CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In March 2015

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-2809 200 DoS +Info 2015-03-31 2016-07-29
5.0
None Remote Low Not required Partial None None
The Multicast DNS (mDNS) responder in Synology DiskStation Manager (DSM) before 3.1 inadvertently responds to unicast queries with source addresses that are not link-local, which allows remote attackers to cause a denial of service (traffic amplification) or obtain potentially sensitive information via port-5353 UDP packets to the Avahi component.
2 CVE-2015-2808 310 2015-03-31 2017-05-23
4.3
None Remote Medium Not required Partial None None
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic that occasionally relies on keys affected by the Invariance Weakness, and then using a brute-force approach involving LSB values, aka the "Bar Mitzvah" issue.
3 CVE-2015-2792 284 Bypass 2015-03-30 2015-03-31
7.5
None Remote Low Not required Partial Partial Partial
The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for the action GET parameter.
4 CVE-2015-2791 264 2015-03-30 2015-03-31
6.4
None Remote Low Not required None Partial Partial
The "menu sync" function in the WPML plugin before 3.1.9 for WordPress allows remote attackers to delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php.
5 CVE-2015-2790 20 2 DoS Mem. Corr. 2015-03-30 2016-12-02
4.3
None Remote Medium Not required None None Partial
Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1 allow remote attackers to cause a denial of service (memory corruption and crash) via a crafted (1) Ubyte Size in a DataSubBlock structure or (2) LZWMinimumCodeSize in a GIF image.
6 CVE-2015-2789 1 +Priv 2015-03-30 2016-12-02
4.4
None Local Medium Not required Partial Partial Partial
Unquoted Windows search path vulnerability in the Foxit Cloud Safe Update Service in the Cloud plugin in Foxit Reader 6.1 through 7.0.6.1126 allows local users to gain privileges via a Trojan horse program in the %SYSTEMDRIVE% folder.
7 CVE-2015-2787 Exec Code 2015-03-30 2016-12-30
7.5
None Remote Low Not required Partial Partial Partial
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231.
8 CVE-2015-2786 2015-03-29 2016-12-02
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in MyBB (aka MyBulletinBoard) before 1.8.4 has unknown attack vectors related to "Group join request notifications sent to wrong group leaders."
9 CVE-2015-2785 119 DoS Exec Code Overflow 2015-03-29 2015-03-30
7.5
None Remote Low Not required Partial Partial Partial
The GIF encoder in Byzanz allows remote attackers to cause a denial of service (out-of-bounds heap write and crash) or possibly execute arbitrary code via a crafted Byzanz debug data recording (ByzanzRecording file) to the byzanz-playback command.
10 CVE-2015-2776 20 DoS 2015-03-31 2016-12-02
4.3
None Remote Medium Not required None None Partial
The parse_SST function in FreeXL before 1.0.0i allows remote attackers to cause a denial of service (memory consumption) via a crafted shared strings table in a workbook.
11 CVE-2015-2773 2015-03-27 2016-12-02
5.0
None Remote Low Not required Partial None None
SVM in Websense TRITON V-Series appliances before 8.0.0 allows attackers to read arbitrary files via unspecified vectors.
12 CVE-2015-2772 2015-03-27 2016-12-02
7.5
None Remote Low Not required Partial Partial Partial
SVM in Websense TRITON V-Series appliances before 8.0.0 allows attackers to upload arbitrary files via unspecified vectors.
13 CVE-2015-2771 200 +Info 2015-03-27 2016-12-02
5.0
None Remote Low Not required Partial None None
The Mail Server in Websense TRITON AP-EMAIL and V-Series appliances before 8.0.0 uses plaintext credentials, which allows remote attackers to obtain sensitive information via unspecified vectors.
14 CVE-2015-2770 352 CSRF 2015-03-27 2015-03-30
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the command line page in Websense TRITON V-Series appliances before 8.0.0 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
15 CVE-2015-2769 352 CSRF 2015-03-27 2015-03-30
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Personal Email Manager (PEM) in Websense TRITON AP-EMAIL before 8.0.0 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.
16 CVE-2015-2768 79 XSS 2015-03-27 2016-12-02
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Websense TRITON AP-EMAIL before 8.0.0 and V-Series 7.7 appliances allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
17 CVE-2015-2767 2015-03-27 2016-12-02
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Websense TRITON AP-EMAIL before 8.0.0 has unknown impact and attack vectors, related to "Autocomplete Enabled."
18 CVE-2015-2766 255 2015-03-27 2016-12-02
5.0
None Remote Low Not required Partial None None
The Personal Email Manager (PEM) in Websense TRITON AP-EMAIL before 8.0.0 allows attackers to have unspecified impact via a brute force attack.
