Weekly Vulnerabilities Reports > September 28 to October 4, 2015

Overview

110 new vulnerabilities reported during this period, including 29 critical vulnerabilities and 21 high severity vulnerabilities. This weekly summary report vulnerabilities in 86 products from 49 vendors including Google, IBM, Refbase, Cisco, and Canonical. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Numeric Errors", "Permissions, Privileges, and Access Controls", and "Improper Input Validation".

  • 98 reported vulnerabilities are remotely exploitables.
  • 18 reported vulnerabilities have public exploit available.
  • 38 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 87 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 30 reported vulnerabilities.
  • Google has the most reported critical vulnerabilities, with 22 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

29 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-10-01 CVE-2015-6575 Google Numeric Errors vulnerability in Google Android

SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I does not properly consider integer promotion, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow and memory corruption) via crafted atoms in MP4 data, aka internal bug 20139950, a different vulnerability than CVE-2015-1538.

10.0
2015-10-01 CVE-2015-3864 Google Numeric Errors vulnerability in Google Android

Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759.

10.0
2015-10-01 CVE-2015-3836 Google Numeric Errors vulnerability in Google Android

The Parse_wave function in arm-wt-22k/lib_src/eas_mdls.c in the Sonivox DLS-to-EAS converter in Android before 5.1.1 LMY48I does not reject a negative value for a certain size field, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via crafted XMF data, aka internal bug 21132860.

10.0
2015-10-01 CVE-2015-3834 Google Numeric Errors vulnerability in Google Android

Multiple integer overflows in the BnHDCP::onTransact function in media/libmedia/IHDCP.cpp in libstagefright in Android before 5.1.1 LMY48I allow attackers to execute arbitrary code via a crafted application that uses HDCP encryption, leading to a heap-based buffer overflow, aka internal bug 20222489.

10.0
2015-10-01 CVE-2015-3832 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

Multiple buffer overflows in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I allow remote attackers to execute arbitrary code via invalid size values of NAL units in MP4 data, aka internal bug 19641538.

10.0
2015-10-01 CVE-2015-3829 Google Numeric Errors vulnerability in Google Android

Off-by-one error in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow and memory corruption) via crafted MPEG-4 covr atoms with a size equal to SIZE_MAX, aka internal bug 20923261.

10.0
2015-10-01 CVE-2015-3828 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

The MPEG4Extractor::parse3GPPMetaData function in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I does not enforce a minimum size for UTF-16 strings containing a Byte Order Mark (BOM), which allows remote attackers to execute arbitrary code or cause a denial of service (integer underflow and memory corruption) via crafted 3GPP metadata, aka internal bug 20923261, a related issue to CVE-2015-3826.

10.0
2015-10-01 CVE-2015-3824 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

The MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I does not properly restrict size addition, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow and memory corruption) via a crafted MPEG-4 tx3g atom, aka internal bug 20923261.

10.0
2015-10-01 CVE-2015-1539 Google Numeric Errors vulnerability in Google Android

Multiple integer underflows in the ESDS::parseESDescriptor function in ESDS.cpp in libstagefright in Android before 5.1.1 LMY48I allow remote attackers to execute arbitrary code via crafted ESDS atoms, aka internal bug 20139950, a related issue to CVE-2015-4493.

10.0
2015-10-01 CVE-2015-1538 Google Numeric Errors vulnerability in Google Android

Integer overflow in the SampleTable::setSampleToChunkParams function in SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I allows remote attackers to execute arbitrary code via crafted atoms in MP4 data that trigger an unchecked multiplication, aka internal bug 20139950, a related issue to CVE-2015-4496.

10.0
2015-09-28 CVE-2015-5957 Opensuse
Roaring Penguin
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Buffer overflow in the DumpSysVar function in var.c in Remind before 3.1.15 allows attackers to have unspecified impact via a long name.

10.0
2015-09-28 CVE-2015-5082 Endian Firewall Command Injection vulnerability in Endian Firewall Endian Firewall

Endian Firewall before 3.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) NEW_PASSWORD_1 or (2) NEW_PASSWORD_2 parameter to cgi-bin/chpasswd.cgi.

10.0
2015-10-02 CVE-2015-6602 Google Improper Input Validation vulnerability in Google Android

libutils in Android through 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted metadata in a (1) MP3 or (2) MP4 file, as demonstrated by an attack against use of libutils by libstagefright in Android 5.x.

9.3
2015-10-02 CVE-2015-3876 Google Improper Input Validation vulnerability in Google Android

libstagefright in Android through 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted metadata in a (1) MP3 or (2) MP4 file.

