CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-200

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-2077 200 +Info 2015-02-24 2015-02-27
5.0
None Remote Low Not required Partial None None
The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products.
2 CVE-2015-2076 200 +Info 2015-02-27 2015-03-02
5.0
None Remote Low Not required Partial None None
The Auditing service in SAP BussinessObjects Edge 4.0 allows remote attackers to obtains sensitive information by reading an audit event, aka SAP Note 2011395.
3 CVE-2015-1618 200 +Info 2015-02-17 2015-02-18
4.0
None Remote Low Single system Partial None None
The ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3.400 allows remote authenticated users to obtain sensitive password information via a crafted URL.
4 CVE-2015-1613 200 +Info 2015-02-16 2015-02-17
4.0
None Remote Low Single system Partial None None
RhodeCode before 2.2.7 allows remote authenticated users to obtain API keys and other sensitive information via the (1) update_repo, (2) get_locks, or (3) get_user_groups API method.
5 CVE-2015-1482 200 1 Bypass +Info 2015-02-04 2015-02-05
5.0
None Remote Low Not required Partial None None
Ansible Tower (aka Ansible UI) before 2.0.5 allows remote attackers to bypass authentication and obtain sensitive information via a websocket connection to socket.io/1/.
6 CVE-2015-1480 200 1 +Info 2015-02-04 2015-02-04
4.0
None Remote Low Single system Partial None None
ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4) reports/CreateReportTable.jsp.
7 CVE-2015-1457 200 +Info 2015-02-03 2015-02-19
4.9
None Local Low Not required Complete None None
Fortinet FortiAuthenticator 3.0.0 allows local users to read arbitrary files via the -f flag to the dig command.
8 CVE-2015-1456 200 +Info 2015-02-03 2015-02-19
4.0
None Remote Low Single system Partial None None
Fortinet FortiAuthenticator 3.0.0 logs the PostgreSQL usernames and passwords in cleartext, which allows remote administrators to obtain sensitive information by reading the log at debug/startup/.
9 CVE-2015-1426 200 +Info 2015-02-23 2015-02-24
2.1
None Local Low Not required Partial None None
Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtains sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node.
10 CVE-2015-1357 200 +Info 2015-02-02 2015-02-04
5.0
None Remote Low Not required Partial None None
Siemens Ruggedcom WIN51xx devices with firmware before SS4.4.4624.35, WIN52xx devices with firmware before SS4.4.4624.35, WIN70xx devices with firmware before BS4.4.4621.32, and WIN72xx devices with firmware before BS4.4.4621.32 allow context-dependent attackers to discover password hashes by reading (1) files or (2) security logs.
11 CVE-2015-1308 200 +Info 2015-01-26 2015-01-26
4.3
None Remote Medium Not required Partial None None
kde-workspace 4.2.0 and plasma-workspace before 5.1.95 allows remote attackers to obtain input events, and consequently obtain passwords, by leveraging access to the X server when the screen is locked.
12 CVE-2015-1306 200 +Info 2015-01-22 2015-01-23
5.0
None Remote Low Not required Partial None None
The newsletter posting area in the web interface in Sympa 6.0.x before 6.0.10 and 6.1.x before 6.1.24 allows remote attackers to read arbitrary files via unspecified vectors.
13 CVE-2015-0922 200 +Info 2015-01-09 2015-02-11
5.0
None Remote Low Not required Partial None None
McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.
14 CVE-2015-0875 200 +Info 2015-02-14 2015-02-19
1.8
None Local Network High Not required Partial None None
The Ogaki Kyoritsu Bank Smartphone Passbook application 1.0.0 for Android creates a log file containing input data from the user, which allows attackers to obtain sensitive information by reading a file.
15 CVE-2015-0834 200 +Info 2015-02-25 2015-03-02
4.3
None Remote Medium Not required Partial None None
The WebRTC subsystem in Mozilla Firefox before 36.0 recognizes turns: and stuns: URIs but accesses the TURN or STUN server without using TLS, which makes it easier for man-in-the-middle attackers to discover credentials by spoofing a server and completing a brute-force attack within a short time window.
16 CVE-2015-0822 200 +Info 2015-02-25 2015-03-02
4.3
None Remote Medium Not required Partial None None
The Form Autocompletion feature in Mozilla Firefox before 36.0, Firefox ESR 31.x before 31.5, and Thunderbird before 31.5 allows remote attackers to read arbitrary files via crafted JavaScript code.
17 CVE-2015-0628 200 Bypass +Info 2015-02-19 2015-02-20
5.0
None Remote Low Not required Partial None None
The proxy engine on Cisco Web Security Appliance (WSA) devices allows remote attackers to bypass intended proxying restrictions via a malformed HTTP method, aka Bug ID CSCus79174.
18 CVE-2015-0602 200 +Info 2015-02-07 2015-02-13
5.0
None Remote Low Not required Partial None None
The mobility extension on Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier allows remote attackers to obtain sensitive information by sniffing the network, aka Bug ID CSCuq12117.
