CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (Gain Information)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-4453 Bypass +Info 2015-07-04 2015-07-04
0.0
None ??? ??? ??? ??? ??? ???
The web interface in OpenEMR 2.x, 3.x, and 4.x before 4.2.0 patch 2 allows remote attackers to bypass authentication and obtain sensitive information via unspecified vectors.
2 CVE-2015-4395 200 +Info 2015-06-15 2015-06-16
3.5
None Remote Medium Single system Partial None None
The HybridAuth Social Login module 7.x-2.x before 7.x-2.10 for Drupal stores passwords in plaintext when the "Ask user for a password when registering" option is enabled, which allows remote authenticated users with certain permissions to obtain sensitive information by leveraging access to the database.
3 CVE-2015-4394 264 Bypass +Info 2015-06-15 2015-06-16
5.0
None Remote Low Not required Partial None None
The Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote attackers to bypass the field_access restriction and obtain sensitive private field information via unspecified vectors.
4 CVE-2015-4375 200 +Info 2015-06-15 2015-06-16
4.3
None Remote Medium Not required Partial None None
The Chaos tool suite (ctools) module 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to obtain sensitive node titles via (1) an autocomplete search on custom entities without an access query tag or (2) leveraging knowledge of the ID of an entity.
5 CVE-2015-4345 200 +Info 2015-06-15 2015-06-16
5.0
None Remote Low Not required Partial None None
The RESTWS Basic Auth submodule in the RESTful Web Services module 7.x-1.x before 7.x-1.5 and 7.x-2.x before 7.x-2.3 for Drupal caches pages for authenticated requests, which allows remote attackers to obtain sensitive information via unspecified vectors.
6 CVE-2015-4229 200 +Info 2015-06-30 2015-06-30
5.0
None Remote Low Not required Partial None None
The web framework in Cisco Unified Communications Domain Manager 8.1(4)ER1 allows remote attackers to obtain sensitive information by visiting a bvsmweb URL, aka Bug ID CSCuq22589.
7 CVE-2015-4225 264 +Info 2015-06-27 2015-06-29
4.0
None Remote Low Single system Partial None None
Cisco Application Policy Infrastructure Controller (APIC) 1.0(1.110a) and 1.0(1e) on Nexus 9000 devices does not properly implement RBAC health scoring, which allows remote authenticated users to obtain sensitive information via unspecified vectors, aka Bug ID CSCuq77485.
8 CVE-2015-4219 200 +Info 2015-06-24 2015-06-24
4.0
None Remote Low Single system Partial None None
Cisco Secure Access Control System before 5.4(0.46.2) and 5.5 before 5.5(0.46) and Cisco Identity Services Engine 1.0(4.573) do not properly implement access control for support bundles, which allows remote authenticated users to obtain sensitive information via brute-force attempts to send valid credentials, aka Bug IDs CSCue00833 and CSCub40331.
9 CVE-2015-4218 200 +Info 2015-06-24 2015-06-24
5.0
None Remote Low Not required Partial None None
The web-based user interface in Cisco Jabber through 9.6(3) and 9.7 through 9.7(5) on Windows allows remote attackers to obtain sensitive information via a crafted value in a GET request, aka Bug IDs CSCuu65622 and CSCuu70858.
10 CVE-2015-4216 200 Bypass +Info 2015-06-26 2015-06-26
5.0
None Remote Low Not required Partial None None
The remote-support feature on Cisco Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv), and Security Management Virtual Appliance (SMAv) devices before 2015-06-25 uses the same default SSH root authorized key across different customers' installations, which makes it easier for remote attackers to bypass authentication by leveraging knowledge of a private key from another installation, aka Bug IDs CSCuu95988, CSCuu95994, and CSCuu96630.
11 CVE-2015-4214 200 +Info 2015-06-24 2015-06-24
4.0
None Remote Low Single system Partial None None
Cisco Unified MeetingPlace 8.6(1.2) and 8.6(1.9) allows remote authenticated users to discover cleartext passwords by reading HTML source code, aka Bug ID CSCuu33050.