9.3
2015-10-01 CVE-2015-3863 Google Numeric Errors vulnerability in Google Android

Multiple integer overflows in the Blob class in keystore/keystore.cpp in Keystore in Android before 5.1.1 LMY48M allow attackers to execute arbitrary code and read arbitrary Keystore keys via an application that uses a crafted blob in an insert operation, aka internal bug 22802399.

9.3
2015-10-01 CVE-2015-3858 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

The checkDestination function in internal/telephony/SMSDispatcher.java in Android before 5.1.1 LMY48M relies on an obsolete permission name for an authorization check, which allows attackers to bypass an intended user-confirmation requirement for SMS short-code messaging via a crafted application, aka internal bug 22314646.

9.3
2015-10-01 CVE-2015-3849 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

The Region_createFromParcel function in core/jni/android/graphics/Region.cpp in Region in Android before 5.1.1 LMY48M does not check the return values of certain read operations, which allows attackers to execute arbitrary code via an application that sends a crafted message to a service, aka internal bug 21585255.

9.3
2015-10-01 CVE-2015-3843 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

The SIM Toolkit (STK) framework in Android before 5.1.1 LMY48I allows attackers to (1) intercept or (2) emulate unspecified Telephony STK SIM commands via an application that sends a crafted Intent, related to com/android/internal/telephony/cat/AppInterface.java, aka internal bug 21697171.

9.3
2015-10-01 CVE-2015-3842 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

Multiple heap-based buffer overflows in libeffects in the Audio Policy Service in mediaserver in Android before 5.1.1 LMY48I allow attackers to execute arbitrary code via a crafted application, aka internal bug 21953516.

9.3
2015-10-01 CVE-2015-3837 Google Improper Input Validation vulnerability in Google Android

The OpenSSLX509Certificate class in org/conscrypt/OpenSSLX509Certificate.java in Android before 5.1.1 LMY48I improperly includes certain context data during serialization and deserialization, which allows attackers to execute arbitrary code via an application that sends a crafted Intent, aka internal bug 21437603.

9.3
2015-10-01 CVE-2015-3835 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

Buffer overflow in the OMXNodeInstance::emptyBuffer function in omx/OMXNodeInstance.cpp in libstagefright in Android before 5.1.1 LMY48I allows attackers to execute arbitrary code via a crafted application, aka internal bug 20634516.

9.3
2015-10-01 CVE-2015-3831 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

Buffer overflow in the readAt function in BpMediaHTTPConnection in media/libmedia/IMediaHTTPConnection.cpp in the mediaserver service in Android before 5.1.1 LMY48I allows attackers to execute arbitrary code via a crafted application, aka internal bug 19400722.

9.3
2015-10-01 CVE-2015-3827 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

The MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I does not validate the relationship between chunk sizes and skip sizes, which allows remote attackers to execute arbitrary code or cause a denial of service (integer underflow and memory corruption) via crafted MPEG-4 covr atoms, aka internal bug 20923261.

9.3
2015-10-01 CVE-2015-1528 Google Numeric Errors vulnerability in Google Android

Integer overflow in the native_handle_create function in libcutils/native_handle.c in Android before 5.1.1 LMY48M allows attackers to obtain a different application's privileges or cause a denial of service (Binder heap memory corruption) via a crafted application, aka internal bug 19334482.

9.3
2015-09-28 CVE-2015-6280 Cisco Improper Authentication vulnerability in Cisco IOS and IOS XE

The SSHv2 functionality in Cisco IOS 15.2, 15.3, 15.4, and 15.5 and IOS XE 3.6E before 3.6.3E, 3.7E before 3.7.1E, 3.10S before 3.10.6S, 3.11S before 3.11.4S, 3.12S before 3.12.3S, 3.13S before 3.13.3S, and 3.14S before 3.14.1S does not properly implement RSA authentication, which allows remote attackers to obtain login access by leveraging knowledge of a username and the associated public key, aka Bug ID CSCus73013.

9.3
2015-10-04 CVE-2015-4930 IBM Command Injection vulnerability in IBM Qradar Security Information and Event Manager

IBM QRadar SIEM 7.1 MR2 before Patch 11 IF02 and 7.2.x before 7.2.5 Patch 4 allows remote authenticated users to execute arbitrary commands with root privileges by leveraging admin access.

