CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-3393 2015-04-21 2015-04-23
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the Commerce WeDeal module before 7.x-1.3 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter.
2 CVE-2015-3391 200 Bypass +Info 2015-04-21 2015-04-23
5.0
None Remote Low Not required Partial None None
The Path Breadcrumbs module before 7.x-3.2 for Drupal allows remote attackers to bypass intended access restrictions and obtaining sensitive node titles by reading a 403 Not Found page.
3 CVE-2015-3388 352 CSRF 2015-04-21 2015-04-23
5.8
None Remote Medium Not required None Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Commerce Balanced Payments module for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete the user's configured bank accounts via unspecified vectors.
4 CVE-2015-3383 2015-04-21 2015-04-23
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the Node basket module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
5 CVE-2015-3382 352 CSRF 2015-04-21 2015-04-23
5.8
None Remote Medium Not required None Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Node basket module for Drupal allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add or (2) remove nodes from a basket via unspecified vectors.
6 CVE-2015-3380 352 CSRF 2015-04-21 2015-04-23
5.8
None Remote Medium Not required None Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Feature Set module for Drupal allow remote attackers to hijack the authentication of administrator for requests that (1) enable or (2) disable a module via unspecified vectors.
7 CVE-2015-3375 352 CSRF 2015-04-21 2015-04-23
5.8
None Remote Medium Not required None Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Shibboleth Authentication module before 6.x-4.1 and 7.x-4.x before 7.x-4.1 for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete user role matching rules via unspecified vectors.
8 CVE-2015-3374 352 CSRF 2015-04-21 2015-04-23
5.8
None Remote Medium Not required None Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Corner module for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable or (2) disable corners via unspecified vectors.
9 CVE-2015-3373 200 +Info 2015-04-21 2015-04-23
5.0
None Remote Low Not required Partial None None
The Amazon AWS module before 7.x-1.3 for Drupal uses the base URL and AWS access key to generate the access token, which makes it easier for remote attackers to guess the token value and create backups via a crafted URL.
10 CVE-2015-3371 2015-04-21 2015-04-23
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the Node Invite module before 6.x-2.5 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the destination parameter.
11 CVE-2015-3366 352 CSRF 2015-04-21 2015-04-23
5.8
None Remote Medium Not required None Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Alfresco module before 6.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete an alfresco node via unspecified vectors.
12 CVE-2015-3358 2015-04-21 2015-04-22
5.8
None Remote Medium Not required Partial Partial None
Multiple open redirect vulnerabilities in the Tadaa! module before 7.x-1.4 for Drupal allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a destination parameter, related to callbacks that (1) enable and disable modules or (2) change variables.
13 CVE-2015-3354 352 CSRF 2015-04-21 2015-04-22
5.8
None Remote Medium Not required None Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Wishlist module before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete wishlist purchase intentions via unspecified vectors.
14 CVE-2015-3342 2015-04-21 2015-04-23
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the Ubercart Currency Conversion module before 6.x-1.2 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination query parameter.
15 CVE-2015-3323 20 DoS 2015-04-16 2015-04-20
5.0
None Remote Low Not required None None Partial
The ThinkServer System Manager (TSM) Baseboard Management Controller before firmware 1.27.73476 for ThinkServer RD350, RD450, RD550, RD650, and TD350 allows remote attackers to cause a denial of service (web interface crash) via a malformed HTTP request during authentication.
16 CVE-2015-3322 310 2015-04-16 2015-04-21
5.0
None Remote Low Not required Partial None None
Lenovo ThinkServer RD350, RD450, RD550, RD650, and TD350 servers before 1.26.0 use weak encryption to store (1) user and (2) administrator BIOS passwords, which allows attackers to decrypt the passwords via unspecified vectors.
17 CVE-2015-3319 200 +Info 2015-04-16 2015-04-17
5.0
None Remote Low Not required Partial None None
Hotspot Express hotEx Billing Manager 73 does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
18 CVE-2015-3044 200 Bypass +Info 2015-04-14 2015-04-22
5.0
None Remote Low Not required Partial None None
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors.
19 CVE-2015-3040 200 Bypass +Info 2015-04-14 2015-04-22
5.0
None Remote Low Not required Partial None None
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors, a different vulnerability than CVE-2015-0357.
