Search
Total
194 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-4418 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2016-12-31 | 5.0 MEDIUM | N/A |
| Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. | |||||
| CVE-2013-7293 | 1 Asus | 1 Wl-330nul | 2016-12-31 | 5.0 MEDIUM | N/A |
| The ASUS WL-330NUL router has a configuration process that relies on accessing the 192.168.1.1 IP address, but the documentation advises users to instead access a DNS hostname that does not always resolve to 192.168.1.1, which makes it easier for remote attackers to hijack the configuration traffic by controlling the server associated with that hostname. | |||||
| CVE-2015-4050 | 1 Sensiolabs | 1 Symfony | 2016-12-31 | 4.3 MEDIUM | N/A |
| FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment. | |||||
| CVE-2015-2959 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2016-12-31 | 7.5 HIGH | N/A |
| Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role. | |||||
| CVE-2015-4051 | 1 Beckhoff | 1 Ipc Diagnostics | 2016-12-31 | 9.0 HIGH | N/A |
| Beckhoff IPC Diagnostics before 1.8 does not properly restrict access to functions in /config, which allows remote attackers to cause a denial of service (reboot or shutdown), create arbitrary users, or possibly have unspecified other impact via a crafted request, as demonstrated by a beckhoff.com:service:cxconfig:1#Write SOAP action to /upnpisapi. | |||||
| CVE-2015-4271 | 1 Cisco | 1 Telepresence Tc Software | 2016-12-28 | 6.4 MEDIUM | N/A |
| Cisco TelePresence TC before 7.3.4 on Integrator C devices allows remote attackers to bypass authentication via vectors involving multiple request parameters, aka Bug ID CSCuv00604. | |||||
| CVE-2015-4298 | 1 Cisco | 1 Unified Web And E-mail Interaction Manager | 2016-12-28 | 6.5 MEDIUM | N/A |
| Cisco Unified Web and E-Mail Interaction Manager 9.0(2) and 11.0(1) improperly performs authorization, which allows remote authenticated users to read or write to stored data via unspecified vectors, aka Bug ID CSCuo89056. | |||||
| CVE-2015-4302 | 1 Cisco | 1 Firesight System Software | 2016-12-28 | 6.4 MEDIUM | N/A |
| The web interface in Cisco FireSIGHT Management Center 5.3.1.4 allows remote attackers to delete arbitrary system policies via modified parameters in a POST request, aka Bug ID CSCuu25390. | |||||
| CVE-2015-4299 | 1 Cisco | 1 Unified Web And E-mail Interaction Manager | 2016-12-28 | 5.5 MEDIUM | N/A |
| Cisco Unified Web and E-Mail Interaction Manager 9.0(2) improperly performs authorization, which allows remote authenticated users to remove default messaging-queue system folders via unspecified vectors, aka Bug ID CSCuo89046. | |||||
| CVE-2015-4526 | 1 Emc | 1 Recoverpoint For Virtual Machines | 2016-12-28 | 7.2 HIGH | N/A |
| EMC RecoverPoint for Virtual Machines (VMs) 4.2 allows local users to obtain root-shell access by bypassing the Installation Manager Boxmgmt CLI interface. | |||||
| CVE-2015-3644 | 1 Stunnel | 1 Stunnel | 2016-12-28 | 5.8 MEDIUM | N/A |
| Stunnel 5.00 through 5.13, when using the redirect option, does not redirect client connections to the expected server after the initial connection, which allows remote attackers to bypass authentication. | |||||
| CVE-2015-3650 | 1 Vmware | 3 Horizon View Client, Player, Workstation | 2016-12-28 | 7.2 HIGH | N/A |
| vmware-vmx.exe in VMware Workstation 7.x through 10.x before 10.0.7 and 11.x before 11.1.1, VMware Player 5.x and 6.x before 6.0.7 and 7.x before 7.1.1, and VMware Horizon Client 5.x local-mode before 5.4.2 on Windows does not provide a valid DACL pointer during the setup of the vprintproxy.exe process, which allows host OS users to gain host OS privileges by injecting a thread. | |||||
| CVE-2015-1959 | 1 Ibm | 1 Tivoli Directory Server | 2016-12-28 | 4.6 MEDIUM | N/A |
| IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iFix 68, 6.2 before iFix 44, 6.3 before iFix 37, 6.3.1 before iFix 11, and 6.4 before iFix 2 does not properly restrict encrypted files, which allows local users to obtain sensitive information or possibly have unspecified other impact via a (1) download or (2) upload action. | |||||
| CVE-2015-3806 | 1 Apple | 2 Iphone Os, Mac Os X | 2016-12-24 | 7.2 HIGH | N/A |
| Apple iOS before 8.4.1 and OS X before 10.10.5 allow local users to bypass a code-signing protection mechanism by appending code to a crafted executable file. | |||||
| CVE-2014-8912 | 1 Ibm | 1 Websphere Portal | 2016-12-24 | 5.0 MEDIUM | N/A |
| IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF29, 8.0.0 through 8.0.0.1 CF18, and 8.5.0 before CF08 improperly restricts resource access, which allows remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by configuration information. | |||||
| CVE-2015-7184 | 1 Mozilla | 1 Firefox | 2016-12-24 | 6.8 MEDIUM | N/A |
| The fetch API implementation in Mozilla Firefox before 41.0.2 does not restrict access to the HTTP response body in certain situations where user credentials are supplied but the CORS cross-origin request algorithm is improperly followed, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. | |||||
| CVE-2015-1304 | 1 Google | 1 Chrome | 2016-12-24 | 7.5 HIGH | N/A |
| object-observe.js in Google V8, as used in Google Chrome before 45.0.2454.101, does not properly restrict method calls on access-checked objects, which allows remote attackers to bypass the Same Origin Policy via a (1) observe or (2) getNotifier call. | |||||
| CVE-2015-5746 | 1 Apple | 1 Iphone Os | 2016-12-24 | 5.0 MEDIUM | N/A |
| AppleFileConduit in Apple iOS before 8.4.1 allows attackers to bypass intended restrictions on filesystem access via an afc command that leverages symlink mishandling. | |||||
| CVE-2015-5826 | 1 Apple | 2 Iphone Os, Safari | 2016-12-22 | 4.3 MEDIUM | N/A |
| WebKit in Apple iOS before 9 does not properly select the cases in which a Cascading Style Sheets (CSS) document is required to have the text/css content type, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. | |||||
| CVE-2015-5838 | 1 Apple | 1 Iphone Os | 2016-12-22 | 4.3 MEDIUM | N/A |
| SpringBoard in Apple iOS before 9 does not properly restrict access to privileged API calls, which allows attackers to spoof the dialog windows of an arbitrary app via a crafted app. | |||||
| CVE-2015-5861 | 1 Apple | 1 Iphone Os | 2016-12-22 | 2.1 LOW | N/A |
| SpringBoard in Apple iOS before 9 allows physically proximate attackers to bypass a lock-screen preview-disabled setting, and reply to an audio message, via unspecified vectors. | |||||
| CVE-2015-5882 | 1 Apple | 3 Iphone Os, Mac Os X, Watchos | 2016-12-22 | 7.2 HIGH | N/A |
| The processor_set_tasks API implementation in Apple iOS before 9 allows local users to bypass an entitlement protection mechanism and obtain access to the task ports of arbitrary processes by leveraging root privileges. | |||||
| CVE-2015-6675 | 1 Siemens | 1 Ruggedcom Rugged Operating System | 2016-12-22 | 4.3 MEDIUM | N/A |
| Siemens RUGGEDCOM ROS 3.8.0 through 4.1.x permanently enables the IP forwarding feature, which allows remote attackers to bypass a VLAN isolation protection mechanism via IP traffic. | |||||
| CVE-2014-8632 | 1 Mozilla | 2 Firefox, Seamonkey | 2016-12-22 | 4.3 MEDIUM | N/A |
| The structured-clone implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 does not properly interact with XrayWrapper property filtering, which allows remote attackers to bypass intended DOM object restrictions by leveraging property availability after XrayWrapper removal. | |||||
| CVE-2014-8631 | 1 Mozilla | 2 Firefox, Seamonkey | 2016-12-22 | 4.3 MEDIUM | N/A |
| The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 34.0 and SeaMonkey before 2.31 supports native-interface passing, which allows remote attackers to bypass intended DOM object restrictions via a call to an unspecified method. | |||||
