Total: 5300 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-6606 | 1 Google | 1 Android | 2015-10-07 | 9.3 HIGH | N/A |
| The Secure Element Evaluation Kit (aka SEEK or SmartCard API) plugin in Android before 5.1.1 LMY48T allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 22301786. | |||||
| CVE-2015-6596 | 1 Google | 1 Android | 2015-10-07 | 9.3 HIGH | N/A |
| mediaserver in Android before 5.1.1 LMY48T allows attackers to gain privileges via a crafted application, aka internal bugs 20731946 and 20719651, a different vulnerability than CVE-2015-7717. | |||||
| CVE-2015-5645 | 1 Icz | 1 Matchasns | 2015-10-07 | 6.5 MEDIUM | N/A |
| ICZ MATCHA SNS before 1.3.7 allows remote authenticated users to obtain administrative privileges via unspecified vectors. | |||||
| CVE-2015-3865 | 1 Google | 1 Android | 2015-10-07 | 9.3 HIGH | N/A |
| The Runtime subsystem in Android before 5.1.1 LMY48T allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23050463. | |||||
| CVE-2015-3847 | 1 Google | 1 Android | 2015-10-07 | 6.4 MEDIUM | N/A |
| Bluetooth in Android before 5.1.1 LMY48T allows attackers to remove stored SMS messages via a crafted application, aka internal bug 22343270. | |||||
| CVE-2015-5640 | 1 E-catchup | 1 Basercms | 2015-10-06 | 6.5 MEDIUM | N/A |
| baserCMS before 3.0.8 allows remote authenticated users to modify arbitrary user settings via a crafted request. | |||||
| CVE-2015-4964 | 1 Ibm | 1 Urbancode Deploy | 2015-10-06 | 6.0 MEDIUM | N/A |
| IBM UrbanCode Deploy 6.0 and 6.0.1.x before 6.0.1.10, 6.1.1.x before 6.1.1.8, and 6.1.2 writes admin AUTH_TOKEN values to execution logs, which allows remote authenticated users to gain privileges by leveraging the ability to create and execute a process. | |||||
| CVE-2015-7709 | 1 Arkeia | 1 Western Digital Arkeia | 2015-10-06 | 10.0 HIGH | N/A |
| The arkeiad daemon in the Arkeia Backup Agent in Western Digital Arkeia 11.0.12 and earlier allows remote attackers to bypass authentication and execute arbitrary commands via a series of crafted requests involving the ARKFS_EXEC_CMD operation. | |||||
| CVE-2015-7685 | 1 Glpi-project | 1 Glpi | 2015-10-06 | 4.0 MEDIUM | N/A |
| GLPI before 0.85.3 allows remote authenticated users to create super-admin accounts by leveraging permissions to create a user and the _profiles_id parameter to front/user.form.php. | |||||
| CVE-2015-2027 | 1 Ibm | 1 Websphere Extreme Scale | 2015-10-05 | 2.1 LOW | N/A |
| IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3 and 7.1.1 before 7.1.1.1 improperly performs logout actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation. | |||||
| CVE-2015-0142 | 1 Ibm | 1 Openpages Grc Platform | 2015-10-05 | 4.0 MEDIUM | N/A |
| IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7.0 before FP4, and 7.1 before FP1 allows remote authenticated users to cause a denial of service (maintenance-mode transition and data-storage outage) by calling the System Administration Mode function. | |||||
| CVE-2015-3858 | 1 Google | 1 Android | 2015-10-01 | 9.3 HIGH | N/A |
| The checkDestination function in internal/telephony/SMSDispatcher.java in Android before 5.1.1 LMY48M relies on an obsolete permission name for an authorization check, which allows attackers to bypass an intended user-confirmation requirement for SMS short-code messaging via a crafted application, aka internal bug 22314646. | |||||
| CVE-2015-3849 | 1 Google | 1 Android | 2015-10-01 | 9.3 HIGH | N/A |
| The Region_createFromParcel function in core/jni/android/graphics/Region.cpp in Region in Android before 5.1.1 LMY48M does not check the return values of certain read operations, which allows attackers to execute arbitrary code via an application that sends a crafted message to a service, aka internal bug 21585255. | |||||
| CVE-2015-3843 | 1 Google | 1 Android | 2015-10-01 | 9.3 HIGH | N/A |
