute arbitrary scripts via unspecified vectors. | 10.0 |
2015-07-08 | CVE-2015-5119 | Adobe Redhat Suse Opensuse | Use After Free vulnerability in multiple products Use-after-free vulnerability in the ByteArray class in the ActionScript 3 (AS3) implementation in Adobe Flash Player 13.x through 13.0.0.296 and 14.x through 18.0.0.194 on Windows and OS X and 11.x through 11.2.202.468 on Linux allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted Flash content that overrides a valueOf function, as exploited in the wild in July 2015. | 9.8 |
2015-07-06 | CVE-2014-5406 | Hospira | Insufficient Verification of Data Authenticity vulnerability in Hospira Lifecare Pcainfusion Firmware 5.0 The Hospira LifeCare PCA Infusion System before 7.0 does not validate network traffic associated with sending a (1) drug library, (2) software update, or (3) configuration change, which allows remote attackers to modify settings or medication data via packets on the (a) TELNET, (b) HTTP, (c) HTTPS, or (d) UPNP port. | 9.3 |
15 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-07-06 | CVE-2015-4034 | Samsung | Improper Access Control vulnerability in Samsung Galaxy S5 The createFromParcel method in the com.absolute.android.persistence.MethodSpec class in Samsung Galaxy S5s allows remote attackers to execute arbitrary files via a crafted Parcelable object in a serialized MethodSpec object. | 7.9 |
2015-07-08 | CVE-2015-4620 | ISC | Code vulnerability in ISC Bind name.c in named in ISC BIND 9.7.x through 9.9.x before 9.9.7-P1 and 9.10.x before 9.10.2-P2, when configured as a recursive resolver with DNSSEC validation, allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) by constructing crafted zone data and then making a query for a name in that zone. | 7.8 |
2015-07-06 | CVE-2015-3958 | Hospira | Data Processing Errors vulnerability in Hospira Lifecare Pcainfusion Firmware 5.0 Hospira LifeCare PCA Infusion System 5.0 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (forced manual reboot) via a flood of TCP packets. | 7.8 |
2015-07-06 | CVE-2015-4230 | Cisco | Resource Management Errors vulnerability in Cisco Headend System Release Memory leak in Cisco Headend System Release allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors, aka Bug ID CSCus91854. | 7.8 |
2015-07-09 | CVE-2015-3126 | Adobe Linux Apple Microsoft | Remote Denial of Service vulnerability in Adobe Flash Player and AIR Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to cause a denial of service (NULL pointer dereference) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2015-4429. | 7.5 |
2015-07-08 | CVE-2015-4614 | Easy2Map Project | SQL Injection vulnerability in Easy2Map Project Easy2Map Multiple SQL injection vulnerabilities in includes/Function.php in the Easy2Map plugin before 1.2.5 for WordPress allow remote attackers to execute arbitrary SQL commands via the mapName parameter in an e2m_img_save_map_name action to wp-admin/admin-ajax.php and other unspecified vectors. | 7.5 |
2015-07-08 | CVE-2015-5457 | Pivotx | Improper Input Validation vulnerability in Pivotx PivotX before 2.3.11 does not validate the new file extension when renaming a file with multiple extensions, which allows remote attackers to execute arbitrary code by uploading a crafted file, as demonstrated by a file named foo.php.php. | 7.5 |
2015-07-08 | CVE-2015-5452 | Watchguard | SQL Injection vulnerability in Watchguard XCS 10.0/9.2 SQL injection vulnerability in Watchguard XCS 9.2 and 10.0 before build 150522 allows remote attackers to execute arbitrary SQL commands via the sid cookie, as demonstrated by a request to borderpost/imp/compose.php3. | 7.5 |
2015-07-08 | CVE-2015-2866 | Grandstream | SQL Injection vulnerability in Grandstream Gxv3611 HD Firmware SQL injection vulnerability on the Grandstream GXV3611_HD camera with firmware before 1.0.3.9 beta allows remote attackers to execute arbitrary SQL commands by attempting to establish a TELNET session with a crafted username. | 7.5 |