| CVE-2015-1927 | 1 Ibm | 1 Websphere Application Server | 2016-12-22 | 6.8 MEDIUM | N/A |
| The default configuration of IBM WebSphere Application Server (WAS) 7.0.0 before 7.0.0.39, 8.0.0 before 8.0.0.11, and 8.5 before 8.5.5.6 has a false value for the com.ibm.ws.webcontainer.disallowServeServletsByClassname WebContainer property, which allows remote attackers to obtain privileged access via unspecified vectors. | |||||
| CVE-2014-1589 | 1 Mozilla | 2 Firefox, Seamonkey | 2016-12-22 | 6.8 MEDIUM | N/A |
| Mozilla Firefox before 34.0 and SeaMonkey before 2.31 provide stylesheets with an incorrect primary namespace, which allows remote attackers to bypass intended access restrictions via an XBL binding. | |||||
| CVE-2015-5913 | 1 Apple | 1 Mac Os X | 2016-12-08 | 6.8 MEDIUM | N/A |
| Heimdal, as used in Apple OS X before 10.11, allows remote attackers to conduct replay attacks against the SMB server via packet data that represents a Kerberos authenticated request. | |||||
| CVE-2013-2175 | 4 Canonical, Debian, Haproxy and 1 more | 4 Ubuntu Linux, Debian Linux, Haproxy and 1 more | 2016-12-07 | 5.0 MEDIUM | N/A |
| HAProxy 1.4 before 1.4.24 and 1.5 before 1.5-dev19, when configured to use hdr_ip or other "hdr_*" functions with a negative occurrence count, allows remote attackers to cause a denial of service (negative array index usage and crash) via an HTTP header with a certain number of values, related to the MAX_HDR_HISTORY variable. | |||||
| CVE-2015-6928 | 1 Cubecart | 1 Cubecart | 2016-12-07 | 6.8 MEDIUM | N/A |
| classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate parameter and the administrator email in the email parameter. | |||||
| CVE-2015-6478 | 1 Unitronics | 1 Visilogic Oplc Ide | 2016-12-07 | 6.8 MEDIUM | N/A |
| Unitronics VisiLogic OPLC IDE before 9.8.02 does not properly restrict access to ActiveX controls, which allows remote attackers to have an unspecified impact via a crafted web site. | |||||
| CVE-2015-6366 | 1 Cisco | 1 Ios | 2016-12-07 | 5.0 MEDIUM | N/A |
| Cisco IOS 15.2(04)M6 and 15.4(03)S lets physical-interface ACLs supersede tunnel-interface ACLs, which allows remote attackers to bypass intended network-traffic restrictions in opportunistic circumstances by using a tunnel, aka Bug ID CSCur01042. | |||||
| CVE-2012-2351 | 2 Debian, Mahara | 2 Debian Linux, Mahara | 2016-12-07 | 5.0 MEDIUM | N/A |
| The default configuration of the auth/saml plugin in Mahara before 1.4.2 sets the "Match username attribute to Remote username" option to false, which allows remote SAML IdP servers to spoof users of other SAML IdP servers by using the same internal username. | |||||
| CVE-2011-4016 | 1 Cisco | 1 Ios | 2016-12-07 | 5.4 MEDIUM | N/A |
| The PPP implementation in Cisco IOS 12.2 and 15.0 through 15.2, when Point-to-Point Termination and Aggregation (PTA) and L2TP are used, allows remote attackers to cause a denial of service (device crash) via crafted network traffic, aka Bug ID CSCtf71673. | |||||
| CVE-2013-4316 | 2 Apache, Oracle | 4 Struts, Flexcube Private Banking, Mysql Enterprise Monitor and 1 more | 2016-12-07 | 10.0 HIGH | N/A |
| Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors. | |||||
| CVE-2014-3120 | 1 Elasticsearch | 1 Elasticsearch | 2016-12-06 | 6.8 MEDIUM | N/A |
| The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine. | |||||
| CVE-2015-4034 | 1 Samsung | 1 Galaxy S5 | 2016-12-06 | 7.9 HIGH | N/A |
| The createFromParcel method in the com.absolute.android.persistence.MethodSpec class in Samsung Galaxy S5s allows remote attackers to execute arbitrary files via a crafted Parcelable object in a serialized MethodSpec object. | |||||
| CVE-2015-3692 | 1 Apple | 1 Mac Os X | 2016-12-06 | 6.8 MEDIUM | N/A |