| The SIM Toolkit (STK) framework in Android before 5.1.1 LMY48I allows attackers to (1) intercept or (2) emulate unspecified Telephony STK SIM commands via an application that sends a crafted Intent, related to com/android/internal/telephony/cat/AppInterface.java, aka internal bug 21697171. | |||||
| CVE-2015-3845 | 1 Google | 1 Android | 2015-10-01 | 6.8 MEDIUM | N/A |
| The Parcel::appendFrom function in libs/binder/Parcel.cpp in Binder in Android before 5.1.1 LMY48M does not consider parcel boundaries during identification of binder objects in an append operation, which allows attackers to obtain a different application's privileges via a crafted application, aka internal bug 17312693. | |||||
| CVE-2015-3844 | 1 Google | 1 Android | 2015-10-01 | 6.8 MEDIUM | N/A |
| The getProcessRecordLocked method in services/core/java/com/android/server/am/ActivityManagerService.java in ActivityManager in Android before 5.1.1 LMY48I allows attackers to trigger incorrect process loading via a crafted application, as demonstrated by interfering with use of the Settings application, aka internal bug 21669445. | |||||
| CVE-2015-5637 | 1 Newphoria Corporation | 1 1.1 | 2015-09-23 | 6.8 MEDIUM | N/A |
| The Newphoria Photon application before 1.2 for Android allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors. | |||||
| CVE-2015-5636 | 1 Newphoria Corporation | 1 Reversi | 2015-09-23 | 6.8 MEDIUM | N/A |
| The Newphoria Reversi application before 1.0.3 for Android and before 1.2 for iOS allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors. | |||||
| CVE-2015-5635 | 1 Newphoria Corporation | 1 Koritore | 2015-09-23 | 6.8 MEDIUM | N/A |
| The Newphoria Koritore application before 1.1 for Android and before 1.1 for iOS allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors. | |||||
| CVE-2015-5634 | 1 Newphoria Corporation | 1 Megaphone Music | 2015-09-23 | 6.8 MEDIUM | N/A |
| The Newphoria MEGAPHONE MUSIC application before 1.1 for Android and before 1.1 for iOS allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors. | |||||
| CVE-2015-5633 | 1 Newphoria Corporation | 1 Auction Camera | 2015-09-23 | 6.8 MEDIUM | N/A |
| The Newphoria Auction Camera application for iOS and before 1.2 for Android allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors. | |||||
| CVE-2015-5632 | 1 Newphoria Corporation | 1 Applican | 2015-09-23 | 6.8 MEDIUM | N/A |
| The runtime engine in the Newphoria applican framework before 1.12.3 for Android and before 1.12.2 for iOS allows attackers to bypass a whitelist.xml URL whitelist protection mechanism and obtain API access via unspecified vectors. | |||||
| CVE-2015-7238 | 1 Mcafee | 1 Threat Intelligence Exchange | 2015-09-22 | 2.1 LOW | N/A |
| The Secondary server in Threat Intelligence Exchange (TIE) before 1.2.0 uses weak permissions for unspecified (1) configuration files and (2) installation logs, which allows local users to obtain sensitive information by reading the files. | |||||
| CVE-2015-7227 | 1 Fieldable Panels Panes Project | 1 Fieldable Panels Panes | 2015-09-22 | 3.5 LOW | N/A |
| The Fieldable Panels Panes module 7.x-1.x before 7.x-1.7 for Drupal does not properly check permissions to edit Fieldable Panels Panes entities, which allows remote authenticated users to edit panes by leveraging permissions to edit panels. | |||||
| CVE-2015-7229 | 1 Twitter Project | 1 Twitter | 2015-09-22 | 3.5 LOW | N/A |
| The Twitter module 6.x-5.x before 6.x-5.2, 7.x-5.x before 7.x-5.9, and 7.x-6.x before 7.x-6.0 for Drupal does not properly check access permissions, which allows remote authenticated users to post tweets to arbitrary accounts by leveraging the (1) "post to twitter" permission or change the options for arbitrary attached accounts by leveraging the (2) "add twitter accounts" or (3) "add authenticated twitter accounts" permission. | |||||
| CVE-2015-7230 | 1 Workbench Email Project | 1 Workbench Email | 2015-09-22 | 3.5 LOW | N/A |
| The Workbench Email module 7.x-3.x before 7.x-3.4 for Drupal allows remote authenticated users with certain permissions to bypass node and field validation by saving a node. | |||||