2015-07-07 | CVE-2015-2849 | Antlabs | SQL Injection vulnerability in Antlabs products SQL injection vulnerability in main.ant in the ANTlabs InnGate firmware on IG 3100, InnGate 3.01 E, InnGate 3.10 E, InnGate 3.10 M, SG 4, and SSG 4 devices, when https is used, allows remote attackers to execute arbitrary SQL commands via the ppli parameter. | 7.5 |
2015-07-06 | CVE-2015-4648 | Panasonic | Improper Input Validation vulnerability in Panasonic Security API Activex SDK Stack-based buffer overflow in the Ipropsapi.ipropsapiCtrl.1 ActiveX control in ipropsapivideo in Panasonic Security API (PS-API) ActiveX SDK before 8.10.18 allows remote attackers to execute arbitrary code via a long string to the MulticastAddr method. | 7.5 |
2015-07-10 | CVE-2015-4526 | EMC | Improper Access Control vulnerability in EMC Recoverpoint for Virtual Machines 4.2 EMC RecoverPoint for Virtual Machines (VMs) 4.2 allows local users to obtain root-shell access by bypassing the Installation Manager Boxmgmt CLI interface. | 7.2 |
2015-07-10 | CVE-2015-3650 | Vmware | Improper Access Control vulnerability in VMWare Horizon View Client, Player and Workstation vmware-vmx.exe in VMware Workstation 7.x through 10.x before 10.0.7 and 11.x before 11.1.1, VMware Player 5.x and 6.x before 6.0.7 and 7.x before 7.1.1, and VMware Horizon Client 5.x local-mode before 5.4.2 on Windows does not provide a valid DACL pointer during the setup of the vprintproxy.exe process, which allows host OS users to gain host OS privileges by injecting a thread. | 7.2 |
2015-07-10 | CVE-2015-4244 | Cisco | OS Command Injection vulnerability in Cisco ASR 5000 Series Software 14.0 The boot implementation on Cisco ASR 5000 and 5500 devices with software 14.0 allows local users to execute arbitrary Linux commands by leveraging administrative privileges for storage of these commands in a Compact Flash (CF) file, aka Bug ID CSCuu75278. | 7.2 |
2015-07-06 | CVE-2015-2126 | HP | Permissions, Privileges, and Access Controls vulnerability in HP Hp-Ux 11.11Iv2/11.11Iv3 Unspecified vulnerability in pppoec in HP HP-UX 11iv2 and 11iv3 allows local users to gain privileges by leveraging setuid permissions. | 7.2 |
45 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-07-10 | CVE-2015-4254 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Telepresence Advanced Media Gateway 1.1(1.40) Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence Advanced Media Gateway devices with software 1.1(1.40) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu90732. | 6.8 |
2015-07-10 | CVE-2015-4258 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Telepresence MSE 8000 Series Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence MSE 8000 devices allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu90444. | 6.8 |
2015-07-10 | CVE-2015-4257 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Telepresence MCU Software 4.5(1.55) Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence MCU 4500 devices with software 4.5(1.55) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu90710. | 6.8 |
2015-07-10 | CVE-2015-4256 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Telepresence IP VCR 3.0 1.27 Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence IP VCR devices with software 3.0(1.27) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu90736. | 6.8 |
2015-07-10 | CVE-2015-4255 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Telepresence IP Gateway 2.0.3.34 Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence IP Gateway devices with software 2.0(3.34) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu90734. | 6.8 |
2015-07-10 | CVE-2015-4253 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Telepresence Serial Gateway 1.0.1.42 Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence Serial Gateway devices with software 1.0(1.42) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu90728. | 6.8 |
