CVE Daily
← All years

Uncategorized 2015

Page 3/23.

CVEs without a recognized CWE (not present in the CWE map or marked as N/A).

CVSS ≥ 0.0
2015-11-26
High

CVE-2015-6857

Unspecified vulnerability in Virtual Table Server (VTS) in HP LoadRunner 11.52, 12.00, 12.01, 12.02, and 12.50 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-3138.

CVSS: 7.2CWE: N/A
Read more
Medium

CVE-2015-6382

Cisco ASR 5000 devices with software 16.0(900) allow remote attackers to cause a denial of service (telnetd process restart) via a TELNET connection, aka Bug ID CSCuv25815.

CVSS: 5.0CWE: CWE-399
Read more
2015-11-25
Medium

CVE-2015-5324

Jenkins before 1.638 and LTS before 1.625.2 allow remote attackers to obtain sensitive information via a direct request to queue/api.

CVSS: 5.0CWE: CWE-264
Read more
Medium

CVE-2015-5323

Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another u…

CVSS: 6.5CWE: CWE-264
Read more
Medium

CVE-2015-5319

XML external entity (XXE) vulnerability in the create-job CLI command in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to read arbitrary files via a crafted job configuration th…

CVSS: 5.0CWE: N/A
Read more
Medium

CVE-2015-5306

OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by trigge…

CVSS: 6.8CWE: CWE-254
Read more
Medium

CVE-2014-3665

Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveragi…

CVSS: 6.8CWE: CWE-264
Read more
Medium

CVE-2015-7288

CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 allow remote attackers to modify the configuration via a command in an SMS message, as demonstrated by a "4 2" command.

CVSS: 4.3CWE: CWE-254
Read more
High

CVE-2015-7287

CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 use the same 001984 default PIN across different customers' installations, which allows remote attackers to execute commands by lever…

CVSS: 7.5CWE: CWE-255
Read more
Medium

CVE-2015-7286

CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 rely on a polyalphabetic substitution cipher with hardcoded keys, which makes it easier for remote attackers to defeat a cryptographi…

CVSS: 6.4CWE: CWE-310
Read more
Medium

CVE-2015-6379

The XML parser in the management interface in Cisco Adaptive Security Appliance (ASA) Software 8.4 allows remote authenticated users to cause a denial of service (device crash) via a crafted XML docu…

CVSS: 6.8CWE: CWE-399
Read more
2015-11-24
Medium

CVE-2015-8329

SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) uses weak encryption (Base64 and DES), which allows attackers to conduct downgrade attacks and decrypt passwords via unspecifie…

CVSS: 5.0CWE: CWE-310
Read more
Medium

CVE-2015-7869

Multiple integer overflows in the kernel mode driver for the NVIDIA GPU graphics driver R340 before 341.92, R352 before 354.35, and R358 before 358.87 on Windows and R304 before 304.131, R340 before…

CVSS: 6.6CWE: CWE-189
Read more
High

CVE-2015-7866

Unquoted Windows search path vulnerability in the Smart Maximize Helper (nvSmartMaxApp.exe) in the Control Panel in the NVIDIA GPU graphics driver R340 before 341.92, R352 before 354.35, and R358 bef…

CVSS: 7.2CWE: N/A
Read more
High

CVE-2015-7496

GNOME Display Manager (gdm) before 3.18.2 allows physically proximate attackers to bypass the lock screen by holding the Escape key.

CVSS: 7.2CWE: CWE-264
Read more
Low

CVE-2015-5281

The grub2 package before 2.02-0.29 in Red Hat Enterprise Linux (RHEL) 7, when used on UEFI systems, allows local users to bypass intended Secure Boot restrictions and execute non-verified code via a…

CVSS: 2.6CWE: CWE-264
Read more
Medium

CVE-2015-0856

daemon/Greeter.cpp in sddm before 0.13.0 does not properly disable the KDE crash handler, which allows local users to gain privileges by crashing a greeter when using certain themes, as demonstrated…

CVSS: 4.6CWE: CWE-264
Read more
High

CVE-2015-6377

Cisco Virtual Topology System (VTS) 2.0(0) and 2.0(1) allows remote attackers to cause a denial of service (CPU and memory consumption, and TCP port outage) via a flood of crafted TCP packets, aka Bu…

CVSS: 7.8CWE: CWE-399
Read more
2015-11-23
Medium

CVE-2015-8320

Apache Cordova-Android before 3.7.0 improperly generates random values for BridgeSecret data, which makes it easier for attackers to conduct bridge hijacking attacks by predicting a value.