| Apple Mac EFI before 2015-001, as used in OS X before 10.10.4 and other products, does not enforce a locking protection mechanism upon being woken from sleep, which allows local users to conduct EFI flash attacks by leveraging root privileges. | |||||
| CVE-2015-3224 | 1 Rubyonrails | 1 Web Console | 2016-12-03 | 4.3 MEDIUM | N/A |
| request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request. | |||||
| CVE-2015-2952 | 1 Igreks | 3 Milkystep Light, Milkystep Professional, Milkystep Professional Oem | 2016-12-03 | 6.5 MEDIUM | N/A |
| The user-information management functionality in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote authenticated users to bypass intended access restrictions and modify administrative credentials via unspecified vectors, a different vulnerability than CVE-2015-2953 and CVE-2015-2958. | |||||
| CVE-2015-2841 | 1 Citrix | 1 Netscaler | 2016-12-03 | 5.0 MEDIUM | N/A |
| Citrix NetScaler AppFirewall, as used in NetScaler 10.5, allows remote attackers to bypass intended firewall restrictions via a crafted Content-Type header, as demonstrated by the application/octet-stream and text/xml Content-Types. | |||||
| CVE-2015-1937 | 1 Ibm | 1 Powervc | 2016-11-30 | 7.5 HIGH | N/A |
| IBM PowerVC 1.2.0.x through 1.2.0.4, 1.2.1.x through 1.2.1.2, and 1.2.2.x through 1.2.2.2 does not require authentication for the ceilometer NoSQL database, which allows remote attackers to read or write to arbitrary database records, and consequently obtain administrator privileges, via a session on port 27017. | |||||
| CVE-2015-1936 | 1 Ibm | 1 Websphere Application Server | 2016-11-30 | 6.0 MEDIUM | N/A |
| The administrative console in IBM WebSphere Application Server (WAS) 8.0.0 before 8.0.0.11 and 8.5 before 8.5.5.6, when the Security feature is disabled, allows remote authenticated users to hijack sessions via the JSESSIONID parameter. | |||||
| CVE-2015-6867 | 1 Hp | 1 Vertica | 2016-11-28 | 7.5 HIGH | N/A |
| The vertica-udx-zygote process in HP Vertica 7.1.1 UDx does not require authentication, which allows remote attackers to execute arbitrary commands via a crafted packet, aka ZDI-CAN-2914. | |||||
| CVE-2015-5502 | 1 Storage Api Project | 1 Storage Api | 2016-11-28 | 7.5 HIGH | N/A |
| The Storage API module 7.x-1.x before 7.x-1.8 for Drupal does not properly restrict access to Storage API fields attached to entities that are not nodes, which allows remote attackers to have unspecified impact via unknown vectors. | |||||
| CVE-2015-5512 | 1 Me Aliases Project | 1 Me Aliases | 2016-11-28 | 5.0 MEDIUM | N/A |
| The me aliases module 6.x-2.x before 6.x-2.10 and 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to access Views using the "me" user argument handler by substituting "me" for a user id in a URL. | |||||
| CVE-2015-1151 | 1 Apple | 1 Os X Server | 2016-04-01 | 5.0 MEDIUM | N/A |
| Wiki Server in Apple OS X Server before 4.1 allows remote attackers to bypass intended restrictions on Activity and People pages by connecting from an iPad client. | |||||
| CVE-2015-0531 | 1 Emc | 1 Sourceone Email Management | 2016-04-01 | 5.0 MEDIUM | N/A |
| EMC SourceOne Email Management before 7.2 does not have a lockout mechanism for invalid login attempts, which makes it easier for remote attackers to obtain access via a brute-force attack. | |||||
| CVE-2015-5464 | 1 Gemalto | 3 Safenet Luna G5, Safenet Luna Pci-e, Safenet Luna Sa | 2016-03-31 | 1.3 LOW | N/A |
| The Gemalto SafeNet Luna HSM allows remote authenticated users to bypass intended key-export restrictions by leveraging (1) crypto-user or (2) crypto-officer access to an HSM partition. | |||||
| CVE-2015-6848 | 1 Emc | 1 Isilon Onefs | 2015-11-27 | 8.5 HIGH | N/A |
| EMC Isilon OneFS 7.1.x before 7.1.1.5, 7.2.0.x before 7.2.0.3, and 7.2.1.x before 7.2.1.1, when the RFC 2307 feature is configured but SFU is not universally present, allows remote authenticated AD users to obtain root privileges via unspecified vectors. | |||||