Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-0196 | 1 Ibm | 1 Websphere Commerce | 2015-06-29 | 5.0 MEDIUM | N/A |
| CRLF injection vulnerability in IBM WebSphere Commerce 6.0 through 6.0.0.11 and 7.0 before 7.0.0.8 Cumulative iFix 2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL. | |||||
| CVE-2015-0131 | 1 Ibm | 1 Leads | 2015-06-29 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in IBM Leads 7.x, 8.1.0 before 8.1.0.14, 8.2, 8.5.0 before 8.5.0.7.3, 8.6.0 before 8.6.0.8.1, 9.0.0 through 9.0.0.4, 9.1.0 before 9.1.0.6.1, and 9.1.1 before 9.1.1.0.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-0127 | 1 Ibm | 1 Leads | 2015-06-29 | 3.5 LOW | N/A |
| IBM Leads 7.x, 8.1.0 before 8.1.0.14, 8.2, 8.5.0 before 8.5.0.7.3, 8.6.0 before 8.6.0.8.1, 9.0.0 through 9.0.0.4, 9.1.0 before 9.1.0.6.1, and 9.1.1 before 9.1.1.0.2 does not properly restrict use of FRAME elements, which allows remote authenticated users to conduct phishing attacks via a crafted web site. | |||||
| CVE-2015-0126 | 1 Ibm | 1 Leads | 2015-06-29 | 6.5 MEDIUM | N/A |
| IBM Leads 7.x, 8.1.0 before 8.1.0.14, 8.2, 8.5.0 before 8.5.0.7.3, 8.6.0 before 8.6.0.8.1, 9.0.0 through 9.0.0.4, 9.1.0 before 9.1.0.6.1, and 9.1.1 before 9.1.1.0.2 allows remote authenticated users to bypass intended file-upload restrictions via a modified extension. | |||||
| CVE-2015-0118 | 1 Ibm | 2 Integration Bus, Websphere Message Broker | 2015-06-29 | 4.3 MEDIUM | N/A |
| IBM WebSphere Message Broker Toolkit 7 before 7007 IF2 and 8 before 8005 IF1 and Integration Toolkit 9 before 9003 IF1 are distributed with MQ client JAR files that support only weak TLS ciphers, which might make it easier for remote attackers to obtain sensitive information by sniffing the network during a connection to an Integration Bus node. | |||||
| CVE-2015-0115 | 1 Ibm | 1 Leads | 2015-06-29 | 6.0 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in IBM Leads 7.x, 8.1.0 before 8.1.0.14, 8.2, 8.5.0 before 8.5.0.7.3, 8.6.0 before 8.6.0.8.1, 9.0.0 through 9.0.0.4, 9.1.0 before 9.1.0.6.1, and 9.1.1 before 9.1.1.0.2 allows remote authenticated users to hijack the authentication of customer accounts. | |||||
| CVE-2015-4371 | 1 Perfecto Project | 1 Perfecto | 2015-06-26 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in the Perfecto module before 7.x-1.2 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in an unspecified parameter. | |||||
| CVE-2015-4367 | 1 Simple Subscription Project | 1 Simple Subscription | 2015-06-26 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Simple Subscription module before 6.x-1.1 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer blocks" permission to inject arbitrary web script or HTML via vectors related to block content. | |||||
| CVE-2015-4369 | 1 Trick Question Project | 1 Trick Question | 2015-06-26 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Trick Question module before 6.x-1.5 and 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with the "Administer Trick Question" permission to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-4370 | 1 Site Documentation Project | 1 Site Documentation | 2015-06-26 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Site Documentation module before 6.x-1.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to taxonomy terms. | |||||
| CVE-2015-4388 | 1 Current Search Links Project | 1 Current Search Links | 2015-06-26 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Current Search Links module 7.x-1.x before 7.x-1.1 for Drupal, when the "Append the keywords passed by the user to the list" option is disabled, allows remote attackers to inject arbitrary web script or HTML via a crafted search query. | |||||
| CVE-2015-4392 | 1 Display Suite Project | 1 Display Suite | 2015-06-26 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Display Suite module 7.x-2.7 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to field display settings. | |||||