9.0
2015-10-04 CVE-2015-2016 IBM Command Execution vulnerability in IBM QRadar Security Information and Event Manager

Unspecified vulnerability in IBM QRadar SIEM 7.1 MR2 before Patch 11 IF02 and 7.2.x before 7.2.5 Patch 4 allows remote authenticated users to execute arbitrary commands with root privileges via unknown vectors.

9.0
2015-10-04 CVE-2015-2011 IBM Command Injection vulnerability in IBM Qradar Security Information and Event Manager

The xmlrpc.cgi Webmin script in IBM QRadar SIEM 7.1 MR2 before Patch 11 IF02 and 7.2.x before 7.2.5 Patch 4 allows remote authenticated users to execute arbitrary commands with root privileges via unspecified vectors.

9.0
2015-09-28 CVE-2015-3974 Easyio Credentials Management vulnerability in Easyio Easyio-30P-Sf and Easyio-30P-Sf Firmware

EasyIO EasyIO-30P-SF controllers with firmware before 0.5.21 and 2.x before 2.0.5.21, as used in Accutrol, Bar-Tech Automation, Infocon/EasyIO, Honeywell Automation India, Johnson Controls, SyxthSENSE, Transformative Wave Technologies, Tridium Asia Pacific, and Tridium Europe products, have a hardcoded password, which makes it easier for remote attackers to obtain access via unspecified vectors.

9.0

21 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-10-01 CVE-2015-1536 Google Numeric Errors vulnerability in Google Android

Integer overflow in the Bitmap_createFromParcel function in core/jni/android/graphics/Bitmap.cpp in Android before 5.1.1 LMY48I allows attackers to cause a denial of service (system_server crash) or obtain sensitive system_server memory-content information via a crafted application that leverages improper unmarshalling of bitmaps, aka internal bug 19666945.

8.5
2015-10-02 CVE-2015-4546 EMC Path Traversal vulnerability in EMC RSA Certificate Manager and RSA Onestep

Directory traversal vulnerability in EMC RSA OneStep 6.9 before build 559, as used in RSA Certificate Manager and RSA Registration Manager through 6.9 build 558 and other products, allows remote attackers to read arbitrary files via a crafted KCSOSC_ERROR_PAGE parameter.

7.8
2015-09-29 CVE-2015-7603 Konicaminolta Path Traversal vulnerability in Konicaminolta FTP Utility 1.0

Directory traversal vulnerability in Konica Minolta FTP Utility 1.0 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in a RETR command.

7.8
2015-09-29 CVE-2015-7602 Bisonware Path Traversal vulnerability in Bisonware Bisonftp 3.5

Directory traversal vulnerability in BisonWare BisonFTP 3.5 allows remote attackers to read arbitrary files via a ../ (dot dot slash) in a RETR command.

7.8
2015-09-29 CVE-2015-7601 Pcman S FTP Server Project Path Traversal vulnerability in Pcman'S FTP Server Project Pcman'S FTP Server 2.0.7

Directory traversal vulnerability in PCMan's FTP Server 2.0.7 allows remote attackers to read arbitrary files via a ..// (dot dot double slash) in a RETR command.

7.8
2015-09-28 CVE-2015-6279 Cisco Improper Input Validation vulnerability in Cisco IOS and IOS XE

The IPv6 snooping functionality in the first-hop security subsystem in Cisco IOS 12.2, 15.0, 15.1, 15.2, 15.3, 15.4, and 15.5 and IOS XE 3.2SE, 3.3SE, 3.3XO, 3.4SG, 3.5E, and 3.6E before 3.6.3E; 3.7E before 3.7.2E; 3.9S and 3.10S before 3.10.6S; 3.11S before 3.11.4S; 3.12S and 3.13S before 3.13.3S; and 3.14S before 3.14.2S allows remote attackers to cause a denial of service (device reload) via a malformed ND packet with the Cryptographically Generated Address (CGA) option, aka Bug ID CSCuo04400.

7.8
2015-09-28 CVE-2015-6278 Cisco Improper Input Validation vulnerability in Cisco IOS and IOS XE

The IPv6 snooping functionality in the first-hop security subsystem in Cisco IOS 12.2, 15.0, 15.1, 15.2, 15.3, 15.4, and 15.5 and IOS XE 3.2SE, 3.3SE, 3.3XO, 3.4SG, 3.5E, and 3.6E before 3.6.3E; 3.7E before 3.7.2E; 3.9S and 3.10S before 3.10.6S; 3.11S before 3.11.4S; 3.12S and 3.13S before 3.13.3S; and 3.14S before 3.14.2S does not properly implement the Control Plane Protection (aka CPPr) feature, which allows remote attackers to cause a denial of service (device reload) via a flood of ND packets, aka Bug ID CSCus19794.

