Total: 201818 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-2043 | 1 Visualware | 1 Myconnection Server | 2015-02-26 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Visualware MyConnection Server 8.2b allow remote attackers to inject arbitrary web script or HTML via the (1) bt, (2) variable, or (3) et parameter to myspeed/db/historyitem. | |||||
| CVE-2014-9282 | 1 Speed Software | 2 Explorer, Root Explorer | 2015-02-25 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in the Speed Root Explorer application before 3.2 for Android and the Speed Explorer application before 2.2 for Android allows remote attackers to write to arbitrary files via a crafted filename. | |||||
| CVE-2015-1605 | 1 Dell | 1 Asset Manager | 2015-02-25 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in Dell ScriptLogic Asset Manager (aka Quest Workspace Asset Manager) before 9.5 allow remote attackers to execute arbitrary SQL commands via unspecified vectors to (1) GetClientPackage.aspx or (2) GetProcessedPackage.aspx. | |||||
| CVE-2014-6115 | 1 Ibm | 1 Rational Insight | 2015-02-25 | 5.0 MEDIUM | N/A |
| IBM Rational Insight 1.1.1.5 allows remote attackers to bypass authentication and obtain sensitive information via a crafted request to a Jazz Reporting Service (JRS) report URL. | |||||
| CVE-2015-2048 | 1 D-link | 2 Dcs-931l, Dcs-931l Firmware | 2015-02-24 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in D-Link DCS-931L with firmware 1.04 and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | |||||
| CVE-2015-1315 | 2 Canonical, Info-zip | 2 Ubuntu Linux, Unzip | 2015-02-24 | 7.5 HIGH | N/A |
| Buffer overflow in the charset_to_intern function in unix/unix.c in Info-Zip UnZip 6.10b allows remote attackers to execute arbitrary code via a crafted string, as demonstrated by converting a string from CP866 to UTF-8. | |||||
| CVE-2014-7247 | 1 Justsystems | 2 Ichitaro, Ichitaro Pro | 2015-02-24 | 10.0 HIGH | N/A |
| Unspecified vulnerability in JustSystems Ichitaro 2008 through 2011; Ichitaro Government 6, 7, 2008, 2009, and 2010; Ichitaro Pro; Ichitaro Pro 2; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen; and Ichitaro 2014 Tetsu allows remote attackers to execute arbitrary code via a crafted file. | |||||
| CVE-2012-3541 | | | 2015-02-24 | N/A | N/A |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2014-7922 | 1 Google | 1 Play Services Sdk | 2015-02-23 | 4.3 MEDIUM | N/A |
| The GoogleAuthUtil.getToken method in the Google Play services SDK before 2015 sets parameters in OAuth token requests upon finding a corresponding _opt_ parameter in the Bundle extras argument, which allows attackers to bypass an intended consent dialog and retrieve tokens for arbitrary OAuth scopes including the SID and LSID scopes, and consequently obtain access to a Google account, via a crafted application, as demonstrated by setting the has_permission=1 parameter value upon finding _opt_has_permission in that argument. | |||||
| CVE-2015-1359 | 1 Google | 1 Chrome | 2015-02-21 | 6.8 MEDIUM | N/A |
| Multiple off-by-one errors in fpdfapi/fpdf_font/font_int.h in PDFium, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted PDF document, related to an "intra-object-overflow" issue, a different vulnerability than CVE-2015-1205. | |||||
| CVE-2015-1360 | 1 Google | 1 Chrome | 2015-02-21 | 7.5 HIGH | N/A |
| Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data that is improperly handled during text drawing, related to gpu/GrBitmapTextContext.cpp and gpu/GrDistanceFieldTextContext.cpp, a different vulnerability than CVE-2015-1205. | |||||
| CVE-2015-1361 | 1 Google | 1 Chrome | 2015-02-21 | 6.8 MEDIUM | N/A |
| platform/image-decoders/ImageFrame.h in Blink, as used in Google Chrome before 40.0.2214.91, does not initialize a variable that is used in calls to the Skia SkBitmap::setAlphaType function, which might allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted HTML document, a different vulnerability than CVE-2015-1205. | |||||