CVSS: 5.0CWE: N/A
Read more
Medium

CVE-2015-5256

Apache Cordova-Android before 4.1.0, when an application relies on a remote server, improperly implements a JavaScript whitelist protection mechanism, which allows attackers to bypass intended access…

CVSS: 4.3CWE: CWE-264
Read more
2015-11-22
Medium

CVE-2015-5787

The kernel in Apple iOS before 8.4.1 does not properly restrict debugging features, which allows attackers to bypass background-execution limitations via a crafted app.

CVSS: 4.3CWE: CWE-264
Read more
2015-11-21
High

CVE-2015-7913

ag_server_service.exe in the AggreGate Server Service in Tibbo AggreGate before 5.30.06 allows local users to execute arbitrary Java code with SYSTEM privileges by using the Apache Axis AdminService…

CVSS: 7.2CWE: N/A
Read more
Critical

CVE-2015-7912

The Ice Faces servlet in ag_server_service.exe in the AggreGate Server Service in Tibbo AggreGate before 5.30.06 allows remote attackers to upload and execute arbitrary Java code via a crafted XML do…

CVSS: 10.0CWE: N/A
Read more
Critical

CVE-2015-7289

Arris DG860A, TG862A, and TG862G devices with firmware TS0703128_100611 through TS0705125D_031115 have a hardcoded administrator password derived from a serial number, which makes it easier for remot…

CVSS: 9.3CWE: CWE-255
Read more
Medium

CVE-2009-5149

Arris DG860A, TG862A, and TG862G devices with firmware TS0703128_100611 through TS0705125D_031115 have predictable technician passwords, which makes it easier for remote attackers to obtain access vi…

CVSS: 4.3CWE: CWE-255
Read more
2015-11-20
Medium

CVE-2015-7773

Unrestricted file upload vulnerability in the Panel component in Bastian Allgeier Kirby before 2.1.2 allows remote authenticated users to execute arbitrary PHP code by uploading a file that lacks an…

CVSS: 6.5CWE: N/A
Read more
2015-11-19
Medium

CVE-2015-8087

Huawei NE20E-S, NE40E-M, and NE40E-M2 routers with software before V800R007C10SPC100 and NE40E and NE80E routers with software before V800R007C00SPC100 allows remote attackers to send packets to othe…

CVSS: 5.0CWE: CWE-399
Read more
Critical

CVE-2015-8236

Arista EOS before 4.11.12, 4.12 before 4.12.11, 4.13 before 4.13.14M, 4.14 before 4.14.5FX.5, and 4.15 before 4.15.0FX1.1 allows remote attackers to execute arbitrary code as root by leveraging manag…

CVSS: 10.0CWE: CWE-264
Read more
Medium

CVE-2015-4112

The Management Console in BlackBerry Enterprise Server (BES) 12 before 12.2 does not properly restrict use of FRAME elements, which makes it easier for remote attackers to conduct clickjacking attack…

CVSS: 4.3CWE: CWE-254
Read more
2015-11-18
Critical

CVE-2015-8051

The Adobe Premiere Clip app before 1.2.1 for iOS mishandles unspecified input, which has unknown impact and attack vectors.