| CVE-2015-4387 | 1 Password Policy Project | 1 Password Policy | 2015-06-26 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Password Policy module 6.x-1.x before 6.x-1.11 and 7.x-1.x before 7.x-1.11 for Drupal, when a site has a policy that uses the username constraint, allows remote attackers to inject arbitrary web script or HTML via a crafted username that is imported from an external source. | |||||
| CVE-2015-4382 | 1 Invoice Project | 1 Invoice | 2015-06-26 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Invoice module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal allow remote attackers to hijack the authentication of arbitrary users for requests that (1) create, (2) delete, or (3) alter invoices via unspecified vectors. | |||||
| CVE-2015-4385 | 1 Imagefield Info Project | 1 Imagefield Info | 2015-06-26 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Imagefield Info module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "Administer image styles" permission to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-4386 | 1 Entitybulkdelete Project | 1 Entitybulkdelete | 2015-06-26 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in unspecified administration pages in the EntityBulkDelete module 7.x-1.0 for Drupal allow remote attackers to inject arbitrary web script or HTML via unknown vectors involving creating or editing (1) comments, (2) taxonomy terms, or (3) nodes. | |||||
| CVE-2015-4381 | 1 Invoice Project | 1 Invoice | 2015-06-26 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Invoice module 6.x-1.x before 6.x-1.2 and 7.x-1.x before 7.x-1.3 for Drupal allows remote authenticated users with the "Administer own invoices" permission to inject arbitrary web script or HTML via unspecified vectors involving nodes of the "Invoice" content type. | |||||
| CVE-2015-4373 | 1 Og Tabs Project | 1 Og Tabs | 2015-06-26 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the OG tabs module before 7.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via vectors related to nodes posted in an Organic Groups group. | |||||
| CVE-2015-4374 | 1 Webform Project | 1 Webform | 2015-06-26 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Webform module before 6.x-3.23, 7.x-3.x before 7.x-3.23, and 7.x-4.x before 7.x-4.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via a component name in the recipient (To) address of an email. | |||||
| CVE-2015-3242 | 2015-06-26 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2015-4398 | 1 Chaos Tool Suite Project | 1 Ctools | 2015-06-25 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in the Chaos tool suite (ctools) module before 6.x-1.12 and 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors involving processing confirmation delete pages. | |||||
| CVE-2015-4053 | 1 Ceph | 1 Ceph-deploy | 2015-06-25 | 2.1 LOW | N/A |
| The admin command in ceph-deploy before 1.5.25 uses world-readable permissions for /etc/ceph/ceph.client.admin.keyring, which allows local users to obtain sensitive information by reading the file. | |||||
| CVE-2015-4018 | 1 Feedwordpress Project | 1 Feedwordpress | 2015-06-25 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in feedwordpresssyndicationpage.class.php in the FeedWordPress plugin before 2015.0514 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the link_ids[] parameter in an Update action in the syndication.php page to wp-admin/admin.php. | |||||
| CVE-2015-3337 | 1 Elasticsearch | 1 Elasticsearch | 2015-06-25 | 4.3 MEDIUM | N/A |
| Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors. | |||||
| CVE-2015-3325 | 1 Wpsymposium | 1 Wp Symposium | 2015-06-25 | 7.5 HIGH | N/A |
| SQL injection vulnerability in forum.php in the WP Symposium plugin before 15.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the show parameter in the QUERY_STRING to the default URI. | |||||
| CVE-2015-0112 | 1 Ibm | 8 Rational Collaborative Lifecycle Management, Rational Doors Next Generation, Rational Engineering Lifecycle Manager and 5 more | 2015-06-25 | 4.0 MEDIUM | N/A |
| Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Lifecycle Management (CLM) 3.0.1, 4.x before 4.0.7 IF5, and 5.x before 5.0.2 IF4; Rational Quality Manager (RQM) 2.0 through 2.0.1, 3.0 through 3.0.1.6, 4.0 through 4.0.7, and 5.0 through 5.0.2; Rational Team Concert (RTC) 2.0 through 2.0.0.2, 3.x before 3.0.1.6 IF6, 4.x before 4.0.7 IF5, and 5.x before 5.0.2 IF4; Rational Requirements Composer (RRC) 2.0 through 2.0.0.4, 3.x before 3.0.1.6 IF6, and 4.0 through 4.0.7; Rational DOORS Next Generation (RDNG) 4.x before 4.0.7 IF5 and 5.x before 5.0.2 IF4; Rational Engineering Lifecycle Manager (RELM) 1.0 through 1.0.0.1, 4.0.3 through 4.0.7, and 5.0 through 5.0.2; Rational Rhapsody Design Manager (DM) 3.0 through 3.0.1, 4.0 through 4.0.7, and 5.0 through 5.0.2; and Rational Software Architect Design Manager (RSA DM) 3.0 through 3.0.1, 4.0 through 4.0.7, and 5.0 through 5.0.2 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
| CVE-2014-4875 | 1 Toshiba | 1 Chec | 2015-06-24 | 5.0 MEDIUM | N/A |
| CreateBossCredentials.jar in Toshiba CHEC before 6.6 build 4014 and 6.7 before build 4329 contains a hardcoded AES key, which allows attackers to discover Back Office System Server (BOSS) DB2 database credentials by leveraging knowledge of this key in conjunction with bossinfo.pro read access. | |||||
| CVE-2015-0972 | 1 Pearson | 1 Proctorcache | 2015-06-24 | 5.0 MEDIUM | N/A |
| Pearson ProctorCache before 2015.1.17 uses the same hardcoded password across different customers' installations, which allows remote attackers to modify test metadata or cause a denial of service (test disruption) by leveraging knowledge of this password. | |||||
| CVE-2014-4882 | 1 Aptexx | 1 Resident Anywhere | 2015-06-23 | 7.5 HIGH | N/A |
| Aptexx Resident Anywhere does not require authentication, which allows remote attackers to obtain sensitive information or modify data via a direct request. | |||||
| CVE-2015-4590 | 1 Arduino Json Project | 1 Arduino Json | 2015-06-23 | 5.0 MEDIUM | N/A |
| The extractFrom function in Internals/QuotedString.cpp in Arduino JSON before 4.5 allows remote attackers to cause a denial of service (crash) via a JSON string with a \ (backslash) followed by a terminator, as demonstrated by "\\\0", which triggers a buffer overflow and over-read. | |||||
| CVE-2015-2723 | 2015-06-20 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-4000. Reason: This candidate is a duplicate of CVE-2015-4000. Notes: All CVE users should reference CVE-2015-4000 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2015-2865 | 2015-06-19 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-4640, CVE-2015-4641. Reason: this ID was intended for one issue, but was associated with two issues. Notes: All CVE users should consult CVE-2015-4640 and CVE-2015-4641 to identify the ID or IDs of interest. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2015-4658 | 1 Milw0rm Project | 1 Milw0rm Clone Script | 2015-06-19 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in admin/login.php in Milw0rm Clone Script 1.0 allow remote attackers to execute arbitrary SQL commands via the (1) usr or (2) pwd parameter. | |||||
| CVE-2012-5559 | 1 Chaos Tool Suite Project | 1 Ctools | 2015-06-19 | 2.6 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the page manager node view task in the Chaos tool suite (ctools) module 6.x-1.x before 6.x-1.10 for Drupal allows remote authenticated users with permissions to submit or edit nodes to inject arbitrary web script or HTML via the page title. | |||||
| CVE-2015-4139 | 1 Wp Smiley Project | 1 Wp Smiley | 2015-06-19 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in smilies4wp.php in the WP Smiley plugin 1.4.1 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the s4w-more parameter to wp-admin/options-general.php. | |||||
| CVE-2015-4140 | 1 Wp Smiley Project | 1 Wp Smiley | 2015-06-19 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the WP Smiley plugin 1.4.1 for WordPress allows remote attackers to hijack the authentication of editors for requests that conduct cross-site scripting (XSS) attacks via the s4w-more parameter to the smilies4wp.php page to wp-admin/options-general.php. | |||||
| CVE-2015-4338 | 1 Xcloner | 1 Xcloner | 2015-06-18 | 6.5 MEDIUM | N/A |