20 CVE-2015-3028 264 Bypass 2015-04-08 2015-04-09
5.5
None Remote Low Single system Partial Partial None
McAfee Advanced Threat Defense (MATD) before 3.4.4.63 allows remote authenticated users to bypass intended restrictions and change or update configuration settings via crafted parameters.
21 CVE-2015-3027 264 Bypass 2015-04-10 2015-04-17
5.0
None Remote Low Not required None Partial None
Clang in LLVM, as used in Apple Xcode before 6.3, performs incorrect register allocation in a way that triggers stack storage for stack cookie pointers, which might allow context-dependent attackers to bypass a stack-guard protection mechanism via crafted input to an affected C program.
22 CVE-2015-2935 200 Bypass +Info 2015-04-13 2015-04-14
5.0
None Remote Low Not required Partial None None
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to bypass the SVG filtering and obtain sensitive user information via a mixed case @import in a style element in an SVG file, as demonstrated by "@imporT."
23 CVE-2015-2841 284 Bypass 2015-04-03 2015-04-03
5.0
None Remote Low Not required None Partial None
Citrix NetScaler AppFirewall, as used in NetScaler 10.5, allows remote attackers to bypass intended firewall restrictions via a crafted Content-Type header, as demonstrated by the application/octet-stream and text/xml Content-Types.
24 CVE-2015-2820 119 DoS Overflow 2015-04-01 2015-04-01
5.0
None Remote Low Not required None None Partial
Buffer overflow in XcListener in SAP Afaria 7.0.6001.5 allows remote attackers to cause a denial of service (process termination) via a crafted request, aka SAP Security Note 2132584.
25 CVE-2015-2819 20 DoS 2015-04-01 2015-04-15
5.0
None Remote Low Not required None None Partial
SAP Sybase SQL Anywhere 11 and 16 allows remote attackers to cause a denial of service (crash) via a crafted request, aka SAP Security Note 2108161.
26 CVE-2015-2818 2015-04-01 2015-04-01
5.0
None Remote Low Not required None Partial None
XML external entity (XXE) vulnerability in SAP Mobile Platform 3 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2125513.
27 CVE-2015-2817 200 +Info 2015-04-01 2015-04-02
5.0
None Remote Low Not required Partial None None
The SAP Management Console in SAP NetWeaver 7.40 allows remote attackers to obtain sensitive information via the ReadProfile parameters, aka SAP Security Note 2091768.
28 CVE-2015-2813 2015-04-01 2015-04-02
5.0
None Remote Low Not required None Partial None
XML external entity (XXE) vulnerability in SAP Mobile Platform allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2125358.
29 CVE-2015-2812 2015-04-01 2015-04-02
5.0
None Remote Low Not required None Partial None
XML external entity (XXE) vulnerability in XMLValidationComponent in SAP NetWeaver Portal 7.31.201109172004 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2093966.
30 CVE-2015-2811 2015-04-01 2015-04-02
5.0
None Remote Low Not required None Partial None
XML external entity (XXE) vulnerability in ReportXmlViewer in SAP NetWeaver Portal 7.31.201109172004 allows remote attackers to send requests to intranet servers via crafted XML, aka SAP Security Note 2111939.
31 CVE-2015-2809 200 DoS +Info 2015-03-31 2015-04-01
5.0
None Remote Low Not required Partial None None
The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets to the Avahi component.
32 CVE-2015-2779 399 DoS 2015-04-10 2015-04-13
5.0
None Remote Low Not required None None Partial
Stack consumption vulnerability in the message splitting functionality in Quassel before 0.12-rc1 allows remote attackers to cause a denial of service (uncontrolled recursion) via a crafted massage.
33 CVE-2015-2778 399 DoS 2015-04-10 2015-04-10
5.0
None Remote Low Not required None None Partial
Quassel before 0.12-rc1 uses an incorrect data-type size when splitting a message, which allows remote attackers to cause a denial of service (crash) via a long CTCP query containing only multibyte characters.
34 CVE-2015-2773 2015-03-27 2015-03-30
5.0
None Remote Low Not required Partial None None
SVM in Websense TRITON V-Series appliances before 8.0.0 allows attackers to read arbitrary files via unspecified vectors.