CVSS: 10.0CWE: N/A
Read more
Low

CVE-2015-8035

The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML da…

CVSS: 2.6CWE: CWE-399
Read more
Medium

CVE-2015-5253

The SAML Web SSO module in Apache CXF before 2.7.18, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote authenticated users to bypass authentication via a crafted SAML response with a valid sig…

CVSS: 4.0CWE: CWE-264
Read more
2015-11-17
Medium

CVE-2015-8222

The lxd-unix.socket systemd unit file in the Ubuntu lxd package before 0.20-0ubuntu4.1 uses world-readable permissions for /var/lib/lxd/unix.socket, which allows local users to gain privileges via un…

CVSS: 4.6CWE: CWE-264
Read more
Medium

CVE-2015-7995

The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not check if the parent node is an element, which allows attackers to cause a denial of service via a crafted XML file, related to…

CVSS: 5.0CWE: N/A
Read more
Medium

CVE-2015-7812

The hypercall_create_continuation function in arch/arm/domain.c in Xen 4.4.x through 4.6.x allows local guest users to cause a denial of service (host crash) via a preemptible hypercall to the multic…

CVSS: 4.9CWE: CWE-254
Read more
High

CVE-2015-5602

sudoedit in Sudo before 1.8.15 allows local users to gain privileges via a symlink attack on a file whose full path is defined using multiple wildcards in /etc/sudoers, as demonstrated by "/home/*/*/…

CVSS: 7.2CWE: CWE-264
Read more
Medium

CVE-2015-5301

providers/saml2/admin.py in the Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.2 and 1.1.x before 1.1.1 does not properly check permissions, which allows remote authenticated users to cau…

CVSS: 5.5CWE: CWE-264
Read more
Medium

CVE-2015-5217

providers/saml2/admin.py in the Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not properly check permissions to update the SAML2 Service Provider (SP) owner, which allows remote a…

CVSS: 4.0CWE: CWE-264
Read more
Medium

CVE-2015-0272

GNOME NetworkManager allows remote attackers to cause a denial of service (IPv6 traffic disruption) via a crafted MTU value in an IPv6 Router Advertisement (RA) message, a different vulnerability tha…

CVSS: 5.0CWE: N/A
Read more
High

CVE-2015-8216

The ljpeg_decode_yuv_scan function in libavcodec/mjpegdec.c in FFmpeg before 2.8.2 omits certain width and height checks, which allows remote attackers to cause a denial of service (out-of-bounds arr…

CVSS: 7.5CWE: CWE-17
Read more
2015-11-16
High

CVE-2015-7816

The DisplayTopKeywords function in plugins/Referrers/Controller.php in Piwik before 2.15.0 allows remote attackers to conduct PHP object injection attacks, conduct Server-Side Request Forgery (SSRF)…

CVSS: 7.5CWE: N/A
Read more
Medium

CVE-2015-7712

Multiple eval injection vulnerabilities in mods/_standard/gradebook/edit_marks.php in ATutor 2.2 and earlier allow remote authenticated users with the AT_PRIV_GRADEBOOK privilege to execute arbitrary…

CVSS: 6.5CWE: N/A
Read more
Medium

CVE-2014-9752

Unrestricted file upload vulnerability in mods/_core/properties/lib/course.inc.php in ATutor before 2.2 patch 6 allows remote authenticated users to execute arbitrary PHP code by uploading a file wit…

CVSS: 6.5CWE: N/A
Read more
Critical

CVE-2015-8104

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) excepti…

CVSS: 10.0CWE: CWE-399
Read more
Medium

CVE-2015-5307

The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Chec…

CVSS: 4.9CWE: CWE-399
Read more
Medium

CVE-2015-5257

drivers/usb/serial/whiteheat.c in the Linux kernel before 4.2.4 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified oth…

CVSS: 4.9CWE: N/A
Read more
Medium

CVE-2015-2925

The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protect…

CVSS: 6.9CWE: N/A
Read more
2015-11-14
High

CVE-2015-7419

IBM WebSphere Portal 8.0.0.1 before CF19 and 8.5.0 before CF09 allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

CVSS: 7.8CWE: CWE-399
Read more
High

CVE-2015-6367

Cisco Aironet 1800 devices with software 8.1(131.0) allow remote attackers to cause a denial of service (CPU consumption) by improperly establishing many SSHv2 connections, aka Bug ID CSCux13374.

