Search
Total
2412 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-2809 | 1 Synology | 1 Diskstation Manager | 2016-07-29 | 5.0 MEDIUM | N/A |
| The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets to the Avahi component. | |||||
| CVE-2014-8112 | 1 Fedoraproject | 2 389 Directory Server, Fedora | 2016-06-30 | 4.0 MEDIUM | N/A |
| 389 Directory Server 1.3.1.x, 1.3.2.x before 1.3.2.27, and 1.3.3.x before 1.3.3.9 stores "unhashed" passwords even when the nsslapd-unhashed-pw-switch option is set to off, which allows remote authenticated users to obtain sensitive information by reading the Changelog. | |||||
| CVE-2014-8105 | 1 Fedoraproject | 2 389 Directory Server, Fedora | 2016-06-30 | 5.0 MEDIUM | N/A |
| 389 Directory Server before 1.3.2.27 and 1.3.3.x before 1.3.3.9 does not properly restrict access to the "cn=changelog" LDAP sub-tree, which allows remote attackers to obtain sensitive information from the changelog via unspecified vectors. | |||||
| CVE-2014-2719 | 2 Asus, T-mobile | 10 Rt-ac66u Firmware, Rt-ac68u, Rt-ac68u Firmware and 7 more | 2016-06-30 | 6.3 MEDIUM | N/A |
| Advanced_System_Content.asp in the ASUS RT series routers with firmware before 3.0.0.4.374.5517, when an administrator session is active, allows remote authenticated users to obtain the administrator user name and password by reading the source code. | |||||
| CVE-2015-0844 | 2 Fedoraproject, Wesnoth | 2 Fedora, Battle For Wesnoth | 2016-06-28 | 5.0 MEDIUM | N/A |
| The WML/Lua API in Battle for Wesnoth 1.7.x through 1.11.x and 1.12.x before 1.12.2 allows remote attackers to read arbitrary files via a crafted (1) campaign or (2) map file. | |||||
| CVE-2014-9712 | 1 Websense | 1 V-series Appliances | 2016-06-23 | 4.0 MEDIUM | N/A |
| Websense TRITON V-Series appliances before 7.8.3 Hotfix 03 and 7.8.4 before Hotfix 01 allow remote administrators to read arbitrary files and obtain passwords via a crafted path. | |||||
| CVE-2014-3667 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2016-06-15 | 4.0 MEDIUM | N/A |
| Jenkins before 1.583 and LTS before 1.565.3 does not properly prevent downloading of plugins, which allows remote authenticated users with the Overall/READ permission to obtain sensitive information by reading the plugin code. | |||||
| CVE-2014-3680 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2016-06-15 | 4.0 MEDIUM | N/A |
| Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Job/READ permission to obtain the default value for the password field of a parameterized job by reading the DOM. | |||||
| CVE-2014-3662 | 2 Jenkins, Redhat | 2 Jenkins, Openshift | 2016-06-14 | 5.0 MEDIUM | N/A |
| Jenkins before 1.583 and LTS before 1.565.3 allows remote attackers to enumerate user names via vectors related to login attempts. | |||||
| CVE-2014-2064 | 1 Jenkins | 1 Jenkins | 2016-06-13 | 5.0 MEDIUM | N/A |
| The loadUserByUsername function in hudson/security/HudsonPrivateSecurityRealm.java in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to determine whether a user exists via vectors related to failed login attempts. | |||||
| CVE-2015-4345 | 1 Restful Web Services Project | 1 Restful Web Services | 2016-06-09 | 5.0 MEDIUM | N/A |
| The RESTWS Basic Auth submodule in the RESTful Web Services module 7.x-1.x before 7.x-1.5 and 7.x-2.x before 7.x-2.3 for Drupal caches pages for authenticated requests, which allows remote attackers to obtain sensitive information via unspecified vectors. | |||||
| CVE-2015-4395 | 1 Hybridauth Social Login Project | 1 Hybridauth Social Login | 2016-06-09 | 3.5 LOW | N/A |
| The HybridAuth Social Login module 7.x-2.x before 7.x-2.10 for Drupal stores passwords in plaintext when the "Ask user for a password when registering" option is enabled, which allows remote authenticated users with certain permissions to obtain sensitive information by leveraging access to the database. | |||||
| CVE-2014-1571 | 2 Fedoraproject, Mozilla | 2 Fedora, Bugzilla | 2016-04-07 | 4.0 MEDIUM | N/A |
| Bugzilla 2.x through 4.0.x before 4.0.15, 4.1.x and 4.2.x before 4.2.11, 4.3.x and 4.4.x before 4.4.6, and 4.5.x before 4.5.6 allows remote authenticated users to obtain sensitive private-comment information by leveraging a role as a flag recipient, related to Bug.pm, Flag.pm, and a mail template. | |||||