7.8
2015-10-02 CVE-2015-5653 Canarylabs Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Canarylabs Trendweb

Buffer overflow in Canary Labs Trend Web Server before 9.5.2 allows remote attackers to execute arbitrary code via a crafted TCP packet.

7.5
2015-10-02 CVE-2015-2858 Datalex Authorization Bypass vulnerability in Datalex

Datalex airline booking software before 2015-09-03 allows remote attackers to read or write to arbitrary user data via a modified profileId parameter to (1) ValidateFormAction.do or (2) ProfileConfirmEditAddressAction.do.

7.5
2015-10-01 CVE-2015-7236 Rpcbind Project
Canonical
Debian
Oracle
Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code.
7.5
2015-09-29 CVE-2015-7319 Codepeople SQL Injection vulnerability in Codepeople Appointment Booking Calendar

SQL injection vulnerability in cpabc_appointments_admin_int_calendar_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to updating the username.

7.5
2015-09-29 CVE-2015-5074 X2Engine Improper Input Validation vulnerability in X2Engine X2Crm

Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension.

7.5
2015-09-28 CVE-2015-3203 H5Ai Project Unspecified vulnerability in H5Ai Project H5Ai 0.24.1

Unrestricted file upload vulnerability in h5ai before 0.25.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the directory specified by the href parameter.

7.5
2015-09-28 CVE-2015-7387 Zohocorp SQL Injection vulnerability in Zohocorp Manageengine Eventlog Analyzer

ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200.

7.5
2015-09-28 CVE-2015-7382 Refbase SQL Injection vulnerability in Refbase

SQL injection vulnerability in install.php in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to execute arbitrary SQL commands via the defaultCharacterSet parameter, a different issue than CVE-2015-6009.

7.5
2015-09-28 CVE-2015-7381 Refbase Code Injection vulnerability in Refbase

Multiple PHP remote file inclusion vulnerabilities in install.php in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary PHP code via the (1) pathToMYSQL or (2) databaseStructureFile parameter, a different issue than CVE-2015-6008.

7.5
2015-09-28 CVE-2015-6009 Refbase SQL Injection vulnerability in Refbase

Multiple SQL injection vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary SQL commands via (1) the where parameter to rss.php or (2) the sqlQuery parameter to search.php, a different issue than CVE-2015-7382.

7.5
2015-09-28 CVE-2015-6008 Refbase OS Command Injection vulnerability in Refbase

install.php in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to execute arbitrary commands via the adminPassword parameter, a different issue than CVE-2015-7381.

7.5
2015-10-01 CVE-2015-1338 Apport Project
Canonical
Link Following vulnerability in multiple products

kernel_crashdump in Apport before 2.19 allows local users to cause a denial of service (disk consumption) or possibly gain privileges via a (1) symlink or (2) hard link attack on /var/crash/vmcore.log.

7.2
2015-10-01 CVE-2015-1335 Linuxcontainers
Canonical
Link Following vulnerability in multiple products

lxc-start in lxc before 1.0.8 and 1.1.x before 1.1.4 allows local container administrators to escape AppArmor confinement via a symlink attack on a (1) mount target or (2) bind mount source.

7.2
2015-10-01 CVE-2015-3860 Google Improper Access Control vulnerability in Google Android

packages/Keyguard/res/layout/keyguard_password_view.xml in Lockscreen in Android 5.x before 5.1.1 LMY48M does not restrict the number of characters in the passwordEntry input field, which allows physically proximate attackers to bypass intended access restrictions via a long password that triggers a SystemUI crash, aka internal bug 22214934.

7.2

47 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-09-30 CVE-2015-5950 Nvidia
Microsoft
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Nvidia Display Driver and GPU Driver

The NVIDIA display driver R352 before 353.82 and R340 before 341.81 on Windows; R304 before 304.128, R340 before 340.93, and R352 before 352.41 on Linux; and R352 before 352.46 on GRID vGPU and vSGA allows local users to write to an arbitrary kernel memory location and consequently gain privileges via a crafted ioctl call.

6.9
2015-09-28 CVE-2014-9202 Advantech Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Advantech Webaccess 8.0

Multiple stack-based buffer overflows in an unspecified DLL file in Advantech WebAccess before 8.0_20150816 allow remote attackers to execute arbitrary code via a crafted file that triggers long string arguments to functions.

6.9
2015-10-03 CVE-2015-0145 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Openpages GRC Platform

Cross-site request forgery (CSRF) vulnerability in IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7.0 before FP4, and 7.1 before FP1 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.