12 CVE-2015-4213 200 +Info 2015-06-24 2015-06-24
4.0
None Remote Low Single system Partial None None
Cisco NX-OS 1.1(1g) on Nexus 9000 devices allows remote authenticated users to discover cleartext passwords by leveraging the existence of a decryption mechanism, aka Bug ID CSCuu84391.
13 CVE-2015-4212 200 +Info 2015-06-24 2015-06-24
5.0
None Remote Low Not required Partial None None
Cisco WebEx Meeting Center allows remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by discovering credentials, aka Bug ID CSCut17466.
14 CVE-2015-4209 200 +Info 2015-06-23 2015-06-23
6.4
None Remote Low Not required Partial None Partial
Cisco WebEx Meeting Center does not properly determine authorization for reading a host calendar, which allows remote attackers to obtain sensitive information by obtaining a list of all meetings and then sending a calendar request for each one, aka Bug ID CSCur23913.
15 CVE-2015-4208 89 Sql +Info 2015-06-24 2015-06-24
7.5
None Remote Low Not required Partial Partial Partial
Cisco WebEx Meeting Center does not properly restrict the content of URLs in GET requests, which allows remote attackers to obtain sensitive information or conduct SQL injection attacks via vectors involving read access to a request, aka Bug ID CSCup88398.
16 CVE-2015-4207 200 Bypass +Info 2015-06-23 2015-06-23
5.0
None Remote Low Not required Partial None None
Cisco WebEx Meeting Center places a meeting's access number in a URL, which allows remote attackers to obtain sensitive information and bypass intended attendance restrictions by visiting a meeting-registration page, aka Bug ID CSCus62147.
17 CVE-2015-4202 200 +Info 2015-06-20 2015-06-22
5.0
None Remote Low Not required Partial None None
Cisco IOS 12.2SCH on uBR10000 router Cable Modem Termination Systems (CMTS) does not properly restrict access to the IP Detail Record (IPDR) service, which allows remote attackers to obtain potentially sensitive MAC address and network-utilization information via crafted IPDR packets, aka Bug ID CSCua39203.
18 CVE-2015-4194 200 +Info 2015-06-18 2015-06-19
5.0
None Remote Low Not required Partial None None
The web-based administrative interface in Cisco WebEx Meeting Center provides different error messages for failed login attempts depending on whether the username exists or corresponds to a privileged account, which allows remote attackers to enumerate account names and obtain sensitive information via a series of requests, aka Bug ID CSCuf28861.
19 CVE-2015-4182 264 Bypass +Info 2015-06-12 2015-06-15
5.5
None Remote Low Single system Partial Partial None
The administrative web interface in Cisco Identity Services Engine (ISE) before 1.3 allows remote authenticated users to bypass intended access restrictions, and obtain sensitive information or change settings, via unspecified vectors, aka Bug ID CSCui72087.
20 CVE-2015-4171 200 +Info 2015-06-10 2015-06-11
2.6
None Remote High Not required Partial None None
strongSwan 4.3.0 through 5.x before 5.3.2 and strongSwan VPN Client before 1.4.6, when using EAP or pre-shared keys for authenticating an IKEv2 connection, does not enforce server authentication restrictions until the entire authentication process is complete, which allows remote servers to obtain credentials by using a valid certificate and then reading the responses.
21 CVE-2015-4162 +Info 2015-06-02 2015-06-03
4.0
None Remote Low Single system Partial None None
XML external entity (XXE) vulnerability in the management interface in PAN-OS before 5.0.16, 6.x before 6.0.8, and 6.1.x before 6.1.4 allows remote authenticated administrators to obtain sensitive information via crafted XML data.
