CVE Daily
← All years

All CVEs — 2015

Page 29/32.

Browse all CVEs by publication year. Use filters to refine.

CVSS ≥ 0.0
2015-02-03
High

CVE-2015-1441

SQL injection vulnerability in Piwigo before 2.5.6, 2.6.x before 2.6.5, and 2.7.x before 2.7.3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2015-1433

program/lib/Roundcube/rcube_washtml.php in Roundcube before 1.0.5 does not properly quote strings, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the style attribute…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2015-1428

Multiple SQL injection vulnerabilities in Sefrengo before 1.6.2 allow (1) remote attackers to execute arbitrary SQL commands via the sefrengo cookie in a login to backend/main.php or (2) remote authe…

CVSS: 7.5 CWE: CWE-89
Read more
High

CVE-2015-1405

SQL injection vulnerability in the Content Rating Extbase extension 2.0.3 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2015-1404

Cross-site scripting (XSS) vulnerability in the Content Rating Extbase extension 2.0.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2015-1403

SQL injection vulnerability in the Content Rating extension 1.0.3 and earlier for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2015-1402

Cross-site scripting (XSS) vulnerability in the Content Rating extension 1.0.3 and earlier for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2015-1400

SQL injection vulnerability in search.php in NPDS Revolution 13 allows remote attackers to execute arbitrary SQL commands via the query parameter.

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2015-1384

Cross-site scripting (XSS) vulnerability in the Banner Effect Header plugin before 1.2.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the banner_effect_divid param…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2015-1382

parsers.c in Privoxy before 3.0.23 allows remote attackers to cause a denial of service (invalid read and crash) via vectors related to an HTTP time header.

CVSS: 5.0 CWE: CWE-20
Read more
Medium

CVE-2015-1380

jcc.c in Privoxy before 3.0.23 allows remote attackers to cause a denial of service (abort) via a crafted chunk-encoded body.

CVSS: 5.0 CWE: CWE-20
Read more
High

CVE-2015-1348

Heap-based buffer overflow in Aruba Instant (IAP) with firmware before 4.0.0.7 and 4.1.x before 4.1.1.2 allows remote attackers to cause a denial of service (crash or reset to factory default) via a…

CVSS: 7.8 CWE: CWE-119
Read more
Critical

CVE-2014-9574

Directory traversal vulnerability in install.php in FluxBB before 1.5.8 allows remote attackers to include and execute arbitrary local install.php files via a .. (dot dot) in the install_lang paramet…

CVSS: 9.3 CWE: CWE-22
Read more
Low

CVE-2014-9568

puppetlabs-rabbitmq 3.0 through 4.1 stores the RabbitMQ Erlang cookie value in the facts of a node, which allows local users to obtain sensitive information as demonstrated by using Facter.

CVSS: 2.1 CWE: CWE-200
Read more
Medium

CVE-2014-9559

Cross-site scripting (XSS) vulnerability in SnipSnap 0.5.2a, 1.0b1, and 1.0b2 allows remote attackers to inject arbitrary web script or HTML via the query parameter to /snipsnap-search.

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2014-9328

ClamAV before 0.98.6 allows remote attackers to have unspecified impact via a crafted upack packer file, related to a "heap out of bounds condition."

CVSS: 7.5 CWE: CWE-119
Read more
Medium

CVE-2014-5360

Cross-site scripting (XSS) vulnerability in the admin interface in LANDESK Management Suite before 9.6 SP1 allows remote attackers to inject arbitrary web script or HTML via the AMTVersion parameter…

CVSS: 4.3 CWE: CWE-79
Read more
2015-02-02
Critical

CVE-2015-0313

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows remote attackers to execute ar…

CVSS: 9.8 CWE: CWE-416
Read more
Low

CVE-2015-1451

Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiOS 5.0 Patch 7 build 4457 allow remote authenticated users to inject arbitrary web script or HTML via the (1) WTP Name or (2) WTP…

CVSS: 3.5 CWE: CWE-79
Read more
High

CVE-2015-1450

SQL injection vulnerability in Restaurant Biller allows remote attackers to execute arbitrary SQL commands via the cid parameter in a category action to index.php.