6.8
2015-10-02 CVE-2015-6309 Cisco Resource Management Errors vulnerability in Cisco products

Cisco Email Security Appliance (ESA) 8.5.6-106 and 9.6.0-042 allows remote authenticated users to cause a denial of service (file-descriptor consumption and device reload) via crafted HTTP requests, aka Bug ID CSCuw32211.

6.8
2015-10-01 CVE-2015-7612 Mcafee Cross-Site Request Forgery (CSRF) vulnerability in Mcafee vulnerability Manager 7.0.11/7.5.4/7.5.5

Multiple cross-site request forgery (CSRF) vulnerabilities in the Organizations page in Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.9 and earlier allow remote attackers to hijack the authentication of administrators for requests that have unspecified impact via unknown vectors.

6.8
2015-10-01 CVE-2015-3845 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

The Parcel::appendFrom function in libs/binder/Parcel.cpp in Binder in Android before 5.1.1 LMY48M does not consider parcel boundaries during identification of binder objects in an append operation, which allows attackers to obtain a different application's privileges via a crafted application, aka internal bug 17312693.

6.8
2015-10-01 CVE-2015-3844 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

The getProcessRecordLocked method in services/core/java/com/android/server/am/ActivityManagerService.java in ActivityManager in Android before 5.1.1 LMY48I allows attackers to trigger incorrect process loading via a crafted application, as demonstrated by interfering with use of the Settings application, aka internal bug 21669445.

6.8
2015-09-29 CVE-2015-7337 Ipython
Jupyter
Improper Input Validation vulnerability in multiple products

The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types.

6.8
2015-09-29 CVE-2015-5075 X2Engine Cross-Site Request Forgery (CSRF) vulnerability in X2Engine X2Crm

Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create.

6.8
2015-09-28 CVE-2015-5400 Fedoraproject
Debian
Squid Cache
Permissions, Privileges, and Access Controls vulnerability in multiple products

Squid before 3.5.6 does not properly handle CONNECT method peer responses when configured with cache_peer, which allows remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request.

6.8
2015-09-28 CVE-2015-6928 Cubecart Improper Access Control vulnerability in Cubecart

classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate parameter and the administrator email in the email parameter.

6.8
2015-09-28 CVE-2015-6007 Refbase Cross-Site Request Forgery (CSRF) vulnerability in Refbase

Cross-site request forgery (CSRF) vulnerability in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to hijack the authentication of arbitrary users.

6.8
2015-09-28 CVE-2015-5703 Open Xchange OX Guard SQL Injection vulnerability in Open-Xchange OX Guard Open-Xchange OX Guard

SQL injection vulnerability in the public key discovery API call in Open-Xchange OX Guard before 2.0.0-rev8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

6.5
2015-09-28 CVE-2015-6307 Cisco Resource Management Errors vulnerability in Cisco Firepower 5.4.0.1

Cisco FirePOWER (formerly Sourcefire) 7000 and 8000 devices with software 5.4.0.1 allow remote attackers to cause a denial of service (inspection-engine outage) via crafted packets, aka Bug ID CSCuu10871.

6.1
2015-10-04 CVE-2015-2026 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Websphere Extreme Scale 7.1.0/7.1.0.2/7.1.1

Cross-site request forgery (CSRF) vulnerability in IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1.1.1 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.

6.0
2015-09-28 CVE-2015-6463 Codewrights
Endress Hauser
CodeWrights HART Comm DTM components, as used with Endress+Hauser FieldCare, allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a longtag XML schema containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
5.8
2015-09-28 CVE-2015-6012 Refbase Unspecified vulnerability in Refbase

Multiple open redirect vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge before 2015-01-08 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the referrer parameter.

5.8
2015-10-04 CVE-2015-2030 IBM Security Bypass vulnerability in IBM Websphere Extreme Scale 7.1.0/7.1.0.2/7.1.1

IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1.1.1 has an improper account-lockout setting, which makes it easier for remote attackers to obtain access via a brute-force attack.

5.0
2015-10-04 CVE-2015-1934 IBM Cryptographic Issues vulnerability in IBM products

IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX002, and 7.6.0 before 7.6.0.1 IFIX001; Maximo Asset Management 7.5.x before 7.5.0.8 IFIX002 and 7.6.0 before 7.6.0.1 IFIX001 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products do not properly encrypt passwords, which makes it easier for context-dependent attackers to determine cleartext passwords by leveraging access to a password file.