| CVE-2014-8762 | 1 Dokuwiki | 1 Dokuwiki | 2016-04-04 | 5.0 MEDIUM | N/A |
| The ajax_mediadiff function in DokuWiki before 2014-05-05a allows remote attackers to access arbitrary images via a crafted namespace in the ns parameter. | |||||
| CVE-2014-9252 | 1 Zenoss | 1 Zenoss Core | 2016-03-21 | 2.1 LOW | N/A |
| Zenoss Core through 5 Beta 3 stores cleartext passwords in the session database, which might allow local users to obtain sensitive information by reading database entries, aka ZEN-15416. | |||||
| CVE-2014-9250 | 1 Zenoss | 1 Zenoss Core | 2016-03-21 | 5.0 MEDIUM | N/A |
| Zenoss Core through 5 Beta 3 does not include the HTTPOnly flag in a Set-Cookie header for the authentication cookie, which makes it easier for remote attackers to obtain credential information via script access to this cookie, aka ZEN-10418. | |||||
| CVE-2014-9247 | 1 Zenoss | 1 Zenoss Core | 2016-03-21 | 4.0 MEDIUM | N/A |
| Zenoss Core through 5 Beta 3 allows remote authenticated users to obtain sensitive (1) user account, (2) e-mail address, and (3) role information by visiting the ZenUsers (aka User Manager) page, aka ZEN-15389. | |||||
| CVE-2014-9245 | 1 Zenoss | 1 Zenoss Core | 2016-03-21 | 5.0 MEDIUM | N/A |
| Zenoss Core through 5 Beta 3 allows remote attackers to obtain sensitive information by attempting a product-rename action with an invalid new name and then reading a stack trace, as demonstrated by internal URL information, aka ZEN-15382. | |||||
| CVE-2014-1317 | 1 Apple | 1 Mac Os X | 2015-12-22 | 2.1 LOW | N/A |
| iBooks Commerce in Apple OS X before 10.9.4 places Apple ID credentials in the iBooks log, which allows local users to obtain sensitive information by reading this file. | |||||
| CVE-2015-7908 | 1 Honeywell | 4 Midas, Midas Black, Midas Black Firmware and 1 more | 2015-12-21 | 9.3 HIGH | N/A |
| Honeywell Midas gas detectors before 1.13b3 and Midas Black gas detectors before 2.13b3 allow remote attackers to discover cleartext passwords by sniffing the network. | |||||
| CVE-2014-4669 | 1 Hp | 1 Enterprise Maps | 2015-12-18 | 3.5 LOW | N/A |
| HP Enterprise Maps 1.00 allows remote authenticated users to read arbitrary files via a WSDL document containing an XML external entity declaration in conjunction with an entity reference within a GetQuote operation, related to an XML External Entity (XXE) issue. | |||||
| CVE-2015-8601 | 1 Chat Room Project | 1 Chat Room | 2015-12-18 | 5.0 MEDIUM | N/A |
| The Chat Room module 7.x-2.x before 7.x-2.2 for Drupal does not properly check permissions when setting up a websocket for chat messages, which allows remote attackers to bypass intended access restrictions and read messages from arbitrary Chat Rooms via unspecified vectors. | |||||
| CVE-2015-8602 | 1 Token Insert Entity Project | 1 Token Insert Entity | 2015-12-18 | 3.5 LOW | N/A |
| The Token Insert Entity module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permissions, which allows remote authenticated users with certain permissions to bypass intended access restrictions and possibly obtain sensitive information by inserting a token, which embeds a rendered entity in the main node. | |||||
| CVE-2015-6556 | 1 Symantec | 1 Endpoint Encryption | 2015-12-18 | 2.3 LOW | N/A |
| EACommunicatorSrv.exe in the Framework Service in the client in Symantec Endpoint Encryption (SEE) before 11.1.0 allows remote authenticated users to discover credentials by triggering a memory dump. | |||||
| CVE-2015-6625 | 1 Google | 1 Android | 2015-12-09 | 4.3 MEDIUM | N/A |
| System Server in Android 6.0 before 2015-12-01 allows attackers to obtain sensitive information and consequently gain privileges via a crafted application, aka internal bug 23936840. | |||||
| CVE-2015-6624 | 1 Google | 1 Android | 2015-12-09 | 4.3 MEDIUM | N/A |
| System Server in Android 6.0 before 2015-12-01 allows attackers to obtain sensitive information via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23999740. | |||||
| CVE-2015-6629 | 1 Google | 1 Android | 2015-12-09 | 5.0 MEDIUM | N/A |
| Wi-Fi in Android 5.x before 5.1.1 LMY48Z allows attackers to obtain sensitive information via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 22667667. | |||||