2015-07-10 | CVE-2015-4252 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Telepresence Isdn GW 3241 2.2(1.106) Cross-site request forgery (CSRF) vulnerability on Cisco TelePresence ISDN Gateway devices with software 2.2(1.106) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu90724. | 6.8 |
2015-07-08 | CVE-2015-5458 | Pivotx | Unspecified vulnerability in Pivotx Session fixation vulnerability in fileupload.php in PivotX before 2.3.11 allows remote attackers to hijack web sessions via the sess parameter. | 6.8 |
2015-07-08 | CVE-2015-4242 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco Firesight System Software 5.4.1.2/6.0.0 Cross-site request forgery (CSRF) vulnerability in Cisco FireSIGHT System Software 5.4.1.2 and 6.0.0 in FireSIGHT Management Center allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuu94721. | 6.8 |
2015-07-06 | CVE-2015-4647 | Panasonic | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Panasonic Security API Activex SDK Multiple stack-based buffer overflows in Ipropsapi in Panasonic Security API (PS-API) ActiveX SDK before 8.10.18 allow remote attackers to execute arbitrary code via a long string in the (1) FilePassword property or to the (2) GetStringInfo method. | 6.8 |
2015-07-09 | CVE-2015-1793 | Oracle Openssl | 7PK - Security Features vulnerability in multiple products The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains, which allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate. | 6.5 |
2015-07-08 | CVE-2015-5459 | Zohocorp | SQL Injection vulnerability in Zohocorp Manageengine Password Manager PRO SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary SQL commands via the ANDOR parameter, as demonstrated by a request to STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc. | 6.5 |
2015-07-08 | CVE-2015-5453 | Watchguard | Command Injection vulnerability in Watchguard XCS 10.0/9.2 Watchguard XCS 9.2 and 10.0 before build 150522 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the id parameter to ADMIN/mailqueue.spl. | 6.5 |
2015-07-10 | CVE-2015-2970 | Lemon S PHP | Path Traversal vulnerability in Lemon-S PHP Simple Oekaki index.php in LEMON-S PHP Simple Oekaki BBS before 1.21 allows remote attackers to delete arbitrary files via the oekakis parameter. | 6.4 |
2015-07-08 | CVE-2015-5461 | Stageshow Project | Unspecified vulnerability in Stageshow Project Stageshow Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. | 6.4 |
2015-07-08 | CVE-2015-4243 | Cisco | Resource Management Errors vulnerability in Cisco IOS XE 3.5.0S The PPPoE establishment implementation in Cisco IOS XE 3.5.0S on ASR 1000 devices allows remote attackers to cause a denial of service (device reload) by sending malformed PPPoE Active Discovery Request (PADR) packets on the local network, aka Bug ID CSCty94202. | 6.1 |
2015-07-08 | CVE-2014-8175 | Redhat | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Fuse 6.0.0/6.1.0 Red Hat JBoss Fuse before 6.2.0 allows remote authenticated users to bypass intended restrictions and access the HawtIO console by leveraging an account defined in the users.properties file. | 6.0 |
2015-07-06 | CVE-2014-9737 | Language Switcher Dropdown Project | Unspecified vulnerability in Language Switcher Dropdown Project Language Switcher Dropdown Open redirect vulnerability in the Language Switcher Dropdown module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a block. | 5.8 |
2015-07-09 | CVE-2015-5116 | Adobe Apple Microsoft Linux | Improper Access Control vulnerability in Adobe products Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, and CVE-2015-3125. | 5.0 |
2015-07-09 | CVE-2015-3125 | Adobe Linux Apple Microsoft | Improper Access Control vulnerability in Adobe products Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2014-0578, CVE-2015-3115, CVE-2015-3116, and CVE-2015-5116. | 5.0 |
2015-07-09 | CVE-2015-3116 | Adobe Apple Microsoft Linux | Improper Access Control vulnerability in Adobe products Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2014-0578, CVE-2015-3115, CVE-2015-3125, and CVE-2015-5116. | 5.0 |
