Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-1495 | 1 Motorola | 1 Motorola Scanner Sdk | 2015-02-17 | 6.8 MEDIUM | N/A |
| Multiple stack-based buffer overflows in Motorola Scanner SDK allow remote attackers to execute arbitrary code via a crafted string to the Open method in (1) IOPOSScanner.ocx or (2) IOPOSScale.ocx. | |||||
| CVE-2015-1501 | 1 Solarwinds | 1 Server And Application Monitor | 2015-02-17 | 6.8 MEDIUM | N/A |
| The factory.loadExtensionFactory function in TSUnicodeGraphEditorControl in SolarWinds Server and Application Monitor (SAM) allow remote attackers to execute arbitrary code via a UNC path to a crafted binary. | |||||
| CVE-2015-1500 | 1 Solarwinds | 1 Server And Application Monitor | 2015-02-17 | 6.8 MEDIUM | N/A |
| Multiple stack-based buffer overflows in the TSUnicodeGraphEditorControl in SolarWinds Server and Application Monitor (SAM) allow remote attackers to execute arbitrary code via unspecified vectors to (1) graphManager.load or (2) factory.load. | |||||
| CVE-2015-0931 | 1 Ektron | 1 Ektron Content Management System | 2015-02-17 | 6.8 MEDIUM | N/A |
| Ektron Content Management System (CMS) 8.5 and 8.7 before 8.7sp2 and 9.0 before sp1, when the Saxon XSLT parser is used, allows remote attackers to execute arbitrary code via a crafted XSLT document, related to a "resource injection" issue. | |||||
| CVE-2015-1613 | 1 Rhodecode | 1 Rhodecode Enterprise | 2015-02-17 | 4.0 MEDIUM | N/A |
| RhodeCode before 2.2.7 allows remote authenticated users to obtain API keys and other sensitive information via the (1) update_repo, (2) get_locks, or (3) get_user_groups API method. | |||||
| CVE-2015-0923 | 1 Ektron | 1 Ektron Content Management System | 2015-02-17 | 5.0 MEDIUM | N/A |
| The ContentBlockEx method in Workarea/ServerControlWS.asmx in Ektron Content Management System (CMS) 8.5 and 8.7 before 8.7sp2 and 9.0 before sp1 allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference within an XML document named in the xslt parameter, related to an XML External Entity (XXE) issue. | |||||
| CVE-2014-9300 | 1 Alfresco | 1 Alfresco | 2015-02-17 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the cmisbrowser servlet in Content Management Interoperability Service (CMIS) in Alfresco Community Edition before 5.0.a allows remote attackers to hijack the authentication of users for requests that access unauthorized URLs and obtain user credentials via a URL in the url parameter. | |||||
| CVE-2014-9301 | 1 Alfresco | 1 Alfresco | 2015-02-17 | 6.4 MEDIUM | N/A |
| Server-side request forgery (SSRF) vulnerability in the proxy servlet in Alfresco Community Edition before 5.0.a allows remote attackers to trigger outbound requests to intranet servers, conduct port scans, and read arbitrary files via a crafted URI in the endpoint parameter. | |||||
| CVE-2014-8678 | 1 Manageengine | 1 Oputils | 2015-02-17 | 7.8 HIGH | N/A |
| The ConfigSaveServlet servlet in ManageEngine OpUtils before build 71024 allows remote attackers to "disclose" files via a crafted filename, related to "saveFile." | |||||
| CVE-2014-9372 | 1 Manageengine | 1 Password Manager Pro | 2015-02-17 | 6.4 MEDIUM | N/A |
| Directory traversal vulnerability in the UploadAccountActivities servlet in ManageEngine Password Manager Pro (PMP) before 7103 allows remote attackers to delete arbitrary files via a .. (dot dot) in a filename. | |||||
| CVE-2014-7850 | 1 Freeipa | 1 Freeipa | 2015-02-17 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to breadcrumb navigation. | |||||
| CVE-2014-6139 | 1 Ibm | 1 Business Process Manager | 2015-02-17 | 4.0 MEDIUM | N/A |
| The Search REST API in IBM Business Process Manager 8.0.1.3, 8.5.0.1, and 8.5.5.0 allows remote authenticated users to bypass intended access restrictions and perform task-instance and process-instance searches by specifying a false value for the filterByCurrentUser parameter. | |||||
| CVE-2014-7196 | 2015-02-15 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2014-7169. Reason: This candidate is a duplicate of CVE-2014-7169. A typo caused the wrong ID to be used. Notes: All CVE users should reference CVE-2014-7169 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2015-0311 | 4 Adobe, Apple, Linux and 1 more | 4 Flash Player, Mac Os X, Linux Kernel and 1 more | 2015-02-14 | 10.0 HIGH | N/A |
| Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in January 2015. | |||||
| CVE-2015-0873 | 1 Homepage Decorator | 1 Perltreebbs | 2015-02-13 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Homepage Decorator PerlTreeBBS 2.30 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2014-8385 | 1 Advantech | 6 Eki-1200 Gateway Series Firmware, Eki-1221, Eki-1221d and 3 more | 2015-02-13 | 10.0 HIGH | N/A |
| Buffer overflow on Advantech EKI-1200 gateways with firmware before 1.63 allows remote attackers to execute arbitrary code via unspecified vectors. | |||||
| CVE-2014-0154 | 1 Ovirt | 1 Ovirt | 2015-02-13 | 5.0 MEDIUM | N/A |
| oVirt Engine before 3.5.0 does not include the HTTPOnly flag in a Set-Cookie header for the session IDs, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. | |||||
| CVE-2015-1471 | 1 Pragyan Cms Project | 1 Pragyan Cms | 2015-02-13 | 7.5 HIGH | N/A |
| SQL injection vulnerability in userprofile.lib.php in Pragyan CMS 3.0 allows remote attackers to execute arbitrary SQL commands via the user parameter to the default URI. | |||||
| CVE-2015-1581 | 1 Mobile Domain Project | 1 Mobile Domain | 2015-02-12 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Mobile Domain plugin 1.5.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (XSS) attacks via the (2) domain, (3) text, (4) font, (5) fontcolor, (6) color, or (7) padding parameter in an add-domain action in the mobile-domain page to wp-admin/options-general.php. | |||||
| CVE-2015-1582 | 1 Web-dorado | 1 Spider Facebook | 2015-02-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Spider Facebook plugin before 1.0.11 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the appid parameter in a registration task to the default URI or remote administrators to inject arbitrary web script or HTML via the (2) asc_or_desc, (3) order_by, (4) page_number, (5) serch_or_not, or (6) search_events_by_title parameter in (a) the Spider_Facebook_manage page to wp-admin/admin.php or a (b) selectpagesforfacebook or (c) selectpostsforfacebook action to wp-admin/admin-ajax.php. | |||||
| CVE-2015-1580 | 1 Redirection Project | 1 Redirection | 2015-02-12 | 6.8 MEDIUM | N/A |
| Multiple cross-site request forgery (CSRF) vulnerabilities in the Redirection Page plugin 1.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (XSS) attacks via the (2) source or (3) redir parameter in an add action in the redirection-page to wp-admin/options-general.php. | |||||
| CVE-2015-1577 | 1 Yuba | 1 U5cms | 2015-02-12 | 6.4 MEDIUM | N/A |
| Directory traversal vulnerability in u5admin/deletefile.php in u5CMS before 3.9.4 allows remote attackers to write to arbitrary files via a (1) .. (dot dot) or (2) full pathname in the f parameter. | |||||
| CVE-2015-1578 | 1 Yuba | 1 U5cms | 2015-02-12 | 5.8 MEDIUM | N/A |
| Multiple open redirect vulnerabilities in u5CMS before 3.9.4 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) pidvesa cookie to u5admin/pidvesa.php or (2) uri parameter to u5admin/meta2.php. | |||||
| CVE-2015-1576 | 1 Yuba | 1 U5cms | 2015-02-12 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in u5CMS before 3.9.4 allow remote attackers to execute arbitrary SQL commands via the name parameter to (1) copy2.php, (2) localize.php, (3) metai.php, (4) nc.php, (5) new2.php, or (6) rename2.php in u5admin/; (7) c parameter to u5admin/editor.php; (8) typ parameter to u5admin/meta2.php; or (9) newname parameter to u5admin/rename2.php. | |||||
| CVE-2015-1575 | 1 Yuba | 1 U5cms | 2015-02-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in u5CMS before 3.9.4 allow remote attackers to inject arbitrary web script or HTML via the (1) c, (2) i, (3) l, or (4) p parameter to index.php; the (5) a or (6) b parameter to u5admin/cookie.php; the name parameter to (7) copy.php or (8) delete.php in u5admin/; the (9) f or (10) typ parameter to u5admin/deletefile.php; the (11) n parameter to u5admin/done.php; the (12) c parameter to u5admin/editor.php; the (13) uri parameter to u5admin/meta2.php; the (14) n parameter to u5admin/notdone.php; the (15) newname parameter to u5admin/rename2.php; the (16) l parameter to u5admin/sendfile.php; the (17) s parameter to u5admin/characters.php; the (18) page parameter to u5admin/savepage.php; or the (19) name parameter to u5admin/new2.php. | |||||