5.0
2015-10-01 CVE-2015-3861 Google Numeric Errors vulnerability in Google Android

Multiple integer overflows in the addVorbisCodecInfo function in matroska/MatroskaExtractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allow remote attackers to cause a denial of service (device inoperability) via crafted Matroska data, aka internal bug 21296336.

5.0
2015-10-01 CVE-2015-3826 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

The MPEG4Extractor::parse3GPPMetaData function in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I does not enforce a minimum size for UTF-16 strings containing a Byte Order Mark (BOM), which allows remote attackers to cause a denial of service (integer underflow, buffer over-read, and mediaserver process crash) via crafted 3GPP metadata, aka internal bug 20923261, a related issue to CVE-2015-3828.

5.0
2015-09-29 CVE-2015-0852 Freeimage Project Numeric Errors vulnerability in Freeimage Project Freeimage 3.17.0

Multiple integer underflows in PluginPCX.cpp in FreeImage 3.17.0 and earlier allow remote attackers to cause a denial of service (heap memory corruption) via vectors related to the height and width of a window.

5.0
2015-09-28 CVE-2015-6806 GNU Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in GNU Screen

The MScrollV function in ansi.c in GNU screen 4.3.1 and earlier does not properly limit recursion, which allows remote attackers to cause a denial of service (stack consumption) via an escape sequence with a large repeat count value.

5.0
2015-09-28 CVE-2015-5185 Opensuse
Standards Based Linux Instrumentation
Denial of Service vulnerability in SBLIM-SFCB 'lookupProviders()' Function

The lookupProviders function in providerMgr.c in sblim-sfcb 1.3.4 and 1.3.18 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty className in a packet.

5.0
2015-09-28 CVE-2015-5372 Adnovum Improper Authentication vulnerability in Adnovum Nevisauth

The SAML 2.0 implementation in AdNovum nevisAuth 4.13.0.0 before 4.18.3.1, when using SAML POST-Binding, does not match all attributes of the X.509 certificate embedded in the assertion against the certificate from the identity provider (IdP), which allows remote attackers to inject arbitrary SAML assertions via a crafted certificate.

5.0
2015-09-28 CVE-2015-6011 Refbase Unspecified vulnerability in Refbase

Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge before 2015-01-08 allows remote attackers to conduct XML injection attacks via (1) the id parameter to unapi.php or (2) the stylesheet parameter to sru.php.

5.0
2015-09-29 CVE-2015-5442 HP Local Privilege Escalation vulnerability in HP Software Update

Unspecified vulnerability in HP Software Update before 5.005.002.002 allows local users to gain privileges via unknown vectors.

4.6
2015-10-04 CVE-2015-2029 IBM Session Hijacking vulnerability in IBM Websphere Extreme Scale 7.1.0/7.1.0.2/7.1.1

Session fixation vulnerability in IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1.1.1 allows remote attackers to hijack web sessions via a session identifier.

4.3
2015-10-04 CVE-2015-2028 IBM HTTP Response Splitting vulnerability in IBM Websphere Extreme Scale 7.1.0/7.1.0.2/7.1.1

CRLF injection vulnerability in IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1.1.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.

4.3
2015-10-04 CVE-2015-2025 IBM Information Exposure vulnerability in IBM Websphere Extreme Scale 7.1.0/7.1.0.2/7.1.1

IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1.1.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session.

4.3
2015-10-03 CVE-2015-5651 Dotclear Cross-site Scripting vulnerability in Dotclear

Cross-site scripting (XSS) vulnerability in Dotclear before 2.8.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2015-10-03 CVE-2015-0195 IBM Cross-site Scripting vulnerability in IBM Content Template Catalog 4.0

Cross-site scripting (XSS) vulnerability in IBM Content Template Catalog 4.x before 4.1.4 for WebSphere Portal 8.0.x and 4.x before 4.3.1 for WebSphere Portal 8.5.x allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3
2015-10-01 CVE-2015-3833 Google Improper Access Control vulnerability in Google Android

The getRunningAppProcesses function in services/core/java/com/android/server/am/ActivityManagerService.java in Android before 5.1.1 LMY48I allows attackers to bypass intended getRecentTasks restrictions and discover the name of the foreground application via a crafted application, aka internal bug 20034603.

4.3
2015-10-01 CVE-2015-1541 Google Improper Access Control vulnerability in Google Android

The AppWidgetServiceImpl implementation in com/android/server/appwidget/AppWidgetServiceImpl.java in the Settings application in Android before 5.1.1 LMY48I allows attackers to obtain a URI permission via an application that sends an Intent with a (1) FLAG_GRANT_READ_URI_PERMISSION or (2) FLAG_GRANT_WRITE_URI_PERMISSION flag, as demonstrated by bypassing intended restrictions on reading contacts, aka internal bug 19618745.