22 CVE-2015-4161 264 +Priv +Info 2015-06-02 2015-06-03
7.5
None Remote Low Not required Partial Partial Partial
SAP Afaria does not properly restrict access to unspecified functionality, which allows remote attackers to obtain sensitive information, gain privileges, or have other unspecified impact via unknown vectors, SAP Security Note 2155690.
23 CVE-2015-4148 20 +Info 2015-06-09 2015-06-10
5.0
None Remote Low Not required Partial None None
The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obtain sensitive information by providing crafted serialized data with an int data type, related to a "type confusion" issue.
24 CVE-2015-4138 200 +Info 2015-05-30 2015-06-02
4.3
None Remote Medium Not required Partial None None
The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not include the HTTPOnly flag in a Set-Cookie header for the administrator's cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, a different vulnerability than CVE-2015-2855.
25 CVE-2015-4106 284 DoS +Priv +Info 2015-06-03 2015-06-04
7.2
None Local Low Not required Complete Complete Complete
QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which mighy allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.
26 CVE-2015-4094 310 +Info 2015-06-02 2015-06-03
5.8
None Remote Medium Not required Partial Partial None
The Thycotic Password Manager Secret Server application through 2.3 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
27 CVE-2015-4080 310 +Info 2015-06-09 2015-06-10
6.8
None Remote Medium Not required Partial Partial Partial
The Kankun Smart Socket device and mobile application uses a hardcoded AES 256 bit key, which makes it easier for remote attackers to (1) obtain sensitive information by sniffing the network and (2) obtain access to the device by encrypting messages.
28 CVE-2015-4069 200 +Info 2015-05-29 2015-06-02
7.8
None Remote Low Not required Complete None None
The EdgeServiceImpl web service in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive credentials via a crafted SOAP request to the (1) getBackupPolicy or (2) getBackupPolicies method.
29 CVE-2015-4068 22 DoS Dir. Trav. +Info 2015-05-29 2015-06-02
9.4
None Remote Low Not required Complete None Complete
Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of service via a crafted file path to the (1) reportFileServlet or (2) exportServlet servlet.
30 CVE-2015-4053 200 +Info 2015-06-08 2015-06-25
2.1
None Local Low Not required Partial None None
The admin command in ceph-deploy before 1.5.25 uses world-readable permissions for /etc/ceph/ceph.client.admin.keyring, which allows local users to obtain sensitive information by reading the file.
31 CVE-2015-4004 119 DoS Overflow +Info 2015-06-07 2015-06-08
8.5
None Remote Low Not required Partial None Complete
The OZWPAN driver in the Linux kernel through 4.0.5 relies on an untrusted length field during packet parsing, which allows remote attackers to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via a crafted packet.
32 CVE-2015-3999 200 +Info 2015-05-20 2015-05-21
2.1
None Local Low Not required Partial None None
Piriform CCleaner 3.26.0.1988 through 5.02.5101 writes the filenames to disk when overwriting files, which allows local users to obtain sensitive information by searching unallocated disk space.
33 CVE-2015-3995 200 +Info 2015-05-29 2015-06-02
4.0
None Remote Low Single system Partial None None
SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to read arbitrary files via an IMPORT FROM SQL statement, aka SAP Security Note 2109565.
34 CVE-2015-3983 310 +Info 2015-05-14 2015-05-15
4.3
None Remote Medium Not required Partial None None
The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. NOTE: this issue was SPLIT from CVE-2015-1848 per ADT2 due to different vulnerability types.
35 CVE-2015-3981 200 +Info 2015-05-12 2015-05-14
5.0
None Remote Low Not required Partial None None
SAP NetWeaver RFC SDK allows attackers to obtain sensitive information via unspecified vectors, aka SAP Security Note 2084037.
36 CVE-2015-3978 200 +Info 2015-05-12 2015-05-14
2.1
None Local Low Not required Partial None None
SAP Sybase Unwired Platform Online Data Proxy allows local users to obtain usernames and passwords via the DataVault, aka SAP Security Note 2094830.