CVSS: 7.8CWE: CWE-399
Read more
Low

CVE-2013-5229

The Remote Desktop full-screen feature in Apple OS X before 10.9 and Apple Remote Desktop before 3.7 sends dialog-box text to a connected remote host upon being woken from sleep, which allows physica…

CVSS: 3.7CWE: CWE-254
Read more
2015-11-13
Critical

CVE-2015-6045

Use-after-free vulnerability in the CElement object implementation in Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption)…

CVSS: 9.3CWE: N/A
Read more
2015-11-12
High

CVE-2015-8113

Untrusted search path vulnerability in the client in Symantec Endpoint Protection (SEP) 12.1 before 12.1-RU6-MP3 allows local users to gain privileges via a Trojan horse DLL in a client install packa…

CVSS: 7.2CWE: N/A
Read more
Medium

CVE-2015-7819

The DB service in IBM System Networking Switch Center (SNSC) before 7.3.1.5 and Lenovo Switch Center before 8.1.2.0 allows remote attackers to obtain sensitive administrator-account information via a…

CVSS: 5.0CWE: CWE-255
Read more
High

CVE-2015-7818

The administration-panel web service in IBM System Networking Switch Center (SNSC) before 7.3.1.5 and Lenovo Switch Center before 8.1.2.0 allows local users to execute arbitrary JSP code with SYSTEM…

CVSS: 7.2CWE: CWE-264
Read more
2015-11-11
Critical

CVE-2015-8046

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before…

CVSS: 10.0CWE: N/A
Read more
Critical

CVE-2015-8044

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before…

CVSS: 10.0CWE: N/A
Read more
Critical

CVE-2015-8043

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before…

CVSS: 10.0CWE: N/A
Read more
Critical

CVE-2015-8042

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before…

CVSS: 9.3CWE: N/A
Read more
Critical

CVE-2015-7663

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before…

CVSS: 10.0CWE: N/A
Read more
High

CVE-2015-7662

Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK &…

CVSS: 7.8CWE: CWE-264
Read more
Critical

CVE-2015-7661

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before…

CVSS: 9.3CWE: N/A
Read more
Critical

CVE-2015-7660

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before…

CVSS: 9.3CWE: N/A
Read more
Critical

CVE-2015-7659

Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before 19.0.0.241, and Adobe AIR SDK &…

CVSS: 9.3CWE: N/A
Read more
Critical

CVE-2015-7658

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before…

CVSS: 9.3CWE: N/A
Read more
Critical

CVE-2015-7657

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before…

CVSS: 9.3CWE: N/A
Read more
Critical

CVE-2015-7656

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before…

CVSS: 9.3CWE: N/A
Read more
Critical

CVE-2015-7655

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before…

CVSS: 9.3CWE: N/A
Read more
Critical

CVE-2015-7654

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before…

CVSS: 9.3CWE: N/A
Read more
Critical

CVE-2015-7653

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before…

CVSS: 9.3CWE: N/A
Read more
Critical

CVE-2015-7652

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before…

CVSS: 9.3CWE: N/A
Read more
Critical

CVE-2015-7651

Use-after-free vulnerability in Adobe Flash Player before 18.0.0.261 and 19.x before 19.0.0.245 on Windows and OS X and before 11.2.202.548 on Linux, Adobe AIR before 19.0.0.241, Adobe AIR SDK before…

CVSS: 9.3CWE: N/A
Read more
Low

CVE-2015-6113

The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and…

CVSS: 2.1CWE: CWE-254
Read more
Medium

CVE-2015-6111

IPSec in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 mishandles encryption negotiation, which allows remote authenticated…

