Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-7354 | 1 Libpng | 1 Libpng | 2016-12-31 | 5.0 MEDIUM | N/A |
| Multiple integer overflows in libpng before 1.5.14rc03 allow remote attackers to cause a denial of service (crash) via a crafted image to the (1) png_set_sPLT or (2) png_set_text_2 function, which triggers a heap-based buffer overflow. | |||||
| CVE-2013-7365 | 1 Sap | 1 Enterprise Portal | 2016-12-31 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in SAP Enterprise Portal allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. | |||||
| CVE-2013-7368 | 1 Raoul Proenca | 1 Gnew | 2016-12-31 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Gnew 2013.1 allow remote attackers to inject arbitrary web script or HTML via the gnew_template parameter to (1) users/profile.php, (2) articles/index.php, or (3) admin/polls.php; (4) category_id parameter to news/submit.php; news_id parameter to (5) news/send.php or (6) comments/add.php; or (7) post_subject or (8) thread_id parameter to posts/edit.php. | |||||
| CVE-2013-7375 | 1 Php-fusion | 1 Php-fusion | 2016-12-31 | 7.5 HIGH | N/A |
| SQL injection vulnerability in includes/classes/Authenticate.class.php in PHP-Fusion 7.02.01 through 7.02.05 allows remote attackers to execute arbitrary SQL commands via the user ID in a user cookie, a different vulnerability than CVE-2013-1803. | |||||
| CVE-2013-7389 | 1 D-link | 2 Dir-645, Dir-645 Firmware | 2016-12-31 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in D-Link DIR-645 Router (Rev. A1) with firmware before 1.04B11 allow remote attackers to inject arbitrary web script or HTML via the (1) deviceid parameter to parentalcontrols/bind.php, (2) RESULT parameter to info.php, or (3) receiver parameter to bsc_sms_send.php. | |||||
| CVE-2013-7409 | 1 Allplayer | 1 Allplayer | 2016-12-31 | 7.5 HIGH | N/A |
| Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file. | |||||
| CVE-2013-7441 | 1 Wouter Verhelst | 1 Nbd | 2016-12-31 | 7.8 HIGH | N/A |
| The modern style negotiation in Network Block Device (nbd-server) 2.9.22 through 3.3 allows remote attackers to cause a denial of service (root process termination) by (1) closing the connection during negotiation or (2) specifying a name for a non-existent export. | |||||
| CVE-2014-0004 | 2 Canonical, Freedesktop | 2 Ubuntu Linux, Udisks | 2016-12-31 | 6.9 MEDIUM | N/A |
| Stack-based buffer overflow in udisks before 1.0.5 and 2.x before 2.1.3 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long mount point. | |||||
| CVE-2014-0045 | 1 Light Speed Gaming | 2 Mumble, Mumblekit | 2016-12-31 | 7.5 HIGH | N/A |
| The needSamples method in AudioOutputSpeech.cpp in the client in Mumble 1.2.4 and the 1.2.3 pre-release snapshots, Mumble for iOS 1.1 through 1.2.2, and MumbleKit before commit fd190328a9b24d37382b269a5674b0c0c7a7e36d does not check the return value of the opus_decode_float function, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted Opus voice packet, which triggers an error in opus_decode_float, a conversion of a negative integer to an unsigned integer, and a heap-based buffer over-read and over-write. | |||||
| CVE-2014-3684 | 1 Adaptivecomputing | 1 Torque Resource Manager | 2016-12-31 | 6.8 MEDIUM | N/A |
| The tm_adopt function in lib/Libifl/tm.c in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) 5.0.x, 4.5.x, 4.2.x, and earlier does not validate that the owner of the process also owns the adopted session id, which allows remote authenticated users to kill arbitrary processes via a crafted executable. | |||||
| CVE-2014-8142 | 1 Php | 1 Php | 2016-12-31 | 7.5 HIGH | N/A |
| Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019. | |||||
| CVE-2014-8514 | 1 Schneider Electric | 1 Proclima | 2016-12-31 | 7.5 HIGH | N/A |
| Buffer overflow in an ActiveX control in MDraw30.ocx in Schneider Electric ProClima before 6.1.7 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-8513 and CVE-2014-9188. NOTE: this may be clarified later based on details provided by researchers. | |||||