| CVE-2015-5859 | 1 Apple | 2 Iphone Os, Mac Os X | 2015-11-30 | 4.3 MEDIUM | N/A |
| The CFNetwork HTTPProtocol component in Apple iOS before 9 and OS X before 10.11 does not properly recognize the HSTS preload list during a Safari private-browsing session, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. | |||||
| CVE-2015-1112 | 1 Apple | 2 Iphone Os, Safari | 2015-11-30 | 5.0 MEDIUM | N/A |
| Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, as used on iOS before 8.3 and other platforms, does not properly delete browsing-history data from the history.plist file, which allows attackers to obtain sensitive information by reading this file. | |||||
| CVE-2015-0680 | 1 Cisco | 1 Unified Callmanager | 2015-11-30 | 4.0 MEDIUM | N/A |
| Cisco Unified Call Manager (CM) 9.1(2.1000.28) does not properly restrict resource requests, which allows remote authenticated users to read arbitrary files via unspecified vectors, aka Bug ID CSCuq44439. | |||||
| CVE-2015-0174 | 1 Ibm | 1 Websphere Application Server | 2015-11-30 | 4.0 MEDIUM | N/A |
| The SNMP implementation in IBM WebSphere Application Server (WAS) 8.5 before 8.5.5.5 does not properly handle configuration data, which allows remote authenticated users to obtain sensitive information via unspecified vectors. | |||||
| CVE-2014-4499 | 1 Apple | 1 Mac Os X | 2015-11-30 | 2.1 LOW | N/A |
| The App Store process in CommerceKit Framework in Apple OS X before 10.10.2 places Apple ID credentials in App Store logs, which allows local users to obtain sensitive information by reading a file. | |||||
| CVE-2014-4818 | 1 Ibm | 1 Tivoli Storage Manager | 2015-11-30 | 2.1 LOW | N/A |
| dsmtca in the client in IBM Tivoli Storage Manager (TSM) 5.4.x, 5.5.x, 6.x before 6.4.3, and 7.1.x before 7.1.2 allows local users to discover the backup/restore encryption-key password via unspecified vectors. | |||||
| CVE-2015-8090 | 1 Tibco | 1 Loglogic Unity | 2015-11-19 | 4.0 MEDIUM | N/A |
| The Web Server component in TIBCO LogLogic Unity before 1.1.1 allows remote authenticated users to gain privileges, and consequently obtain sensitive information, via an HTTP request. | |||||
| CVE-2015-7910 | 1 Exemys | 1 Telemetry Web Server | 2015-11-19 | 7.8 HIGH | N/A |
| Exemys Telemetry Web Server relies on an HTTP Location header to indicate that a client is unauthorized, which allows remote attackers to bypass intended access restrictions by disregarding this header and processing the response body. | |||||
| CVE-2015-7404 | 2 Ibm, Microsoft | 4 Tivoli Storage Flashcopy Manager, Tivoli Storage Manager For Databases Data Protection For Microsoft Sql Server, Tivoli Storage Manager For Mail Data Protection For Microsoft Exchange Server and 1 more | 2015-11-19 | 1.9 LOW | N/A |
| IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server (aka Spectrum Protect for Databases) 5.5 before 5.5.6.2, 6.3 before 6.3.1.6, 6.4 before 6.4.1.8, and 7.1 before 7.1.4; Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server (aka Spectrum Protect for Mail) 5.5 before 5.5.1.1, 6.1 and 6.3 before 6.3.1.6, 6.4 before 6.4.1.8, and 7.1 before 7.1.4; and Tivoli Storage FlashCopy Manager for Windows (aka Spectrum Protect Snapshot) 2.x and 3.1 before 3.1.1.6, 3.2 before 3.2.1.8, and 4.1 before 4.1.4, when application tracing is configured, write cleartext passwords during changetsmpassword command execution, which allows local users to obtain sensitive information by reading the application trace output. | |||||
| CVE-2015-6371 | 1 Cisco | 1 Firepower Extensible Operating System | 2015-11-19 | 4.0 MEDIUM | N/A |
| Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 9000 devices allows remote authenticated users to read arbitrary files via crafted parameters to unspecified scripts, aka Bug ID CSCux10621. | |||||
| CVE-2015-6368 | 1 Cisco | 1 Firepower Extensible Operating System | 2015-11-19 | 5.0 MEDIUM | N/A |
| Cisco Firepower Extensible Operating System 1.1(1.160) on Firepower 9000 devices allows remote attackers to read files via a crafted HTTP request, aka Bug ID CSCux10608. | |||||
| CVE-2015-1306 | 1 Sympa | 1 Sympa | 2015-11-19 | 5.0 MEDIUM | N/A |