CVSS: 6.8CWE: CWE-399
Read more
Medium

CVE-2015-6101

The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and…

CVSS: 6.9CWE: CWE-264
Read more
Medium

CVE-2015-6100

The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and…

CVSS: 6.9CWE: CWE-264
Read more
Medium

CVE-2015-6095

Kerberos in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1…

CVSS: 4.9CWE: CWE-255
Read more
Critical

CVE-2015-2503

Microsoft Access 2007 SP3, Excel 2007 SP3, InfoPath 2007 SP3, OneNote 2007 SP3, PowerPoint 2007 SP3, Project 2007 SP3, Publisher 2007 SP3, Visio 2007 SP3, Word 2007 SP3, Office 2007 IME (Japanese) SP…

CVSS: 9.3CWE: CWE-264
Read more
High

CVE-2015-2478

Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 allow lo…

CVSS: 7.2CWE: CWE-264
Read more
2015-11-10
Low

CVE-2015-8025

driver/subprocs.c in XScreenSaver before 5.34 does not properly perform an internal consistency check, which allows physically proximate attackers to bypass the lock screen by hot swapping monitors.

CVSS: 2.1CWE: CWE-264
Read more
Medium

CVE-2015-5213

Integer overflow in LibreOffice before 4.4.5 and Apache OpenOffice before 4.1.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbi…

CVSS: 6.8CWE: CWE-189
Read more
Medium

CVE-2015-6362

The web GUI in Cisco Connected Grid Network Management System (CG-NMS) 3.0(0.35) and 3.0(0.54) allows remote authenticated users to bypass intended access restrictions and modify the configuration by…

CVSS: 4.0CWE: CWE-264
Read more
Medium

CVE-2015-5655

The Adways Party Track SDK before 1.6.6 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a c…

CVSS: 5.8CWE: CWE-310
Read more
2015-11-09
Medium

CVE-2015-8004

MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not properly restrict access to revisions, which allows remote authenticated users with the viewsuppressed user right to…

CVSS: 4.0CWE: CWE-264
Read more
Medium

CVE-2015-8003

MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not throttle file uploads, which allows remote authenticated users to have unspecified impact via multiple file uploads.

CVSS: 6.8CWE: CWE-399
Read more
Medium

CVE-2015-8002

The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 allows remote authenticated users to cause a denial of service (disk consumption) via a…

CVSS: 6.8CWE: CWE-399
Read more
Medium

CVE-2015-8041

Multiple integer overflows in the NDEF record parser in hostapd before 2.5 and wpa_supplicant before 2.5 allow remote attackers to cause a denial of service (process crash or infinite loop) via a lar…

CVSS: 5.0CWE: CWE-189
Read more
Medium

CVE-2015-3240

The pluto IKE daemon in libreswan before 3.15 and Openswan before 2.6.45, when built with NSS, allows remote attackers to cause a denial of service (assertion failure and daemon restart) via a zero D…

CVSS: 4.3CWE: CWE-189
Read more
High

CVE-2015-2696

lib/gssapi/krb5/iakerb.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and pro…

CVSS: 7.1CWE: CWE-18
Read more
2015-11-08
High

CVE-2015-5043

diag in IBM Security Guardium 8.2 before p6015, 9.0 before p6015, 9.1, 9.5, and 10.0 before p6015 allows local users to obtain root access via unspecified key sequences.

CVSS: 7.2CWE: CWE-264
Read more
Medium

CVE-2015-5019

IBM Sterling Integrator 5.1 before 5010004_8 and Sterling B2B Integrator 5.2 before 5020500_9 allow remote authenticated users to read or upload files by leveraging a password-change requirement.

CVSS: 5.5CWE: CWE-264
Read more
High

CVE-2015-5005

CSPOC in IBM PowerHA SystemMirror on AIX 6.1 and 7.1 allows remote authenticated users to perform an "su root" action by leveraging presence on the cluster-wide password-change list.

