CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (Gain Information)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-2214 200 +Info 2015-03-05 2015-03-05
5.0
None Remote Low Not required Partial None None
NetCat 5.01 and earlier allows remote attackers to obtain the installation path via the redirect_url parameter to netshop/post.php.
2 CVE-2015-2209 200 +Info 2015-03-04 2015-03-05
5.0
None Remote Low Not required Partial None None
DLGuard 4.5 allows remote attackers to obtain the installation path via the c parameter to index.php.
3 CVE-2015-2077 200 +Info 2015-02-24 2015-02-27
5.0
None Remote Low Not required Partial None None
The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products.
4 CVE-2015-2076 200 +Info 2015-02-27 2015-03-02
5.0
None Remote Low Not required Partial None None
The Auditing service in SAP BussinessObjects Edge 4.0 allows remote attackers to obtains sensitive information by reading an audit event, aka SAP Note 2011395.
5 CVE-2015-1618 200 +Info 2015-02-17 2015-02-18
4.0
None Remote Low Single system Partial None None
The ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3.400 allows remote authenticated users to obtain sensitive password information via a crafted URL.
6 CVE-2015-1613 200 +Info 2015-02-16 2015-02-17
4.0
None Remote Low Single system Partial None None
RhodeCode before 2.2.7 allows remote authenticated users to obtain API keys and other sensitive information via the (1) update_repo, (2) get_locks, or (3) get_user_groups API method.
7 CVE-2015-1548 119 Overflow +Info 2015-02-10 2015-02-11
5.0
None Remote Low Not required Partial None None
mini_httpd 1.21 and earlier allows remote attackers to obtain sensitive information from process memory via an HTTP request with a long protocol string, which triggers an incorrect response size calculation and an out-of-bounds read.
8 CVE-2015-1482 200 1 Bypass +Info 2015-02-04 2015-02-05
5.0
None Remote Low Not required Partial None None
Ansible Tower (aka Ansible UI) before 2.0.5 allows remote attackers to bypass authentication and obtain sensitive information via a websocket connection to socket.io/1/.
9 CVE-2015-1480 200 1 +Info 2015-02-04 2015-02-04
4.0
None Remote Low Single system Partial None None
ZOHO ManageEngine ServiceDesk Plus (SDP) before 9.0 build 9031 allows remote authenticated users to obtain sensitive ticket information via a (1) getTicketData action to servlet/AJaxServlet or a direct request to (2) swf/flashreport.swf, (3) reports/flash/details.jsp, or (4) reports/CreateReportTable.jsp.
10 CVE-2015-1457 200 +Info 2015-02-03 2015-02-19
4.9
None Local Low Not required Complete None None
Fortinet FortiAuthenticator 3.0.0 allows local users to read arbitrary files via the -f flag to the dig command.
11 CVE-2015-1456 200 +Info 2015-02-03 2015-02-19
4.0
None Remote Low Single system Partial None None
Fortinet FortiAuthenticator 3.0.0 logs the PostgreSQL usernames and passwords in cleartext, which allows remote administrators to obtain sensitive information by reading the log at debug/startup/.
12 CVE-2015-1426 200 +Info 2015-02-23 2015-02-24
2.1
None Local Low Not required Partial None None
Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtains sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node.
13 CVE-2015-1357 200 +Info 2015-02-02 2015-02-04
5.0
None Remote Low Not required Partial None None
Siemens Ruggedcom WIN51xx devices with firmware before SS4.4.4624.35, WIN52xx devices with firmware before SS4.4.4624.35, WIN70xx devices with firmware before BS4.4.4621.32, and WIN72xx devices with firmware before BS4.4.4621.32 allow context-dependent attackers to discover password hashes by reading (1) files or (2) security logs.
14 CVE-2015-1312 264 +Priv +Info 2015-01-22 2015-01-25
7.5
None Remote Low Not required Partial Partial Partial
The Dealer Portal in SAP ERP does not properly restrict access, which allows remote attackers to obtain sensitive information, gain privileges, and possibly have other unspecified impact via unknown vectors, aka SAP Note 2000401. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
15 CVE-2015-1308 200 +Info 2015-01-26 2015-01-26
4.3
None Remote Medium Not required Partial None None
kde-workspace 4.2.0 and plasma-workspace before 5.1.95 allows remote attackers to obtain input events, and consequently obtain passwords, by leveraging access to the X server when the screen is locked.
16 CVE-2015-1306 200 +Info 2015-01-22 2015-01-23
5.0
None Remote Low Not required Partial None None
The newsletter posting area in the web interface in Sympa 6.0.x before 6.0.10 and 6.1.x before 6.1.24 allows remote attackers to read arbitrary files via unspecified vectors.
17 CVE-2015-1029 264 +Priv +Info 2015-01-16 2015-01-21
6.5
None Remote Low Single system Partial Partial Partial
The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlier allows remote authenticated users to gain privileges or obtain sensitive information by prepopulating the fact cache.
18 CVE-2015-0922 200 +Info 2015-01-09 2015-02-11
5.0
None Remote Low Not required Partial None None
McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.