CVSS: 7.5 CWE: CWE-89
Read more
Critical

CVE-2015-1449

Buffer overflow in the integrated web server on Siemens Ruggedcom WIN51xx devices with firmware before SS4.4.4624.35, WIN52xx devices with firmware before SS4.4.4624.35, WIN70xx devices with firmware…

CVSS: 10.0 CWE: CWE-119
Read more
Medium

CVE-2015-1393

SQL injection vulnerability in the Photo Gallery plugin before 1.2.11 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the asc_or_desc parameter in a create galle…

CVSS: 6.5 CWE: CWE-89
Read more
Medium

CVE-2015-1385

Cross-site scripting (XSS) vulnerability in the Blubrry PowerPress Podcasting plugin before 6.0.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the cat parameter in…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2015-1383

Cross-site scripting (XSS) vulnerability in the geo search widget in the Geo Mashup plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the search key.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2015-1357

Siemens Ruggedcom WIN51xx devices with firmware before SS4.4.4624.35, WIN52xx devices with firmware before SS4.4.4624.35, WIN70xx devices with firmware before BS4.4.4621.32, and WIN72xx devices with…

CVSS: 5.0 CWE: CWE-200
Read more
Medium

CVE-2015-1049

The web server on Siemens SCALANCE X-200IRT switches with firmware before 5.2.0 allows remote attackers to hijack sessions via unspecified vectors.

CVSS: 6.8 CWE: CWE-20
Read more
Medium

CVE-2015-0866

Multiple cross-site scripting (XSS) vulnerabilities in Zoho ManageEngine SupportCenter Plus 7.9 before hotfix 7941 allow remote attackers to inject arbitrary web script or HTML via the (1) fromCustom…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2015-0597

The Forgot Password feature in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to enumerate administrative accounts via crafted packets, aka Bug IDs CSCuj67166 and CSCuj67…

CVSS: 5.0 CWE: CWE-20
Read more
Medium

CVE-2015-0596

Cross-site request forgery (CSRF) vulnerability in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuj67163.

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2015-0595

The XMLAPI in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to obtain sensitive information by reading return messages from crafted GET requests, aka Bug ID CSCuj67079.

CVSS: 5.0 CWE: CWE-200
Read more
Medium

CVE-2014-6170

The HTTPInput node in IBM WebSphere Message Broker 7.0 before 7.0.0.8 and 8.0 before 8.0.0.6 and IBM Integration Bus 9.0 before 9.0.0.4 allows remote attackers to obtain sensitive information by trig…

CVSS: 5.0 CWE: CWE-200
Read more
2015-02-01
High

CVE-2014-9200

Stack-based buffer overflow in an unspecified DLL file in a DTM development kit in Schneider Electric Unity Pro, SoMachine, SoMove, SoMove Lite, Modbus Communication Library 2.2.6 and earlier, CANope…

CVSS: 7.5 CWE: CWE-119
Read more
Medium

CVE-2014-8630

Bugzilla before 4.0.16, 4.1.x and 4.2.x before 4.2.12, 4.3.x and 4.4.x before 4.4.7, and 5.x before 5.0rc1 allows remote authenticated users to execute arbitrary commands by leveraging the editcompon…

CVSS: 6.5 CWE: CWE-77
Read more
Medium

CVE-2014-7270

Cross-site request forgery (CSRF) vulnerability on ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S router…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2014-7269

ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S routers with firmware 3.0.0.4.376.3715 and earlier, RT-N6…

CVSS: 6.5 CWE: CWE-78
Read more
Medium

CVE-2015-0926

Labtech before 100.237 on Linux uses world-writable permissions for root-executed scripts, which allows local users to gain privileges by modifying a script file.