19 CVE-2015-2765 20 2015-03-27 2016-12-02
4.3
None Remote Medium Not required None Partial None
The Email Security Gateway in Websense TRITON AP-EMAIL before 8.0.0 allows remote attackers to conduct clickjacking attacks via unspecified vectors.
20 CVE-2015-2764 79 XSS 2015-03-27 2016-12-02
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Websense TRITON AP-DATA before 8.0.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to the DSS (1) Mobile or (2) DLP report catalog.
21 CVE-2015-2763 2015-03-27 2016-12-02
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Websense TRITON AP-EMAIL before 8.0.0 has unknown impact and attack vectors, related to port 17703.
22 CVE-2015-2762 200 +Info 2015-03-27 2016-12-02
5.0
None Remote Low Not required Partial None None
Websense TRITON AP-WEB before 8.0.0 allows remote attackers to enumerate Windows domain user accounts via vectors related to HTTP authentication.
23 CVE-2015-2761 79 XSS 2015-03-27 2016-12-02
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Exceptions and Scanning Exceptions Pages in Websense TRITON AP-WEB before 8.0.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
24 CVE-2015-2760 79 XSS 2015-03-27 2016-12-02
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3 Patch 4 Hotfix 16 (9.3.416.4) allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
25 CVE-2015-2759 352 +Info CSRF 2015-03-27 2016-12-02
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3 Patch 4 Hotfix 16 (9.3.416.4) allow remote attackers to hijack the authentication of users for requests that (1) obtain sensitive information or (2) modify the database via unspecified vectors.
26 CVE-2015-2758 264 +Info 2015-03-27 2016-12-02
6.5
None Remote Low Single system Partial Partial Partial
The ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3 Patch 4 Hotfix 16 (9.3.416.4) allows remote authenticated users to obtain sensitive information, modify the database, or possibly have other unspecified impact via a crafted URL.
27 CVE-2015-2757 399 DoS 2015-03-27 2016-12-02
4.0
None Remote Low Single system None None Partial
The ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3 Patch 4 Hotfix 16 (9.3.416.4) allows remote authenticated users to cause a denial of service (database lock or license corruption) via unspecified vectors.
28 CVE-2015-2754 20 DoS Exec Code 2015-03-31 2016-12-02
6.8
None Remote Medium Not required Partial Partial Partial
FreeXL before 1.0.0i allows remote attackers to cause a denial of service (stack corruption) and possibly execute arbitrary code via a crafted workbook, related to a "premature EOF."
29 CVE-2015-2753 20 DoS Exec Code 2015-03-31 2016-12-02
6.8
None Remote Medium Not required Partial Partial Partial
FreeXL before 1.0.0i allows remote attackers to cause a denial of service (stack corruption) or possibly execute arbitrary code via a crafted sector in a workbook.
30 CVE-2015-2748 200 +Info 2015-03-26 2015-03-27
5.0
None Remote Low Not required Partial None None
Websense TRITON AP-WEB before 8.0.0 does not properly restrict access to files in explorer_wse/, which allows remote attackers to obtain sensitive information via a direct request to a (1) Web Security incident report or the (2) Explorer configuration (websense.ini) file.
31 CVE-2015-2747 79 XSS 2015-03-26 2015-03-27
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the data loss prevention (DLP) incident Forensics Preview in Websense Triton 7.8.3 and V-Series 7.7 appliances allow remote attackers to inject arbitrary web script or HTML via a crafted (1) email or (2) HTTP request, which triggers a DLP Policy.
32 CVE-2015-2746 77 Exec Code 2015-03-26 2016-12-02
6.5
None Remote Low Single system Partial Partial Partial
The network diagnostics tool (CommandLineServlet) in the Appliance Manager command line utility (CLU) in Websense TRITON 7.8.3 and V-Series appliances before 7.8.4 Hotfix 02 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the "second" parameter of a command, as demonstrated by the Destination parameter in the ping command.
33 CVE-2015-2703 79 XSS 2015-03-25 2015-03-26
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Websense TRITON AP-WEB before 8.0.0 and V-Series 7.7 appliances allow remote attackers to inject arbitrary web script or HTML via the (1) ws-userip in the ws-encdata parameter to cve-bin/moreBlockInfo.cgi in the Data Security block page or (2) admin_msg parameter to configure/ssl_ui/eva-config/client-cert-import_wsoem.html in the Content Gateway, which is not properly handled in an error message.
34 CVE-2015-2702 79 XSS 2015-03-25 2016-12-02
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Message Log in the Email Security Gateway in Websense TRITON AP-EMAIL before 8.0.0 and V-Series 7.7 appliances allows remote attackers to inject arbitrary web script or HTML via the sender address in an email.
35 CVE-2015-2701 352 1 CSRF 2015-03-25 2016-12-02
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to profiles-update/.
