CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-5354 2015-07-01 2015-07-02
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter to admin/nos/login.
2 CVE-2015-5149 22 Dir. Trav. 2015-06-30 2015-07-01
5.5
None Remote Low Single system None Partial Partial
Directory traversal vulnerability in Zoho ManageEngine SupportCenter Plus 7.90 allows remote authenticated users to write to arbitrary files via a .. (dot dot) in the component parameter in the Request component to workorder/Attachment.jsp.
3 CVE-2015-5067 255 2015-06-24 2015-06-24
5.0
None Remote Low Not required Partial None None
The (1) Cross-System Tools and (2) Data Transfer Workbench in SAP NetWeaver have hardcoded credentials, which allows remote attackers to obtain access via unspecified vectors, aka SAP Security Note 2059659 and 2057982.
4 CVE-2015-5065 22 Dir. Trav. 2015-06-24 2015-06-24
5.0
None Remote Low Not required Partial None None
Absolute path traversal vulnerability in proxy.php in the google currency lookup in the Paypal Currency Converter Basic For WooCommerce plugin before 1.4 for WordPress allows remote attackers to read arbitrary files via a full pathname in the requrl parameter.
5 CVE-2015-5062 2015-06-24 2015-06-24
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in SilverStripe CMS & Framework 3.1.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the returnURL parameter to dev/build.
6 CVE-2015-4695 119 DoS Overflow 2015-07-01 2015-07-02
5.0
None Remote Low Not required None None Partial
meta.h in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WMF file.
7 CVE-2015-4590 119 DoS Overflow 2015-06-22 2015-06-23
5.0
None Remote Low Not required None None Partial
The extractFrom function in Internals/QuotedString.cpp in Arduino JSON before 4.5 allows remote attackers to cause a denial of service (crash) via a JSON string with a \ (backslash) followed by a terminator, as demonstrated by "\\\0", which triggers a buffer overflow and over-read.
8 CVE-2015-4418 284 2015-06-08 2015-06-09
5.0
None Remote Low Not required None Partial None
Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.
9 CVE-2015-4415 22 Dir. Trav. 2015-06-10 2015-06-11
5.0
None Remote Low Not required Partial None None
Multiple directory traversal vulnerabilities in func.php in Magnifica Webscripts Anima Gallery 2.6 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) theme or (2) lang cookie parameter to AnimaGallery/.
10 CVE-2015-4414 22 Dir. Trav. 2015-06-17 2015-06-18
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in download_audio.php in the SE HTML5 Album Audio Player (se-html5-album-audio-player) plugin 1.1.0 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter.
11 CVE-2015-4398 2015-06-16 2015-06-25
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the Chaos tool suite (ctools) module before 6.x-1.12 and 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors involving processing confirmation delete pages.
12 CVE-2015-4396 352 CSRF 2015-06-15 2015-06-17
5.1
None Remote High Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Keyword Research module 6.x-1.x before 6.x-1.2 for Drupal allow remote attackers to hijack the authentication of users with the "kwresearch admin site keywords" permission for requests that (1) create, (2) delete, or (3) set priorities to keywords via unspecified vectors.
13 CVE-2015-4394 264 Bypass +Info 2015-06-15 2015-06-16
5.0
None Remote Low Not required Partial None None
The Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote attackers to bypass the field_access restriction and obtain sensitive private field information via unspecified vectors.
14 CVE-2015-4371 2015-06-15 2015-06-26
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the Perfecto module before 7.x-1.2 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in an unspecified parameter.
15 CVE-2015-4368 2015-06-15 2015-06-16
5.0
None Remote Low Not required None Partial None
The Commerce Ogone module 7.x-1.x before 7.x-1.5 for Drupal allows remote attackers to complete the checkout for an order without paying via unspecified vectors.
16 CVE-2015-4363 2015-06-15 2015-06-30
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the finder_form_goto function in the Finder module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.
17 CVE-2015-4353 352 CSRF 2015-06-15 2015-06-16
5.8
None Remote Medium Not required None Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Custom Sitemap module for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete sitemaps via unspecified vectors.
18 CVE-2015-4352 352 CSRF 2015-06-15 2015-06-16
5.8
None Remote Medium Not required None Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Spider Video Player module for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete videos via unspecified vectors.
19 CVE-2015-4349 352 CSRF 2015-06-15 2015-06-30
5.8
None Remote Medium Not required None Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Spider Contacts module for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete contact categories via unspecified vectors.
20 CVE-2015-4345 200 +Info 2015-06-15 2015-06-16
5.0
None Remote Low Not required Partial None None
The RESTWS Basic Auth submodule in the RESTful Web Services module 7.x-1.x before 7.x-1.5 and 7.x-2.x before 7.x-2.3 for Drupal caches pages for authenticated requests, which allows remote attackers to obtain sensitive information via unspecified vectors.