CVSS: 6.8 CWE: CWE-284
Read more
Medium

CVE-2015-0870

Cross-site scripting (XSS) vulnerability in hb.cgi in Nishishi Factory Fumy News Clipper 2.x before 2.5.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-8267

Cross-site scripting (XSS) vulnerability in QPR Portal 2014.1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the RID parameter.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-8266

Multiple cross-site scripting (XSS) vulnerabilities in the note-creation page in QPR Portal 2014.1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2)…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-7287

The key-management component in Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allows remote attackers to trigger unintended content in outbound e-mail messages via a…

CVSS: 5.0 CWE: CWE-74
Read more
2015-01-30
Critical

CVE-2014-9161

CoolType.dll in Adobe Reader and Acrobat 10.x before 10.1.13 and 11.x before 11.0.10 on Windows, and 10.x through 10.1.13 and 11.x through 11.0.10 on OS X, allows remote attackers to cause a denial o…

CVSS: 9.3 CWE: CWE-119
Read more
Medium

CVE-2014-8839

Spotlight in Apple OS X before 10.10.2 does not enforce the Mail "Load remote content in messages" configuration, which allows remote attackers to discover recipient IP addresses by including an inli…

CVSS: 5.0 CWE: CWE-200
Read more
Critical

CVE-2014-8836

The Bluetooth driver in Apple OS X before 10.10.2 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (arbitrary-size bzero of kernel memory) via a crafted…

CVSS: 10.0 CWE: CWE-20
Read more
Low

CVE-2014-8834

UserAccountUpdater in Apple OS X 10.10 before 10.10.2 stores a PDF document's password in a printing preference file, which allows local users to obtain sensitive information by reading a file.

CVSS: 2.1 CWE: CWE-200
Read more
Low

CVE-2014-8833

SpotlightIndex in Apple OS X before 10.10.2 does not properly perform deserialization during access to a permission cache, which allows local users to read search results associated with other users'…

CVSS: 2.1 CWE: CWE-284
Read more
Medium

CVE-2014-8832

The indexing functionality in Spotlight in Apple OS X before 10.10.2 writes memory contents to an external hard drive, which allows local users to obtain sensitive information by reading from this dr…

CVSS: 4.9 CWE: CWE-200
Read more
Medium

CVE-2014-8830

Heap-based buffer overflow in SceneKit in Apple OS X before 10.10.2 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted accessor element i…

CVSS: 6.8 CWE: CWE-119
Read more
High

CVE-2014-8829

SceneKit in Apple OS X before 10.10.2 allows attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via a crafted app.

CVSS: 7.5 CWE: CWE-119
Read more
Low

CVE-2014-8827

LoginWindow in Apple OS X before 10.10.2 does not transition to the lock-screen state immediately upon being woken from sleep, which allows physically proximate attackers to obtain sensitive informat…

CVSS: 2.1 CWE: CWE-284
Read more
High

CVE-2014-8825

The kernel in Apple OS X before 10.10.2 does not properly perform identitysvc validation of certain directory-service functionality, which allows local users to gain privileges or spoof directory-ser…

CVSS: 7.2 CWE: CWE-20
Read more
Critical

CVE-2014-8824

The kernel in Apple OS X before 10.10.2 does not properly validate IODataQueue object metadata fields, which allows attackers to execute arbitrary code in a privileged context via a crafted app.

CVSS: 10.0 CWE: CWE-20
Read more
Low

CVE-2014-4499

The App Store process in CommerceKit Framework in Apple OS X before 10.10.2 places Apple ID credentials in App Store logs, which allows local users to obtain sensitive information by reading a file.

CVSS: 2.1 CWE: CWE-200
Read more
Medium

CVE-2014-4494

Springboard in Apple iOS before 8.1.3 does not properly validate signatures when determining whether to solicit an app trust decision from the user, which allows attackers to bypass intended first-la…

CVSS: 6.8 CWE: CWE-20
Read more
Medium

CVE-2014-4491

The extension APIs in the kernel in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 do not prevent the presence of addresses within an OSBundleMachOHeaders key in a respo…

CVSS: 5.0 CWE: CWE-200
Read more
Critical

CVE-2014-4487

Buffer overflow in IOHIDFamily in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows attackers to execute arbitrary code in a privileged context via a crafted app.

