CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-3999 200 +Info 2015-05-20 2015-05-21
2.1
None Local Low Not required Partial None None
Piriform CCleaner 3.26.0.1988 through 5.02.5101 writes the filenames to disk when overwriting files, which allows local users to obtain sensitive information by searching unallocated disk space.
2 CVE-2015-3978 200 +Info 2015-05-12 2015-05-14
2.1
None Local Low Not required Partial None None
SAP Sybase Unwired Platform Online Data Proxy allows local users to obtain usernames and passwords via the DataVault, aka SAP Security Note 2094830.
3 CVE-2015-3455 20 2015-05-18 2015-05-19
2.6
None Remote High Not required None Partial None
Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, does not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.
4 CVE-2015-3448 200 +Info 2015-04-29 2015-04-30
2.1
None Local Low Not required Partial None None
REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log.
5 CVE-2015-3361 79 XSS 2015-04-21 2015-04-23
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Linkit module before 7.x-2.7 and 7.x-3.x before 7.x-3.3 for Drupal, when the node search plugin is enabled, allows remote authenticated users to inject arbitrary web script or HTML via a node title.
6 CVE-2015-3340 200 +Info 2015-04-28 2015-05-13
2.9
None Local Network Medium Not required Partial None None
Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request.
7 CVE-2015-3320 200 +Info 2015-04-16 2015-04-20
2.1
None Local Low Not required Partial None None
Lenovo USB Enhanced Performance Keyboard software before 2.0.2.2 includes active debugging code in SKHOOKS.DLL, which allows local users to obtain keypress information by accessing debug output.
8 CVE-2015-2714 264 +Info 2015-05-14 2015-05-14
2.1
None Local Low Not required Partial None None
Mozilla Firefox before 38.0 on Android does not properly restrict writing URL data to the Android logging system, which allows attackers to obtain sensitive information via a crafted application that has a required permission for reading a log, as demonstrated by the READ_LOGS permission for the mixed-content violation log on Android 4.0 and earlier.
9 CVE-2015-2579 2015-04-16 2015-04-29
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in the Oracle Health Sciences Argus Safety component in Oracle Health Sciences Applications 8.0 allows local users to affect confidentiality via vectors related to BIP Installer.
10 CVE-2015-2576 2015-04-16 2015-04-17
2.1
None Local Low Not required None Partial None
Unspecified vulnerability in the MySQL Utilities component in Oracle MySQL 1.5.1 and earlier, when running on Windows, allows local users to affect integrity via unknown vectors related to Installation.
11 CVE-2015-2574 2015-04-16 2015-04-17
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect confidentiality via unknown vectors related to Text Utilities.
12 CVE-2015-2566 2015-04-16 2015-04-17
2.8
None Remote Medium Multiple systems None None Partial
Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via vectors related to DML.
13 CVE-2015-2157 200 +Info 2015-03-27 2015-03-31
2.1
None Local Low Not required Partial None None
The (1) ssh2_load_userkey and (2) ssh2_save_userkey functions in PuTTY 0.51 through 0.63 do not properly wipe SSH-2 private keys from memory, which allows local users to obtain sensitive information by reading the memory.
14 CVE-2015-2115 +Info 2015-04-27 2015-04-27
2.7
None Local Network Low Single system Partial None None
Unspecified vulnerability in HP Capture and Route Software (HPCR) 1.3 before Patch 7, 1.3 FP1 before Patch 1, and 1.4 before Patch 1 allows remote authenticated users to obtain sensitive information via unknown vectors.
15 CVE-2015-2111 +Info 2015-04-03 2015-04-06
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in HP Intelligent Provisioning 1.40 through 1.60 on Windows Server 2008 R2 and 2012 allows local users to obtain sensitive information via unknown vectors.
16 CVE-2015-2047 287 Bypass 2015-02-23 2015-03-23
2.6
None Remote High Not required None Partial None
The rsaauth extension in TYPO3 4.3.0 through 4.3.14, 4.4.0 through 4.4.15, 4.5.0 through 4.5.39, and 4.6.0 through 4.6.18, when configured for the frontend, allows remote attackers to bypass authentication via a password that is casted to an empty value.
17 CVE-2015-2045 200 +Info 2015-03-12 2015-03-25
2.1
None Local Low Not required Partial None None
The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does not properly initialize data structures, which allows local guest users to obtain sensitive information via unspecified vectors.
18 CVE-2015-2044 200 +Info 2015-03-12 2015-03-25
2.1
None Local Low Not required Partial None None
The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x does not properly initialize data, which allow local HVM guest users to obtain sensitive information via vectors involving an unsupported access size.
19 CVE-2015-1787 20 DoS 2015-03-19 2015-03-25
2.6
None Remote High Not required None None Partial
The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before 1.0.2a, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled, allows remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange message with a length of zero.
