CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-2078 310 2015-02-24 2015-02-27
5.0
None Remote Low Not required None Partial None
The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers, a different vulnerability than CVE-2015-2077.
2 CVE-2015-2077 200 +Info 2015-02-24 2015-02-27
5.0
None Remote Low Not required Partial None None
The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products.
3 CVE-2015-2067 22 1 Dir. Trav. 2015-02-24 2015-02-25
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in web/ajax_pluginconf.php in the MAGMI (aka Magento Mass Importer) plugin for Magento Server allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
4 CVE-2015-1589 22 Dir. Trav. 2015-02-23 2015-02-24
5.0
None Remote Low Not required None Partial None
Directory traversal vulnerability in arCHMage 0.2.4 allows remote attackers to write to arbitrary files via a .. (dot dot) in a CHM file.
5 CVE-2015-1579 22 1 Dir. Trav. 2015-02-11 2015-02-12
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.
6 CVE-2015-1578 2015-02-11 2015-02-12
5.8
None Remote Medium Not required Partial Partial None
Multiple open redirect vulnerabilities in u5CMS before 3.9.4 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) pidvesa cookie to u5admin/pidvesa.php or (2) uri parameter to u5admin/meta2.php.
7 CVE-2015-1574 19 DoS 2015-02-15 2015-02-17
5.0
None Remote Low Not required None None Partial
The Google Email application 4.2.2.0200 for Android allows remote attackers to cause a denial of service (persistent application crash) via a "Content-Disposition: ;" header in an e-mail message.
8 CVE-2015-1548 119 Overflow +Info 2015-02-10 2015-02-11
5.0
None Remote Low Not required Partial None None
mini_httpd 1.21 and earlier allows remote attackers to obtain sensitive information from process memory via an HTTP request with a long protocol string, which triggers an incorrect response size calculation and an out-of-bounds read.
9 CVE-2015-1546 DoS 2015-02-12 2015-02-23
5.0
None Remote Low Not required None None Partial
Double free vulnerability in the get_vrFilter function in servers/slapd/filter.c in OpenLDAP 2.4.40 allows remote attackers to cause a denial of service (crash) via a crafted search query with a matched values control.
10 CVE-2015-1545 DoS 2015-02-12 2015-02-25
5.0
None Remote Low Not required None None Partial
The deref_parseCtrl function in servers/slapd/overlays/deref.c in OpenLDAP 2.4.13 through 2.4.40 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an empty attribute list in a deref control in a search request.
11 CVE-2015-1482 200 1 Bypass +Info 2015-02-04 2015-02-05
5.0
None Remote Low Not required Partial None None
Ansible Tower (aka Ansible UI) before 2.0.5 allows remote attackers to bypass authentication and obtain sensitive information via a websocket connection to socket.io/1/.
12 CVE-2015-1463 17 DoS 2015-02-03 2015-02-23
5.0
None Remote Low Not required None None Partial
ClamAV before 0.98.6 allows remote attackers to cause a denial of service (crash) via a crafted petite packer file, related to an "incorrect compiler optimization."
13 CVE-2015-1453 310 2015-02-02 2015-02-18
5.0
None Remote Low Not required Partial None None
The qm class in Fortinet FortiClient 5.2.3.091 for Android uses a hardcoded encryption key of FoRtInEt!AnDrOiD, which makes it easier for attackers to obtain passwords and possibly other sensitive data by leveraging the key to decrypt data in the Shared Preferences.
14 CVE-2015-1419 Bypass 2015-01-28 2015-01-28
5.0
None Remote Low Not required None Partial None
Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
15 CVE-2015-1382 20 DoS 2015-02-03 2015-02-19
5.0
None Remote Low Not required None None Partial
parsers.c in Privoxy before 3.0.23 allows remote attackers to cause a denial of service (invalid read and crash) via vectors related to an HTTP time header.
16 CVE-2015-1381 399 DoS 2015-02-03 2015-02-19
5.0
None Remote Low Not required None None Partial
Multiple unspecified vulnerabilities in pcrs.c in Privoxy before 3.0.23 allow remote attackers to cause a denial of service (segmentation fault or memory consumption) via unspecified vectors.
17 CVE-2015-1380 20 DoS 2015-02-03 2015-02-19
5.0
None Remote Low Not required None None Partial
jcc.c in Privoxy before 3.0.23 allows remote attackers to cause a denial of service (abort) via a crafted chunk-encoded body.
18 CVE-2015-1365 22 1 Dir. Trav. 2015-01-27 2015-01-29
5.0
None Remote Low Not required None Partial None
Directory traversal vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to write to arbitrary files via a .. (dot dot) in the q parameter.