19 CVE-2015-0875 200 +Info 2015-02-14 2015-02-19
1.8
None Local Network High Not required Partial None None
The Ogaki Kyoritsu Bank Smartphone Passbook application 1.0.0 for Android creates a log file containing input data from the user, which allows attackers to obtain sensitive information by reading a file.
20 CVE-2015-0834 200 +Info 2015-02-25 2015-03-02
4.3
None Remote Medium Not required Partial None None
The WebRTC subsystem in Mozilla Firefox before 36.0 recognizes turns: and stuns: URIs but accesses the TURN or STUN server without using TLS, which makes it easier for man-in-the-middle attackers to discover credentials by spoofing a server and completing a brute-force attack within a short time window.
21 CVE-2015-0827 119 Overflow +Info 2015-02-25 2015-03-05
4.3
None Remote Medium Not required Partial None None
Heap-based buffer overflow in the mozilla::gfx::CopyRect function in Mozilla Firefox before 36.0, Firefox ESR 31.x before 31.5, and Thunderbird before 31.5 allows remote attackers to obtain sensitive information from uninitialized process memory via a malformed SVG graphic.
22 CVE-2015-0825 119 Overflow +Info 2015-02-25 2015-03-02
4.3
None Remote Medium Not required Partial None None
Stack-based buffer underflow in the mozilla::MP3FrameParser::ParseBuffer function in Mozilla Firefox before 36.0 allows remote attackers to obtain sensitive information from process memory via a malformed MP3 file that improperly interacts with memory allocation during playback.
23 CVE-2015-0822 200 +Info 2015-02-25 2015-03-05
4.3
None Remote Medium Not required Partial None None
The Form Autocompletion feature in Mozilla Firefox before 36.0, Firefox ESR 31.x before 31.5, and Thunderbird before 31.5 allows remote attackers to read arbitrary files via crafted JavaScript code.
24 CVE-2015-0628 200 Bypass +Info 2015-02-19 2015-02-20
5.0
None Remote Low Not required Partial None None
The proxy engine on Cisco Web Security Appliance (WSA) devices allows remote attackers to bypass intended proxying restrictions via a malformed HTTP method, aka Bug ID CSCus79174.
25 CVE-2015-0602 200 +Info 2015-02-07 2015-02-13
5.0
None Remote Low Not required Partial None None
The mobility extension on Cisco Unified IP 9900 phones with firmware 9.4(.1) and earlier allows remote attackers to obtain sensitive information by sniffing the network, aka Bug ID CSCuq12117.
26 CVE-2015-0597 200 +Info 2015-02-01 2015-02-11
5.0
None Remote Low Not required Partial None None
The Forgot Password feature in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to enumerate administrative accounts via crafted packets, aka Bug IDs CSCuj67166 and CSCuj67159.
27 CVE-2015-0595 200 +Info 2015-02-01 2015-02-11
5.0
None Remote Low Not required Partial None None
The XMLAPI in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to obtain sensitive information by reading return messages from crafted GET requests, aka Bug ID CSCuj67079.
28 CVE-2015-0590 200 +Info 2015-01-17 2015-02-11
5.0
None Remote Low Not required Partial None None
Cisco WebEx Meeting Center allows remote attackers to activate disabled meeting attributes, and consequently obtain sensitive information, by providing crafted parameters during a meeting-join action, aka Bug ID CSCuo34165.
29 CVE-2015-0583 200 +Info 2015-01-14 2015-02-05
5.0
None Remote Low Not required Partial None None
Cisco WebEx Meeting Center does not properly restrict the content of URLs, which allows remote attackers to obtain sensitive information via vectors related to file: URIs, aka Bug ID CSCus18281.
30 CVE-2015-0554 264 1 DoS +Info 2015-01-21 2015-01-23
9.4
None Remote Low Not required Complete None Complete
The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service (device restart) as demonstrated by a direct request to (1) wlsecurity.html or (2) resetrouter.html.
31 CVE-2015-0519 200 +Info 2015-02-14 2015-02-20
2.1
None Local Low Not required Partial None None
The InputAccel Database (IADB) installation process in EMC Captiva Capture 7.0 before patch 25 and 7.1 before patch 13 places a cleartext InputAccel (IA) SQL password in a DAL log file, which allows local users to obtain sensitive information by reading a file.
32 CVE-2015-0517 200 +Info 2015-02-14 2015-02-20
4.0
None Remote Low Single system Partial None None
The D2-API component in EMC Documentum D2 3.1 through SP1, 4.0 and 4.1 before 4.1 P22, and 4.2 before P11 places the MD5 hash of an encryption passphrase in log files, which allows remote authenticated users to obtain sensitive information by reading a file.
33 CVE-2015-0514 200 +Info 2015-01-21 2015-01-23
5.0
None Remote Low Not required Partial None None
EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 might allow remote attackers to obtain cleartext data-center discovery credentials by leveraging certain SRM access to conduct a decryption attack.
34 CVE-2015-0307 119 DoS Overflow +Info 2015-01-13 2015-02-13
8.5
None Remote Low Not required Partial None Complete
Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allow remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via unspecified vectors.