| CVE-2014-9476 | 1 Mediawiki | 1 Mediawiki | 2015-09-17 | 5.0 MEDIUM | N/A |
| MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/." | |||||
| CVE-2015-5498 | 1 Shipwire Api Project | 1 Shipwire Api | 2015-09-03 | 5.0 MEDIUM | N/A |
| The Shipwire API module 7.x-1.x before 7.x-1.03 for Drupal does not check the view permission for the shipments overview (admin/shipwire/shipments), which allows remote attackers to obtain sensitive information via a request to the page. | |||||
| CVE-2011-2687 | 1 Drupal | 1 Drupal | 2015-09-03 | 7.5 HIGH | N/A |
| Drupal 7.x before 7.3 allows remote attackers to bypass intended node_access restrictions via vectors related to a listing that shows nodes but lacks a JOIN clause for the node table. | |||||
| CVE-2015-6520 | 1 Ippusbxd Project | 1 Ippusbxd | 2015-09-02 | 7.5 HIGH | N/A |
| IPPUSBXD before 1.22 listens on all interfaces, which allows remote attackers to obtain access to USB connected printers via a direct request. | |||||
| CVE-2015-6745 | 1 Basware | 1 Banking | 2015-08-31 | 4.6 MEDIUM | N/A |
| Basware Banking (Maksuliikenne) 8.90.07.X relies on the client to enforce account locking, which allows local users to bypass that security mechanism by deleting the entry from the locking table. NOTE: this identifier was SPLIT from CVE-2015-0942 per ADT2 and ADT3 due to different vulnerability type and different affected versions. NOTE: this vulnerability exists because of an incorrect fix for CVE-2015-6744. | |||||
| CVE-2015-3158 | 1 Picketlink | 1 Picketlink | 2015-08-27 | 4.0 MEDIUM | N/A |
| The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.8.0.Beta1 does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a (1) direct request or (2) request through an SP initiated flow. | |||||
| CVE-2015-5402 | 1 Hp | 2 Matrix Operating Environment, Systems Insight Manager | 2015-08-27 | 7.2 HIGH | N/A |
| HP Systems Insight Manager (SIM) before 7.5.0, as used in HP Matrix Operating Environment before 7.5.0 and other products, allows local users to gain privileges, and consequently obtain sensitive information, modify data, or cause a denial of service, via unspecified vectors. | |||||
| CVE-2015-5222 | 1 Redhat | 1 Openshift | 2015-08-25 | 8.5 HIGH | N/A |
| Red Hat OpenShift Enterprise 3.0.0.0 does not properly check permissions, which allows remote authenticated users with build permissions to execute arbitrary shell commands with root permissions on arbitrary build pods via unspecified vectors. | |||||
| CVE-2015-5961 | 1 Mozilla | 1 Firefox Os | 2015-08-21 | 3.3 LOW | N/A |
| The COPPA error page in the Accounts setup dialog in Mozilla Firefox OS before 2.2 embeds content from an external web server URL into the System process, which allows man-in-the-middle attackers to bypass intended access restrictions by spoofing that server. | |||||
| CVE-2015-5499 | 1 Navigate Project | 1 Navigate | 2015-08-20 | 4.0 MEDIUM | N/A |
| The Navigate module for Drupal does not properly check permissions, which allows remote authenticated users to modify custom widgets and create widget database records by leveraging the "navigate view" permission. | |||||
| CVE-2015-5493 | 1 Entityform Block Project | 1 Entityform Block | 2015-08-20 | 5.0 MEDIUM | N/A |
| The Entityform Block module 7.x-1.x before 7.x-1.3 for Drupal does not properly check permissions when a form is locked to a role, which allows remote attackers to obtain access to certain entityforms via unspecified vectors. | |||||
| CVE-2015-3235 | 1 Theforeman | 1 Foreman | 2015-08-18 | 6.0 MEDIUM | N/A |
| Foreman before 1.9.0 allows remote authenticated users with the edit_users permission to edit administrator users and change their passwords via unspecified vectors. | |||||
| CVE-2014-2541 | 1 Tibco | 3 Messaging Appliance, Rendezvous, Substantiation Es | 2015-08-11 | 5.0 MEDIUM | N/A |
