Weekly Vulnerabilities Reports > August 17 to 23, 2015

Overview

182 new vulnerabilities were reported during this period, including 16 critical vulnerabilities and 32 high severity vulnerabilities. This weekly summary reports vulnerabilities in 141 products from 66 vendors, including Apple, Cisco, EMC, IBM, and HP. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-site Scripting", "Permissions, Privileges, and Access Controls", "Information Exposure", and "Improper Input Validation".

  • 162 reported vulnerabilities are remotely exploitable.
  • 10 reported vulnerabilities have a public exploit available.
  • 54 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 134 reported vulnerabilities are exploitable by an anonymous user.
  • Apple has the most reported vulnerabilities, with 51 reported vulnerabilities.
  • Apple has the most reported critical vulnerabilities, with 6 reported vulnerabilities.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:


16 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2015-08-22 | CVE-2015-2137 | HP | Remote Code Execution vulnerability in HP Operations Manager i | 10.0
  Unspecified vulnerability in HP Operations Manager i (OMi) 9.22, 9.23, 9.24, 9.25, 10.00, and 10.01 allows remote attackers to execute arbitrary code via unknown vectors.

2015-08-19 | CVE-2015-2502 | Microsoft | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft Internet Explorer | 9.3
  Microsoft Internet Explorer 7 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Memory Corruption Vulnerability," as exploited in the wild in August 2015.

2015-08-17 | CVE-2015-5784 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Mac OS X | 9.3
  runner in Install.framework in the Install Framework Legacy component in Apple OS X before 10.10.5 does not properly drop privileges, which allows attackers to execute arbitrary code in a privileged context via a crafted app.

2015-08-17 | CVE-2015-5783 | Apple | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Mac OS X | 9.3
  IOGraphics in Apple OS X before 10.10.5 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted app, a different vulnerability than CVE-2015-3770.

2015-08-17 | CVE-2015-5757 | Apple | Buffer Errors vulnerability in Apple iPhone OS and Mac OS X | 9.3
  libpthread in Apple iOS before 8.4.1 and OS X before 10.10.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via an app that uses a crafted syscall to interfere with locking.

2015-08-17 | CVE-2015-5754 | Apple | Race Condition vulnerability in Apple Mac OS X | 9.3
  Race condition in runner in Install.framework in the Install Framework Legacy component in Apple OS X before 10.10.5 allows attackers to execute arbitrary code in a privileged context via a crafted app that leverages incorrect privilege dropping associated with a locking error.

2015-08-17 | CVE-2015-3799 | Apple | Credentials Management vulnerability in Apple Mac OS X | 9.3
  The Apple ID OD plug-in in Apple OS X before 10.10.5 allows attackers to change arbitrary user passwords via a crafted app.

2015-08-17 | CVE-2015-3795 | Apple | Buffer Errors vulnerability in Apple iPhone OS and Mac OS X | 9.3
  libxpc in Apple iOS before 8.4.1 and OS X before 10.10.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app that sends a malformed XPC message.

2015-08-23 | CVE-2015-2908 | Mobile Devices | Insufficient Verification of Data Authenticity vulnerability in Mobile Devices C4 OBD-II Dongle Firmware | 9.0
  ** DISPUTED ** Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, do not validate firmware updates, which allows remote attackers to execute arbitrary code by specifying an update server.

2015-08-23 | CVE-2015-2907 | Mobile Devices | Unspecified vulnerability in Mobile Devices C4 OBD-II Dongle Firmware | 9.0
  ** DISPUTED ** Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, have hardcoded SSH credentials, which makes it easier for remote attackers to obtain access by leveraging knowledge of the required username and password.

2015-08-23 | CVE-2015-2906 | Mobile Devices | Unspecified vulnerability in Mobile Devices C4 OBD-II Dongle Firmware | 9.0
  ** DISPUTED ** Mobile Devices (aka MDI) C4 OBD-II dongles with firmware 2.x and 3.4.x, as used in Metromile Pulse and other products, store SSH private keys that are the same across different customers' installations, which makes it easier for remote attackers to obtain access by leveraging knowledge of a private key from another installation.

2015-08-22 | CVE-2015-5406 | HP | Information Disclosure vulnerability in Multiple HP CentralView Products | 9.0
  HP CentralView Fraud Risk Management 11.1, 11.2, and 11.3; CentralView Revenue Leakage Control 4.1, 4.2, and 4.3; CentralView Dealer Performance Audit 2.0 and 2.1; CentralView Credit Risk Control 2.1, 2.2, and 2.3; CentralView Roaming Fraud Control 2.1, 2.2, and 2.3; and CentralView Subscription Fraud Prevention 2.0 and 2.1 allow remote attackers to obtain sensitive information via unspecified vectors, a different vulnerability than CVE-2015-5407 and CVE-2015-5408.

2015-08-20 | CVE-2015-4534 | EMC | Improper Input Validation vulnerability in EMC Documentum Content Server | 9.0
  Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 allows remote authenticated users to execute arbitrary code by forging a signature for a query string that lacks the method_verb parameter.

2015-08-20 | CVE-2015-4533 | EMC | Permissions, Privileges, and Access Controls vulnerability in EMC Documentum Content Server | 9.0
  EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization after creation of an object, which allows remote authenticated users to execute arbitrary code with super-user privileges via a custom script.

2015-08-20 | CVE-2015-4532 | EMC | Permissions, Privileges, and Access Controls vulnerability in EMC Documentum Content Server | 9.0
  EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization and does not properly restrict object types, which allows remote authenticated users to run save RPC commands with super-user privileges, and consequently execute arbitrary code, via unspecified vectors.

2015-08-20 | CVE-2015-4531 | EMC | Permissions, Privileges, and Access Controls vulnerability in EMC Documentum Content Server | 9.0
  EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02 does not properly check authorization for subgroups of privileged groups, which allows remote authenticated sysadmins to gain super-user privileges, and bypass intended restrictions on data access and server actions, via unspecified vectors.

32 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2015-08-23 | CVE-2015-2904 | Actiontec | Unspecified vulnerability in Actiontec NCS01 Firmware | 8.3
  Actiontec GT784WN modems with firmware before NCS01-1.0.13 have hardcoded credentials, which makes it easier for remote attackers to obtain root access by connecting to the web administration interface.

2015-08-22 | CVE-2014-1972 | Apache | Resource Management Errors vulnerability in Apache Tapestry 5.3.5 | 7.8
  Apache Tapestry before 5.3.6 relies on client-side object storage without checking whether a client has modified an object, which allows remote attackers to cause a denial of service (resource consumption) or execute arbitrary code via crafted serialized data.

2015-08-20 | CVE-2015-4535 | EMC | Permissions, Privileges, and Access Controls vulnerability in EMC Documentum Content Server | 7.5
  Java Method Server (JMS) in EMC Documentum Content Server before 6.7SP1 P32, 6.7SP2 before P25, 7.0 before P19, 7.1 before P16, and 7.2 before P02, when __debug_trace__ is configured, allows remote authenticated users to gain super-user privileges by leveraging the ability to read a log file containing a login ticket.

2015-08-20 | CVE-2015-0537 | EMC | Numeric Errors vulnerability in EMC RSA BSAFE and RSA BSAFE SSL-C | 7.5
  Integer underflow in the base64-decoding implementation in EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x before 4.1.3, RSA BSAFE Crypto-C Micro Edition (Crypto-C ME) before 4.0.4 and 4.1, and RSA BSAFE SSL-C 2.8.9 and earlier allows remote attackers to cause a denial of service (memory corruption or segmentation fault) or possibly have unspecified other impact via crafted base64 data, a similar issue to CVE-2015-0292.

2015-08-19 | CVE-2015-6522 | Wpsymposium | SQL Injection vulnerability in Wpsymposium WP Symposium | 7.5
  SQL injection vulnerability in the WP Symposium plugin before 15.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the size parameter to get_album_item.php.

2015-08-19 | CVE-2015-5621 | Net-SNMP | Data Processing Errors vulnerability in Net-SNMP | 7.5
  The snmp_pdu_parse function in snmp_api.c in net-snmp 5.7.2 and earlier does not remove the varBind variable in a netsnmp_variable_list item when parsing of the SNMP PDU fails, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted packet.

2015-08-18 | CVE-2015-6519 | Arabportal | SQL Injection vulnerability in Arabportal Arab Portal 3.0 | 7.5
  SQL injection vulnerability in Arab Portal 3 allows remote attackers to execute arbitrary SQL commands via the showemail parameter in a signup action to members.php.

2015-08-18 | CVE-2015-5504 | Novalnet | SQL Injection vulnerability in Novalnet Payment Module Ubercart- | 7.5
  SQL injection vulnerability in the Novalnet Payment Module Ubercart module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

2015-08-18 | CVE-2015-5502 | Storage API Project | Improper Access Control vulnerability in Storage API Project Storage API | 7.5
  The Storage API module 7.x-1.x before 7.x-1.8 for Drupal does not properly restrict access to Storage API fields attached to entities that are not nodes, which allows remote attackers to have unspecified impact via unknown vectors.

2015-08-18 | CVE-2015-5501 | Aegirproject | 7PK - Security Features vulnerability in Aegirproject Hostmaster | 7.5
  The Hostmaster (Aegir) module 6.x-2.x before 6.x-2.4 and 7.x-3.x before 7.x-3.0-beta2 for Drupal allows remote attackers to execute arbitrary PHP code via a crafted file in the directory used to write Apache vhost files for hosted sites in a multi-site environment.

2015-08-18 | CVE-2015-4426 | Pimcore | SQL Injection vulnerability in Pimcore | 7.5
  SQL injection vulnerability in pimcore before build 3473 allows remote attackers to execute arbitrary SQL commands via the filter parameter to admin/asset/grid-proxy.

2015-08-18 | CVE-2015-6513 | J2Store | SQL Injection vulnerability in J2Store | 7.5
  Multiple SQL injection vulnerabilities in the J2Store (com_j2store) extension before 3.1.7 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) sortby or (2) manufacturer_ids[] parameter to index.php.

2015-08-18 | CVE-2015-5681 | Wpslideshow | Unspecified vulnerability in Wpslideshow Powerplay Gallery 3.3 | 7.5
  Unrestricted file upload vulnerability in upload.php in the Powerplay Gallery plugin 3.3 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in *_uploadfolder/big/.

2015-08-18 | CVE-2015-5599 | Powerplay Gallery Project | SQL Injection vulnerability in Powerplay Gallery Project Powerplay Gallery 3.3 | 7.5
  Multiple SQL injection vulnerabilities in upload.php in the Powerplay Gallery plugin 3.3 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) albumid or (2) name parameter.

2015-08-17 | CVE-2015-5779 | Apple | Buffer Errors vulnerability in Apple QuickTime 7.0 | 7.5
  QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted file, a different vulnerability than CVE-2015-3765, CVE-2015-3779, CVE-2015-3788, CVE-2015-3789, CVE-2015-3790, CVE-2015-3791, CVE-2015-3792, CVE-2015-5751, and CVE-2015-5753.

2015-08-17 | CVE-2015-5776 | Apple | Buffer Errors vulnerability in Apple iPhone OS and Mac OS X | 7.5
  Libinfo in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by leveraging use of an AF_INET6 socket.

2015-08-17 | CVE-2015-5775 | Apple | Buffer Errors vulnerability in Apple iPhone OS and Mac OS X | 7.5
  FontParser in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted font file, a different vulnerability than CVE-2015-3804 and CVE-2015-5756.

2015-08-17 | CVE-2015-5750 | Apple | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Mac OS X | 7.5
  Data Detectors Engine in Apple OS X before 10.10.5 allows attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted series of Unicode characters.

2015-08-17 | CVE-2015-3804 | Apple | Buffer Errors vulnerability in Apple iPhone OS and Mac OS X | 7.5
  FontParser in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted font file, a different vulnerability than CVE-2015-5756 and CVE-2015-5775.

2015-08-17 | CVE-2015-3798 | Apple | Buffer Errors vulnerability in Apple iPhone OS and Mac OS X | 7.5
  The TRE library in Libc in Apple iOS before 8.4.1 and OS X before 10.10.5 allows context-dependent attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted regular expression, a different vulnerability than CVE-2015-3796 and CVE-2015-3797.

2015-08-17 | CVE-2015-3797 | Apple | Buffer Errors vulnerability in Apple iPhone OS and Mac OS X | 7.5
  The TRE library in Libc in Apple iOS before 8.4.1 and OS X before 10.10.5 allows context-dependent attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted regular expression, a different vulnerability than CVE-2015-3796 and CVE-2015-3798.

2015-08-17 | CVE-2015-3796 | Apple | Buffer Errors vulnerability in Apple iPhone OS and Mac OS X | 7.5
  The TRE library in Libc in Apple iOS before 8.4.1 and OS X before 10.10.5 allows context-dependent attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted regular expression, a different vulnerability than CVE-2015-3797 and CVE-2015-3798.

2015-08-23 | CVE-2015-1992 | IBM | Local Privilege Escalation vulnerability in IBM Systems Director | 7.2
  IBM Systems Director 5.2.x, 6.1.x, 6.2.0.x, 6.2.1.x, 6.3.0.0, 6.3.1.x, 6.3.2.x, 6.3.3.x, 6.3.5.0, and 6.3.6.0 improperly processes events, which allows local users to gain privileges via unspecified vectors.

2015-08-20 | CVE-2015-4327 | Cisco | Improper Input Validation vulnerability in Cisco TelePresence Video Communication Server Software X8.5.2 | 7.2
  The CLI in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows local users to obtain root privileges by writing script arguments to an unspecified file, aka Bug ID CSCuv12542.

2015-08-17 | CVE-2015-5774 | Apple | Buffer Errors vulnerability in Apple iPhone OS and Mac OS X | 7.2
  Buffer overflow in IOHIDFamily in Apple iOS before 8.4.1 and OS X before 10.10.5 allows local users to gain privileges via unspecified vectors.

2015-08-17 | CVE-2015-5763 | Apple | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Apple Mac OS X | 7.2
  ntfs in Apple OS X before 10.10.5 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors.

2015-08-17 | CVE-2015-3806 | Apple | Improper Access Control vulnerability in Apple iPhone OS and Mac OS X | 7.2
  Apple iOS before 8.4.1 and OS X before 10.10.5 allow local users to bypass a code-signing protection mechanism by appending code to a crafted executable file.

2015-08-17 | CVE-2015-3805 | Apple | Improper Input Validation vulnerability in Apple iPhone OS and Mac OS X | 7.2
  Apple iOS before 8.4.1 and OS X before 10.10.5 allow local users to bypass a code-signing protection mechanism via a crafted Mach-O file, a different vulnerability than CVE-2015-3802.

2015-08-17 | CVE-2015-3803 | Apple | Improper Input Validation vulnerability in Apple iPhone OS and Mac OS X | 7.2
  Apple iOS before 8.4.1 and OS X before 10.10.5 allow local users to bypass a code-signing protection mechanism via a crafted multi-architecture executable file.

2015-08-17 | CVE-2015-3802 | Apple | Improper Input Validation vulnerability in Apple iPhone OS and Mac OS X | 7.2
  Apple iOS before 8.4.1 and OS X before 10.10.5 allow local users to bypass a code-signing protection mechanism via a crafted Mach-O file, a different vulnerability than CVE-2015-3805.

2015-08-17 | CVE-2015-3800 | Apple | Buffer Errors vulnerability in Apple iPhone OS and Mac OS X | 7.2
  The DiskImages component in Apple iOS before 8.4.1 and OS X before 10.10.5 allows local users to gain privileges or cause a denial of service (memory corruption and application crash) via a malformed DMG image.

2015-08-17 | CVE-2015-5769 | Apple | Multiple Security vulnerability in Apple iOS APPLE-SA-2015-08-13-3 | 7.1
  The MSVDX driver in Apple iOS before 8.4.1 allows remote attackers to cause a denial of service (device crash) via a crafted video.

116 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-08-23 CVE-2015-2905 Actiontec Cross-Site Request Forgery (CSRF) vulnerability in Actiontec Ncs01 Firmware

Cross-site request forgery (CSRF) vulnerability on Actiontec GT784WN modems with firmware before NCS01-1.0.13 allows remote attackers to hijack the authentication or intranet connectivity of arbitrary users.

6.8
2015-08-22 CVE-2015-2983 PHP Kobo Cross-Site Request Forgery (CSRF) vulnerability in PHP Kobo Photo Gallery CMS Free 1.0.0/1.0.1

Cross-site request forgery (CSRF) vulnerability in admin.php in PHP Kobo Photo Gallery CMS for PC, smartphone and feature phone 1.0.1 Free and earlier allows remote attackers to hijack the authentication of arbitrary users.

6.8
2015-08-20 CVE-2015-4530 EMC Cross-Site Request Forgery (CSRF) vulnerability in EMC products

Cross-site request forgery (CSRF) vulnerability in EMC Documentum WebTop before 6.8P01, Documentum Administrator through 7.2, Documentum Digital Assets Manager through 6.5SP6, Documentum Web Publishers through 6.5SP7, and Documentum Task Space through 6.7SP2 allows remote attackers to hijack the authentication of arbitrary users.

6.8
2015-08-20 CVE-2015-0542 EMC Cross-Site Request Forgery (CSRF) vulnerability in EMC RSA Archer Egrc 5.5

Multiple cross-site request forgery (CSRF) vulnerabilities in EMC RSA Archer GRC 5.5 SP1 before P3 allow remote attackers to hijack the authentication of arbitrary users.

6.8
2015-08-19 CVE-2015-6523 Portfolio Project Cross-Site Request Forgery (CSRF) vulnerability in Portfolio Project Portfolio 1.0

Cross-site request forgery (CSRF) vulnerability in the Portfolio plugin before 1.05 for WordPress allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via a request to the instagram-portfolio page in wp-admin/options-general.php.

6.8
2015-08-19 CVE-2015-4308 Cisco Information Exposure vulnerability in Cisco Edge Bluebird Operating System 1.2

The webGUI configuration-export feature in Cisco Edge Bluebird Operating System 1.2 on Edge 340 devices allows remote authenticated users to obtain sensitive information via unspecified vectors, aka Bug ID CSCuu43968.

6.8
2015-08-19 CVE-2015-4301 Cisco Resource Management Errors vulnerability in Cisco Nx-Os 11.1(1C)

Cisco NX-OS on Nexus 9000 devices 11.1(1c) allows remote authenticated users to cause a denial of service (device hang) via large files that are copied to a device's filesystem, aka Bug ID CSCuu77225.

6.8
2015-08-18 CVE-2015-6517 Phpliteadmin Project Cross-Site Request Forgery (CSRF) vulnerability in PHPliteadmin Project PHPliteadmin 1.1

Cross-site request forgery (CSRF) vulnerability in phpLiteAdmin 1.1 allows remote attackers to hijack the authentication of users for requests that drop database tables via the droptable parameter to phpliteadmin.php.

6.8
2015-08-18 CVE-2015-5505 Codfront Labs Code vulnerability in Codfront Labs Http Strict Transport Security

The HTTP Strict Transport Security (HSTS) module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the "include subdomains" directive, which causes the HSTS policy to not be applied to subdomains and allows man-in-the-middle attackers to have unspecified impact via unknown vectors.

6.8
2015-08-17 CVE-2015-5778 Apple Buffer Errors vulnerability in Apple Iphone OS and mac OS X

CoreMedia Playback in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file, a different vulnerability than CVE-2015-5777.

6.8
2015-08-17 CVE-2015-5777 Apple Buffer Errors vulnerability in Apple Iphone OS and mac OS X

CoreMedia Playback in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file, a different vulnerability than CVE-2015-5778.

6.8
2015-08-17 CVE-2015-5773 Apple Buffer Errors vulnerability in Apple Iphone OS and mac OS X

QL Office in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted office document.

6.8
2015-08-17 CVE-2015-5772 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X

Heap-based buffer overflow in SceneKit in Apple OS X before 10.10.5 allows remote attackers to execute arbitrary code via a crafted Collada file.

6.8
2015-08-17 CVE-2015-5771 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X

Quartz Composer Framework in Apple OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted QuickTime file.

6.8
2015-08-17 CVE-2015-5761 Apple Buffer Errors vulnerability in Apple Iphone OS, Itunes and mac OS X

CoreText in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted font file, a different vulnerability than CVE-2015-5755.

6.8
2015-08-17 CVE-2015-5758 Apple Buffer Errors vulnerability in Apple Iphone OS and mac OS X

ImageIO in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted TIFF image.

6.8
2015-08-17 CVE-2015-5756 Apple Buffer Errors vulnerability in Apple Iphone OS and mac OS X

FontParser in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted font file, a different vulnerability than CVE-2015-3804 and CVE-2015-5775.

6.8
2015-08-17 CVE-2015-5755 Apple Buffer Errors vulnerability in Apple Iphone OS, Itunes and mac OS X

CoreText in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted font file, a different vulnerability than CVE-2015-5761.

6.8
2015-08-17 CVE-2015-5753 Apple Buffer Errors vulnerability in Apple Quicktime 7.0.0

QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted file, a different vulnerability than CVE-2015-3765, CVE-2015-3779, CVE-2015-3788, CVE-2015-3789, CVE-2015-3790, CVE-2015-3791, CVE-2015-3792, CVE-2015-5751, and CVE-2015-5779.

6.8
2015-08-17 CVE-2015-5751 Apple Buffer Errors vulnerability in Apple Quicktime 7.0.0

QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted file, a different vulnerability than CVE-2015-3765, CVE-2015-3779, CVE-2015-3788, CVE-2015-3789, CVE-2015-3790, CVE-2015-3791, CVE-2015-3792, CVE-2015-5753, and CVE-2015-5779.

6.8
2015-08-17 CVE-2015-3794 Apple Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple mac OS X

The Speech UI in Apple OS X before 10.10.5, when speech alerts are enabled, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Unicode string.

6.8
2015-08-17 CVE-2015-3792 Apple Buffer Errors vulnerability in Apple Quicktime 7.0.0

QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted file, a different vulnerability than CVE-2015-3765, CVE-2015-3779, CVE-2015-3788, CVE-2015-3789, CVE-2015-3790, CVE-2015-3791, CVE-2015-5751, CVE-2015-5753, and CVE-2015-5779.

6.8
2015-08-17 CVE-2015-3791 Apple Buffer Errors vulnerability in Apple Quicktime 7.0.0

QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted file, a different vulnerability than CVE-2015-3765, CVE-2015-3779, CVE-2015-3788, CVE-2015-3789, CVE-2015-3790, CVE-2015-3792, CVE-2015-5751, CVE-2015-5753, and CVE-2015-5779.

6.8
2015-08-17 CVE-2015-3790 Apple Buffer Errors vulnerability in Apple Quicktime 7.0.0

QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted file, a different vulnerability than CVE-2015-3765, CVE-2015-3779, CVE-2015-3788, CVE-2015-3789, CVE-2015-3791, CVE-2015-3792, CVE-2015-5751, CVE-2015-5753, and CVE-2015-5779.

6.8
2015-08-17 CVE-2015-3789 Apple Buffer Errors vulnerability in Apple Quicktime 7.0.0

QuickTime 7 in Apple OS X before 10.10.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted file, a different vulnerability than CVE-2015-3765, CVE-2015-3779, CVE-2015-3788, CVE-2015-3790, CVE-2015-3791, CVE-2015-3792, CVE-2015-5751, CVE-2015-5753, and CVE-2015-5779.

6.8
2015-08-20 CVE-2015-4329 Cisco Improper Input Validation vulnerability in Cisco Telepresence Video Communication Server Software X8.5.2

The administrator web interface in Cisco TelePresence Video Communication Server (VCS) X8.5.2 allows remote authenticated users to execute arbitrary OS commands via crafted HTTP requests, aka Bug ID CSCuv11796.

6.5
2015-08-20 CVE-2015-4303 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco Telepresence Video Communication Server Software X8.5.2

Cisco TelePresence Video Communication Server (VCS) X8.5.2 allows remote authenticated users to execute arbitrary commands in the context of the nobody user account via an unspecified web-page parameter, aka Bug ID CSCuv12333.

6.5
2015-08-19 CVE-2015-4298 Cisco Improper Access Control vulnerability in Cisco Unified web and E-Mail Interaction Manager 11.0(1)/9.0(2)

Cisco Unified Web and E-Mail Interaction Manager 9.0(2) and 11.0(1) improperly performs authorization, which allows remote authenticated users to read or write to stored data via unspecified vectors, aka Bug ID CSCuo89056.

6.5
2015-08-18 CVE-2015-6516 Cygnux SQL Injection vulnerability in Cygnux Syspass

SQL injection vulnerability in cygnux.org sysPass 1.0.9 and earlier allows remote authenticated users to execute arbitrary SQL commands via the search parameter to ajax/ajax_search.php.

6.5
2015-08-19 CVE-2015-4302 Cisco Improper Access Control vulnerability in Cisco Firesight System Software 5.3.1.4

The web interface in Cisco FireSIGHT Management Center 5.3.1.4 allows remote attackers to delete arbitrary system policies via modified parameters in a POST request, aka Bug ID CSCuu25390.

6.4
2015-08-18 CVE-2015-4670 Devexpress Path Traversal vulnerability in Devexpress Ajax Control Toolkit 15.0

Directory traversal vulnerability in the AjaxFileUpload control in DevExpress AJAX Control Toolkit (aka AjaxControlToolkit) before 15.1 allows remote attackers to write to arbitrary files via a ..

6.4
2015-08-19 CVE-2015-4323 Cisco Buffer Errors vulnerability in Cisco MDS 9000 Nx-Os and Nx-Os

Buffer overflow in Cisco NX-OS on Nexus 1000V devices for VMware vSphere 7.3(0)ZN(0.9); Nexus 3000 devices 6.0(2)U5(1.41), 7.0(3)I2(0.373), and 7.3(0)ZN(0.83); Nexus 4000 devices 4.1(2)E1(1b); Nexus 7000 devices 6.2(14)S1; Nexus 9000 devices 7.3(0)ZN(0.9); and MDS 9000 devices 6.2 (13) and 7.1(0)ZN(91.99) and MDS SAN-OS 7.1(0)ZN(91.99) allows remote attackers to cause a denial of service (device outage) via a crafted ARP packet, related to incorrect MTU validation, aka Bug IDs CSCuv71933, CSCuv61341, CSCuv61321, CSCuu78074, CSCut37060, CSCuv61266, CSCuv61351, CSCuv61358, and CSCuv61366.

6.1
2015-08-19 CVE-2015-4324 Cisco Buffer Errors vulnerability in Cisco Nx-Os 4.1(2)E1(1C)/7.2(0)N1(0.1)/7.3(0)Zn(0.81)

Buffer overflow in Cisco NX-OS on Nexus 1000V devices for VMware vSphere 7.3(0)ZN(0.81), Nexus 3000 devices 7.3(0)ZN(0.81), Nexus 4000 devices 4.1(2)E1(1c), Nexus 7000 devices 7.2(0)N1(0.1), and Nexus 9000 devices 7.3(0)ZN(0.81) allows remote attackers to cause a denial of service (IGMP process restart) via a malformed IGMPv3 packet that is mishandled during memory allocation, aka Bug IDs CSCuv69713, CSCuv69717, CSCuv69723, CSCuv69732, and CSCuv48908.

6.1
2015-08-22 CVE-2015-5408 HP Local Unspecified Information Disclosure vulnerability in Multiple HP CentralView Products

HP CentralView Fraud Risk Management 11.1, 11.2, and 11.3; CentralView Revenue Leakage Control 4.1, 4.2, and 4.3; CentralView Dealer Performance Audit 2.0 and 2.1; CentralView Credit Risk Control 2.1, 2.2, and 2.3; CentralView Roaming Fraud Control 2.1, 2.2, and 2.3; and CentralView Subscription Fraud Prevention 2.0 and 2.1 allow remote attackers to obtain sensitive information via unspecified vectors, a different vulnerability than CVE-2015-5406 and CVE-2015-5407.

6.0
2015-08-22 CVE-2015-5407 HP Local Unspecified Information Disclosure vulnerability in Multiple HP CentralView Products

HP CentralView Fraud Risk Management 11.1, 11.2, and 11.3; CentralView Revenue Leakage Control 4.1, 4.2, and 4.3; CentralView Dealer Performance Audit 2.0 and 2.1; CentralView Credit Risk Control 2.1, 2.2, and 2.3; CentralView Roaming Fraud Control 2.1, 2.2, and 2.3; and CentralView Subscription Fraud Prevention 2.0 and 2.1 allow remote attackers to obtain sensitive information via unspecified vectors, a different vulnerability than CVE-2015-5406 and CVE-2015-5408.

6.0
2015-08-18 CVE-2015-5509 Administration Views Project Permissions, Privileges, and Access Controls vulnerability in Administration Views Project Administration Views

The Administration Views module 7.x-1.x before 7.x-1.4 for Drupal, when used with other unspecified modules, does not properly grant access to administration pages, which allows remote administrators to bypass intended restrictions via unspecified vectors.

6.0
2015-08-17 CVE-2015-6254 Picketlink Code vulnerability in Picketlink

The (1) Service Provider (SP) and (2) Identity Provider (IdP) in PicketLink before 2.7.0 does not ensure that the Destination attribute in a Response element in a SAML assertion matches the location from which the message was received, which allows remote attackers to have unspecified impact via unknown vectors.

6.0
2015-08-17 CVE-2015-0277 Picketlink Improper Access Control vulnerability in Picketlink

The Service Provider (SP) in PicketLink before 2.7.0 does not ensure that it is a member of an Audience element when an AudienceRestriction is specified, which allows remote attackers to log in to other users' accounts via a crafted SAML assertion.

6.0
2015-08-23 CVE-2015-2014 IBM Open Redirect vulnerability in IBM Domino

Open redirect vulnerability in the web server in IBM Domino 8.5 before 8.5.3 FP6 IF9 and 9.0 before 9.0.1 FP4 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting (XSS) attacks via a crafted URL, aka SPR SJAR9DNGDA.

5.8
2015-08-19 CVE-2015-4297 Cisco Open Redirection vulnerability in Cisco WebEx Node for MCS

Open redirect vulnerability in Cisco WebEx Node for Media Convergence Server (MCS) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted HTTP request parameters, aka Bug ID CSCuv32136.

5.8
2015-08-18 CVE-2015-5510 Content Construction KIT Project Open Redirect vulnerability in Content Construction KIT Project Content Construction KIT

Open redirect vulnerability in the Content Construction Kit (CCK) 6.x-2.x before 6.x-2.10 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the destinations parameter, related to administration pages.

5.8
2015-08-18 CVE-2015-5503 Chamilo Integration Project Open Redirect vulnerability in Chamilo Integration Project Chamilo Integration 7.X1.0/7.X1.1

Open redirect vulnerability in the Chamilo integration module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters.

5.8
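The four entries above (IBM Domino, Cisco WebEx Node, the Drupal CCK and Chamilo modules) share one root cause: a redirect target taken from a request parameter is passed to the Location header without confirming it still points at the application. The check below is an added example, not code from any of those products; the allowed host, fallback page and current URL are constructed for illustration.

```python
"""Allow-list check for a user-controlled redirect target (the "destination"
style parameter in the four open-redirect entries above).

Added example, not code from Drupal, IBM Domino or Cisco WebEx. The host
allow-list, fallback page and current URL are constructed for illustration.
"""
from urllib.parse import urljoin, urlsplit

ALLOWED_HOSTS = {"app.example.com"}            # assumed: the application's own host(s)
FALLBACK = "https://app.example.com/"          # assumed: safe landing page
CURRENT_URL = "https://app.example.com/login"  # assumed: page handling the request


def safe_redirect(target: str, current_url: str = CURRENT_URL) -> str:
    """Return an absolute URL on an allowed host, or FALLBACK.

    The value returned is the *resolved* URL, never the raw parameter, so
    browser-specific parsing quirks in the input cannot survive into the
    Location header.
    """
    if not target or any(ord(c) < 0x20 or c.isspace() for c in target):
        return FALLBACK                      # empty, control chars, whitespace
    # Browsers treat "\" like "/" before the authority, so "/\evil.com" is a
    # protocol-relative URL to evil.com; normalise before parsing.
    candidate = target.replace("\\", "/")
    # Resolve against the current page so relative and protocol-relative
    # inputs ("//evil.com/x") are judged by the host they will really reach.
    resolved = urlsplit(urljoin(current_url, candidate))
    if resolved.scheme not in ("http", "https"):
        return FALLBACK                      # javascript:, data:, mailto:, ...
    if resolved.username is not None or resolved.password is not None:
        return FALLBACK                      # https://app.example.com@evil.com/
    if resolved.hostname is None or resolved.hostname not in ALLOWED_HOSTS:
        return FALLBACK                      # wrong host, or app.example.com.evil.com
    return resolved.geturl()
```

Returning the resolved URL rather than echoing the parameter matters: Python's urljoin turns "///evil.com" into a path on the current host, while some browsers would read the raw string as a URL to evil.com, so only the normalised form should ever reach the response.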
2015-08-17 CVE-2015-5770 Apple Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS

MobileInstallation in Apple iOS before 8.4.1 does not ensure the uniqueness of universal provisioning profile bundle IDs, which allows attackers to replace arbitrary extensions via a crafted enterprise app.

5.8
2015-08-23 CVE-2015-2873 Trend Micro Authentication Bypass vulnerability in Trend Micro Deep Discovery Inspector

Trend Micro Deep Discovery Inspector (DDI) on Deep Discovery Threat appliances with software before 3.5.1477, 3.6.x before 3.6.1217, 3.7.x before 3.7.1248, 3.8.x before 3.8.1263, and other versions allows remote attackers to obtain sensitive information or change the configuration via a direct request to the (1) system log URL, (2) whitelist URL, or (3) blacklist URL.

5.5
2015-08-20 CVE-2015-4319 Cisco Credentials Management vulnerability in Cisco Telepresence Video Communication Server Software X8.5.1

The password-change feature in the administrative web interface in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1 improperly performs authorization, which allows remote authenticated users to reset arbitrary active-user passwords via unspecified vectors, aka Bug ID CSCuv12338.

5.5
2015-08-20 CVE-2015-4316 Cisco Improper Input Validation vulnerability in Cisco Telepresence Video Communication Server Software X8.5.2

The Mobile and Remote Access (MRA) endpoint-validation feature in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 improperly validates the phone line used for registration, which allows remote authenticated users to conduct impersonation attacks via a crafted registration, aka Bug ID CSCuv40396.

5.5
2015-08-20 CVE-2015-4315 Cisco Improper Input Validation vulnerability in Cisco Telepresence Video Communication Server Software X8.5.3

The Call Policy Configuration page in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.3 improperly validates external DTDs, which allows remote authenticated users to read arbitrary files or cause a denial of service via a crafted XML document, aka Bug ID CSCuv31853.

5.5
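Two failure modes in this table concern the same kind of XML: the PicketLink entries (CVE-2015-6254, CVE-2015-0277) describe an SP that accepts a correctly signed SAML Response without checking that the Destination matches the endpoint that received it or that the SP is named in the assertion's AudienceRestriction, so an assertion minted for another SP can be replayed; the Cisco VCS entry (CVE-2015-4315) describes an XML consumer that processes external DTDs, which is the XXE class. The following is an added example, not PicketLink or Cisco code: it refuses any DTD before parsing, then applies the Destination and Audience checks. Signature verification is out of scope here and must run alongside these checks; the endpoint URL and entity IDs are constructed.

```python
"""SAML Response hardening: refuse DTDs (XXE / entity expansion) and enforce
Destination and AudienceRestriction before accepting an assertion.

Added example, not PicketLink or Cisco VCS code. Endpoint URLs and entity IDs
are constructed for illustration. XML-signature verification is out of scope
and must run alongside these checks; they exist because a correctly signed
assertion minted for another SP can be replayed to this one.
"""
import xml.parsers.expat as expat
from xml.etree import ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}


def parse_no_dtd(data: bytes) -> ET.Element:
    """Parse XML with expat, aborting on any DOCTYPE, entity declaration or
    external entity reference. SAML messages never legitimately carry a DTD."""
    builder = ET.TreeBuilder()
    parser = expat.ParserCreate(namespace_separator="}")

    def forbid(*_args):
        raise ValueError("DTD or entity declaration present")

    def clark(name: str) -> str:  # expat gives "uri}local"; ET expects "{uri}local"
        return "{" + name if "}" in name else name

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.ExternalEntityRefHandler = forbid
    parser.StartElementHandler = lambda name, attrs: builder.start(clark(name), attrs)
    parser.EndElementHandler = lambda name: builder.end(clark(name))
    parser.CharacterDataHandler = builder.data
    parser.Parse(data, True)
    return builder.close()


def validate_response(xml_bytes: bytes, received_at: str, sp_entity_id: str) -> str:
    """Return "ok" or "rejected: <reason>" for a SAML 2.0 Response delivered to
    the endpoint `received_at` of the SP whose entityID is `sp_entity_id`."""
    try:
        root = parse_no_dtd(xml_bytes)
    except (ValueError, expat.ExpatError) as exc:
        return f"rejected: DTD/XML error ({exc})"
    if root.tag != f"{{{SAMLP}}}Response":
        return "rejected: not a samlp:Response"
    # CVE-2015-6254 class: Destination must equal the URL that actually received it.
    if root.get("Destination") != received_at:
        return f"rejected: Destination {root.get('Destination')!r} != {received_at!r}"
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return "rejected: no assertion"
    for assertion in assertions:
        # CVE-2015-0277 class: every AudienceRestriction present must list this SP.
        for restriction in assertion.findall("saml:Conditions/saml:AudienceRestriction", NS):
            audiences = [(a.text or "").strip() for a in restriction.findall("saml:Audience", NS)]
            if sp_entity_id not in audiences:
                return f"rejected: audience {audiences} does not include {sp_entity_id!r}"
    return "ok"


# --- constructed demonstration data -------------------------------------
ACS_URL = "https://sp.example.com/saml/acs"   # constructed SP endpoint
SP_ID = "https://sp.example.com"              # constructed SP entityID


def make_response(destination: str, audience: str) -> bytes:
    """Constructed, unsigned SAML Response used only for the demonstration."""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_r1" Version="2.0" IssueInstant="2015-08-17T00:00:00Z" Destination="{destination}">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-08-17T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>""".encode()


# The same response with an external-entity DTD prepended, as an XXE payload would carry.
XXE_RESPONSE = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
                + make_response(ACS_URL, SP_ID))
```

`received_at` should be the URL the SP actually served (after TLS termination), not a value derived from the request's Host header, or the Destination check collapses into comparing attacker-influenced data with itself.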
2015-08-19 CVE-2015-4322 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco Content Security Management Appliance 8.3.6039/9.1.0103/9.1.031

Cisco Content Security Management Appliance (SMA) 8.3.6-039, 9.1.0-31, and 9.1.0-103 improperly restricts the privileges available after LDAP authentication, which allows remote authenticated users to read or write to an arbitrary user's Spam Quarantine folder by visiting a spam-notification URL, aka Bug ID CSCuv65894.

5.5
2015-08-19 CVE-2015-4299 Cisco Improper Access Control vulnerability in Cisco Unified web and E-Mail Interaction Manager 9.0(2)

Cisco Unified Web and E-Mail Interaction Manager 9.0(2) improperly performs authorization, which allows remote authenticated users to remove default messaging-queue system folders via unspecified vectors, aka Bug ID CSCuo89046.

5.5
2015-08-18 CVE-2015-5508 eXtensible Catalog Drupal Toolkit Project Cross-Site Request Forgery (CSRF) vulnerability in eXtensible Catalog Drupal Toolkit Project eXtensible Catalog Drupal Toolkit

Cross-site request forgery (CSRF) vulnerability in the XC NCIP Provider module in the eXtensible Catalog (XC) Drupal Toolkit allows remote attackers to hijack the authentication of users with the "administer ncip providers" permission for requests that alter NCIP providers via a crafted request.

5.1
2015-08-22 CVE-2015-4938 IBM Spoofing vulnerability in IBM WebSphere Application Server

IBM WebSphere Application Server 7.x before 7.0.0.39, 8.0.x before 8.0.0.11, and 8.5.x before 8.5.5.7 allows remote attackers to spoof servlets and obtain sensitive information via unspecified vectors.

5.0
2015-08-22 CVE-2015-1932 IBM Information Exposure vulnerability in IBM products

IBM WebSphere Application Server 7.x before 7.0.0.39, 8.0.x before 8.0.0.11, and 8.5.x before 8.5.5.7 and WebSphere Virtual Enterprise before 7.0.0.7 allow remote attackers to obtain potentially sensitive information about the proxy-server software by reading the HTTP Via header.

5.0
2015-08-22 CVE-2015-2984 Iodata Permissions, Privileges, and Access Controls vulnerability in Iodata Wn-G54/R2 Firmware

I-O DATA DEVICE WN-G54/R2 routers with firmware before 1.03 and NP-BBRS routers allow remote attackers to cause a denial of service (SSDP reflection) via UPnP requests.

5.0
2015-08-22 CVE-2015-6258 Cisco Improper Input Validation vulnerability in Cisco Wireless LAN Controller Software 8.1.104.37

The Inter-Access Point Protocol (IAPP) module on Cisco Wireless LAN Controller (WLC) devices with software 8.1(104.37) allows remote attackers to trigger incorrect traffic forwarding via crafted IPv6 packets, aka Bug ID CSCuv40033.

5.0
2015-08-22 CVE-2015-6256 Cisco Improper Input Validation vulnerability in Cisco ASR 5000 Series Software 19.0.M0.60828

Cisco ASR 5000 devices with software 19.0.M0.60828 allow remote attackers to cause a denial of service (OSPF process restart) via crafted length fields in headers of OSPF packets, aka Bug ID CSCuv62820.

5.0
2015-08-20 CVE-2015-4318 Cisco Resource Management Errors vulnerability in Cisco Telepresence Video Communication Server Software X8.5.2

Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows remote attackers to cause a denial of service via invalid variables in a GET request, aka Bug ID CSCuv40528.

5.0
2015-08-20 CVE-2015-4321 Cisco Improper Input Validation vulnerability in Cisco Adaptive Security Appliance Software

The Unicast Reverse Path Forwarding (uRPF) implementation in Cisco Adaptive Security Appliance (ASA) Software 9.3(1.50), 9.3(2.100), 9.3(3), and 9.4(1) mishandles cases where an IP address belongs to an internal interface but is also in the ASA routing table, which allows remote attackers to bypass uRPF validation via spoofed packets, aka Bug ID CSCuv60724.

5.0
2015-08-20 CVE-2015-0534 EMC Permissions, Privileges, and Access Controls vulnerability in EMC RSA Bsafe, RSA Bsafe Ssl-C and RSA Bsafe Ssl-J

EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x before 4.1.3, RSA BSAFE Crypto-J before 6.2, RSA BSAFE SSL-J before 6.2, and RSA BSAFE SSL-C 2.8.9 and earlier do not enforce certain constraints on certificate data, which allows remote attackers to defeat a fingerprint-based certificate-blacklist protection mechanism by including crafted data within a certificate's unsigned portion, a similar issue to CVE-2014-8275.

5.0
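The BSAFE entry above (like CVE-2014-8275 in OpenSSL) is a reminder that a certificate's SHA-1 or SHA-256 fingerprint covers the whole DER blob, including the outer signatureAlgorithm and the signature BIT STRING, which the signature itself does not protect. A blocklist keyed on that fingerprint is dodged by flipping a byte in the unsigned part. The following is an added example, not BSAFE or OpenSSL code: it builds a constructed, truncated certificate skeleton with placeholder signature bytes (never verified), shows the naive fingerprint changing while the signed TBSCertificate does not, and applies two checks that close the hole.

```python
"""Why a certificate blocklist keyed on the fingerprint of the whole DER blob
can be bypassed by editing bytes the signature does not cover, and two checks
that close the hole: fingerprint only the signed TBSCertificate, and require
the outer signatureAlgorithm to equal the signed inner one.

Added example, not RSA BSAFE or OpenSSL code. The certificate below is a
constructed, truncated skeleton (serial + algorithm only) and its signature
bytes are placeholders that are never verified; only the DER framing matters.
"""
import hashlib

SEQUENCE, INTEGER, OID, BIT_STRING = 0x30, 0x02, 0x06, 0x03
SHA256_WITH_RSA = bytes.fromhex("2a864886f70d01010b")   # 1.2.840.113549.1.1.11
SHA1_WITH_RSA = bytes.fromhex("2a864886f70d010105")     # 1.2.840.113549.1.1.5


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with definite-length encoding."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def read_tlv(buf: bytes, off: int = 0):
    """Return (tag, content, raw_element) of the TLV starting at `off`."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nb = first & 0x7F
        length, hdr = int.from_bytes(buf[off + 2:off + 2 + nb], "big"), 2 + nb
    start, end = off + hdr, off + hdr + length
    return tag, buf[start:end], buf[off:end]


def alg_id(oid: bytes) -> bytes:           # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    return der(SEQUENCE, der(OID, oid) + b"\x05\x00")


def build_cert(tbs: bytes, outer_alg: bytes, sig: bytes) -> bytes:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    return der(SEQUENCE, tbs + outer_alg + der(BIT_STRING, b"\x00" + sig))


def split_cert(cert: bytes):
    tag, body, _ = read_tlv(cert)
    assert tag == SEQUENCE
    tbs = read_tlv(body)[2]
    outer_alg = read_tlv(body, len(tbs))[2]
    sig = read_tlv(body, len(tbs) + len(outer_alg))[2]
    return tbs, outer_alg, sig


def inner_alg(tbs: bytes) -> bytes:
    """The `signature` field inside TBSCertificate: [0] version?, serial, AlgorithmIdentifier, ..."""
    _, body, _ = read_tlv(tbs)
    off = 0
    if body[0] == 0xA0:                     # optional explicit [0] version
        off += len(read_tlv(body, 0)[2])
    off += len(read_tlv(body, off)[2])      # serialNumber
    return read_tlv(body, off)[2]


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check(cert: bytes, tbs_blocklist: set) -> str:
    """Blocklist decision that cannot be dodged by editing unsigned bytes."""
    tbs, outer_alg, _ = split_cert(cert)
    if outer_alg != inner_alg(tbs):
        return "reject: outer signatureAlgorithm differs from signed inner field"
    if fingerprint(tbs) in tbs_blocklist:
        return "reject: blocklisted"
    return "accept"


# --- constructed demonstration data -------------------------------------
TBS = der(SEQUENCE, der(INTEGER, b"\x01") + alg_id(SHA256_WITH_RSA))
SIG = bytes(range(16))                      # placeholder signature bytes
ORIGINAL = build_cert(TBS, alg_id(SHA256_WITH_RSA), SIG)
# Variant 1: outer AlgorithmIdentifier swapped (not covered by the signature).
TAMPERED_ALG = build_cert(TBS, alg_id(SHA1_WITH_RSA), SIG)
# Variant 2: trailing bytes after the signature, which a lax signature parser ignores.
TAMPERED_SIG = build_cert(TBS, alg_id(SHA256_WITH_RSA), SIG + b"\x00\x00")

NAIVE_BLOCKLIST = {fingerprint(ORIGINAL)}   # keyed on the whole DER blob
TBS_BLOCKLIST = {fingerprint(TBS)}          # keyed on the signed portion only


def naive_blocked(cert: bytes) -> bool:
    return fingerprint(cert) in NAIVE_BLOCKLIST
```

Variant 1 is caught by the inner/outer algorithm comparison and variant 2 by keying the blocklist on the TBSCertificate; a real deployment needs both, plus a strict signature decoder that rejects trailing data.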
2015-08-20 CVE-2015-4317 Cisco Resource Management Errors vulnerability in Cisco Telepresence Video Communication Server Software X8.5.2

Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows remote attackers to cause a denial of service via invalid variables in an authentication packet, aka Bug ID CSCuv40469.

5.0
2015-08-19 CVE-2015-4296 Cisco Resource Management Errors vulnerability in Cisco Nx-Os 6.0(2)A6(1)

Nexus Data Broker (NDB) on Cisco Nexus 3000 devices with software 6.0(2)A6(1) allows remote attackers to cause a denial of service (Java process restart) via crafted connections to the Java application, aka Bug ID CSCut87006.

5.0
2015-08-19 CVE-2015-1830 Apache, Microsoft Path Traversal vulnerability in Apache Activemq

Directory traversal vulnerability in the fileserver upload/download functionality for blob messages in Apache ActiveMQ 5.x before 5.11.2 for Windows allows remote attackers to create JSP files in arbitrary directories via unspecified vectors.

5.0
2015-08-18 CVE-2015-5512 ME Aliases Project Improper Access Control vulnerability in ME Aliases Project ME Aliases

The me aliases module 6.x-2.x before 6.x-2.10 and 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to access Views using the "me" user argument handler by substituting "me" for a user id in a URL.

5.0
2015-08-18 CVE-2015-5511 Hybridauth Social Login Project Permissions, Privileges, and Access Controls vulnerability in Hybridauth Social Login Project Hybridauth Social Login

The HybridAuth Social Login module 7.x-2.x before 7.x-2.13 for Drupal allows remote attackers to bypass the user registration by administrator only configuration and create an account via a social login.

5.0
2015-08-18 CVE-2015-5506 Apache Solr Real Time Project Information Exposure vulnerability in Apache Solr Real-Time Project Apache Solr Real-Time 7.X1.0/7.X1.1

The Apache Solr Real-Time module 7.x-1.x before 7.x-1.2 for Drupal does not check the status of an entity when indexing, which allows remote attackers to obtain information about unpublished content via a search.

5.0
2015-08-18 CVE-2015-5498 Shipwire API Project Permissions, Privileges, and Access Controls vulnerability in Shipwire API Project Shipwire API 7.X1.0/7.X1.01/7.X1.02

The Shipwire API module 7.x-1.x before 7.x-1.03 for Drupal does not check the view permission for the shipments overview (admin/shipwire/shipments), which allows remote attackers to obtain sensitive information via a request to the page.

5.0
2015-08-18 CVE-2015-5496 Pass2Pdf Project Permissions, Privileges, and Access Controls vulnerability in Pass2Pdf Project Pass2Pdf

The pass2pdf module for Drupal does not restrict access to generated PDF files, which allows remote attackers to obtain user passwords via unspecified vectors.

5.0
2015-08-18 CVE-2015-5493 Entityform Block Project Permissions, Privileges, and Access Controls vulnerability in Entityform Block Project Entityform Block

The Entityform Block module 7.x-1.x before 7.x-1.3 for Drupal does not properly check permissions when a form is locked to a role, which allows remote attackers to obtain access to certain entityforms via unspecified vectors.

5.0
2015-08-18 CVE-2015-5490 Views Project Information Exposure vulnerability in Views Project Views

The _views_fetch_data method in includes/cache.inc in the Views module 7.x-3.5 through 7.x-3.10 for Drupal does not rebuild the full cache if the static cache is not empty, which allows remote attackers to bypass intended filters and obtain access to hidden content via unspecified vectors.

5.0
2015-08-18 CVE-2015-6512 Codelogic SQL Injection vulnerability in Codelogic Freichat 9.6

SQL injection vulnerability in the get_messages function in server/plugins/chatroom/chatroom.php in FreiChat 9.6 allows remote attackers to execute arbitrary SQL commands via the time parameter to server/freichat.php.

5.0
2015-08-17 CVE-2015-5531 Elasticsearch Path Traversal vulnerability in Elasticsearch

Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls.

5.0
2015-08-17 CVE-2015-5766 Apple Path Traversal vulnerability in Apple Iphone OS

Directory traversal vulnerability in Air Traffic in Apple iOS before 8.4.1 allows attackers to access arbitrary filesystem locations via vectors related to asset handling.

5.0
2015-08-17 CVE-2015-5759 Apple 7PK - Security Features vulnerability in Apple Iphone OS

WebKit in Apple iOS before 8.4.1 allows remote attackers to spoof clicks via a crafted web site that leverages tap events.

5.0
2015-08-17 CVE-2015-5752 Apple Link Following vulnerability in Apple Iphone OS

Backup in Apple iOS before 8.4.1 allows attackers to bypass intended restrictions on filesystem access via a crafted app that creates a symlink.

5.0
2015-08-17 CVE-2015-5746 Apple Improper Access Control vulnerability in Apple Iphone OS

AppleFileConduit in Apple iOS before 8.4.1 allows attackers to bypass intended restrictions on filesystem access via an afc command that leverages symlink mishandling.

5.0
2015-08-19 CVE-2015-4277 Cisco Resource Management Errors vulnerability in Cisco ASR 9000 Series Software 5.1.3/5.3.0

The global-configuration implementation on Cisco ASR 9000 devices with software 5.1.3 and 5.3.0 improperly closes vty sessions after a commit/end operation, which allows local users to cause a denial of service (tmp/*config file creation, memory consumption, and device hang) via unspecified vectors, aka Bug ID CSCut93842.

4.9
2015-08-18 CVE-2015-5515 Views Bulk Operations Project Permissions, Privileges, and Access Controls vulnerability in Views Bulk Operations Project Views Bulk Operations

The Views Bulk Operations (VBO) module 6.x-1.x and 7.x-3.x before 7.x-3.3 for Drupal, when the bulk operation for changing Roles is enabled, allows remote authenticated users to edit user accounts and add arbitrary roles to the accounts by leveraging access to a user account listing view with VBO enabled.

4.9
2015-08-18 CVE-2015-4425 Pimcore Path Traversal vulnerability in Pimcore

Directory traversal vulnerability in pimcore before build 3473 allows remote authenticated users with the "assets" permission to create or write to arbitrary files via a ..

4.9
2015-08-17 CVE-2015-5747 Apple Resource Management Errors vulnerability in Apple mac OS X

The fasttrap driver in the kernel in Apple OS X before 10.10.5 allows local users to cause a denial of service (resource consumption) via unspecified vectors.

4.9
2015-08-22 CVE-2015-2132 HP Local Privilege Escalation vulnerability in HP-UX

Unspecified vulnerability in the execve system-call implementation in HP HP-UX B.11.11, B.11.23, and B.11.31 allows local users to gain privileges via unknown vectors.

4.4
2015-08-23 CVE-2015-2872 Trend Micro Cross-Site Scripting vulnerability in Trend Micro Deep Discovery Inspector

Multiple cross-site scripting (XSS) vulnerabilities in Trend Micro Deep Discovery Inspector (DDI) on Deep Discovery Threat appliances with software before 3.5.1477, 3.6.x before 3.6.1217, 3.7.x before 3.7.1248, 3.8.x before 3.8.1263, and other versions allow remote attackers to inject arbitrary web script or HTML via (1) crafted input to index.php that is processed by certain Internet Explorer 7 configurations or (2) crafted input to the widget feature.

4.3
2015-08-23 CVE-2015-2015 IBM Cross-Site Scripting vulnerability in IBM Domino

Cross-site scripting (XSS) vulnerability in pubnames.ntf (aka the Directory template) in the web server in IBM Domino before 9.0.0 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka SPR KLYH8WBPRN.

4.3
2015-08-22 CVE-2015-2982 PHP Kobo Cross-Site Scripting vulnerability in PHP Kobo Photo Gallery CMS Free 1.0.0/1.0.1

Cross-site scripting (XSS) vulnerability in jquery.lightbox-0.5.min.js in PHP Kobo Photo Gallery CMS for PC, smartphone and feature phone 1.0.1 Free and earlier allows remote authenticated users to inject arbitrary web script or HTML via unspecified input to admin.php.

4.3
2015-08-20 CVE-2015-6530 Opentext Cross-Site Scripting vulnerability in Opentext Secure MFT 2013 and Secure MFT 2014

Cross-site scripting (XSS) vulnerability in OpenText Secure MFT 2013 before 2013 R3 P6 and 2014 before 2014 R2 P2 allows remote attackers to inject arbitrary web script or HTML via the querytext parameter to userdashboard.jsp.

4.3
2015-08-20 CVE-2015-6529 Phpipam Cross-Site Scripting vulnerability in PHPipam 1.1.010

Multiple cross-site scripting (XSS) vulnerabilities in phpipam 1.1.010 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter to site/error.php or (2) ip parameter to site/tools/searchResults.php.

4.3
2015-08-20 CVE-2015-6528 Coppermine Gallery Cross-Site Scripting vulnerability in Coppermine-Gallery Coppermine Photo Gallery 1.5.36

Multiple cross-site scripting (XSS) vulnerabilities in install_classic.php in Coppermine Photo Gallery (CPG) 1.5.36 allow remote attackers to inject arbitrary web script or HTML via the (1) admin_username, (2) admin_password, (3) admin_email, (4) dbserver, (5) dbname, (6) dbuser, (7) dbpass, (8) table_prefix, or (9) impath parameter.

4.3
2015-08-20 CVE-2015-3219 Debian, Openstack, Oracle Cross-Site Scripting vulnerability in multiple products

Cross-site scripting (XSS) vulnerability in the Orchestration/Stack section in OpenStack Dashboard (Horizon) 2014.2 before 2014.2.4 and 2015.1.x before 2015.1.1 allows remote attackers to inject arbitrary web script or HTML via the description parameter in a heat template, which is not properly handled in the help_text attribute in the Field class.

4.3
2015-08-20 CVE-2015-0535 EMC Improper Access Control vulnerability in EMC RSA Bsafe and RSA Bsafe Ssl-C

EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x before 4.1.3 and RSA BSAFE SSL-C 2.8.9 and earlier do not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a similar issue to CVE-2015-0204.

4.3
2015-08-20 CVE-2015-0533 EMC Cryptographic Issues vulnerability in EMC RSA Bsafe and RSA Bsafe Ssl-C

EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x before 4.1.3 and RSA BSAFE SSL-C 2.8.9 and earlier allow remote SSL servers to conduct ECDHE-to-ECDH downgrade attacks and trigger a loss of forward secrecy by omitting the ServerKeyExchange message, a similar issue to CVE-2014-3572.

4.3
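The two BSAFE entries above are both handshake state-machine failures on the client side: for CVE-2015-0535 (FREAK class) the client accepted a ServerKeyExchange carrying an export-grade RSA key under a suite that should have had none, and for CVE-2015-0533 it accepted a flight in which the ServerKeyExchange that an ECDHE suite requires was simply omitted, silently falling back to static ECDH and losing forward secrecy. The following is an added example, not BSAFE code, of the check a TLS 1.2 client should apply to the server's first flight. The cipher-suite table is a constructed subset and the messages are simplified records rather than wire format.

```python
"""Client-side TLS 1.2 checks on the server's first flight: a ServerKeyExchange
must appear exactly when the negotiated suite uses an ephemeral key, and its
type must match the suite, so neither FREAK (CVE-2015-0535 class) nor an
ECDHE-to-ECDH downgrade (CVE-2015-0533 class) is accepted.

Added example, not RSA BSAFE code. Suite table is a constructed subset; messages
are simplified records, not TLS wire format.
"""
from dataclasses import dataclass

# code -> (IANA name, key exchange, export-grade)
SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", False),
    0xC013: ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "ECDHE", False),
    0xC00E: ("TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "ECDH", False),
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", "RSA_EXPORT", True),
}
# Key exchanges that carry a ServerKeyExchange, and the SKE body type each one uses.
SKE_TYPE = {"ECDHE": "ecdhe", "DHE": "dhe", "RSA_EXPORT": "rsa_export"}


@dataclass
class Msg:
    kind: str            # ServerHello | Certificate | ServerKeyExchange | ServerHelloDone
    suite: int = 0       # ServerHello only
    ske_type: str = ""   # ServerKeyExchange only


def check_server_flight(offered, flight) -> str:
    """Return "ok" or "abort: <reason>" for the server's first flight, given the
    suites the client offered in ClientHello."""
    expected, suite, kx = "ServerHello", None, None
    for msg in flight:
        if msg.kind != expected:
            return f"abort: got {msg.kind}, expected {expected}"
        if msg.kind == "ServerHello":
            if msg.suite not in offered or msg.suite not in SUITES:
                return "abort: server chose a suite the client never offered"
            suite, kx = msg.suite, SUITES[msg.suite][1]
            expected = "Certificate"
        elif msg.kind == "Certificate":
            # Omitting SKE for an ephemeral suite is the ECDHE->ECDH downgrade;
            # sending one for static RSA is the FREAK vector.
            expected = "ServerKeyExchange" if kx in SKE_TYPE else "ServerHelloDone"
        elif msg.kind == "ServerKeyExchange":
            if msg.ske_type != SKE_TYPE[kx]:
                return f"abort: {msg.ske_type} ServerKeyExchange under {SUITES[suite][0]}"
            expected = "ServerHelloDone"
        else:  # ServerHelloDone
            expected = None
    return "ok" if expected is None else f"abort: flight ended before {expected}"


# --- constructed flights ---------------------------------------------------
OFFERED = [0xC013, 0x002F]        # client offers only non-export suites
ECDHE_OK = [Msg("ServerHello", suite=0xC013), Msg("Certificate"),
            Msg("ServerKeyExchange", ske_type="ecdhe"), Msg("ServerHelloDone")]
RSA_OK = [Msg("ServerHello", suite=0x002F), Msg("Certificate"), Msg("ServerHelloDone")]
# CVE-2015-0533 class: ECDHE negotiated, ServerKeyExchange omitted.
ECDHE_TO_ECDH = [Msg("ServerHello", suite=0xC013), Msg("Certificate"), Msg("ServerHelloDone")]
# CVE-2015-0535 class: RSA negotiated, export RSA key pushed in a ServerKeyExchange.
FREAK = [Msg("ServerHello", suite=0x002F), Msg("Certificate"),
         Msg("ServerKeyExchange", ske_type="rsa_export"), Msg("ServerHelloDone")]
EXPORT_UNOFFERED = [Msg("ServerHello", suite=0x0003)]
```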
2015-08-19 CVE-2015-4310 Cisco Cross-Site Scripting vulnerability in Cisco Finesse 10.5(1)Base

Multiple cross-site scripting (XSS) vulnerabilities in Cisco Finesse 10.5(1) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in a (1) GET or (2) POST request, aka Bug IDs CSCuq82322, CSCut95853, and CSCuq73975.

4.3
2015-08-19 CVE-2015-6255 Cisco Cross-Site Scripting vulnerability in Cisco Unified web and E-Mail Interaction Manager 9.0(2)

Cross-site scripting (XSS) vulnerability in Cisco Unified Web and E-Mail Interaction Manager 9.0(2) allows remote attackers to inject arbitrary web script or HTML via a crafted chat message, aka Bug ID CSCuo89051.

4.3
2015-08-18 CVE-2015-6518 Phpliteadmin Cross-Site Scripting vulnerability in PHPliteadmin 1.1

Multiple cross-site scripting (XSS) vulnerabilities in phpLiteAdmin 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, (2) droptable parameter, or (3) table parameter to phpliteadmin.php.

4.3
2015-08-18 CVE-2015-5507 Inline Entity Form Project Cross-Site Scripting vulnerability in Inline Entity Form Project Inline Entity Form

Cross-site scripting (XSS) vulnerability in the Inline Entity Form module 7.x-1.x before 7.x-1.6 for Drupal allows remote authenticated users with permission to create or edit fields to inject arbitrary web script or HTML via unspecified vectors.

4.3
2015-08-18 CVE-2015-5492 Video Consultation Project Cross-Site Scripting vulnerability in Video Consultation Project Video Consultation

Cross-site scripting (XSS) vulnerability in the Video Consultation module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2015-08-18 CVE-2015-5487 Techsmith Cross-Site Scripting vulnerability in Techsmith Camtasia Relay

Cross-site scripting (XSS) vulnerability in the Camtasia Relay module 6.x-2.x before 6.x-3.2 and 7.x-2.x before 7.x-1.3 for Drupal allows remote authenticated users with the "view meta information" permission to inject arbitrary web script or HTML via unspecified vectors related to the meta access tab.

4.3
2015-08-18 CVE-2015-5481 Dev4Press Cross-Site Scripting vulnerability in Dev4Press GD Bbpress Attachments

Cross-site scripting (XSS) vulnerability in forms/panels.php in the GD bbPress Attachments plugin before 2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab parameter in the gdbbpress_attachments page to wp-admin/edit.php.

4.3
2015-08-18 CVE-2015-6515 Splunk Cross-Site Scripting vulnerability in Splunk

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.2.x before 6.2.4, 6.1.x before 6.1.8, 6.0.x before 6.0.9, and 5.0.x before 5.0.13 and Splunk Light 6.2.x before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via a header.

4.3
2015-08-18 CVE-2015-6514 Splunk Cross-Site Scripting vulnerability in Splunk

Cross-site scripting (XSS) vulnerability in the Dashboard in Splunk Enterprise 6.2.x before 6.2.4 and Splunk Light 6.2.x before 6.2.4 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

4.3
2015-08-18 CVE-2015-6511 Netgate Cross-Site Scripting vulnerability in Netgate Pfsense

Cross-site scripting (XSS) vulnerability in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the server[] parameter to services_ntpd.php.

4.3
2015-08-18 CVE-2015-6510 Netgate Cross-Site Scripting vulnerability in Netgate Pfsense

Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) srctrack, (2) use_mfs_tmp_size, or (3) use_mfs_var_size parameter to system_advanced_misc.php; the (4) port, (5) snaplen, or (6) count parameter to diag_packet_capture.php; the (7) pppoe_resethour, (8) pppoe_resetminute, (9) wpa_group_rekey, or (10) wpa_gmk_rekey parameter to interfaces.php; the (11) pppoe_resethour or (12) pppoe_resetminute parameter to interfaces_ppps_edit.php; the (13) member[] parameter to interfaces_qinq_edit.php; the (14) port or (15) retry parameter to load_balancer_pool_edit.php; the (16) pkgrepourl parameter to pkg_mgr_settings.php; the (17) zone parameter to services_captiveportal.php; the port parameter to (18) services_dnsmasq.php or (19) services_unbound.php; the (20) cache_max_ttl or (21) cache_min_ttl parameter to services_unbound_advanced.php; the (22) sshport parameter to system_advanced_admin.php; the (23) id, (24) tunable, (25) descr, or (26) value parameter to system_advanced_sysctl.php; the (27) firmwareurl, (28) repositoryurl, or (29) branch parameter to system_firmware_settings.php; the (30) pfsyncpeerip, (31) synchronizetoip, (32) username, or (33) passwordfld parameter to system_hasync.php; the (34) maxmss parameter to vpn_ipsec_settings.php; the (35) ntp_server1, (36) ntp_server2, (37) wins_server1, or (38) wins_server2 parameter to vpn_openvpn_csc.php; or unspecified parameters to (39) load_balancer_relay_action.php, (40) load_balancer_relay_action_edit.php, (41) load_balancer_relay_protocol.php, or (42) load_balancer_relay_protocol_edit.php.

4.3
2015-08-18 CVE-2015-6509 Netgate Cross-Site Scripting vulnerability in Netgate Pfsense

Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) proxypass parameter to system_advanced_misc.php; (2) adaptiveend, (3) adaptivestart, (4) maximumstates, (5) maximumtableentries, or (6) aliasesresolveinterval parameter to system_advanced_firewall.php; (7) proxyurl, (8) proxyuser, or (9) proxyport parameter to system_advanced_misc.php; or (10) name, (11) notification_name, (12) ipaddress, (13) password, (14) smtpipaddress, (15) smtpport, (16) smtpfromaddress, (17) smtpnotifyemailaddress, (18) smtpusername, or (19) smtppassword parameter to system_advanced_notifications.php.

4.3
2015-08-18 CVE-2015-6508 Netgate Cross-Site Scripting vulnerability in Netgate Pfsense

Cross-site scripting (XSS) vulnerability in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the descr parameter in a "new" action to system_authservers.php.

4.3
2015-08-18 CVE-2015-5485 Theeventscalendar Cross-Site Scripting vulnerability in Theeventscalendar Eventbrite Tickets

Cross-site scripting (XSS) vulnerability in the Event Import page (import-eventbrite-events.php) in the Modern Tribe Eventbrite Tickets plugin before 3.10.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the "error" parameter to wp-admin/edit.php.

4.3
2015-08-18 CVE-2015-4029 Netgate Cross-Site Scripting vulnerability in Netgate Pfsense

Cross-site scripting (XSS) vulnerability in the WebGUI in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the zone parameter in a del action to services_captiveportal_zones.php.

4.3
2015-08-17 CVE-2014-9743 Videolan Cross-Site Scripting vulnerability in Videolan VLC Media Player

Cross-site scripting (XSS) vulnerability in the httpd_HtmlError function in network/httpd.c in the web interface in VideoLAN VLC Media Player before 2.2.0 allows remote attackers to inject arbitrary web script or HTML via the path info.

4.3
2015-08-17 CVE-2015-5782 Apple Information Exposure vulnerability in Apple Iphone OS and mac OS X

ImageIO in Apple iOS before 8.4.1 and OS X before 10.10.5 does not properly initialize an unspecified data structure, which allows remote attackers to obtain sensitive information from process memory via a crafted TIFF image.

4.3
2015-08-17 CVE-2015-5781 Apple Information Exposure vulnerability in Apple Iphone OS and mac OS X

ImageIO in Apple iOS before 8.4.1 and OS X before 10.10.5 does not properly initialize an unspecified data structure, which allows remote attackers to obtain sensitive information from process memory via a crafted PNG image.

4.3
2015-08-17 CVE-2015-5768 Apple Information Exposure vulnerability in Apple mac OS X

AppleGraphicsControl in Apple OS X before 10.10.5 allows attackers to obtain sensitive kernel memory-layout information via a crafted app.

4.3
2015-08-17 CVE-2015-5749 Apple Information Exposure vulnerability in Apple Iphone OS

The Sandbox_profiles component in Apple iOS before 8.4.1 allows attackers to bypass the third-party app-sandbox protection mechanism and read arbitrary managed preferences via a crafted app.

4.3
2015-08-17 CVE-2015-3807 Apple Buffer Errors vulnerability in Apple Iphone OS, mac OS X and Tvos

libxml2 in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (memory corruption) via a crafted XML document.

4.3
2015-08-17 CVE-2015-3793 Apple Permissions, Privileges, and Access Controls vulnerability in Apple Iphone OS

CFPreferences in Apple iOS before 8.4.1 allows attackers to bypass the third-party app-sandbox protection mechanism and read arbitrary managed preferences via a crafted app.

4.3
2015-08-23 CVE-2015-4950 IBM Information Exposure vulnerability in IBM products

The mailbox-restore feature in IBM Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 6.1 before 6.1.3.6, 6.3 before 6.3.1.3, 6.4 before 6.4.1.4, and 7.1 before 7.1.0.2; Tivoli Storage FlashCopy Manager: FlashCopy Manager for Microsoft Exchange Server 2.1, 2.2, 3.1 before 3.1.1.5, 3.2 before 3.2.1.7, and 4.1 before 4.1.1; and Tivoli Storage Manager FastBack for Microsoft Exchange 6.1 before 6.1.5.4 does not ensure that the correct mailbox is selected, which allows remote authenticated users to obtain sensitive information via a duplicate alias name.

4.0
2015-08-20 CVE-2015-4328 Cisco Improper Input Validation vulnerability in Cisco Telepresence Video Communication Server Software X8.5.2

Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 improperly checks for a user account's read-only attribute, which allows remote authenticated users to execute arbitrary OS commands via crafted HTTP requests, as demonstrated by read or write operations on the Unified Communications lookup page, aka Bug ID CSCuv12552.

4.0
2015-08-20 CVE-2015-4320 Cisco Information Exposure vulnerability in Cisco Telepresence Video Communication Server Software X8.5.2

The Configuration Log File component in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows remote authenticated users to obtain sensitive information by reading a log file, aka Bug ID CSCuv12340.

4.0
2015-08-20 CVE-2015-4314 Cisco Information Exposure vulnerability in Cisco Telepresence Video Communication Server Software X8.5.1

The System Snapshot feature in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1 allows remote authenticated users to obtain sensitive password-hash information by reading the snapshot file, aka Bug ID CSCuv40422.

4.0
2015-08-18 CVE-2015-5499 Navigate Project Permissions, Privileges, and Access Controls vulnerability in Navigate Project Navigate

The Navigate module for Drupal does not properly check permissions, which allows remote authenticated users to modify custom widgets and create widget database records by leveraging the "navigate view" permission.

4.0
2015-08-18 CVE-2015-5482 Dev4Press Path Traversal vulnerability in Dev4Press GD Bbpress Attachments

Directory traversal vulnerability in the GD bbPress Attachments plugin before 2.3 for WordPress allows remote administrators to include and execute arbitrary local files via a ..

4.0
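Several entries in this table are the same bug: a path built from user input is not confined to the intended directory (ActiveMQ fileserver, Elasticsearch snapshots, pimcore assets, GD bbPress Attachments), and two of the iOS entries (Backup, AppleFileConduit) show the variant where the traversal is a symlink planted inside the allowed tree rather than a ".." in the request. The containment check below is an added example, not code from any of those projects; it resolves symlinks before comparing, compares path components rather than string prefixes, and decodes percent-encoding exactly once. The demo tree is built under a temporary directory and POSIX path semantics are assumed.

```python
"""Confine a user-supplied path to a base directory, with symlinks resolved.

Added example for the directory-traversal entries in this table (ActiveMQ
fileserver, Elasticsearch snapshots, pimcore assets, GD bbPress Attachments)
and the iOS Backup/AppleFileConduit symlink bypasses; not code from any of
those projects. The demo tree is created under a temporary directory. POSIX
semantics are assumed (on Windows, "\\" is also a separator and drive letters
need extra handling).
"""
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def resolve_inside(base: str, user_path: str) -> Optional[str]:
    """Return the real, absolute path for `user_path` under `base`, or None."""
    base_real = os.path.realpath(base)
    if "\x00" in user_path or os.path.isabs(user_path):
        return None                              # NUL truncation, absolute path
    # realpath() normalises "." / ".." *and* follows symlinks, so a link planted
    # inside base that points outside is judged by where it really leads.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    # Compare path components, not string prefixes: "/srv/uploads2/x" must not
    # pass as being inside "/srv/uploads".
    try:
        inside = os.path.commonpath([base_real, candidate]) == base_real
    except ValueError:                           # different drives/roots
        inside = False
    return candidate if inside else None


def resolve_request_path(base: str, raw: str) -> Optional[str]:
    """Decode percent-encoding exactly once, then confine. Decoding a second
    time would turn a literal "%2e%2e" file name into ".." after the check."""
    return resolve_inside(base, unquote(raw))


def demo() -> dict:
    """Constructed tree: base/sub/ and base/escape -> ../secret (planted symlink).
    Returns {case_name: True if the path was accepted}."""
    tmp = tempfile.mkdtemp()
    base = os.path.join(tmp, "uploads")
    secret = os.path.join(tmp, "secret")
    os.makedirs(os.path.join(base, "sub"))
    os.makedirs(secret)
    os.symlink(secret, os.path.join(base, "escape"))
    cases = {
        "legit": "sub/report.pdf",
        "dotdot": "../secret/key",
        "nested_dotdot": "sub/../../secret/key",
        "percent_encoded": "%2e%2e/secret/key",
        "double_encoded": "%252e%252e/secret/key",  # one decode leaves a literal "%2e%2e" dir: contained
        "absolute": "/etc/passwd",
        "symlink": "escape/key",
        "sibling_prefix": "../uploads2/x",
        "nul_byte": "report.pdf\x00.jpg",
    }
    return {name: resolve_request_path(base, raw) is not None for name, raw in cases.items()}
```

The check is still a check-then-use: a symlink swapped in between `realpath()` and `open()` wins the race, so on Linux the subsequent open should use `O_NOFOLLOW` (or `openat` relative to a directory descriptor) rather than trusting the string a second time.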

18 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-08-23 CVE-2015-2018 IBM Information Exposure vulnerability in IBM Integration BUS and Websphere Message Broker

IBM Integration Bus 9 and 10 before 10.0.0.1 and WebSphere Message Broker 7 before 7.0.0.8 and 8 before 8.0.0.7 do not ensure that the correct security profile is selected, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

3.5
2015-08-22 CVE-2015-4537 EMC Information Exposure vulnerability in EMC Documentum D2

Lockbox in EMC Documentum D2 before 4.5 uses a hardcoded passphrase when a server lacks a D2.Lockbox file, which makes it easier for remote authenticated users to decrypt admin tickets by locating this passphrase in a decompiled D2 JAR archive.

3.5
2015-08-22 CVE-2015-4331 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco Prime Infrastructure

Cisco Prime Infrastructure (PI) 1.4(0.45) and earlier, when AAA authentication is used, allows remote authenticated users to bypass intended access restrictions via a username with a modified composition of lowercase and uppercase characters, aka Bug ID CSCum59958.

3.5
2015-08-20 CVE-2015-4536 EMC Information Exposure vulnerability in EMC Documentum Content Server 7.0/7.1/7.2

EMC Documentum Content Server before 7.0 P20, 7.1 before P18, and 7.2 before P02, when RPC tracing is configured, stores certain obfuscated password data in a log file, which allows remote authenticated users to obtain sensitive information by reading this file.

3.5
2015-08-19 CVE-2015-5163 Openstack Information Exposure vulnerability in Openstack Glance 2015.1.0/2015.1.1

The import task action in OpenStack Image Service (Glance) 2015.1.x before 2015.1.2 (kilo), when using the V2 API, allows remote authenticated users to read arbitrary files via a crafted backing file for a qcow2 image.

3.5
2015-08-18 CVE-2015-5500 Navigate Project Cross-Site Scripting vulnerability in Navigate Project Navigate

Cross-site scripting (XSS) vulnerability in the Navigate module for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.

3.5
2015-08-18 CVE-2015-5497 Web Links Project Cross-Site Scripting vulnerability in Web Links Project Web Links

Cross-site scripting (XSS) vulnerability in the Web Links module 6.x-2.x before 6.x-2.6 and 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.

3.5
2015-08-18 CVE-2015-5494 Webform Matrix Component Project Cross-Site Scripting vulnerability in Webform Matrix Component Project Webform Matrix Component 7.X4.0/7.X4.11/7.X4.12

Cross-site scripting (XSS) vulnerability in the Webform Matrix Component module 7.x-4.x before 7.x-4.13 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.

3.5
2015-08-18 CVE-2015-5491 Dynamic Display Block Project Information Exposure vulnerability in Dynamic Display Block Project Dynamic Display Block 7.X1.0/7.X1.X

The Dynamic display block module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users to bypass intended access restrictions and read sensitive titles by leveraging the "administer ddblock" permission.

3.5
2015-08-18 CVE-2015-5489 Smart Trim Project Cross-Site Scripting vulnerability in Smart Trim Project Smart Trim

Cross-site scripting (XSS) vulnerability in the Smart Trim module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors involving the field settings form.

3.5
2015-08-20 CVE-2015-0536 EMC Numeric Errors vulnerability in EMC RSA BSAFE and RSA BSAFE SSL-C

EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.8 and 4.1.x before 4.1.3 and RSA BSAFE SSL-C 2.8.9 and earlier, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled, allow remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange message with a length of zero, a similar issue to CVE-2015-1787.

2.6
2015-08-18 CVE-2015-5514 Migrate Project Cross-Site Scripting vulnerability in Migrate Project Migrate

Cross-site scripting (XSS) vulnerability in the Migrate module 7.x-2.x before 7.x-2.8 for Drupal, when the migrate_ui submodule is enabled, allows user-assisted remote attackers to inject arbitrary web script or HTML via a destination field label.

2.6
2015-08-23 CVE-2015-6557 IBM Information Exposure vulnerability in IBM products

IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 5.5 before 5.5.6.1, 6.3 before 6.3.1.5, 6.4 before 6.4.1.7, and 7.1 before 7.1.2; Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 5.5 before 5.5.1.1, 6.1 before 6.1.3.7, 6.3 before 6.3.1.5, 6.4 before 6.4.1.7, and 7.1 before 7.1.2; and Tivoli Storage FlashCopy Manager 3.1 before 3.1.1.5, 3.2 before 3.2.1.7, and 4.1 before 4.1.2, when application tracing is used, place cleartext passwords in exception messages, which allows physically proximate attackers to obtain sensitive information by reading trace output, a different vulnerability than CVE-2015-4949.

2.1
2015-08-23 CVE-2015-4949 IBM Information Exposure vulnerability in IBM products

IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 7.1 before 7.1.2, Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 7.1 before 7.1.2, and Tivoli Storage FlashCopy Manager 4.1 before 4.1.2 place cleartext passwords in exception messages, which allows physically proximate attackers to obtain sensitive information by reading GUI pop-up windows, a different vulnerability than CVE-2015-6557.

2.1
2015-08-18 CVE-2015-5513 Niif Cross-Site Scripting vulnerability in Niif Shibboleth Authentication

Cross-site scripting (XSS) vulnerability in the Shibboleth authentication module 6.x-4.x before 6.x-4.2 and 7.x-4.x before 7.x-4.2 for Drupal allows remote authenticated users with the "Administer blocks" permission to inject arbitrary web script or HTML via unspecified vectors related to a login link.

2.1
2015-08-18 CVE-2015-5495 Mobile Sliding Menu Project Cross-Site Scripting vulnerability in Mobile Sliding Menu Project Mobile Sliding Menu 7.X2.Xdev

Cross-site scripting (XSS) vulnerability in the Mobile sliding menu module 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer menu" permission to inject arbitrary web script or HTML via unspecified vectors.

2.1
2015-08-18 CVE-2015-5488 Thinkshout Cross-Site Scripting vulnerability in Thinkshout Mailchimp 7.X3.0/7.X3.1/7.X3.2

Cross-site scripting (XSS) vulnerability in the MailChimp Signup submodule in the MailChimp module 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "administer mailchimp" permission to inject arbitrary web script or HTML via unspecified vectors.

2.1
2015-08-17 CVE-2015-5748 Apple Code vulnerability in Apple iPhone OS, Mac OS X and Safari

The kernel in Apple OS X before 10.10.5 does not properly mount HFS volumes, which allows local users to cause a denial of service via a crafted volume.

2.1