CVSS: 10.0 CWE: CWE-119
Read more
High

CVE-2014-4485

Buffer overflow in the XML parser in Foundation in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of…

CVSS: 7.5 CWE: CWE-119
Read more
Medium

CVE-2014-4483

Buffer overflow in FontParser in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 allows remote attackers to execute arbitrary code or cause a denial of service (applicati…

CVSS: 6.8 CWE: CWE-119
Read more
Critical

CVE-2014-4480

Directory traversal vulnerability in afc in AppleFileConduit in Apple iOS before 8.1.3 and Apple TV before 7.0.3 allows attackers to access unintended filesystem locations by creating a symlink.

CVSS: 10.0 CWE: CWE-59
Read more
Medium

CVE-2014-4479

WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a d…

CVSS: 6.8 CWE: CWE-119
Read more
Medium

CVE-2014-4477

WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a d…

CVSS: 6.8 CWE: CWE-119
Read more
Medium

CVE-2014-4476

WebKit, as used in Apple iOS before 8.1.3; Apple Safari before 6.2.3, 7.x before 7.1.3, and 8.x before 8.0.3; and Apple TV before 7.0.3, allows remote attackers to execute arbitrary code or cause a d…

CVSS: 6.8 CWE: CWE-119
Read more
2015-01-29
Low

CVE-2015-1043

The Host Guest File System (HGFS) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware Fusion 6.x before 6.0.5 and 7.x before 7.0.1 allows guest OS users to cause a gu…

CVSS: 3.3 CWE: CWE-20
Read more
Medium

CVE-2015-1424

Cross-site request forgery (CSRF) vulnerability in Gecko CMS 2.2 and 2.3 allows remote attackers to hijack the authentication of administrators for requests that add an administrator user via a newus…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2015-1423

Multiple SQL injection vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote administrators to execute arbitrary SQL commands via the (1) jak_delete_log[] or (2) ssp parameter to admin/index.php.

CVSS: 6.5 CWE: CWE-89
Read more
Medium

CVE-2015-1422

Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) horder[], (2) jak_catid, (3) jak_content, (4) ja…

CVSS: 4.3 CWE: CWE-79
Read more
Low

CVE-2015-0236

libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (…

CVSS: 3.5 CWE: CWE-200
Read more
Low

CVE-2014-8893

Multiple cross-site scripting (XSS) vulnerabilities in (1) mainpage.jsp and (2) GetImageServlet.img in IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allow r…

CVSS: 3.5 CWE: CWE-79
Read more
2015-01-28
Critical

CVE-2015-0312

Double free vulnerability in Adobe Flash Player before 13.0.0.264 and 14.x through 16.x before 16.0.0.296 on Windows and OS X and before 11.2.202.440 on Linux allows attackers to execute arbitrary co…

CVSS: 9.3 CWE: CWE-415
Read more
High

CVE-2014-8920

Buffer overflow in the Data Transfer Program in IBM i Access 5770-XE1 5R4, 6.1, and 7.1 on Windows allows local users to gain privileges via unspecified vectors.

CVSS: 7.2 CWE: CWE-119
Read more
Medium

CVE-2014-8917

Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/a…

CVSS: 4.3 CWE: CWE-79
Read more
Critical

CVE-2015-0235

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors relate…

CVSS: 10.0 CWE: CWE-787
Read more
Medium

CVE-2015-1376

pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host…

CVSS: 4.0 CWE: CWE-284
Read more
2015-01-27
High

CVE-2014-8154

The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash…

CVSS: 7.5 CWE: CWE-119
Read more
Medium

CVE-2014-5211

Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response.

CVSS: 6.8 CWE: CWE-119
Read more
Medium

CVE-2015-1374

Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to hijack the authentication of administrators for requests that conduct (1) cr…

CVSS: 6.8 CWE: CWE-352
Read more
Medium

CVE-2015-1373

Multiple cross-site scripting (XSS) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to inject arbitrary web script or HTML via the (1) action parameter in a search reques…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2015-1372

SQL injection vulnerability in ferretCMS 1.0.4-alpha allows remote attackers to execute arbitrary SQL commands via the p parameter in an update action to admin.php.