19 CVE-2015-1358 310 2015-02-17 2015-02-18
5.0
None Remote Low Not required Partial None None
The remote-management module in the (1) Multi Panels, (2) Comfort Panels, and (3) RT Advanced functionality in Siemens SIMATIC WinCC (TIA Portal) before 13 SP1 does not properly encrypt credentials in transit, which makes it easier for remote attackers to determine cleartext credentials by sniffing the network and conducting a decryption attack.
20 CVE-2015-1357 200 +Info 2015-02-02 2015-02-04
5.0
None Remote Low Not required Partial None None
Siemens Ruggedcom WIN51xx devices with firmware before SS4.4.4624.35, WIN52xx devices with firmware before SS4.4.4624.35, WIN70xx devices with firmware before BS4.4.4621.32, and WIN72xx devices with firmware before BS4.4.4621.32 allow context-dependent attackers to discover password hashes by reading (1) files or (2) security logs.
21 CVE-2015-1349 399 DoS 2015-02-18 2015-02-23
5.4
None Remote High Not required None None Complete
named in ISC BIND 9.7.0 through 9.9.6 before 9.9.6-P2 and 9.10.x before 9.10.1-P2, when DNSSEC validation and the managed-keys feature are enabled, allows remote attackers to cause a denial of service (assertion failure and daemon exit, or daemon crash) by triggering an incorrect trust-anchor management scenario in which no key is ready for use.
22 CVE-2015-1309 2015-01-22 2015-01-25
5.0
None Remote Low Not required Partial None None
XML external entity vulnerability in the Extended Computer Aided Test Tool (eCATT) in SAP NetWeaver AS ABAP 7.31 and earlier allows remote attackers to access arbitrary files via a crafted XML request, related to ECATT_DISPLAY_XMLSTRING_REMOTE, aka SAP Note 2016638.
23 CVE-2015-1306 200 +Info 2015-01-22 2015-01-23
5.0
None Remote Low Not required Partial None None
The newsletter posting area in the web interface in Sympa 6.0.x before 6.0.10 and 6.1.x before 6.1.24 allows remote attackers to read arbitrary files via unspecified vectors.
24 CVE-2015-1210 264 Bypass 2015-02-06 2015-02-20
5.0
None Remote Low Not required None Partial None
The V8ThrowException::createDOMException function in bindings/core/v8/V8ThrowException.cpp in the V8 bindings in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, does not properly consider frame access restrictions during the throwing of an exception, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
25 CVE-2015-1201 DoS 2015-01-20 2015-01-22
5.0
None Remote Low Not required None None Partial
Privoxy before 3.0.22 allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
26 CVE-2015-1193 22 Dir. Trav. 2015-01-21 2015-01-23
5.0
None Remote Low Not required None Partial None
Multiple directory traversal vulnerabilities in pax 1:20140703 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.
27 CVE-2015-1192 22 Dir. Trav. 2015-01-21 2015-01-23
5.0
None Remote Low Not required None Partial None
Absolute path traversal vulnerability in kgb 1.0b4 allows remote attackers to write to arbitrary files via a full pathname in a crafted archive.
28 CVE-2015-1191 22 Dir. Trav. 2015-01-21 2015-01-23
5.0
None Remote Low Not required None Partial None
Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.
29 CVE-2015-1060 1 2015-01-16 2015-01-20
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in lib/Cake/Controller/Controller.php in AdaptCMS 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header.
30 CVE-2015-1051 2015-01-15 2015-01-16
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the Context UI module in the Context module 7.x-3.x before 7.x-3.6 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.
31 CVE-2015-1042 2015-02-10 2015-02-11
5.8
None Remote Medium Not required Partial Partial None
The string_sanitize_url function in core/string_api.php in MantisBT 1.2.0a3 through 1.2.18 uses an incorrect regular expression, which allows remote attackers to conduct open redirect and phishing attacks via a URL with a ":/" (colon slash) separator in the return parameter to login_page.php, a different vulnerability than CVE-2014-6316.
32 CVE-2015-1038 59 2015-01-21 2015-01-23
5.8
None Remote Medium Not required None Partial Partial
p7zip 9.20.1 allows remote attackers to write to arbitrary files via a symlink attack in an archive.
33 CVE-2015-1030 399 DoS 2015-01-20 2015-02-04
5.0
None Remote Low Not required None None Partial
Memory leak in the rfc2553_connect_to function in jbsocket.c in Privoxy before 3.0.22 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests that are rejected because the socket limit is reached.
34 CVE-2015-0923 2015-02-13 2015-02-17
5.0
None Remote Low Not required Partial None None
The ContentBlockEx method in Workarea/ServerControlWS.asmx in Ektron Content Management System (CMS) 8.5 and 8.7 before 8.7sp2 and 9.0 before sp1 allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference within an XML document named in the xslt parameter, related to an XML External Entity (XXE) issue.