19 CVE-2015-0597 200 +Info 2015-02-01 2015-02-11
5.0
None Remote Low Not required Partial None None
The Forgot Password feature in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to enumerate administrative accounts via crafted packets, aka Bug IDs CSCuj67166 and CSCuj67159.
20 CVE-2015-0595 200 +Info 2015-02-01 2015-02-11
5.0
None Remote Low Not required Partial None None
The XMLAPI in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to obtain sensitive information by reading return messages from crafted GET requests, aka Bug ID CSCuj67079.
21 CVE-2015-0590 200 +Info 2015-01-17 2015-02-11
5.0
None Remote Low Not required Partial None None
Cisco WebEx Meeting Center allows remote attackers to activate disabled meeting attributes, and consequently obtain sensitive information, by providing crafted parameters during a meeting-join action, aka Bug ID CSCuo34165.
22 CVE-2015-0583 200 +Info 2015-01-14 2015-02-05
5.0
None Remote Low Not required Partial None None
Cisco WebEx Meeting Center does not properly restrict the content of URLs, which allows remote attackers to obtain sensitive information via vectors related to file: URIs, aka Bug ID CSCus18281.
23 CVE-2015-0519 200 +Info 2015-02-14 2015-02-20
2.1
None Local Low Not required Partial None None
The InputAccel Database (IADB) installation process in EMC Captiva Capture 7.0 before patch 25 and 7.1 before patch 13 places a cleartext InputAccel (IA) SQL password in a DAL log file, which allows local users to obtain sensitive information by reading a file.
24 CVE-2015-0517 200 +Info 2015-02-14 2015-02-20
4.0
None Remote Low Single system Partial None None
The D2-API component in EMC Documentum D2 3.1 through SP1, 4.0 and 4.1 before 4.1 P22, and 4.2 before P11 places the MD5 hash of an encryption passphrase in log files, which allows remote authenticated users to obtain sensitive information by reading a file.
25 CVE-2015-0514 200 +Info 2015-01-21 2015-01-23
5.0
None Remote Low Not required Partial None None
EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 might allow remote attackers to obtain cleartext data-center discovery credentials by leveraging certain SRM access to conduct a decryption attack.
26 CVE-2015-0260 200 +Info 2015-02-16 2015-02-17
4.0
None Remote Low Single system Partial None None
RhodeCode before 2.2.7 and Kallithea 0.1 allows remote authenticated users to obtain API keys and other sensitive information via the get_repo API method.
27 CVE-2015-0255 200 DoS +Info 2015-02-13 2015-02-26
6.4
None Remote Low Not required Partial None Partial
X.Org Server (aka xserver and xorg-server) before 1.16.3 and 1.17.x before 1.17.1 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (crash) via a crafted string length value in a XkbSetGeometry request.
28 CVE-2015-0236 200 +Info 2015-01-29 2015-02-20
3.5
None Remote Medium Single system Partial None None
libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface.
29 CVE-2015-0070 200 +Info 2015-02-10 2015-02-18
4.3
None Remote Medium Not required Partial None None
Microsoft Internet Explorer 6 through 11 allows remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka "Internet Explorer Cross-domain Information Disclosure Vulnerability."
30 CVE-2015-0061 200 +Info 2015-02-10 2015-02-18
4.3
None Remote Medium Not required Partial None None
Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly initialize memory for TIFF images, which allows remote attackers to obtain sensitive information from process memory via a crafted image file, aka "TIFF Processing Information Disclosure Vulnerability."
31 CVE-2015-0010 200 Bypass +Info 2015-02-10 2015-02-18
1.9
None Local Medium Not required Partial None None
The CryptProtectMemory function in cng.sys (aka the Cryptography Next Generation driver) in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, when the CRYPTPROTECTMEMORY_SAME_LOGON option is used, does not check an impersonation token's level, which allows local users to bypass intended decryption restrictions by leveraging a service that (1) has a named-pipe planting vulnerability or (2) uses world-readable shared memory for encrypted data, aka "CNG Security Feature Bypass Vulnerability" or MSRC ID 20707.
32 CVE-2014-10026 200 Bypass +Info 2015-01-13 2015-01-13
5.0
None Remote Low Not required Partial None None
index.cgi in D-Link DAP-1360 with firmware 2.5.4 and earlier allows remote attackers to bypass authentication and obtain sensitive information by setting the client_login cookie to admin.
33 CVE-2014-10005 200 +Info 2015-01-13 2015-01-13
5.0
None Remote Low Not required Partial None None
Maian Uploader 4.0 allows remote attackers to obtain sensitive information via a request without the height parameter to load_flv.js.php, which reveals the installation path in an error message.
34 CVE-2014-100009 200 +Info 2015-01-13 2015-01-13
5.0
None Remote Low Not required Partial None None
The Joomlaskin JS Multi Hotel (aka JS MultiHotel and Js-Multi-Hotel) plugin 2.2.1 and earlier for WordPress allows remote attackers to obtain the installation path via a request to (1) functions.php, (2) myCalendar.php, (3) refreshDate.php, (4) show_image.php, (5) widget.php, (6) phpthumb/GdThumb.inc.php, or (7) phpthumb/thumb_plugins/gd_reflection.inc.php in includes/.