CVSS: 7.5 CWE: CWE-89
Read more
High

CVE-2015-1371

Unrestricted file upload vulnerability in ferretCMS 1.0.4-alpha allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct…

CVSS: 7.5 CWE: CWE-20
Read more
High

CVE-2015-1369

SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter.

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2015-1368

Multiple cross-site scripting (XSS) vulnerabilities in Ansible Tower (aka Ansible UI) before 2.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) order_by parameter to cred…

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2015-1367

SQL injection vulnerability in index.php in CatBot 0.4.2 allows remote attackers to execute arbitrary SQL commands via the lastcatbot parameter.

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2015-1366

Cross-site scripting (XSS) vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the image_user…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2015-1365

Directory traversal vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to write to arbitrary files via a .. (dot dot) in the q parameter.

CVSS: 5.0 CWE: CWE-22
Read more
High

CVE-2015-1364

SQL injection vulnerability in the getProfile function in system/profile.functions.php in Free Reprintables ArticleFR 3.0.5 allows remote attackers to execute arbitrary SQL commands via the username…

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2015-1363

Cross-site scripting (XSS) vulnerability in Free Reprintables ArticleFR 3.0.5 allows remote attackers to inject arbitrary web script or HTML via the q parameter to search/v/.

CVSS: 4.3 CWE: CWE-79
Read more
High

CVE-2015-1362

Buffer overflow in the Customize 35mm tab in Two Pilots Exif Pilot 4.7.2 allows remote attackers to execute arbitrary code via a long string in the maker element in an XML file.

CVSS: 7.5 CWE: CWE-119
Read more
High

CVE-2015-1360

Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data that is improper…

CVSS: 7.5 CWE: CWE-119
Read more
Medium

CVE-2014-9649

Cross-site scripting (XSS) vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the path info to api/…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-9648

components/navigation_interception/intercept_navigation_resource_throttle.cc in Google Chrome before 40.0.2214.91 on Android does not properly restrict use of intent: URLs to open an application afte…

CVSS: 4.3 CWE: CWE-284
Read more
High

CVE-2014-9197

The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sens…

CVSS: 7.8 CWE: CWE-284
Read more
2015-01-26
Medium

CVE-2015-1308

kde-workspace 4.2.0 and plasma-workspace before 5.1.95 allows remote attackers to obtain input events, and consequently obtain passwords, by leveraging access to the X server when the screen is locke…

CVSS: 4.3 CWE: CWE-200
Read more
Medium

CVE-2015-1307

plasma-workspace before 5.1.95 allows remote attackers to obtain passwords via a Trojan horse Look and Feel package.

CVSS: 4.3 CWE: CWE-284
Read more
Medium

CVE-2015-1179

Multiple cross-site scripting (XSS) vulnerabilities in data_point_details.shtm in Mango Automation 2.4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dpid, (2…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2015-1178

Multiple cross-site scripting (XSS) vulnerabilities in cart.php in X-Cart 5.1.8 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) product_id or (2) category_id par…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-9573

SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the…

CVSS: 6.0 CWE: CWE-89
Read more
High

CVE-2014-9572

MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with t…

CVSS: 7.5 CWE: CWE-284
Read more
Medium

CVE-2014-9571

Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-8158

Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 200…

CVSS: 6.8 CWE: CWE-119
Read more
2015-01-23
Critical

CVE-2015-0310

Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not properly restrict discovery of memory addresses, which allow…

CVSS: 9.8 CWE: CWE-200
Read more
Medium

CVE-2015-1347

Cross-site scripting (XSS) vulnerability in client.inc.php in osTicket before 1.9.5.1 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.