21 CVE-2015-4344 264 Bypass 2015-06-15 2015-06-16
5.0
None Remote Low Not required None Partial None
The Services Basic Authentication module 7.x-1.x through 7.x-1.3 for Drupal allows remote attackers to bypass intended resource restrictions via vectors related to page caching.
22 CVE-2015-4229 200 +Info 2015-06-30 2015-06-30
5.0
None Remote Low Not required Partial None None
The web framework in Cisco Unified Communications Domain Manager 8.1(4)ER1 allows remote attackers to obtain sensitive information by visiting a bvsmweb URL, aka Bug ID CSCuq22589.
23 CVE-2015-4228 399 DoS 2015-07-02 2015-07-02
5.4
None Remote High Not required None None Complete
Cisco Digital Content Manager (DCM) 15.0.0 might allow remote ad servers to cause a denial of service (reboot) via malformed ad messages, aka Bug ID CSCur13999.
24 CVE-2015-4223 399 DoS 2015-06-25 2015-06-26
5.0
None Remote Low Not required None Partial None
Cisco IOS XR 5.1.3 allows remote attackers to cause a denial of service (process reload) via crafted MPLS Label Distribution Protocol (LDP) packets, aka Bug ID CSCuu77478.
25 CVE-2015-4218 200 +Info 2015-06-24 2015-06-24
5.0
None Remote Low Not required Partial None None
The web-based user interface in Cisco Jabber through 9.6(3) and 9.7 through 9.7(5) on Windows allows remote attackers to obtain sensitive information via a crafted value in a GET request, aka Bug IDs CSCuu65622 and CSCuu70858.
26 CVE-2015-4216 200 Bypass +Info 2015-06-26 2015-06-26
5.0
None Remote Low Not required Partial None None
The remote-support feature on Cisco Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv), and Security Management Virtual Appliance (SMAv) devices before 2015-06-25 uses the same default SSH root authorized key across different customers' installations, which makes it easier for remote attackers to bypass authentication by leveraging knowledge of a private key from another installation, aka Bug IDs CSCuu95988, CSCuu95994, and CSCuu96630.
27 CVE-2015-4212 200 +Info 2015-06-24 2015-06-24
5.0
None Remote Low Not required Partial None None
Cisco WebEx Meeting Center allows remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by discovering credentials, aka Bug ID CSCut17466.
28 CVE-2015-4207 200 Bypass +Info 2015-06-23 2015-06-23
5.0
None Remote Low Not required Partial None None
Cisco WebEx Meeting Center places a meeting's access number in a URL, which allows remote attackers to obtain sensitive information and bypass intended attendance restrictions by visiting a meeting-registration page, aka Bug ID CSCus62147.
29 CVE-2015-4205 399 DoS 2015-06-23 2015-06-23
5.7
None Local Network Medium Not required None None Complete
Cisco IOS XR 5.3.1 on ASR 9000 devices allows remote attackers to cause a denial of service (NPU chip reset or line-card reload) by sending crafted IEEE 802.3x flow-control PAUSE frames on the local network, aka Bug ID CSCut19959.
30 CVE-2015-4203 362 DoS 2015-06-23 2015-06-23
5.4
None Remote High Not required None None Complete
Race condition in Cisco IOS 12.2SCH in the Performance Routing Engine (PRE) module on uBR10000 devices, when NetFlow and an MPLS IPv6 VPN are configured, allows remote attackers to cause a denial of service (PXF process crash) by sending malformed MPLS 6VPE packets quickly, aka Bug ID CSCud83396.
31 CVE-2015-4202 200 +Info 2015-06-20 2015-06-22
5.0
None Remote Low Not required Partial None None
Cisco IOS 12.2SCH on uBR10000 router Cable Modem Termination Systems (CMTS) does not properly restrict access to the IP Detail Record (IPDR) service, which allows remote attackers to obtain potentially sensitive MAC address and network-utilization information via crafted IPDR packets, aka Bug ID CSCua39203.
32 CVE-2015-4201 20 DoS 2015-06-20 2015-06-22
5.0
None Remote Low Not required None None Partial
The Gateway General Packet Radio Service Support Node (GGSN) component on Cisco ASR 5000 devices with software 17.2.0.59184 and 18.0.L0.59219 allows remote attackers to cause a denial of service (Session Manager restart) via an invalid TCP/IP header, aka Bug ID CSCut68058.
33 CVE-2015-4194 200 +Info 2015-06-18 2015-06-19
5.0
None Remote Low Not required Partial None None
The web-based administrative interface in Cisco WebEx Meeting Center provides different error messages for failed login attempts depending on whether the username exists or corresponds to a privileged account, which allows remote attackers to enumerate account names and obtain sensitive information via a series of requests, aka Bug ID CSCuf28861.