37 CVE-2015-3951 200 +Info 2015-06-13 2015-06-15
5.0
None Remote Low Not required Partial None None
RLE Nova-Wind Turbine HMI devices store cleartext credentials, which allows remote attackers to obtain sensitive information via unspecified vectors.
38 CVE-2015-3949 200 +Info 2015-06-13 2015-06-15
2.1
None Local Low Not required Partial None None
Sinapsi eSolar Light with firmware before 2.0.3970_schsl_2.2.85 allows attackers to discover cleartext passwords by reading the HTML source code of the mail-configuration page.
39 CVE-2015-3923 200 +Info 2015-06-10 2015-06-11
5.0
None Remote Low Not required Partial None None
Coppermine Photo Gallery before 1.5.36 allows remote attackers to enumerate directories via a full path in the folder parameter to minibrowser.php.
40 CVE-2015-3912 200 +Info 2015-05-21 2015-05-22
5.0
None Remote Low Not required Partial None None
Huawei E355s Mobile WiFi with firmware before 22.158.45.02.625 and WEBUI before 13.100.04.01.625 allows remote attackers to obtain sensitive configuration information by sniffing the network or sending unspecified commands.
41 CVE-2015-3903 310 +Info 2015-05-26 2015-06-30
4.3
None Remote Medium Not required None Partial None
libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables X.509 certificate verification for GitHub API calls over SSL, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
42 CVE-2015-3721 +Info 2015-07-02 2015-07-02
0.0
None ??? ??? ??? ??? ??? ???
The kernel in Apple iOS before 8.4 and OS X before 10.10.4 does not properly handle HFS parameters, which allows attackers to obtain sensitive memory-layout information via a crafted app.
43 CVE-2015-3720 +Info 2015-07-02 2015-07-02
0.0
None ??? ??? ??? ??? ??? ???
The kernel in Apple OS X before 10.10.4 does not properly manage memory in kernel-extension APIs, which allows attackers to obtain sensitive memory-layout information via a crafted app.
44 CVE-2015-3711 +Info 2015-07-02 2015-07-02
0.0
None ??? ??? ??? ??? ??? ???
The NTFS implementation in Apple OS X before 10.10.4 allows attackers to obtain sensitive memory-layout information for the kernel via a crafted app.
45 CVE-2015-3690 +Info 2015-07-02 2015-07-02
0.0
None ??? ??? ??? ??? ??? ???
The DiskImages subsystem in Apple iOS before 8.4 and OS X before 10.10.4 allows attackers to obtain sensitive memory-layout information for the kernel via a crafted app.
46 CVE-2015-3677 +Info 2015-07-02 2015-07-02
0.0
None ??? ??? ??? ??? ??? ???
The LZVN compression feature in AppleFSCompression in Apple OS X before 10.10.4 allows attackers to obtain sensitive memory-layout information for the kernel via a crafted app.
47 CVE-2015-3676 +Info 2015-07-02 2015-07-02
0.0
None ??? ??? ??? ??? ??? ???
AppleGraphicsControl in Apple OS X before 10.10.4 allows attackers to obtain sensitive memory-layout information via a crafted app.
48 CVE-2015-3646 200 +Info 2015-05-12 2015-05-14
4.0
None Remote Low Single system Partial None None
OpenStack Identity (Keystone) before 2014.1.5 and 2014.2.x before 2014.2.4 logs the backend_argument configuration option content, which allows remote authenticated users to obtain passwords and other sensitive backend information by reading the Keystone logs.
49 CVE-2015-3630 264 +Info 2015-05-18 2015-06-25
7.2
None Local Low Not required Complete Complete Complete
Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image.
50 CVE-2015-3610 310 +Info 2015-05-07 2015-05-07
5.4
None Local Network Medium Not required Partial Partial Partial
The Siemens HomeControl for Room Automation application before 2.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information or modify data via a crafted certificate.
Total number of vulnerabilities : 5781   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.