4.3
2015-09-29 CVE-2015-7604 Splunk Cross-site Scripting vulnerability in Splunk

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.2.x before 6.2.6 and Splunk Light 6.2.x before 6.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2015-09-29 CVE-2015-7320 Codepeople Cross-site Scripting vulnerability in Codepeople Appointment Booking Calendar

Multiple cross-site scripting (XSS) vulnerabilities in cpabc_appointments_admin_int_bookings_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2015-09-29 CVE-2015-5076 X2Engine Cross-site Scripting vulnerability in X2Engine X2Crm

Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc, (4) fg, (5) bgc, or (6) font parameter in protected/views/site/listener.php; the (7) Services[*] parameter in protected/components/views/webForm.php; the (8) file parameter in protected/components/TranslationManager.php; the (9) x2_key parameter in protected/tests/webscripts/x2WebTrackingTestPages/customWebLeadCaptureScriptTest.php; the (10) id parameter in protected/modules/contacts/controllers/ContactsController.php; or the (11) lastEventId parameter to index.php/profile/getEvents.

4.3
2015-09-28 CVE-2015-5375 Open Xchange Cross-site Scripting vulnerability in Open-Xchange Appsuite and Open-Xchange Server

Cross-site scripting (XSS) vulnerability in unspecified dialogs for printing content in the Front End in Open-Xchange Server 6 and OX App Suite before 6.22.8-rev8, 6.22.9 before 6.22.9-rev15m, 7.x before 7.6.1-rev25, and 7.6.2 before 7.6.2-rev20 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to object properties.

4.3
2015-09-28 CVE-2015-7383 Refbase Cross-site Scripting vulnerability in Refbase

Multiple cross-site scripting (XSS) vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge through 2015-04-28 allow remote attackers to inject arbitrary web script or HTML via the (1) adminUserName, (2) pathToMYSQL, (3) databaseStructureFile, or (4) pathToBibutils parameter to install.php or the (5) adminUserName parameter to update.php.

4.3
2015-09-28 CVE-2015-6010 Refbase Cross-site Scripting vulnerability in Refbase

Multiple cross-site scripting (XSS) vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge before 2015-01-08 allow remote attackers to inject arbitrary web script or HTML via the (1) errorNo or (2) errorMsg parameter to error.php; the (3) viewType parameter to duplicate_manager.php; the (4) queryAction, (5) displayType, (6) citeOrder, (7) sqlQuery, (8) showQuery, (9) showLinks, (10) showRows, or (11) queryID parameter to query_manager.php; the (12) sourceText or (13) sourceIDs parameter to import.php; or the (14) typeName or (15) fileName parameter to modify.php.

4.3
2015-10-03 CVE-2015-0143 IBM Information Exposure vulnerability in IBM Openpages GRC Platform

IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7.0 before FP4, and 7.1 before FP1 allows remote authenticated users to obtain sensitive information by reading error messages.

4.0
2015-10-03 CVE-2015-0142 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Openpages GRC Platform

IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7.0 before FP4, and 7.1 before FP1 allows remote authenticated users to cause a denial of service (maintenance-mode transition and data-storage outage) by calling the System Administration Mode function.

4.0
2015-10-03 CVE-2015-0141 IBM Improper Access Control vulnerability in IBM Openpages GRC Platform

IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7.0 before FP4, and 7.1 before FP1 allows remote authenticated users to modify arbitrary user filters via a JSON request.

4.0
2015-10-02 CVE-2015-6308 Cisco Resource Management Errors vulnerability in Cisco Nx-Os 6.0(2)U6(0.46)

Cisco NX-OS 6.0(2)U6(0.46) on N3K devices allows remote authenticated users to cause a denial of service (temporary SNMP outage) via an SNMP request for an OID that does not exist, aka Bug ID CSCuw36684.

4.0
2015-09-30 CVE-2015-5435 HP Remote Denial of Service vulnerability in HP products

Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmware 3 before 1.85 and 4 before 2.22 allows remote authenticated users to cause a denial of service via unknown vectors.