35 CVE-2014-9593 200 +Info 2015-01-15 2015-01-16
5.0
None Remote Low Not required Partial None None
Apache CloudStack before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to obtain private keys via a listSslCerts API call.
36 CVE-2014-9579 200 +Info 2015-01-08 2015-01-08
5.0
None Remote Low Not required Partial None None
VDG Security SENSE (formerly DIVA) 2.3.13 stores administrator credentials in cleartext, which allows attackers to obtain sensitive information by reading the plugin configuration files.
37 CVE-2014-9577 200 +Info 2015-01-08 2015-01-08
4.0
None Remote Low Single system Partial None None
VDG Security SENSE (formerly DIVA) 2.3.13 sends the user database when a user logs in, which allows remote authenticated users to obtain usernames and password hashes by logging in to TCP port 51410 and reading the response.
38 CVE-2014-9576 200 +Info 2015-01-08 2015-01-08
5.0
None Remote Low Not required Partial None None
VDG Security SENSE (formerly DIVA) 2.3.13 has a hardcoded password of (1) ArpaRomaWi for the root Postgres account and !DVService for the (2) postgres and (3) NTP Windows user accounts, which allows remote attackers to obtain access.
39 CVE-2014-9568 200 +Info 2015-02-03 2015-02-17
2.1
None Local Low Not required Partial None None
puppetlabs-rabbitmq 3.0 through 4.1 stores the RabbitMQ Erlang cookie value in the facts of a node, which allows local users to obtain sensitive information as demonstrated by using Facter.
40 CVE-2014-9506 200 +Info 2015-01-04 2015-01-10
3.5
None Remote Medium Single system Partial None None
MantisBT before 1.2.18 does not properly check permissions when sending an email that indicates when a monitored issue is related to another issue, which allows remote authenticated users to obtain sensitive information about restricted issues.
41 CVE-2014-9423 200 +Info 2015-02-19 2015-02-19
5.0
None Remote Low Not required Partial None None
The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field.
42 CVE-2014-9419 200 Bypass +Info 2014-12-25 2014-12-29
2.1
None Local Low Not required Partial None None
The __switch_to function in arch/x86/kernel/process_64.c in the Linux kernel through 3.18.1 does not ensure that Thread Local Storage (TLS) descriptors are loaded before proceeding with other steps, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application that reads a TLS base address.
43 CVE-2014-9408 200 +Info 2014-12-19 2014-12-19
5.0
None Remote Low Not required Partial None None
Ekahau B4 staff badge tag 5.7 with firmware 1.4.52, Real-Time Location System (RTLS) Controller 6.0.5-FINAL, and Activator 3 uses part of the MAC address as part of the RC4 setup key, which makes it easier for remote attackers to guess the key via a brute-force attack.
44 CVE-2014-9361 200 +Priv +Info 2014-12-10 2014-12-11
4.3
None Remote Medium Not required Partial None None
The LoginToboggan module 7.x-1.x before 7.x-1.4 for Drupal does not properly unset the authorized user role for certain users, which allows remote attackers with the pre-authorized role to gain privileges and possibly obtain sensitive information by accessing a Page Not Found (404) page.
45 CVE-2014-9355 200 +Info 2014-12-19 2014-12-22
4.0
None Remote Low Single system Partial None None
Puppet Enterprise before 3.7.1 allows remote authenticated users to obtain licensing and certificate signing request information by leveraging access to an unspecified API endpoint.
46 CVE-2014-9354 200 +Info 2015-02-06 2015-02-09
4.0
None Remote Low Single system Partial None None
NetApp OnCommand Balance before 4.2P3 allows local users to obtain sensitive information via unspecified vectors related to cleartext storage.
47 CVE-2014-9303 200 +Info 2014-12-07 2014-12-08
7.8
None Remote Low Not required Complete None None
EntryPass N5200 Active Network Control Panel allows remote attackers to read device memory and obtain the administrator username and password via a URL starting with an ASCII character o through z or A through D, different vectors than CVE-2014-8868.
48 CVE-2014-9279 200 +Info 2014-12-08 2014-12-09
5.0
None Remote Low Not required Partial None None
The print_test_result function in admin/upgrade_unattended.php in MantisBT 1.1.0a3 through 1.2.x before 1.2.18 allows remote attackers to obtain database credentials via a URL in the hostname parameter and reading the parameters in the response sent to the URL.
49 CVE-2014-9252 200 +Info 2014-12-15 2014-12-16
2.1
None Local Low Not required Partial None None
Zenoss Core through 5 Beta 3 stores cleartext passwords in the session database, which might allow local users to obtain sensitive information by reading database entries, aka ZEN-15416.
50 CVE-2014-9250 200 +Info 2014-12-15 2014-12-16
5.0
None Remote Low Not required Partial None None
Zenoss Core through 5 Beta 3 does not include the HTTPOnly flag in a Set-Cookie header for the authentication cookie, which makes it easier for remote attackers to obtain credential information via script access to this cookie, aka ZEN-10418.
Total number of vulnerabilities : 1856   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.