| CVE-2014-9646 | 1 Google | 1 Chrome | 2015-02-21 | 4.6 MEDIUM | N/A |
| Unquoted Windows search path vulnerability in the GoogleChromeDistribution::DoPostUninstallOperations function in installer/util/google_chrome_distribution.cc in the uninstall-survey feature in Google Chrome before 40.0.2214.91 allows local users to gain privileges via a Trojan horse program in the %SYSTEMDRIVE% directory, as demonstrated by program.exe, a different vulnerability than CVE-2015-1205. | |||||
| CVE-2014-9647 | 1 Google | 1 Chrome | 2015-02-21 | 6.8 MEDIUM | N/A |
| Use-after-free vulnerability in PDFium, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document, related to fpdfsdk/src/fpdfview.cpp and fpdfsdk/src/fsdk_mgr.cpp, a different vulnerability than CVE-2015-1205. | |||||
| CVE-2014-9648 | 1 Google | 1 Chrome | 2015-02-21 | 4.3 MEDIUM | N/A |
| components/navigation_interception/intercept_navigation_resource_throttle.cc in Google Chrome before 40.0.2214.91 on Android does not properly restrict use of intent: URLs to open an application after navigation to a web site, which allows remote attackers to cause a denial of service (loss of browser access to that site) via crafted JavaScript code, as demonstrated by pandora.com and the Pandora application, a different vulnerability than CVE-2015-1205. | |||||
| CVE-2015-1604 | 1 Adminsystems Cms Project | 1 Adminsystems Cms | 2015-02-21 | 6.5 MEDIUM | N/A |
| Unrestricted file upload vulnerability in asys/site/files.php in Adminsystems CMS before 4.0.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in upload/files/. | |||||
| CVE-2015-1603 | 1 Adminsystems Cms Project | 1 Adminsystems Cms | 2015-02-21 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Adminsystems CMS before 4.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) page parameter to index.php or (2) id parameter in a users_users action to asys/site/system.php. | |||||
| CVE-2015-1587 | 1 Maarch | 2 Gec/ged, Letterbox | 2015-02-21 | 7.5 HIGH | N/A |
| Unrestricted file upload vulnerability in file_to_index.php in Maarch LetterBox 2.8 and earlier and GEC/GED 1.4 and earlier allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a request to a predictable filename in tmp/. | |||||
| CVE-2015-1515 | 1 Softsphere | 1 Defensewall Personal Firewall | 2015-02-21 | 7.2 HIGH | N/A |
| The dwall.sys driver in SoftSphere DefenseWall Personal Firewall 3.24 allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted 0x00222000, 0x00222004, 0x00222008, 0x0022200c, or 0x00222010 IOCTL call. | |||||
| CVE-2014-1832 | 1 Phusion | 1 Passenger | 2015-02-20 | 2.1 LOW | N/A |
| Phusion Passenger 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831. | |||||
| CVE-2014-1831 | 1 Phusion | 1 Passenger | 2015-02-20 | 2.1 LOW | N/A |
| Phusion Passenger before 4.0.37 allows local users to write to certain files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* file. | |||||
| CVE-2015-1879 | 1 Google Doc Embedder | 1 Google Doc Embedder | 2015-02-20 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Google Doc Embedder plugin before 2.5.19 for WordPress allows remote attackers to inject arbitrary web script or HTML via the profile parameter in an edit action in the gde-settings page to wp-admin/options-general.php. | |||||
| CVE-2015-0879 | 1 Almail | 1 Al-mail32 | 2015-02-20 | 4.3 MEDIUM | N/A |
| CREAR AL-Mail32 before 1.13d allows remote attackers to cause a denial of service (application crash) via a (1) CON, (2) AUX, or (3) NUL device name in the filename of an attachment. | |||||
| CVE-2015-0878 | 1 Almail | 1 Al-mail32 | 2015-02-20 | 5.8 MEDIUM | N/A |
| Directory traversal vulnerability in CREAR AL-Mail32 before 1.13d allows remote attackers to write to arbitrary files via a crafted filename of an attachment. | |||||