CVSS: 8.5CWE: CWE-264
Read more
Medium

CVE-2015-4966

IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.9 FP009, and 7.6.0 before 7.6.0.2 IFIX001; Maximo Asset Management 7.5.0 before 7.5.0.9 FP009, 7.5.1, and 7.6.0 before 7.6.0.2 IFI…

CVSS: 6.5CWE: CWE-255
Read more
High

CVE-2015-4963

IBM Security Access Manager for Web 7.x before 7.0.0.16 and 8.x before 8.0.1.3 mishandles WebSEAL HTTPTransformation requests, which allows remote attackers to read or write to arbitrary files via un…

CVSS: 7.5CWE: CWE-17
Read more
Medium

CVE-2015-2017

CRLF injection vulnerability in IBM WebSphere Application Server (WAS) 6.1 through 6.1.0.47, 7.0 before 7.0.0.39, 8.0 before 8.0.0.12, and 8.5 before 8.5.5.8 allows remote attackers to inject arbitra…

CVSS: 4.3CWE: N/A
Read more
Medium

CVE-2015-1993

IBM Security QRadar Incident Forensics 7.2.x before 7.2.5 Patch 5 does not set the secure flag for unspecified cookies in an https session, which makes it easier for remote attackers to capture these…

CVSS: 5.0CWE: N/A
Read more
2015-11-07
Critical

CVE-2015-6476

Advantech EKI-122x-BE devices with firmware before 1.65, EKI-132x devices with firmware before 1.98, and EKI-136x devices with firmware before 1.27 have hardcoded SSH keys, which makes it easier for…

CVSS: 10.0CWE: N/A
Read more
2015-11-06
High

CVE-2015-8082

The Login Disable module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.2 for Drupal does not properly load the user_logout function, which allows remote attackers to bypass the logout protection me…

CVSS: 7.5CWE: CWE-17
Read more
Medium

CVE-2015-7809

The displayBlock function Template.php in Sensio Labs Twig before 1.20.0, when Sandbox mode is enabled, allows remote attackers to execute arbitrary code via the _self variable in a template.

CVSS: 6.8CWE: CWE-264
Read more
Medium

CVE-2014-9749

Squid 3.4.4 through 3.4.11 and 3.5.0.1 through 3.5.1, when Digest authentication is used, allow remote authenticated users to retain access by leveraging a stale nonce, aka "Nonce replay vulnerabilit…

CVSS: 4.0CWE: CWE-264
Read more
Medium

CVE-2015-7697

Info-ZIP UnZip 6.0 allows remote attackers to cause a denial of service (infinite loop) via empty bzip2 data in a ZIP archive.

CVSS: 4.3CWE: CWE-399
Read more
Critical

CVE-2015-7394

The datastor kernel module in F5 BIG-IP Analytics, APM, ASM, Link Controller, and LTM 11.1.0 before 12.0.0, BIG-IP AAM 11.4.0 before 12.0.0, BIG-IP AFM, PEM 11.3.0 before 12.0.0, BIG-IP Edge Gateway,…

CVSS: 9.0CWE: CWE-264
Read more
Medium

CVE-2015-6316

The default configuration of sshd_config in Cisco Mobility Services Engine (MSE) through 8.0.120.7 allows logins by the oracle account, which makes it easier for remote attackers to obtain access by…

CVSS: 6.5CWE: CWE-255
Read more
High

CVE-2015-6292

The proxy-cache implementation in Cisco AsyncOS 8.0.x before 8.0.7-151, 8.1.x and 8.5.x before 8.5.2-004, 8.6.x and 8.7.x before 8.7.0-171-LD, and 8.8.x before 8.8.0-085 on Web Security Appliance (WS…

CVSS: 7.8CWE: CWE-399
Read more
Medium

CVE-2015-4282

Cisco Mobility Services Engine (MSE) through 8.0.120.7 uses weak permissions for unspecified binary files, which allows local users to obtain root privileges by writing to a file, aka Bug ID CSCuv405…

CVSS: 6.9CWE: CWE-264
Read more
High

CVE-2015-6321

Cisco AsyncOS before 8.5.7-042, 9.x before 9.1.0-032, 9.1.x before 9.1.1-023, and 9.5.x and 9.6.x before 9.6.0-042 on Email Security Appliance (ESA) devices; before 9.1.0-032, 9.1.1 before 9.1.1-005,…