34 CVE-2015-4191 399 DoS 2015-06-18 2015-06-19
5.0
None Remote Low Not required None None Partial
Cisco IOS XR 5.2.1 allows remote attackers to cause a denial of service (ipv6_io service reload) via a malformed IPv6 packet, aka Bug ID CSCuq95565.
35 CVE-2015-4188 89 Exec Code Sql 2015-06-17 2015-06-17
5.0
None Remote Low Not required Partial None None
SQL injection vulnerability in the Manager interface in Cisco Prime Collaboration 10.5(1) allows remote attackers to execute arbitrary SQL commands via a crafted URL, aka Bug IDs CSCuu29910, CSCuu29928, and CSCuu59104.
36 CVE-2015-4184 20 Bypass 2015-06-13 2015-06-15
5.0
None Remote Low Not required None Partial None
The anti-spam scanner on Cisco Email Security Appliance (ESA) devices 3.3.1-09, 7.5.1-gpl-022, and 8.5.6-074 allows remote attackers to bypass intended e-mail restrictions via a malformed DNS SPF record, aka Bug IDs CSCuu35853 and CSCuu37733.
37 CVE-2015-4182 264 Bypass +Info 2015-06-12 2015-06-15
5.5
None Remote Low Single system Partial Partial None
The administrative web interface in Cisco Identity Services Engine (ISE) before 1.3 allows remote authenticated users to bypass intended access restrictions, and obtain sensitive information or change settings, via unspecified vectors, aka Bug ID CSCui72087.
38 CVE-2015-4158 DoS 2015-06-02 2015-06-03
5.0
None Remote Low Not required None None Partial
SAP ABAP & Java Server allows remote attackers to cause a denial of service (service termination) via unspecified vectors, aka SAP Security Note 2121661.
39 CVE-2015-4157 DoS 2015-06-02 2015-06-03
5.0
None Remote Low Not required None None Partial
SAP Content Server allows remote attackers to cause a denial of service (service termination) via unspecified vectors, aka SAP Security Note 2127995.
40 CVE-2015-4153 22 Dir. Trav. 2015-06-10 2015-06-11
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress allows remote attackers to include and execute arbitrary php files via a relative path in the template parameter in a load_template action to wp-admin/admin-ajax.php.
41 CVE-2015-4148 20 +Info 2015-06-09 2015-06-10
5.0
None Remote Low Not required Partial None None
The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue.
42 CVE-2015-4146 DoS 2015-06-15 2015-06-16
5.0
None Remote Low Not required None None Partial
The EAP-pwd peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not clear the L (Length) and M (More) flags before determining if a response should be fragmented, which allows remote attackers to cause a denial of service (crash) via a crafted message.
43 CVE-2015-4145 399 DoS 2015-06-15 2015-06-16
5.0
None Remote Low Not required None None Partial
The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate a fragment is already being processed, which allows remote attackers to cause a denial of service (memory leak) via a crafted message.
44 CVE-2015-4144 119 DoS Overflow 2015-06-15 2015-06-16
5.0
None Remote Low Not required None None Partial
The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 does not validate that a message is long enough to contain the Total-Length field, which allows remote attackers to cause a denial of service (crash) via a crafted message.
45 CVE-2015-4143 119 DoS Overflow 2015-06-15 2015-06-16
5.0
None Remote Low Not required None None Partial
The EAP-pwd server and peer implementation in hostapd and wpa_supplicant 1.0 through 2.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted (1) Commit or (2) Confirm message payload.
46 CVE-2015-4134 2015-05-28 2015-06-25
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in goto.php in phpwind 8.7 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.
47 CVE-2015-4094 310 +Info 2015-06-02 2015-06-03
5.8
None Remote Medium Not required Partial Partial None
The Thycotic Password Manager Secret Server application through 2.3 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
48 CVE-2015-4024 399 DoS 2015-06-09 2015-06-10
5.0
None Remote Low Not required None None Partial
Algorithmic complexity vulnerability in the multipart_buffer_headers function in main/rfc1867.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 allows remote attackers to cause a denial of service (CPU consumption) via crafted form data that triggers an improper order-of-growth outcome.
49 CVE-2015-4021 189 DoS Mem. Corr. 2015-06-09 2015-06-10
5.0
None Remote Low Not required None None Partial
The phar_parse_tarfile function in ext/phar/tar.c in PHP before 5.4.41, 5.5.x before 5.5.25, and 5.6.x before 5.6.9 does not verify that the first character of a filename is different from the \0 character, which allows remote attackers to cause a denial of service (integer underflow and memory corruption) via a crafted entry in a tar archive.
50 CVE-2015-4016 17 DoS 2015-05-20 2015-06-25
5.0
None Remote Low Not required None None Partial
The client detection protocol in Valve Steam allows remote attackers to cause a denial of service (process crash) via a crafted response to a broadcast packet.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.