20 CVE-2015-1680 200 Bypass +Info 2015-05-13 2015-05-13
2.1
None Local Low Not required Partial None None
The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow local users to bypass the ASLR protection mechanism via a crafted function call, aka "Microsoft Windows Kernel Memory Disclosure Vulnerability," a different vulnerability than CVE-2015-1676, CVE-2015-1677, CVE-2015-1678, and CVE-2015-1679.
21 CVE-2015-1679 200 Bypass +Info 2015-05-13 2015-05-13
2.1
None Local Low Not required Partial None None
The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow local users to bypass the ASLR protection mechanism via a crafted function call, aka "Microsoft Windows Kernel Memory Disclosure Vulnerability," a different vulnerability than CVE-2015-1676, CVE-2015-1677, CVE-2015-1678, and CVE-2015-1680.
22 CVE-2015-1678 200 Bypass +Info 2015-05-13 2015-05-13
2.1
None Local Low Not required Partial None None
The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow local users to bypass the ASLR protection mechanism via a crafted function call, aka "Microsoft Windows Kernel Memory Disclosure Vulnerability," a different vulnerability than CVE-2015-1676, CVE-2015-1677, CVE-2015-1679, and CVE-2015-1680.
23 CVE-2015-1677 200 Bypass +Info 2015-05-13 2015-05-13
2.1
None Local Low Not required Partial None None
The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow local users to bypass the ASLR protection mechanism via a crafted function call, aka "Microsoft Windows Kernel Memory Disclosure Vulnerability," a different vulnerability than CVE-2015-1676, CVE-2015-1678, CVE-2015-1679, and CVE-2015-1680.
24 CVE-2015-1676 200 Bypass +Info 2015-05-13 2015-05-13
2.1
None Local Low Not required Partial None None
The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow local users to bypass the ASLR protection mechanism via a crafted function call, aka "Microsoft Windows Kernel Memory Disclosure Vulnerability," a different vulnerability than CVE-2015-1677, CVE-2015-1678, CVE-2015-1679, and CVE-2015-1680.
25 CVE-2015-1648 19 +Info 2015-04-14 2015-04-29
2.6
None Remote High Not required Partial None None
ASP.NET in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2, when the customErrors configuration is disabled, allows remote attackers to obtain sensitive configuration-file information via a crafted request, aka "ASP.NET Information Disclosure Vulnerability."
26 CVE-2015-1647 20 DoS 2015-04-14 2015-04-29
2.1
None Local Low Not required None None Partial
Virtual Machine Manager (VMM) in Hyper-V in Microsoft Windows 8.1 and Windows Server 2012 R2 allows guest OS users to cause a denial of service (VMM functionality loss) via a crafted application, aka "Windows Hyper-V DoS Vulnerability."
27 CVE-2015-1602 200 +Info 2015-04-05 2015-04-23
2.1
None Local Low Not required Partial None None
Siemens SIMATIC STEP 7 (TIA Portal) 12 and 13 before 13 SP1 Upd1 improperly stores password data within project files, which makes it easier for local users to determine cleartext (1) protection-level passwords or (2) web-server passwords by leveraging the ability to read these files.
28 CVE-2015-1599 264 Bypass 2015-03-06 2015-03-09
2.1
None Local Low Not required None Partial None
The Siemens SPCanywhere application for iOS allows physically proximate attackers to bypass intended access restrictions by leveraging a filesystem architectural error.
29 CVE-2015-1598 200 +Info 2015-03-06 2015-03-09
2.1
None Local Low Not required Partial None None
The Siemens SPCanywhere application for Android does not properly store application passwords, which allows physically proximate attackers to obtain sensitive information by examining the device filesystem.
30 CVE-2015-1563 399 DoS 2015-02-09 2015-03-25
2.1
None Local Low Not required None None Partial
The ARM GIC distributor virtualization in Xen 4.4.x and 4.5.x allows local guests to cause a denial of service by causing a large number messages to be logged.
31 CVE-2015-1426 200 +Info 2015-02-23 2015-02-24
2.1
None Local Low Not required Partial None None
Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtains sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node.
32 CVE-2015-1420 362 Bypass 2015-03-16 2015-03-18
2.1
None Local Low Not required Partial None None
Race condition in the handle_to_path function in fs/fhandle.c in the Linux kernel through 3.19.1 allows local users to bypass intended size restrictions and trigger read operations on additional memory locations by changing the handle_bytes value of a file handle during the execution of this function.
33 CVE-2015-1415 200 +Info 2015-04-10 2015-04-10
2.1
None Local Low Not required Partial None None
The bsdinstall installer in FreeBSD 10.x before 10.1 p9, when configuring full disk encrypted ZFS, uses world-readable permissions for the GELI keyfile (/boot/encryption.key), which allows local users to obtain sensitive key information by reading the file.
34 CVE-2015-1355 310 2015-02-17 2015-02-18
2.1
None Local Low Not required Partial None None
Siemens SIMATIC STEP 7 (TIA Portal) before 13 SP1 uses a weak password-hash algorithm, which makes it easier for local users to determine cleartext passwords by reading a project file and conducting a brute-force attack.