| CVE-2014-9200 | 1 Schneider-electric | 4 Somachine, Somove, Somove Lite and 1 more | 2016-12-31 | 7.5 HIGH | N/A |
| Stack-based buffer overflow in an unspecified DLL file in a DTM development kit in Schneider Electric Unity Pro, SoMachine, SoMove, SoMove Lite, Modbus Communication Library 2.2.6 and earlier, CANopen Communication Library 1.0.2 and earlier, EtherNet/IP Communication Library 1.0.0 and earlier, EM X80 Gateway DTM (MB TCP/SL), Advantys DTM for OTB, Advantys DTM for STB, KINOS DTM, SOLO DTM, and Xantrex DTMs allows remote attackers to execute arbitrary code via unspecified vectors. | |||||
| CVE-2014-9427 | 1 Php | 1 Php | 2016-12-31 | 7.5 HIGH | N/A |
| sapi/cgi/cgi_main.c in the CGI component in PHP through 5.4.36, 5.5.x through 5.5.20, and 5.6.x through 5.6.4, when mmap is used to read a .php file, does not properly consider the mapping's length during processing of an invalid file that begins with a # character and lacks a newline character, which causes an out-of-bounds read and might (1) allow remote attackers to obtain sensitive information from php-cgi process memory by leveraging the ability to upload a .php file or (2) trigger unexpected code execution if a valid PHP script is present in memory locations adjacent to the mapping. | |||||
| CVE-2014-9710 | 1 Linux | 1 Linux Kernel | 2016-12-31 | 6.9 MEDIUM | N/A |
| The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time window, related to a race condition, or (2) after an xattr-replacement attempt that fails because the data does not fit. | |||||
| CVE-2014-9715 | 1 Linux | 1 Linux Kernel | 2016-12-31 | 4.9 MEDIUM | N/A |
| include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that triggers extension loading, as demonstrated by configuring a PPTP tunnel in a NAT environment. | |||||
| CVE-2015-0197 | 1 Ibm | 1 General Parallel File System | 2016-12-31 | 7.2 HIGH | N/A |
| IBM General Parallel File System (GPFS) 3.4 before 3.4.0.32, 3.5 before 3.5.0.24, and 4.1 before 4.1.0.7 allows local users to obtain root privileges for program execution via unspecified vectors. | |||||
| CVE-2015-0198 | 1 Ibm | 1 General Parallel File System | 2016-12-31 | 10.0 HIGH | N/A |
| IBM General Parallel File System (GPFS) 3.4 before 3.4.0.32, 3.5 before 3.5.0.24, and 4.1 before 4.1.0.7 in certain cipherList configurations allows remote attackers to bypass authentication and execute arbitrary programs as root via unspecified vectors. | |||||
| CVE-2015-0199 | 1 Ibm | 1 General Parallel File System | 2016-12-31 | 4.9 MEDIUM | N/A |
| The mmfslinux kernel module in IBM General Parallel File System (GPFS) 3.4 before 3.4.0.32, 3.5 before 3.5.0.24, and 4.1 before 4.1.0.7 allows local users to cause a denial of service (memory corruption) via unspecified character-device ioctl calls. | |||||
| CVE-2015-0231 | 1 Php | 1 Php | 2016-12-31 | 7.5 HIGH | N/A |
| Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142. | |||||
| CVE-2015-0283 | 1 Redhat | 1 Slapi-nis | 2016-12-31 | 7.8 HIGH | N/A |
| The slapi-nis plug-in before 0.54.2 does not properly reallocate memory when processing user accounts, which allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a request for a (1) group with a large number of members or (2) user that belongs to a large number of groups. | |||||
| CVE-2015-0343 | 1 Adobe | 1 Connect | 2016-12-31 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in admin/home/homepage/search in the web app in Adobe Connect before 9.4 allows remote attackers to inject arbitrary web script or HTML via the query parameter. | |||||
| CVE-2015-0344 | 1 Adobe | 1 Connect | 2016-12-31 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the web app in Adobe Connect before 9.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-0847 | 2 Canonical, Wouter Verhelst | 2 Ubuntu Linux, Nbd | 2016-12-31 | 7.8 HIGH | N/A |