2015-07-09 | CVE-2015-3115 | Adobe Linux Apple Microsoft | Improper Access Control vulnerability in Adobe products Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2014-0578, CVE-2015-3116, CVE-2015-3125, and CVE-2015-5116. | 5.0 |
2015-07-09 | CVE-2015-3114 | Adobe Linux Apple Microsoft | Improper Access Control vulnerability in Adobe products Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors. | 5.0 |
2015-07-09 | CVE-2014-0578 | Adobe Linux Apple Microsoft | Improper Access Control vulnerability in Adobe products Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2015-3115, CVE-2015-3116, CVE-2015-3125, and CVE-2015-5116. | 5.0 |
2015-07-08 | CVE-2015-4616 | Easy2Map Project | Path Traversal vulnerability in Easy2Map Project Easy2Map Directory traversal vulnerability in includes/MapPinImageSave.php in the Easy2Map plugin before 1.2.5 for WordPress allows remote attackers to create arbitrary files via a .. | 5.0 |
2015-07-08 | CVE-2015-4240 | Cisco | Resource Management Errors vulnerability in Cisco IP Communicator 8.6(4) Cisco IP Communicator 8.6(4) allows remote attackers to cause a denial of service (service outage) via an unspecified URL in a GET request, aka Bug ID CSCuu37656. | 5.0 |
2015-07-06 | CVE-2015-1011 | Hospira | Information Exposure vulnerability in Hospira Lifecare Pcainfusion Firmware 5.0 Hospira LifeCare PCA Infusion System before 7.0 has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. | 5.0 |
2015-07-06 | CVE-2015-3957 | Hospira | Credentials Management vulnerability in Hospira products Hospira LifeCare PCA Infusion System before 7.0 stores private keys and certificates, which has unspecified impact and attack vectors. | 4.6 |
2015-07-10 | CVE-2015-4236 | Cisco | Resource Management Errors vulnerability in Cisco products Cisco AsyncOS on Email Security Appliance (ESA) devices with software 8.5.6-073, 8.5.6-074, and 9.0.0-461, when clustering is enabled, allows remote attackers to cause a denial of service (clustering and SSH outage) via a packet flood, aka Bug IDs CSCur13704 and CSCuq05636. | 4.3 |
2015-07-10 | CVE-2015-2963 | Thoughtbot | Cross-site Scripting vulnerability in Thoughtbot Paperclip The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg. | 4.3 |
2015-07-10 | CVE-2015-4259 | Cisco | Cryptographic Issues vulnerability in Cisco Unified Computing System 1.5(3)/1.6(0.16) The Integrated Management Controller on Cisco Unified Computing System (UCS) C servers with software 1.5(3) and 1.6(0.16) has a default SSL certificate, which makes it easier for man-in-the-middle attackers to bypass cryptographic protection mechanisms by leveraging knowledge of a private key, aka Bug IDs CSCum56133 and CSCum56177. | 4.3 |
2015-07-10 | CVE-2015-2969 | Lemon S PHP | Cross-site Scripting vulnerability in Lemon-S PHP Simple Oekaki BBS 1.20 Cross-site scripting (XSS) vulnerability in index.php in LEMON-S PHP Simple Oekaki BBS before 1.21 allows remote attackers to inject arbitrary web script or HTML via the oekakis parameter. | 4.3 |
2015-07-10 | CVE-2015-2967 | Cacti | Cross-site Scripting vulnerability in Cacti Cross-site scripting (XSS) vulnerability in settings.php in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2015-07-10 | CVE-2015-4260 | Cisco | Cross-site Scripting vulnerability in Cisco Hosted Collaboration Solution 10.6(1)Base Cross-site scripting (XSS) vulnerability in Cisco Hosted Collaboration Solution 10.6(1) allows remote attackers to inject arbitrary web script or HTML via a crafted value in a URL, aka Bug ID CSCuu14862. | 4.3 |
2015-07-08 | CVE-2015-5460 | Snorby Project | Cross-site Scripting vulnerability in Snorby Project Snorby 2.6.2 Cross-site scripting (XSS) vulnerability in app/views/events/_menu.html.erb in Snorby 2.6.2 allows remote attackers to inject arbitrary web script or HTML via the title (cls.name variable) when creating a classification. | 4.3 |
2015-07-08 | CVE-2015-5456 | Pivotx | Cross-site Scripting vulnerability in Pivotx Cross-site scripting (XSS) vulnerability in the form method in modules/formclass.php in PivotX before 2.3.11 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO, related to the "PHP_SELF" variable and form actions. | 4.3 |