| Static code injection vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary PHP code into the language files via a Translation LM_FRONT_* field for a language, as demonstrated by language/italian.php. | |||||
| CVE-2015-4337 | 1 Xcloner | 1 Xcloner | 2015-06-18 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the excl_manual parameter in the xcloner_show page to wpadmin/plugins.php. | |||||
| CVE-2015-4336 | 1 Xcloner | 1 Xcloner | 2015-06-18 | 6.5 MEDIUM | N/A |
| cloner.functions.php in the XCloner plugin 3.1.2 for WordPress allows remote authenticated users to execute arbitrary commands via a file containing filenames with shell metacharacters, as demonstrated by using the backup comments feature to create the file. | |||||
| CVE-2015-4377 | 1 Petition Project | 1 Petition | 2015-06-17 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Petition module 6.x-1.x before 6.x-1.3 for Drupal allows remote authenticated users with the "create petition" permission to inject arbitrary web script or HTML via unknown vectors. | |||||
| CVE-2015-4397 | 1 Node Template Project | 1 Node Template | 2015-06-16 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Node Template module for Drupal allows remote attackers to hijack the authentication of users with the "access node template" permission for requests that delete node templates via unspecified vectors. | |||||
| CVE-2015-4378 | 1 Crumbs Project | 1 Crumbs | 2015-06-16 | 2.1 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Crumbs module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with the "Administer Crumbs" permission to inject arbitrary web script or HTML via a custom breadcrumb separator. | |||||
| CVE-2015-4375 | 1 Chaos Tool Suite Project | 1 Ctools | 2015-06-16 | 4.3 MEDIUM | N/A |
| The Chaos tool suite (ctools) module 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to obtain sensitive node titles via (1) an autocomplete search on custom entities without an access query tag or (2) leveraging knowledge of the ID of an entity. | |||||
| CVE-2014-9284 | 1 Buffalotech | 14 Bhr-4grv2, Bhr-4grv2 Firmware, Wex-300 and 11 more | 2015-06-16 | 7.7 HIGH | N/A |
| The Buffalo WHR-1166DHP 1.60 and earlier, WSR-600DHP 1.60 and earlier, WHR-600D 1.60 and earlier, WHR-300HP2 1.60 and earlier, WMR-300 1.60 and earlier, WEX-300 1.60 and earlier, and BHR-4GRV2 1.04 and earlier routers allow remote authenticated users to execute arbitrary OS commands via unspecified vectors. | |||||
| CVE-2012-4716 | 1 N-tron | 1 702w Industrial Wireless Access Point | 2015-06-16 | 8.8 HIGH | N/A |
| N-Tron 702-W Industrial Wireless Access Point devices use the same (1) SSH and (2) HTTPS private keys across different customers' installations, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of a key. | |||||
| CVE-2014-8606 | 1 Xcloner | 1 Xcloner | 2015-06-11 | 4.0 MEDIUM | N/A |
| Directory traversal vulnerability in the XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! allows remote administrators to read arbitrary files via a .. (dot dot) in the file parameter in a json_return action in the xcloner_show page to wp-admin/admin-ajax.php. | |||||
| CVE-2014-8607 | 1 Xcloner | 1 Xcloner | 2015-06-11 | 2.1 LOW | N/A |
| The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! provides the MySQL username and password on the command line, which allows local users to obtain sensitive information via the ps command. | |||||
| CVE-2015-4465 | 1 Zanematthew | 1 Zm Ajax Login \& Register | 2015-06-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2014-8605 | 1 Xcloner | 1 Xcloner | 2015-06-11 | 5.0 MEDIUM | N/A |
| The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! stores database backup files with predictable names under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to a backup file in administrators/backups/. | |||||
| CVE-2014-8604 | 1 Xcloner | 1 Xcloner | 2015-06-11 | 5.0 MEDIUM | N/A |
| The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! returns the MySQL password in cleartext to a text box in the configuration panel, which allows remote attackers to obtain sensitive information via unspecified vectors. | |||||