| nbd-server.c in Network Block Device (nbd-server) before 3.11 does not properly handle signals, which allows remote attackers to cause a denial of service (deadlock) via unspecified vectors. | |||||
| CVE-2015-1266 | 1 Google | 1 Chrome | 2016-12-31 | 5.0 MEDIUM | N/A |
| content/browser/webui/content_web_ui_controller_factory.cc in Google Chrome before 43.0.2357.130 does not properly consider the scheme in determining whether a URL is associated with a WebUI SiteInstance, which allows remote attackers to bypass intended access restrictions via a similar URL, as demonstrated by use of http://gpu when there is a WebUI class for handling chrome://gpu requests. | |||||
| CVE-2015-1267 | 1 Google | 1 Chrome | 2016-12-31 | 5.0 MEDIUM | N/A |
| Blink, as used in Google Chrome before 43.0.2357.130, does not properly restrict the creation context during creation of a DOM wrapper, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code that uses a Blink public API, related to WebArrayBufferConverter.cpp, WebBlob.cpp, WebDOMError.cpp, and WebDOMFileSystem.cpp. | |||||
| CVE-2015-1268 | 1 Google | 1 Chrome | 2016-12-31 | 5.0 MEDIUM | N/A |
| bindings/scripts/v8_types.py in Blink, as used in Google Chrome before 43.0.2357.130, does not properly select a creation context for a return value's DOM wrapper, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code, as demonstrated by use of a data: URL. | |||||
| CVE-2015-1269 | 1 Google | 1 Chrome | 2016-12-31 | 4.3 MEDIUM | N/A |
| The DecodeHSTSPreloadRaw function in net/http/transport_security_state.cc in Google Chrome before 43.0.2357.130 does not properly canonicalize DNS hostnames before making comparisons to HSTS or HPKP preload entries, which allows remote attackers to bypass intended access restrictions via a string that (1) ends in a . (dot) character or (2) is not entirely lowercase. | |||||
| CVE-2015-1389 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2016-12-31 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.5 allows remote attackers to inject arbitrary web script or HTML via the username parameter to tips/tipsLoginSubmit.action. | |||||
| CVE-2015-1608 | 1 Topline Systems | 1 Opportunity Form | 2016-12-31 | 4.0 MEDIUM | N/A |
| Topline Opportunity Form (aka XLS Opp form) before 2015-02-15 does not properly restrict access to database-connection strings, which allows attackers to read the cleartext version of sensitive credential and e-mail address information via unspecified vectors. | |||||
| CVE-2015-1803 | 3 Canonical, Debian, X | 3 Ubuntu Linux, Debian Linux, Libxfont | 2016-12-31 | 8.5 HIGH | N/A |
| The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not properly handle character bitmaps it cannot read, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) and possibly execute arbitrary code via a crafted BDF font file. | |||||
| CVE-2015-1804 | 3 Canonical, Debian, X | 3 Ubuntu Linux, Debian Linux, Libxfont | 2016-12-31 | 8.5 HIGH | N/A |
| The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not properly perform type conversion for metrics values, which allows remote authenticated users to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via a crafted BDF font file. | |||||
| CVE-2015-1815 | 2 Fedoraproject, Selinux | 2 Fedora, Setroubleshoot | 2016-12-31 | 10.0 HIGH | N/A |
| The get_rpm_nvr_by_file_path_temporary function in util.py in setroubleshoot before 3.2.22 allows remote attackers to execute arbitrary commands via shell metacharacters in a file name. | |||||
| CVE-2015-1827 | 2 Fedoraproject, Freeipa | 2 Fedora, Freeipa | 2016-12-31 | 5.0 MEDIUM | N/A |
| The get_user_grouplist function in the extdom plug-in in FreeIPA before 4.1.4 does not properly reallocate memory when processing user accounts, which allows remote attackers to cause a denial of service (crash) via a group list request for a user that belongs to a large number of groups. | |||||