CVSS: 7.8CWE: CWE-399
Read more
High

CVE-2015-6293

Cisco AsyncOS 8.x before 8.0.8-113, 8.1.x and 8.5.x before 8.5.3-051, 8.6.x and 8.7.x before 8.7.0-171-LD, and 8.8.x before 8.8.0-085 on Web Security Appliance (WSA) devices allows remote attackers t…

CVSS: 7.8CWE: CWE-399
Read more
2015-11-05
High

CVE-2015-7200

The CryptoKey interface implementation in Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 lacks status checking, which allows attackers to have an unspecified impact via vectors related…

CVSS: 7.5CWE: CWE-17
Read more
Medium

CVE-2015-7197

Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperly control the ability of a web worker to create a WebSocket object, which allows remote attackers to bypass intended mixed-conten…

CVSS: 5.0CWE: CWE-264
Read more
Medium

CVE-2015-7196

Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4, when a Java plugin is enabled, allow remote attackers to cause a denial of service (incorrect garbage collection and application crash) o…

CVSS: 6.8CWE: CWE-17
Read more
High

CVE-2015-7193

Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperly follow the CORS cross-origin request algorithm for the POST method in situations involving an unspecified Content-Type header m…

CVSS: 7.5CWE: CWE-254
Read more
High

CVE-2015-7192

The accessibility-tools feature in Mozilla Firefox before 42.0 on OS X improperly interacts with the implementation of the TABLE element, which allows remote attackers to cause a denial of service (a…

CVSS: 7.5CWE: CWE-17
Read more
High

CVE-2015-7188

Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allow remote attackers to bypass the Same Origin Policy for an IP address origin, and conduct cross-site scripting (XSS) attacks, by appen…

CVSS: 7.5CWE: CWE-254
Read more
Medium

CVE-2015-7187

The Add-on SDK in Mozilla Firefox before 42.0 misinterprets a "script: false" panel setting, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via inline JavaSc…

CVSS: 4.3CWE: CWE-254
Read more
Medium

CVE-2015-7185

Mozilla Firefox before 42.0 on Android does not ensure that the address bar is restored upon fullscreen-mode exit, which allows remote attackers to spoof the address bar via crafted JavaScript code.

CVSS: 4.3CWE: CWE-254
Read more
2015-11-04
High

CVE-2015-6030

HP ArcSight Logger 6.0.0.7307.1, ArcSight Command Center 6.8.0.1896.0, and ArcSight Connector Appliance 6.4.0.6881.3 use the root account to execute files owned by the arcsight user, which might allo…

CVSS: 7.2CWE: CWE-264
Read more
Medium

CVE-2015-6029

HP ArcSight Logger before 6.0 P2 does not limit attempts to authenticate to the SOAP interface, which makes it easier for remote attackers to obtain access via a brute-force approach.

CVSS: 5.0CWE: CWE-254
Read more
Medium

CVE-2015-5021

IBM InfoSphere Information Server 11.3 and 11.5 allows remote authenticated DataStage users to bypass intended job-execution restrictions or obtain sensitive information via unspecified vectors.

CVSS: 5.5CWE: CWE-264
Read more
High

CVE-2015-4927

The Reporting and Monitoring component in Tivoli Monitoring in IBM Tivoli Storage Manager 6.3 before 6.3.6 and 7.1 before 7.1.3 on Linux and AIX uses world-writable permissions for unspecified files,…

CVSS: 7.2CWE: CWE-264
Read more
Medium

CVE-2015-2903

The CWSAPI SOAP service in HP ArcSight SmartConnectors before 7.1.6 has a hardcoded password, which makes it easier for remote attackers to obtain administrative access by leveraging knowledge of thi…

CVSS: 6.9CWE: N/A
Read more
Medium

CVE-2015-2902

HP ArcSight SmartConnectors before 7.1.6 do not verify X.509 certificates from Logger devices, which allows man-in-the-middle attackers to spoof devices and obtain sensitive information via a crafted…

CVSS: 6.8CWE: CWE-310
Read more
>