35 CVE-2015-1345 119 DoS Overflow 2015-02-12 2015-02-12
2.1
None Local Low Not required None None Partial
The bmexec_trans function in kwset.c in grep 2.19 through 2.21 allows local users to cause a denial of service (out-of-bounds heap read and crash) via crafted input when using the -F option.
36 CVE-2015-1314 200 +Info 2015-04-16 2015-04-17
2.1
None Local Low Not required Partial None None
The USAA Mobile Banking application before 7.10.1 for Android displays the most recently-used screen before prompting the user for login, which might allow physically proximate users to obtain banking account numbers and balances.
37 CVE-2015-1200 362 Bypass 2015-01-23 2015-01-26
2.1
None Local Low Not required None Partial None
Race condition in pxz 4.999.99 Beta 3 uses weak file permissions for the output file when compressing a file before changing the permission to match the original file, which allows local users to bypass the intended access restrictions.
38 CVE-2015-1142 20 DoS 2015-04-10 2015-04-29
2.1
None Local Low Not required None None Partial
LaunchServices in Apple OS X before 10.10.3 allows local users to cause a denial of service (Finder crash) via crafted localization data.
39 CVE-2015-1127 200 +Info 2015-04-10 2015-04-14
2.1
None Local Low Not required Partial None None
The private-browsing implementation in WebKit in Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 places browsing history into an index, which might allow local users to obtain sensitive information by reading index entries.
40 CVE-2015-1116 200 +Info 2015-04-10 2015-04-14
2.1
None Local Low Not required Partial None None
The UIKit View component in Apple iOS before 8.3 displays unblurred application snapshots in the Task Switcher, which makes it easier for physically proximate attackers to obtain sensitive information by reading the device screen.
41 CVE-2015-1109 200 +Info 2015-04-10 2015-04-14
2.1
None Local Low Not required Partial None None
NetworkExtension in Apple iOS before 8.3 stores credentials in VPN configuration logs, which makes it easier for physically proximate attackers to obtain sensitive information by reading a log file.
42 CVE-2015-1108 200 +Info 2015-04-10 2015-04-14
2.1
None Local Low Not required Partial None None
The Lock Screen component in Apple iOS before 8.3 does not properly enforce the limit on incorrect passcode-authentication attempts, which makes it easier for physically proximate attackers to obtain access by making many passcode guesses.
43 CVE-2015-1106 200 +Info 2015-04-10 2015-04-14
2.1
None Local Low Not required Partial None None
The QuickType feature in the Keyboards subsystem in Apple iOS before 8.3 allows physically proximate attackers to discover passcodes by reading the lock screen during use of a Bluetooth keyboard.
44 CVE-2015-1087 22 Dir. Trav. 2015-04-10 2015-04-14
2.1
None Local Low Not required Partial None None
Directory traversal vulnerability in Backup in Apple iOS before 8.3 allows attackers to read arbitrary files via a crafted relative path.
45 CVE-2015-0999 200 +Info 2015-03-29 2015-03-30
2.1
None Local Low Not required Partial None None
Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 store cleartext OPC User credentials in a configuration file, which allows local users to obtain sensitive information by reading this file.
46 CVE-2015-0996 200 +Info 2015-03-29 2015-03-30
2.1
None Local Low Not required Partial None None
Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 rely on a hardcoded cleartext password to control read access to Project files and Project Configuration files, which makes it easier for local users to obtain sensitive information by discovering this password.
47 CVE-2015-0992 200 +Info 2015-04-03 2015-04-03
2.1
None Local Low Not required Partial None None
Inductive Automation Ignition 7.7.2 stores cleartext OPC Server credentials, which allows local users to obtain sensitive information via unspecified vectors.
48 CVE-2015-0820 284 Bypass 2015-02-25 2015-03-26
2.6
None Remote High Not required None Partial None
Mozilla Firefox before 36.0 does not properly restrict transitions of JavaScript objects from a non-extensible state to an extensible state, which allows remote attackers to bypass a Caja Compiler sandbox protection mechanism or a Secure EcmaScript sandbox protection mechanism via a crafted web site.
49 CVE-2015-0777 200 +Info 2015-04-05 2015-04-09
2.1
None Local Low Not required Partial None None
drivers/xen/usbback/usbback.c in linux-2.6.18-xen-3.4.0 (aka the Xen 3.4.x support patches for the Linux kernel 2.6.18), as used in the Linux kernel 2.6.x and 3.x in SUSE Linux distributions, allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory via unspecified vectors.
50 CVE-2015-0527 200 +Info 2015-03-23 2015-03-31
2.1
None Local Low Not required Partial None None
EMC Documentum xCelerated Management System (xMS) 1.1 before P14 stores cleartext Windows Service credentials in a batch file during Documentum Platform and xCelerated Composition Platform (xCP) provisioning, which allows local users to obtain sensitive information by reading a file.
Total number of vulnerabilities : 2867   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.