35 CVE-2015-0922 200 +Info 2015-01-09 2015-02-11
5.0
None Remote Low Not required Partial None None
McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.
36 CVE-2015-0878 22 Dir. Trav. 2015-02-20 2015-02-20
5.8
None Remote Medium Not required None Partial Partial
Directory traversal vulnerability in CREAR AL-Mail32 before 1.13d allows remote attackers to write to arbitrary files via a crafted filename of an attachment.
37 CVE-2015-0867 22 Dir. Trav. 2015-01-21 2015-01-23
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in SYNCK GRAPHICA Download Log CGI 3.0 and earlier allows remote attackers to read arbitrary files via a crafted filename.
38 CVE-2015-0832 254 Bypass 2015-02-25 2015-02-27
5.0
None Remote Low Not required None Partial None
Mozilla Firefox before 36.0 does not properly recognize the equivalence of domain names with and without a trailing . (dot) character, which allows man-in-the-middle attackers to bypass the HPKP and HSTS protection mechanisms by constructing a URL with this character and leveraging access to an X.509 certificate for a domain with this character.
39 CVE-2015-0830 399 DoS 2015-02-25 2015-02-27
5.0
None Remote Low Not required None None Partial
The WebGL implementation in Mozilla Firefox before 36.0 does not properly allocate memory for copying an unspecified string to a shader's compilation log, which allows remote attackers to cause a denial of service (application crash) via crafted WebGL content.
40 CVE-2015-0824 119 DoS Overflow 2015-02-25 2015-02-27
5.0
None Remote Low Not required None None Partial
The mozilla::layers::BufferTextureClient::AllocateForSurface function in Mozilla Firefox before 36.0 allows remote attackers to cause a denial of service (out-of-bounds write of zero values, and application crash) via vectors that trigger use of DrawTarget and the Cairo library for image drawing.
41 CVE-2015-0632 362 DoS 2015-02-26 2015-02-27
5.7
None Local Network Medium Not required None None Complete
Race condition in the Neighbor Discovery (ND) protocol implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service via a flood of Router Solicitation messages on the local network, aka Bug ID CSCuo67770.
42 CVE-2015-0628 200 Bypass +Info 2015-02-19 2015-02-20
5.0
None Remote Low Not required Partial None None
The proxy engine on Cisco Web Security Appliance (WSA) devices allows remote attackers to bypass intended proxying restrictions via a malformed HTTP method, aka Bug ID CSCus79174.
43 CVE-2015-0619 399 DoS 2015-02-11 2015-02-18
5.0
None Remote Low Not required None None Partial
Memory leak in the embedded web server in the WebVPN subsystem in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to cause a denial of service (memory consumption and SSL outage) via multiple crafted HTTP requests, aka Bug ID CSCue05458.
44 CVE-2015-0617 399 DoS 2015-02-17 2015-02-20
5.0
None Remote Low Not required None None Partial
Cisco ASR 5500 System Architecture Evolution (SAE) Gateway devices allow remote attackers to cause a denial of service (CPU consumption and SNMP outage) via malformed SNMP packets, aka Bug ID CSCur13393.
45 CVE-2015-0604 20 2015-02-06 2015-02-19
5.0
None Remote Low Not required None Partial None
The web framework on Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier allows remote attackers to upload files to arbitrary locations on a phone's filesystem via crafted HTTP requests, aka Bug ID CSCup90424.
46 CVE-2015-0602 200 +Info 2015-02-07 2015-02-13
5.0
None Remote Low Not required Partial None None
The mobility extension on Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier allows remote attackers to obtain sensitive information by sniffing the network, aka Bug ID CSCuq12117.
47 CVE-2015-0600 20 DoS 2015-02-07 2015-02-13
5.0
None Remote Low Not required None None Partial
The mobility extension on Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier allows remote attackers to cause a denial of service (logoff) via crafted packets, aka Bug ID CSCuq12139.
48 CVE-2015-0597 200 +Info 2015-02-01 2015-02-11
5.0
None Remote Low Not required Partial None None
The Forgot Password feature in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to enumerate administrative accounts via crafted packets, aka Bug IDs CSCuj67166 and CSCuj67159.
49 CVE-2015-0595 200 +Info 2015-02-01 2015-02-11
5.0
None Remote Low Not required Partial None None
The XMLAPI in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to obtain sensitive information by reading return messages from crafted GET requests, aka Bug ID CSCuj67079.
50 CVE-2015-0591 399 DoS 2015-01-15 2015-01-27
5.0
None Remote Low Not required None None Partial
Cisco Unified Communications Domain Manager (UCDM) 10 allows remote attackers to cause a denial of service (daemon hang and GUI outage) via a flood of malformed TCP packets, aka Bug ID CSCur44177.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.