35 CVE-2015-2771 200 +Info 2015-03-27 2015-03-30
5.0
None Remote Low Not required Partial None None
The Mail Server in Websense TRITON AP-EMAIL and V-Series appliances before 8.0.0 uses plaintext credentials, which allows remote attackers to obtain sensitive information via unspecified vectors.
36 CVE-2015-2766 255 2015-03-27 2015-03-30
5.0
None Remote Low Not required Partial None None
The Personal Email Manager (PEM) in Websense TRITON AP-EMAIL before 8.0.0 allows attackers to have unspecified impact via a brute force attack.
37 CVE-2015-2762 200 +Info 2015-03-27 2015-03-30
5.0
None Remote Low Not required Partial None None
Websense TRITON AP-WEB before 8.0.0 allows remote attackers to enumerate Windows domain user accounts via vectors related to HTTP authentication.
38 CVE-2015-2748 200 +Info 2015-03-26 2015-03-27
5.0
None Remote Low Not required Partial None None
Websense TRITON AP-WEB before 8.0.0 does not properly restrict access to files in explorer_wse/, which allows remote attackers to obtain sensitive information via a direct request to a (1) Web Security incident report or the (2) Explorer configuration (websense.ini) file.
39 CVE-2015-2682 17 2015-03-26 2015-04-02
5.0
None Remote Low Not required Partial None None
Citrix Command Center before 5.1 Build 35.4 and 5.2 before Build 42.7 allows remote attackers to obtain credentials via a direct request to conf/securitydbData.xml.
40 CVE-2015-2568 2015-04-16 2015-04-17
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote attackers to affect availability via unknown vectors related to Server : Security : Privileges.
41 CVE-2015-2348 264 Bypass 2015-03-30 2015-04-13
5.0
None Remote Low Not required None Partial None
The move_uploaded_file implementation in ext/standard/basic_functions.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 truncates a pathname upon encountering a \x00 character, which allows remote attackers to bypass intended extension restrictions and create files with unexpected names via a crafted second argument. NOTE: this vulnerability exists because of an incomplete fix for CVE-2006-7243.
42 CVE-2015-2335 200 +Info 2015-03-18 2015-03-25
5.0
None Remote Low Not required Partial None None
A JSON library in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to obtain the installation path via unknown vectors.
43 CVE-2015-2316 399 DoS 2015-03-25 2015-04-09
5.0
None Remote Low Not required None None Partial
The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string.
44 CVE-2015-2235 310 2015-03-06 2015-03-09
5.0
None Remote Low Not required None Partial None
Secure Transport in Apple iOS through 8.1.3, Apple OS X through 10.10.2, and Apple TV through 7.0.3 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204 and CVE-2015-1637.
45 CVE-2015-2215 2015-03-05 2015-03-05
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the Services single sign-on server helper (services_sso_server_helper) module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters.
46 CVE-2015-2214 200 +Info 2015-03-05 2015-03-05
5.0
None Remote Low Not required Partial None None
NetCat 5.01 and earlier allows remote attackers to obtain the installation path via the redirect_url parameter to netshop/post.php.
47 CVE-2015-2209 200 +Info 2015-03-04 2015-03-05
5.0
None Remote Low Not required Partial None None
DLGuard 4.5 allows remote attackers to obtain the installation path via the c parameter to index.php.
48 CVE-2015-2206 200 +Info CSRF 2015-03-09 2015-04-02
5.0
None Remote Low Not required Partial None None
libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.
49 CVE-2015-2192 189 DoS Overflow 2015-03-07 2015-03-23
5.0
None Remote Low Not required None None Partial
Integer overflow in the dissect_osd2_cdb_continuation function in epan/dissectors/packet-scsi-osd.c in the SCSI OSD dissector in Wireshark 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted length field in a packet.
50 CVE-2015-2191 189 DoS Overflow 2015-03-07 2015-04-06
5.0
None Remote Low Not required None None Partial
Integer overflow in the dissect_tnef function in epan/dissectors/packet-tnef.c in the TNEF dissector in Wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted length field in a packet.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.