| CVE-2015-1169 | 1 Apereo | 1 Central Authentication Service | 2015-02-11 | 7.5 HIGH | N/A |
| Apereo Central Authentication Service (CAS) Server before 3.5.3 allows remote attackers to conduct LDAP injection attacks via a crafted username, as demonstrated by using a wildcard and a valid password to bypass LDAP authentication. | |||||
| CVE-2015-1377 | 1 Webmin | 1 Webmin | 2015-02-11 | 4.9 MEDIUM | N/A |
| The Read Mail module in Webmin 1.720 allows local users to read arbitrary files via a symlink attack on an unspecified file. | |||||
| CVE-2015-1569 | 1 Fortinet | 1 Forticlient | 2015-02-11 | 4.3 MEDIUM | N/A |
| Fortinet FortiClient 5.2.028 for iOS does not validate certificates, which makes it easier for man-in-the-middle attackers to spoof SSL VPN servers via a crafted certificate. | |||||
| CVE-2015-1570 | 1 Fortinet | 1 Forticlient | 2015-02-11 | 4.3 MEDIUM | N/A |
| The Endpoint Control protocol implementation in Fortinet FortiClient 5.2.3.091 for Android and 5.2.028 for iOS does not validate certificates, which makes it easier for man-in-the-middle attackers to spoof servers via a crafted certificate. | |||||
| CVE-2014-8733 | 1 Cloudera | 1 Cloudera Manager | 2015-02-11 | 2.1 LOW | N/A |
| Cloudera Manager 5.2.0, 5.2.1, and 5.3.0 stores the LDAP bind password in plaintext in unspecified world-readable files under /etc/hadoop, which allows local users to obtain this password. | |||||
| CVE-2014-7731 | 1 Radio De La Cato Project | 1 Radio De La Cato | 2015-02-11 | 5.4 MEDIUM | N/A |
| The Radio de la Cato (aka com.radio.de.la.cato) application 2.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2014-7539 | 1 Zhang Zhijun Taiwan Visit 2014-06-25 Project | 1 Zhang Zhijun Taiwan Visit 2014-06-25 | 2015-02-11 | 5.4 MEDIUM | N/A |
| The Zhang Zhijun Taiwan Visit 2014-06-25 (aka com.zizizzi) application 1.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | |||||
| CVE-2014-7270 | 1 Asus | 10 Rt-ac56s, Rt-ac56s Firmware, Rt-ac68u and 7 more | 2015-02-11 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability on ASUS JAPAN RT-AC87U routers with firmware 3.0.0.4.378.3754 and earlier, RT-AC68U routers with firmware 3.0.0.4.376.3715 and earlier, RT-AC56S routers with firmware 3.0.0.4.376.3715 and earlier, RT-N66U routers with firmware 3.0.0.4.376.3715 and earlier, and RT-N56U routers with firmware 3.0.0.4.376.3715 and earlier allows remote attackers to hijack the authentication of arbitrary users. | |||||
| CVE-2014-7246 | 1 Forgerock | 1 Openam | 2015-02-10 | 3.5 LOW | N/A |
| The Core Server in OpenAM 9.5.3 through 9.5.5, 10.0.0 through 10.0.2, 10.1.0-Xpress, and 11.0.0 through 11.0.2, when deployed on a multi-server network, allows remote authenticated users to cause a denial of service (infinite loop) via a crafted cookie in a request. | |||||
| CVE-2013-3737 | 1 Bestpractical | 1 Request Tracker | 2015-02-10 | 5.0 MEDIUM | N/A |
| The MobileUI (aka RT-Extension-MobileUI) extension before 1.04 in Request Tracker (RT) 4.0.0 before 4.0.13, when using the file-based session store (Apache::Session::File) and certain authentication extensions, allows remote attackers to reuse unauthorized sessions and obtain user preferences and caches via unspecified vectors. | |||||
| CVE-2015-1565 | 4 Hitachi, Microsoft, Novell and 1 more | 8 Compute Systems Manager, Device Manager, Global Link Manager and 5 more | 2015-02-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the online help in Hitachi Device Manager, Tiered Storage Manager, Replication Manager, and Global Link Manager before 8.1.2-00, and Compute Systems Manager before 7.6.1-08 and 8.x before 8.1.2-00, as used in Hitachi Command Suite, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-1564 | 1 Plainblack | 1 Webgui | 2015-02-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in style-underground/search in Plain Black WebGUI 7.10.29 and earlier allows remote attackers to inject arbitrary web script or HTML via the Search field. | |||||
| CVE-2015-1566 | 1 Dotnetnuke | 1 Dotnetnuke | 2015-02-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in DotNetNuke (DNN) before 7.4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2014-9203 | 2 Ge, Mactek | 4 12400 Level Transmitter Device Type Manager, Svi Ii Ap Positioner Device Type Manager, Vector Device Type Manager and 1 more | 2015-02-09 | 5.0 MEDIUM | N/A |