| CVE-2015-1848 | 2 Fedora, Redhat | 5 Pacemaker Configuration System, Enterprise Linux High Availability, Enterprise Linux High Availability Eus and 2 more | 2016-12-31 | 6.8 MEDIUM | N/A |
| The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. NOTE: this issue was SPLIT per ADT2 due to different vulnerability types. CVE-2015-3983 is for the issue with not setting the HTTPOnly flag. | |||||
| CVE-2015-2051 | 1 D-link | 2 Dir-645, Dir-645 Firmware | 2016-12-31 | 10.0 HIGH | N/A |
| The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface. | |||||
| CVE-2015-2052 | 1 D-link | 2 Dir-645, Dir-645 Firmware | 2016-12-31 | 10.0 HIGH | N/A |
| Stack-based buffer overflow in the DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary code via a long string in a GetDeviceSettings action to the HNAP interface. | |||||
| CVE-2015-2064 | 1 Dlguard | 1 Dlguard | 2016-12-31 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in DLGuard 5, 4.6, and 4.5 allow remote attackers to inject arbitrary web script or HTML via the (1) page, (2) c, or (3) redirect parameter to index.php or (4) search field (searchTerm parameter) in the main page. | |||||
| CVE-2015-2066 | 1 Dlguard | 1 Dlguard | 2016-12-31 | 7.5 HIGH | N/A |
| SQL injection vulnerability in DLGuard 4.5 allows remote attackers to execute arbitrary SQL commands via the c parameter to index.php. | |||||
| CVE-2015-2077 | 1 Komodia | 1 Redirector Sdk | 2016-12-31 | 5.0 MEDIUM | N/A |
| The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products. | |||||
| CVE-2015-2120 | 1 Hp | 1 Sitescope | 2016-12-31 | 8.7 HIGH | N/A |
| Unspecified vulnerability in HP SiteScope 11.1x before 11.13, 11.2x before 11.24.391, and 11.3x before 11.30.521 allows remote authenticated users to gain privileges via unknown vectors, aka ZDI-CAN-2567. | |||||
| CVE-2015-2336 | 2 Microsoft, Vmware | 6 Windows, Fusion, Horizon Client and 3 more | 2016-12-31 | 5.8 MEDIUM | N/A |
| TPView.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to execute arbitrary code on the host OS via unspecified vectors, a different vulnerability than CVE-2012-0897. | |||||
| CVE-2015-2337 | 2 Microsoft, Vmware | 6 Windows, Fusion, Horizon Client and 3 more | 2016-12-31 | 5.8 MEDIUM | N/A |
| TPInt.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to execute arbitrary code on the host OS via unspecified vectors. | |||||
| CVE-2015-2338 | 2 Microsoft, Vmware | 6 Windows, Fusion, Horizon Client and 3 more | 2016-12-31 | 6.1 MEDIUM | N/A |
| TPview.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to cause a host OS denial of service via unspecified vectors, a different vulnerability than CVE-2015-2339. | |||||
| CVE-2015-2339 | 2 Microsoft, Vmware | 6 Windows, Fusion, Horizon Client and 3 more | 2016-12-31 | 6.1 MEDIUM | N/A |
| TPview.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to cause a host OS denial of service via unspecified vectors, a different vulnerability than CVE-2015-2338. | |||||
| CVE-2015-2340 | 2 Microsoft, Vmware | 6 Windows, Fusion, Horizon Client and 3 more | 2016-12-31 | 6.1 MEDIUM | N/A |
| TPInt.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to cause a host OS denial of service via unspecified vectors. | |||||
| CVE-2015-2341 | 1 Vmware | 3 Fusion, Player, Workstation | 2016-12-31 | 7.8 HIGH | N/A |
| VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.6, and VMware Fusion 6.x before 6.0.6 and 7.x before 7.0.1 allow attackers to cause a denial of service against a 32-bit guest OS or 64-bit host OS via a crafted RPC command. | |||||
| CVE-2015-2666 | 1 Linux | 1 Linux Kernel | 2016-12-31 | 6.9 MEDIUM | N/A |
| Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to the initrd. | |||||
| CVE-2015-2959 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2016-12-31 | 7.5 HIGH | N/A |
| Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role. | |||||
| CVE-2015-2960 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2016-12-31 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||