| The newsletter posting area in the web interface in Sympa 6.0.x before 6.0.10 and 6.1.x before 6.1.24 allows remote attackers to read arbitrary files via unspecified vectors. | |||||
| CVE-2015-8232 | 1 Uc Profile Project | 1 Uc Profile | 2015-11-18 | 4.3 MEDIUM | N/A |
| The UC Profile module 6.x-1.x before 6.x-1.3 for Drupal does not properly check access to profiles in certain circumstances, which might allow remote attackers to obtain sensitive information from the anonymous user profile via unspecified vectors. | |||||
| CVE-2014-5447 | 1 Zarafa | 2 Webapp, Zarafa | 2015-11-17 | 2.1 LOW | N/A |
| Zarafa WebAccess 7.1.10 and WebApp 1.6 beta uses weak permissions (644) for config.php, which allows local users to obtain sensitive information by reading the PHP session files. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0103. | |||||
| CVE-2015-7427 | 1 Ibm | 1 Datapower Gateway | 2015-11-16 | 5.0 MEDIUM | N/A |
| IBM DataPower Gateway appliances with firmware 6.x before 6.0.0.17, 6.0.1.x before 6.0.1.17, 7.x before 7.0.0.10, 7.1.0.x before 7.1.0.7, and 7.2.x before 7.2.0.1 do not set the secure flag for unspecified cookies in an https session, which makes it easier for remote attackers to capture these cookies by intercepting their transmission within an http session. | |||||
| CVE-2014-5233 | 2 Apple, Siemens | 2 Iphone Os, Simatic Wincc Sm\@rtclient | 2015-11-13 | 1.9 LOW | N/A |
| The Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows physically proximate attackers to discover Sm@rtServer credentials by leveraging an error in the credential-processing mechanism. | |||||
| CVE-2014-5231 | 2 Apple, Siemens | 2 Iphone Os, Simatic Wincc Sm\@rtclient | 2015-11-13 | 2.1 LOW | N/A |
| The Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows physically proximate attackers to extract the password from storage via unspecified vectors. | |||||
| CVE-2014-5213 | 1 Novell | 1 Edirectory | 2015-11-13 | 4.0 MEDIUM | N/A |
| nds/files/opt/novell/eDirectory/lib64/ndsimon/public/images in iMonitor in Novell eDirectory before 8.8 SP8 Patch 4 allows remote authenticated users to obtain sensitive information from process memory via a direct request. | |||||
| CVE-2015-7991 | 1 Sap | 1 Hana | 2015-11-12 | 5.0 MEDIUM | N/A |
| The Web Dispatcher service in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to read web dispatcher and security trace files and possibly obtain passwords via unspecified vectors, aka SAP Security Note 2148854. | |||||
| CVE-2013-3647 | 1 Cybozu | 1 Cybozu Live | 2015-11-10 | 6.8 MEDIUM | N/A |
| The WebView class in the Cybozu Live application before 2.0.1 for Android allows attackers to execute arbitrary JavaScript code, and obtain sensitive information, via a crafted application that places this code into a local file associated with a file: URL. NOTE: this vulnerability exists because of a CVE-2012-4009 regression. | |||||
| CVE-2012-4006 | 3 Google, Gree, Kddi \& Gree | 9 Android, Gree, Haconiwa and 6 more | 2015-11-10 | 4.3 MEDIUM | N/A |
| The GREE application before 1.4.0, GREE Tanken Dorirando application before 1.0.7, GREE Tsurisuta application before 1.5.0, GREE Monpura application before 1.1.1, GREE Kaizokuoukoku Columbus application before 1.3.5, GREE haconiwa application before 1.1.0, GREE Seisen Cerberus application before 1.1.0, and KDDI&GREE GREE Market application before 2.1.2 for Android do not properly implement the WebView class, which allows remote attackers to obtain sensitive information via a crafted application. | |||||
| CVE-2015-8007 | 1 Echo Project | 1 Echo | 2015-11-10 | 4.0 MEDIUM | N/A |
| The Echo extension for MediWiki does not properly implement the hideuser functionality, which allows remote authenticated users to see hidden usernames in "non-revision based" notifications, as demonstrated by viewing a hidden username in a Thanks notification. | |||||
| CVE-2015-8095 | 2 Drupal, Monster Menus Module Project | 2 Drupal, Monster Menus | 2015-11-10 | 5.0 MEDIUM | N/A |
| The recycle bin feature in the Monster Menus module 7.x-1.21 before 7.x-1.24 for Drupal does not properly remove nodes from view, which allows remote attackers to obtain sensitive information via an unspecified URL pattern. | |||||