2015-07-08 | CVE-2015-5455 | Qualiteam | Cross-site Scripting vulnerability in Qualiteam X-Cart Cross-site scripting (XSS) vulnerability in X-Cart 4.5.0 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors to install/. | 4.3 |
2015-07-08 | CVE-2015-5454 | Nucleuscms | Cross-site Scripting vulnerability in Nucleuscms Nucleus CMS 3.65/3.70 Cross-site scripting (XSS) vulnerability in Nucleus CMS allows remote attackers to inject arbitrary web script or HTML via the title parameter when adding a new item. | 4.3 |
2015-07-08 | CVE-2015-1796 | Shibboleth | 7PK - Security Features vulnerability in Shibboleth Identity Provider and Opensaml Java The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor. | 4.3 |
2015-07-07 | CVE-2015-2850 | Antlabs | Cross-site Scripting vulnerability in Antlabs products Cross-site scripting (XSS) vulnerability in index-login.ant in the ANTlabs InnGate firmware on IG 3100, InnGate 3.01 E, InnGate 3.10 E, InnGate 3.10 M, SG 4, and SSG 4 devices allows remote attackers to inject arbitrary web script or HTML via the msg parameter. | 4.3 |
2015-07-07 | CVE-2015-3216 | Redhat Openssl | Race Condition vulnerability in multiple products Race condition in a certain Red Hat patch to the PRNG lock implementation in the ssleay_rand_bytes function in OpenSSL, as distributed in openssl-1.0.1e-25.el7 in Red Hat Enterprise Linux (RHEL) 7 and other products, allows remote attackers to cause a denial of service (application crash) by establishing many TLS sessions to a multithreaded server, leading to use of a negative value for a certain length field. | 4.3 |
2015-07-06 | CVE-2014-9738 | Tournament Project | Cross-site Scripting vulnerability in Tournament Project Tournament 7.X1.0/7.X1.1 Multiple cross-site scripting (XSS) vulnerabilities in the Tournament module 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via an (1) account username, a (2) node title, or a (3) team entity title. | 4.3 |
2015-07-06 | CVE-2014-3653 | Theforeman | Cross-site Scripting vulnerability in Theforeman Foreman Cross-site scripting (XSS) vulnerability in the template preview function in Foreman before 1.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted provisioning template. | 4.3 |
2015-07-06 | CVE-2015-2742 | Oracle Mozilla | Information Exposure vulnerability in multiple products Mozilla Firefox before 39.0 on OS X includes native key press information during the logging of crashes, which allows remote attackers to obtain sensitive information by leveraging access to a crash-reporting data stream. | 4.3 |
2015-07-10 | CVE-2015-4263 | Cisco | Information Exposure vulnerability in Cisco Mobility Services Engine 10.0(0.1) The Control and Provisioning functionality in Cisco Mobility Services Engine (MSE) 10.0(0.1) allows remote authenticated users to obtain sensitive information by reading log files, aka Bug ID CSCut36851. | 4.0 |
3 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2015-07-06 | CVE-2014-9739 | Node Field Project | Cross-site Scripting vulnerability in Node Field Project Node Field Cross-site scripting (XSS) vulnerability in the Node Field module 7.x-2.x before 7.x-2.45 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors involving internal fields. | 3.5 |
2015-07-06 | CVE-2015-4033 | Samsung | Information Exposure vulnerability in Samsung S-Beam Samsung SBeam allows remote attackers to read arbitrary images by leveraging an NFC connection to access the HTTP server on port 15000. | 3.3 |
2015-07-06 | CVE-2014-9740 | Rules Link Project | Cross-site Scripting vulnerability in Rules Link Project Rules Link 7.X1.0 Cross-site scripting (XSS) vulnerability in the Rules Link module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer rules links" permission to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in the (1) question and (2) description strings in a confirmation form for a triggering Rules link. | 2.1 |