| CVE-2015-0628 | 1 Cisco | 1 Web Security Appliance | 2015-02-20 | 5.0 MEDIUM | N/A |
| The proxy engine on Cisco Web Security Appliance (WSA) devices allows remote attackers to bypass intended proxying restrictions via a malformed HTTP method, aka Bug ID CSCus79174. | |||||
| CVE-2015-2010 | | | 2015-02-20 | N/A | N/A |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-0010. Reason: This candidate is a duplicate of CVE-2015-0010. A typo caused the wrong ID to be used. Notes: All CVE users should reference CVE-2015-0010 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2013-6500 | | | 2015-02-20 | N/A | N/A |
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2015-0875 | 1 Okb.co.jp | 1 Smartphone Passbook | 2015-02-20 | 1.8 LOW | N/A |
| The Ogaki Kyoritsu Bank Smartphone Passbook application 1.0.0 for Android creates a log file containing input data from the user, which allows attackers to obtain sensitive information by reading a file. | |||||
| CVE-2015-0623 | 1 Cisco | 1 Web Security Appliance | 2015-02-19 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Administrator report page on Cisco Web Security Appliance (WSA) devices allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCus40627. | |||||
| CVE-2015-0626 | 1 Cisco | 1 Hosted Collaboration Solution | 2015-02-19 | 4.3 MEDIUM | N/A |
| The SOAP interface in Cisco Hosted Collaboration Solution (HCS) allows remote attackers to obtain access to system-management tools via crafted Challenge SOAP calls, aka Bug ID CSCuc38114. | |||||
| CVE-2015-0622 | 1 Cisco | 1 Wireless Lan Controller | 2015-02-19 | 7.1 HIGH | N/A |
| The Wireless Intrusion Detection (aka WIDS) functionality on Cisco Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service (device outage) via crafted packets that are improperly handled during rendering of the Signature Events Summary page, aka Bug ID CSCus46861. | |||||
| CVE-2014-5286 | 1 Tibco | 3 Activematrix Management Agent, Activematrix Policy Agent, Activematrix Policy Manager | 2015-02-19 | 6.4 MEDIUM | N/A |
| The ActiveMatrix Policy Manager Authentication module in TIBCO ActiveMatrix Policy Agent 3.x before 3.1.2, ActiveMatrix Policy Manager 3.x before 3.1.2, ActiveMatrix Management Agent 1.x before 1.2.1 for WCF, and ActiveMatrix Management Agent 1.x before 1.2.1 for WebSphere allows remote attackers to gain privileges and obtain sensitive information via unspecified vectors. | |||||
| CVE-2015-1452 | 1 Fortinet | 1 Fortios | 2015-02-19 | 7.8 HIGH | N/A |
| The Control and Provisioning of Wireless Access Points (CAPWAP) daemon in Fortinet FortiOS 5.0 Patch 7 build 4457 allows remote attackers to cause a denial of service (locked CAPWAP Access Controller) via a large number of ClientHello DTLS messages. | |||||
| CVE-2015-1455 | 1 Fortinet | 1 Fortiauthenticator | 2015-02-19 | 7.5 HIGH | N/A |
| Fortinet FortiAuthenticator 3.0.0 has a password of (1) slony for the slony PostgreSQL user and (2) www-data for the www-data PostgreSQL user, which makes it easier for remote attackers to obtain access via unspecified vectors. | |||||
| CVE-2015-1456 | 1 Fortinet | 1 Fortiauthenticator | 2015-02-19 | 4.0 MEDIUM | N/A |
| Fortinet FortiAuthenticator 3.0.0 logs the PostgreSQL usernames and passwords in cleartext, which allows remote administrators to obtain sensitive information by reading the log at debug/startup/. | |||||
| CVE-2015-1451 | 1 Fortinet | 1 Fortios | 2015-02-19 | 3.5 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiOS 5.0 Patch 7 build 4457 allow remote authenticated users to inject arbitrary web script or HTML via the (1) WTP Name or (2) WTP Active Software Version field in a CAPWAP Join request. | |||||
| CVE-2014-6304 | 1 Pnmsoft | 1 Sequence Kinetics | 2015-02-19 | 5.0 MEDIUM | N/A |
| The Form Controls CSS file in PNMsoft Sequence Kinetics before 7.7 allows remote attackers to obtain sensitive source-code information via unspecified vectors. | |||||