36 CVE-2015-2684 20 DoS 2015-03-31 2016-12-02
4.0
None Remote Low Single system None None Partial
Shibboleth Service Provider (SP) before 2.5.4 allows remote authenticated users to cause a denial of service (crash) via a crafted SAML message.
37 CVE-2015-2683 264 Exec Code 2015-03-26 2016-12-02
7.5
None Remote Low Not required Partial Partial Partial
Citrix Command Center before 5.1 Build 35.4 and 5.2 before Build 42.7 does not properly restrict access to the Advent Java Management Extensions (JMX) Servlet, which allows remote attackers to execute arbitrary code via unspecified vectors to servlets/Jmx_dynamic.
38 CVE-2015-2682 17 2015-03-26 2016-12-02
5.0
None Remote Low Not required Partial None None
Citrix Command Center before 5.1 Build 35.4 and 5.2 before Build 42.7 allows remote attackers to obtain credentials via a direct request to conf/securitydbData.xml.
39 CVE-2015-2681 79 XSS 2015-03-23 2016-12-02
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the ASUS RT-G32 routers with firmware 2.0.2.6 and 2.0.3.2 allow remote attackers to inject arbitrary web script or HTML via the (1) next_page, (2) group_id, (3) action_script, or (4) flag parameter to start_apply.htm.
40 CVE-2015-2680 352 1 CSRF 2015-03-23 2016-12-02
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in MetalGenix GeniXCMS before 0.0.2 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via a request in the users page to gxadmin/index.php.
41 CVE-2015-2679 89 1 Exec Code Sql 2015-03-23 2016-12-02
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in MetalGenix GeniXCMS before 0.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) page parameter to index.php or (2) username parameter to gxadmin/login.php.
42 CVE-2015-2678 79 1 XSS 2015-03-23 2016-12-02
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in MetalGenix GeniXCMS before 0.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter in the categories page to gxadmin/index.php or (2) page parameter to index.php.
43 CVE-2015-2677 79 XSS 2015-03-23 2015-09-24
3.5
None Remote Medium Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in ocPortal before 9.0.17 allow remote authenticated users to inject arbitrary web script or HTML via the (1) title or (2) text field in the cms_calendar page to cms/index.php; unspecified fields in (3) the cms_polls page to cms/index.php or (4) a new topic in the topics page to forum/index.php; or (5) a new PT (private topic/private message) in the topics page to forum/index.php.
44 CVE-2015-2676 352 CSRF 2015-03-23 2016-12-02
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the ASUS RT-G32 routers with firmware 2.0.2.6 and 2.0.3.2 allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a request to start_apply.htm.
45 CVE-2015-2564 89 1 Exec Code Sql 2015-03-20 2015-03-23
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in client-edit.php in ProjectSend (formerly cFTP) r561 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to users-edit.php.
46 CVE-2015-2563 89 Exec Code Sql 2015-03-20 2015-03-23
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in groups.php in Vastal I-Tech phpVID 0.9.9 and 1.2.3 allows remote attackers to execute arbitrary SQL commands via the order_by parameter. NOTE: The cat parameter vector is already covered by CVE-2008-4157.
47 CVE-2015-2562 89 Exec Code Sql 2015-03-20 2016-12-02
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the Web-Dorado ECommerce WD (com_ecommercewd) component 1.2.5 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) search_category_id, (2) sort_order, or (3) filter_manufacturer_ids in a displayproducts action to index.php.
48 CVE-2015-2559 284 2015-03-25 2016-08-24
3.5
None Remote Medium Single system None Partial None
Drupal 6.x before 6.35 and 7.x before 7.35 allows remote authenticated users to reset the password of other accounts by leveraging an account with the same password hash as another account and a crafted password reset URL.
49 CVE-2015-2352 2015-03-19 2016-12-02
7.5
None Remote Low Not required Partial Partial Partial
The cache handler in MyBB (aka MyBulletinBoard) before 1.8.4 does not properly check the encoding of input to the var_export function, which allows attackers to have an unspecified impact via unknown vectors.
50 CVE-2015-2351 79 XSS 2015-03-19 2016-12-02
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Alkacon OpenCms 9.5.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) homelink parameter to system/modules/org.opencms.workplace.help/jsptemplates/help_head.jsp, (2) workplaceresource parameter to system/workplace/locales/en/help/index.html, (3) path parameter to system/workplace/views/admin/admin-main.jsp, (4) mode parameter to system/workplace/views/explorer/explorer_files.jsp, or (5) query parameter in a search action to system/modules/org.opencms.workplace.help/elements/search.jsp.
Total number of vulnerabilities : 458   Page : 1 (This Page)2 3 4 5 6 7 8 9 10
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.