| The Rendezvous Daemon (rvd), Rendezvous Routing Daemon (rvrd), Rendezvous Secure Daemon (rvsd), and Rendezvous Secure Routing Daemon (rvsrd) in TIBCO Rendezvous before 8.4.2, Messaging Appliance before 8.7.1, and Substation ES before 2.8.1 do not properly implement access control, which allows remote attackers to obtain sensitive information or modify transmitted information via unspecified vectors. | |||||
| CVE-2015-2871 | 1 Chiyu | 1 Bf-660c | 2015-08-10 | 7.5 HIGH | N/A |
| Chiyu BF-660C fingerprint access-control devices allow remote attackers to bypass authentication and (1) read or (2) modify communication configuration settings via a request to net.htm, a different vulnerability than CVE-2015-5618. | |||||
| CVE-2015-5618 | 1 Chiyutw | 2 Bf-630, Bf-630w | 2015-08-03 | 7.5 HIGH | N/A |
| Chiyu BF-630 and BF-630W fingerprint access-control devices allow remote attackers to bypass authentication and (1) read or (2) modify (a) Voice Time Set configuration settings via a request to voice.htm or (b) UniFinger configuration settings via a request to bf.htm, a different vulnerability than CVE-2015-2871. | |||||
| CVE-2015-4287 | 1 Cisco | 1 Firepower Extensible Operating System | 2015-07-29 | 5.0 MEDIUM | N/A |
| Cisco Firepower Extensible Operating System 1.1(1.86) on Firepower 9000 devices allows remote attackers to bypass intended access restrictions and obtain sensitive device information by visiting an unspecified web page, aka Bug ID CSCuu82230. | |||||
| CVE-2014-2102 | 1 Cisco | 1 Unified Contact Center Express Editor Software | 2015-07-29 | 4.0 MEDIUM | N/A |
| Cisco Unified Contact Center Express (Unified CCX) does not properly restrict the content of the CCMConfig page, which allows remote authenticated users to obtain sensitive information by examining this content, aka Bug ID CSCum95575. | |||||
| CVE-2005-4854 | 1 Ez | 1 Ez Publish | 2015-07-28 | 5.0 MEDIUM | N/A |
| eZ publish 3.5 through 3.7 before 20050830 does not use a folder's read permissions to restrict notifications, which allows remote authenticated users to obtain sensitive information about changes to content in arbitrary folders. | |||||
| CVE-2005-4853 | 1 Ez | 1 Ez Publish | 2015-07-28 | 9.4 HIGH | N/A |
| The default configuration of the forum package in eZ publish 3.5 before 3.5.5, 3.6 before 3.6.2, 3.7 before 3.7.0rc2, and 3.8 before 20050818 does not restrict edit permissions to a posting's owner, which allows remote authenticated users to edit arbitrary postings. | |||||
| CVE-2006-7218 | 1 Ez | 1 Ez Publish | 2015-07-28 | 4.0 MEDIUM | N/A |
| eZ publish before 3.8.1 does not properly enforce permissions for "content edit Language" when there are four or more languages, which allows remote authenticated users to perform translations into languages that are not listed in a Module Function Limitation policy. | |||||
| CVE-2006-7219 | 1 Ez | 1 Ez Publish | 2015-07-28 | 4.0 MEDIUM | N/A |
| eZ publish before 3.8.5 does not properly enforce permissions for editing in a specific language, which allows remote authenticated users to create a draft in an unauthorized language by editing an archived version of an object, and then using Manage Versions to copy this version to a new draft. | |||||
| CVE-2014-0344 | 1 Zohocorp | 1 Manageengine Opstor | 2015-07-24 | 6.5 MEDIUM | N/A |
| Properties.do in ZOHO ManageEngine OpStor before build 8500 does not properly check privilege levels, which allows remote authenticated users to obtain Admin access by using the name parameter in conjunction with a true value of the edit parameter. | |||||
| CVE-2014-8175 | 1 Redhat | 1 Jboss Fuse | 2015-07-09 | 6.0 MEDIUM | N/A |
| Red Hat JBoss Fuse before 6.2.0 allows remote authenticated users to bypass intended restrictions and access the HawtIO console by leveraging an account defined in the users.properties file. | |||||
| CVE-2014-8605 | 1 Xcloner | 1 Xcloner | 2015-06-11 | 5.0 MEDIUM | N/A |
| The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! stores database backup files with predictable names under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to a backup file in administrators/backups/. | |||||