| Buffer overflow in the Field Device Tool (FDT) Frame application in the HART Device Type Manager (DTM) library, as used in MACTek Bullet DTM 1.00.0, GE Vector DTM 1.00.0, GE SVi1000 Positioner DTM 1.00.0, GE SVI II AP Positioner DTM 2.00.1, and GE 12400 Level Transmitter DTM 1.00.0, allows remote attackers to cause a denial of service (DTM outage) via crafted packets. | |||||
| CVE-2015-0871 | 1 Shiromuku | 1 Guestbook | 2015-02-09 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Mrs. Shiromuku Perl CGI shiromuku(u1)GUESTBOOK 1.62 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2013-0212 | 2 Canonical, Openstack | 2 Ubuntu Linux, Image Registry And Delivery Service \(glance\) | 2015-02-09 | 4.0 MEDIUM | N/A |
| store/swift.py in OpenStack Glance Essex (2012.1), Folsom (2012.2) before 2012.2.3, and Grizzly, when in Swift single tenant mode, logs the Swift endpoint's user name and password in cleartext when the endpoint is misconfigured or unusable, allows remote authenticated users to obtain sensitive information by reading the error messages. | |||||
| CVE-2015-1562 | 1 Saurus | 1 Saurus Cms | 2015-02-09 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Saurus CMS 4.7.0 allow remote attackers to inject arbitrary web script or HTML via the (1) search parameter to admin/user_management.php, (2) data_search parameter to /admin/profile_data.php, or (3) filter parameter to error_log.php. | |||||
| CVE-2014-9642 | 1 Bullguard | 4 Bdagent.sys, Internet Security, Online Backup and 1 more | 2015-02-09 | 7.2 HIGH | N/A |
| bdagent.sys in BullGuard Antivirus, Internet Security, Premium Protection, and Online Backup before 15.0.288 allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted 0x0022405c IOCTL call. | |||||
| CVE-2014-9643 | 1 K7computing | 4 Anti-virus Plus, K7sentry.sys, Total Security and 1 more | 2015-02-09 | 7.2 HIGH | N/A |
| K7Sentry.sys in K7 Computing Ultimate Security, Anti-Virus Plus, and Total Security before 14.2.0.253 allows local users to write to arbitrary memory locations, and consequently gain privileges, via a crafted 0x95002570, 0x95002574, 0x95002580, 0x950025a8, 0x950025ac, or 0x950025c8 IOCTL call. | |||||
| CVE-2014-9641 | 1 Trendmicro | 1 Tmeext.sys | 2015-02-09 | 7.2 HIGH | N/A |
| The tmeext.sys driver before 2.0.0.1015 in Trend Micro Antivirus Plus, Internet Security, and Maximum Security allows local users to write to arbitrary memory locations, and consequently gain privileges, via a crafted 0x00222400 IOCTL call. | |||||
| CVE-2013-4186 | 2015-02-09 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | |||||
| CVE-2015-0246 | 2015-02-09 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-1493. Reason: This candidate is a reservation duplicate of CVE-2015-1493. Notes: All CVE users should reference CVE-2015-1493 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2015-1442 | 1 Aas9 | 1 Zerocms | 2015-02-09 | 7.5 HIGH | N/A |
| SQL injection vulnerability in views/zero_transact_user.php in the administrative backend in ZeroCMS 1.3.3, 1.3.2, and earlier allows remote authenticated users to execute arbitrary SQL commands via the user_id parameter in a Modify Account action. NOTE: The article_id parameter to zero_view_article.php vector is already covered by CVE-2014-4034. | |||||
| CVE-2014-0605 | 1 Attachmate | 1 Reflection Ftp Client | 2015-02-09 | 10.0 HIGH | N/A |
| Directory traversal vulnerability in the rftpcom.dll ActiveX control in Attachmate Reflection FTP Client before 14.1.429 allows remote attackers to execute arbitrary code via unspecified vectors to the SaveSettings method. | |||||
| CVE-2014-0603 | 1 Attachmate | 1 Reflection Ftp Client | 2015-02-09 | 10.0 HIGH | N/A |
| The rftpcom.dll ActiveX control in Attachmate Reflection FTP Client before 14.1.429 allows remote attackers to cause a denial of service (memory corruption) and execute arbitrary code via vectors related to the (1) GetGlobalSettings or (2) GetSiteProperties3 methods, which triggers a dereference of an arbitrary memory address. NOTE: this issue was MERGED with CVE-2014-0606 because it is the same type of vulnerability, affecting the same set of versions, and discovered by the same researcher. | |||||