| CVE-2014-6302 | 1 Pnmsoft | 1 Sequence Kinetics | 2015-02-19 | 5.0 MEDIUM | N/A |
| The Monitoring Administration pages in PNMsoft Sequence Kinetics before 7.7 allow remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | |||||
| CVE-2014-6303 | 1 Pnmsoft | 1 Sequence Kinetics | 2015-02-19 | 5.0 MEDIUM | N/A |
| The Monitoring Administration pages in PNMsoft Sequence Kinetics before 7.7 do not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. | |||||
| CVE-2014-6301 | 1 Pnmsoft | 1 Sequence Kinetics | 2015-02-19 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the tables-management module in PNMsoft Sequence Kinetics before 7.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-1619 | 1 Mcafee | 1 Email Gateway | 2015-02-18 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Secure Web Mail Client user interface in McAfee Email Gateway (MEG) 7.6.x before 7.6.3.2, 7.5.x before 75.6, 7.0.x through 7.0.5, 5.6, and earlier allows remote authenticated users to inject arbitrary web script or HTML via unspecified tokens in Digest messages. | |||||
| CVE-2015-1616 | 1 Mcafee | 1 Data Loss Prevention Endpoint | 2015-02-18 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in the ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3.400 allows remote authenticated ePO users to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2015-1617 | 1 Mcafee | 1 Data Loss Prevention Endpoint | 2015-02-18 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3.400 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-1618 | 1 Mcafee | 1 Data Loss Prevention Endpoint | 2015-02-18 | 4.0 MEDIUM | N/A |
| The ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3.400 allows remote authenticated users to obtain sensitive password information via a crafted URL. | |||||
| CVE-2014-9101 | 2 Oxwall, Skalfa | 2 Oxwall, Skadate Lite | 2015-02-18 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall 1.7.0 (build 7907 and 7906) and SkaDate Lite 2.0 (build 7651) allow remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks or possibly have other unspecified impact via the (1) label parameter to admin/users/roles/, (2) lang[1][base][questions_account_type_5615100a931845eca8da20cfdf7327e0] in an AddAccountType action or (3) qst_name parameter in an addQuestion action to admin/questions/ajax-responder/, or (4) form_name or (5) restrictedUsername parameter to admin/restricted-usernames. | |||||
| CVE-2015-1356 | 1 Siemens | 1 Simatic Step 7 | 2015-02-18 | 4.4 MEDIUM | N/A |
| Siemens SIMATIC STEP 7 (TIA Portal) before 13 SP1 determines a user's privileges on the basis of project-file fields that lack integrity protection, which allows remote attackers to establish arbitrary authorization data via a modified file. | |||||
| CVE-2015-1355 | 1 Siemens | 1 Simatic Step 7 | 2015-02-18 | 2.1 LOW | N/A |
| Siemens SIMATIC STEP 7 (TIA Portal) before 13 SP1 uses a weak password-hash algorithm, which makes it easier for local users to determine cleartext passwords by reading a project file and conducting a brute-force attack. | |||||
| CVE-2015-1621 | 1 Webform Prepopulate Block Project | 1 Webform Prepopulate Block | 2015-02-18 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Webform prepopulate block module before 7.x-3.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2014-9375 | 1 Lexmark | 1 Markvision Enterprise | 2015-02-17 | 9.0 HIGH | N/A |
| Directory traversal vulnerability in the LibraryFileUploadServlet servlet in Lexmark Markvision Enterprise allows remote authenticated users to write to and execute arbitrary files via a .. (dot dot) in a file path in a ZIP archive. | |||||
| CVE-2015-1496 | 1 Motorola | 1 Motorola Scanner Sdk | 2015-02-17 | 7.2 HIGH | N/A |
| Motorola Scanner SDK uses weak permissions for (1) CoreScanner.exe, (2) rsmdriverproviderservice.exe, and (3) ScannerService.exe, which allows local users to gain privileges via unspecified vectors. | |||||