35 CVE-2015-0302 +Info 2015-01-13 2015-02-13
5.0
None Remote Low Not required Partial None None
Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allow attackers to obtain sensitive keystroke information via unspecified vectors.
36 CVE-2015-0260 200 +Info 2015-02-16 2015-02-17
4.0
None Remote Low Single system Partial None None
RhodeCode before 2.2.7 and Kallithea 0.1 allows remote authenticated users to obtain API keys and other sensitive information via the get_repo API method.
37 CVE-2015-0255 200 DoS +Info 2015-02-13 2015-02-26
6.4
None Remote Low Not required Partial None Partial
X.Org Server (aka xserver and xorg-server) before 1.16.3 and 1.17.x before 1.17.1 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (crash) via a crafted string length value in a XkbSetGeometry request.
38 CVE-2015-0236 200 +Info 2015-01-29 2015-03-05
3.5
None Remote Medium Single system Partial None None
libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface.
39 CVE-2015-0070 200 +Info 2015-02-10 2015-02-18
4.3
None Remote Medium Not required Partial None None
Microsoft Internet Explorer 6 through 11 allows remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka "Internet Explorer Cross-domain Information Disclosure Vulnerability."
40 CVE-2015-0061 200 +Info 2015-02-10 2015-02-18
4.3
None Remote Medium Not required Partial None None
Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly initialize memory for TIFF images, which allows remote attackers to obtain sensitive information from process memory via a crafted image file, aka "TIFF Processing Information Disclosure Vulnerability."
41 CVE-2015-0010 200 Bypass +Info 2015-02-10 2015-02-18
1.9
None Local Medium Not required Partial None None
The CryptProtectMemory function in cng.sys (aka the Cryptography Next Generation driver) in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, when the CRYPTPROTECTMEMORY_SAME_LOGON option is used, does not check an impersonation token's level, which allows local users to bypass intended decryption restrictions by leveraging a service that (1) has a named-pipe planting vulnerability or (2) uses world-readable shared memory for encrypted data, aka "CNG Security Feature Bypass Vulnerability" or MSRC ID 20707.
42 CVE-2014-10026 200 Bypass +Info 2015-01-13 2015-01-13
5.0
None Remote Low Not required Partial None None
index.cgi in D-Link DAP-1360 with firmware 2.5.4 and earlier allows remote attackers to bypass authentication and obtain sensitive information by setting the client_login cookie to admin.
43 CVE-2014-10005 200 +Info 2015-01-13 2015-01-13
5.0
None Remote Low Not required Partial None None
Maian Uploader 4.0 allows remote attackers to obtain sensitive information via a request without the height parameter to load_flv.js.php, which reveals the installation path in an error message.
44 CVE-2014-100009 200 +Info 2015-01-13 2015-01-13
5.0
None Remote Low Not required Partial None None
The Joomlaskin JS Multi Hotel (aka JS MultiHotel and Js-Multi-Hotel) plugin 2.2.1 and earlier for WordPress allows remote attackers to obtain the installation path via a request to (1) functions.php, (2) myCalendar.php, (3) refreshDate.php, (4) show_image.php, (5) widget.php, (6) phpthumb/GdThumb.inc.php, or (7) phpthumb/thumb_plugins/gd_reflection.inc.php in includes/.
45 CVE-2014-9672 119 DoS Overflow +Info 2015-02-08 2015-02-27
6.4
None Remote Low Not required Partial None Partial
Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information from process memory via a crafted FOND resource in a Mac font file.
46 CVE-2014-9596 310 +Info 2015-01-15 2015-01-16
4.3
None Remote Medium Not required Partial None None
Panasonic Arbitrator Back-End Server (BES) MK 2.0 VPU before 9.3.1 build 4.08.003.0, when USB Wi-Fi or Direct LAN is enabled, and MK 3.0 VPU before 9.3.1 build 5.06.000.0, when Embedded Wi-Fi or Direct LAN is enabled, does not use encryption, which allows remote attackers to obtain sensitive information by sniffing the network for client-server traffic, as demonstrated by Active Directory credential information.
47 CVE-2014-9593 200 +Info 2015-01-15 2015-01-16
5.0
None Remote Low Not required Partial None None
Apache CloudStack before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to obtain private keys via a listSslCerts API call.
48 CVE-2014-9584 20 +Info 2015-01-09 2015-03-05
2.1
None Local Low Not required Partial None None
The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image.
49 CVE-2014-9579 200 +Info 2015-01-08 2015-01-08
5.0
None Remote Low Not required Partial None None
VDG Security SENSE (formerly DIVA) 2.3.13 stores administrator credentials in cleartext, which allows attackers to obtain sensitive information by reading the plugin configuration files.
50 CVE-2014-9577 200 +Info 2015-01-08 2015-01-08
4.0
None Remote Low Single system Partial None None
VDG Security SENSE (formerly DIVA) 2.3.13 sends the user database when a user logs in, which allows remote authenticated users to obtain usernames and password hashes by logging in to TCP port 51410 and reading the response.
Total number of vulnerabilities : 5527   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.