CVSS: 4.3 CWE: CWE-79
Read more
Low

CVE-2015-1200

Race condition in pxz 4.999.99 Beta 3 uses weak file permissions for the output file when compressing a file before changing the permission to match the original file, which allows local users to byp…

CVSS: 2.1 CWE: CWE-362
Read more
Medium

CVE-2015-1180

Cross-site scripting (XSS) vulnerability in the Web Reports in EventSentry 3.1.0 allows remote attackers to inject arbitrary web script or HTML via the pageId parameter to networktile/bullet.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2015-1176

Cross-site scripting (XSS) vulnerability in upload/scp/tickets.php in osTicket before 1.9.5 allows remote attackers to inject arbitrary web script or HTML via the status parameter in a search action.

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2014-9640

oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file.

CVSS: 5.0 CWE: CWE-119
Read more
2015-01-22
Medium

CVE-2014-7947

OpenJPEG before r2944, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c,…

CVSS: 5.0 CWE: CWE-119
Read more
Medium

CVE-2014-7946

The RenderTable::simplifiedNormalFlowLayout function in core/rendering/RenderTable.cpp in Blink, as used in Google Chrome before 40.0.2214.91, skips captions during table layout in certain situations…

CVSS: 5.0 CWE: CWE-119
Read more
Medium

CVE-2014-7945

OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c,…

CVSS: 5.0 CWE: CWE-119
Read more
Medium

CVE-2014-7944

The sycc422_to_rgb function in fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 40.0.2214.91, does not properly handle odd values of image width, which allows remote atta…

CVSS: 5.0 CWE: CWE-119
Read more
Medium

CVE-2014-7943

Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.

CVSS: 5.0 CWE: CWE-119
Read more
Medium

CVE-2014-7941

The SelectionOwner::ProcessTarget function in ui/base/x/selection_owner.cc in the UI implementation in Google Chrome before 40.0.2214.91 uses an incorrect data type for a certain length value, which…

CVSS: 5.0 CWE: CWE-119
Read more
High

CVE-2014-7938

The Fonts implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.

CVSS: 7.5 CWE: CWE-119
Read more
High

CVE-2014-7937

Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or poss…

CVSS: 7.5 CWE: CWE-119
Read more
Critical

CVE-2015-1311

The Extended Application Services (XS) in SAP HANA allows remote attackers to inject arbitrary ABAP code via unspecified vectors, aka SAP Note 2098906. NOTE: the provenance of this information is un…

CVSS: 10.0 CWE: CWE-94
Read more
High

CVE-2015-1310

SQL injection vulnerability in SAP Adaptive Server Enterprise (Sybase ASE) allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Note 2113333. NOTE: the provenan…

CVSS: 7.5 CWE: CWE-89
Read more
Medium

CVE-2015-1175

Cross-site scripting (XSS) vulnerability in blocklayered-ajax.php in the blocklayered module in PrestaShop 1.6.0.9 and earlier allows remote attackers to inject arbitrary web script or HTML via the l…

CVSS: 4.3 CWE: CWE-79
Read more
Medium

CVE-2015-1306

The newsletter posting area in the web interface in Sympa 6.0.x before 6.0.10 and 6.1.x before 6.1.24 allows remote attackers to read arbitrary files via unspecified vectors.

CVSS: 5.0 CWE: CWE-200
Read more
Critical

CVE-2015-0925

The client in iPass Open Mobile before 2.4.5 on Windows allows remote authenticated users to execute arbitrary code via a DLL pathname in a crafted Unicode string that is improperly handled by a subp…

CVSS: 9.0 CWE: CWE-94
Read more
Medium

CVE-2014-8008

Absolute path traversal vulnerability in the Real-Time Monitoring Tool (RTMT) API in Cisco Unified Communications Manager (CUCM) allows remote authenticated users to read arbitrary files via a full p…

CVSS: 6.8 CWE: CWE-200
Read more
2015-01-21
Medium

CVE-2015-1196

GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file.

CVSS: 4.3 CWE: CWE-59
Read more
Medium

CVE-2015-1195

The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathna…

CVSS: 6.5 CWE: CWE-22
Read more