4.0
2015-09-29 CVE-2015-0299 Open Source Point OF Sale Project Cross-site Scripting vulnerability in Open Source Point of Sale Project Open Source Point of Sale 2.3.1

Multiple cross-site scripting (XSS) vulnerabilities in Open Source Point of Sale 2.3.1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

4.0
2015-09-29 CVE-2015-5711 Tibco Information Exposure vulnerability in Tibco products

TIBCO Managed File Transfer Internet Server before 7.2.5, Managed File Transfer Command Center before 7.2.5, Slingshot before 1.9.4, and Vault before 2.0.1 allow remote authenticated users to obtain sensitive information via a crafted HTTP request.

4.0

13 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2015-10-01 CVE-2015-7311 XEN Code vulnerability in XEN

libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag on disks when using the qemu-xen device model, which allows local guest users to write to a read-only disk image.

3.6
2015-09-28 CVE-2015-6927 Openvz Link Following vulnerability in Openvz Vzctl

vzctl before 4.9.4 determines the virtual environment (VE) layout based on the presence of root.hdd/DiskDescriptor.xml in the VE private directory, which allows local simfs container (CT) root users to change the root password for arbitrary ploop containers, as demonstrated by a symlink attack on the ploop container root.hdd file and then access a control panel.

3.6
2015-10-04 CVE-2015-2031 IBM Cross-site Scripting vulnerability in IBM Websphere Extreme Scale 7.1.0/7.1.0.2/7.1.1

Cross-site scripting (XSS) vulnerability in IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1.1.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

3.5
2015-10-04 CVE-2015-1988 IBM Cross-site Scripting vulnerability in IBM products

Cross-site scripting (XSS) vulnerability in IBM Tivoli Storage Manger for Virtual Environments: Data Protection for VMware 6.3 before 6.3.2.5, 6.4 before 6.4.3.1, and 7.1 before 7.1.3 and Tivoli Storage FlashCopy Manager for VMware 3.1 before 3.1.1.3, 3.2 before 3.2.0.6, and 4.1 before 4.1.3.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

3.5
2015-10-04 CVE-2015-1983 IBM Cross-site Scripting vulnerability in IBM Urbancode Build 6.1.0.0/6.1.0.1/6.1.0.2

Cross-site scripting (XSS) vulnerability in the Projects page in IBM UrbanCode Build 6.1.x before 6.1.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

3.5
2015-10-04 CVE-2015-1969 IBM Cross-site Scripting vulnerability in IBM Tivoli Common Reporting

Cross-site scripting (XSS) vulnerability in IBM Tivoli Common Reporting (TCR) 2.1 before IF13 and 2.1.1 before IF21, and TCR 3.1.x as used in Cognos Business Intelligence before 10.2 IF0015 and other products, allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

3.5
2015-10-03 CVE-2015-4955 IBM Cross-site Scripting vulnerability in IBM Business Process Manager

Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 before 8.5.6.0 CF1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

3.5
2015-10-03 CVE-2015-1888 IBM Cross-site Scripting vulnerability in IBM Content Navigator 2.0.2/2.0.3

Cross-site scripting (XSS) vulnerability in IBM Content Navigator 2.0.2 before 2.0.2-ICN-FP007 and 2.0.3 before 2.0.3-ICN-FP003, as used in Content Manager, FileNet Content Manager, Content Foundation, Content Manager OnDemand, and other products, allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.

3.5
2015-10-03 CVE-2015-0144 IBM Cross-site Scripting vulnerability in IBM Openpages GRC Platform

Cross-site scripting (XSS) vulnerability in IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7.0 before FP4, and 7.1 before FP1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-8916.

3.5
2015-10-03 CVE-2014-8916 IBM Cross-site Scripting vulnerability in IBM Openpages GRC Platform

Cross-site scripting (XSS) vulnerability in IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7.0 before FP4, and 7.1 before FP1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2015-0144.

3.5
2015-09-28 CVE-2015-7386 Ghozylab Cross-site Scripting vulnerability in Ghozylab Gallery - Photo Albums - Portfolio 1.3.47

Multiple cross-site scripting (XSS) vulnerabilities in includes/metaboxes.php in the Gallery - Photo Albums - Portfolio plugin 1.3.47 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) Media Title or (2) Media Subtitle fields.

3.5
2015-10-04 CVE-2015-2027 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Websphere Extreme Scale 7.1.0/7.1.0.2/7.1.1

IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1.1.1 improperly performs logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.

2.1
2015-10-04 CVE-2015-1933 IBM Information Exposure vulnerability in IBM products

IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX001, and 7.6.0 before 7.6.0.1 IFIX001; Maximo Asset Management 7.5.x before 7.5.0.8 IFIX001 and 7.6.0 before 7.6.0.1 IFIX001 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products do not have an off autocomplete attribute for the password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.

2.1