CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
7901 CVE-2015-0555 119 Exec Code Overflow 2015-02-24 2016-03-31
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in the XnsSdkDeviceIpInstaller.ocx ActiveX control in Samsung iPOLiS Device Manager 1.12.2 allows remote attackers to execute arbitrary code via a long string in the first argument to the (1) ReadConfigValue or (2) WriteConfigValue function.
7902 CVE-2015-0552 22 Dir. Trav. 2015-01-15 2018-10-30
6.4
None Remote Low Not required None Partial Partial
Directory traversal vulnerability in the gcab_folder_extract function in libgcab/gcab-folder.c in gcab 0.4 allows remote attackers to write to arbitrary files via crafted path in a CAB file, as demonstrated by "\tmp\moo."
7903 CVE-2015-0542 352 CSRF 2015-08-20 2017-09-20
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in EMC RSA Archer GRC 5.5 SP1 before P3 allow remote attackers to hijack the authentication of arbitrary users.
7904 CVE-2015-0541 352 CSRF 2015-06-05 2016-12-30
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in EMC RSA Web Threat Detection before 5.1 allows remote attackers to hijack the authentication of arbitrary users.
7905 CVE-2015-0540 89 Exec Code Sql 2015-05-25 2015-05-27
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the xAdmin interface in EMC Document Sciences xPression 4.2 before P44 and 4.5 SP1 before P03 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
7906 CVE-2015-0515 Exec Code 2015-01-21 2017-01-02
6.5
None Remote Low Single system Partial Partial Partial
Unrestricted file upload vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to execute arbitrary code by uploading and then accessing an executable file.
7907 CVE-2015-0484 2015-04-16 2018-10-30
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in Oracle Java SE 7u76 and 8u40, and Java FX 2.2.76, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2015-0492.
7908 CVE-2015-0482 2015-04-16 2017-01-02
6.0
None Remote Medium Single system Partial Partial Partial
Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 12.1.2.0 and 12.1.3.0 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to WLS-WebServices.
7909 CVE-2015-0468 2015-07-16 2017-09-21
6.0
None Remote Medium Single system Partial Partial Partial
Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
7910 CVE-2015-0455 2015-04-16 2017-01-02
6.8
None Remote Low Single system Complete None None
Unspecified vulnerability in the XDB - XML Database component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors.
7911 CVE-2015-0446 2015-07-16 2015-07-16
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Data Quality based on Trillium, a different vulnerability than CVE-2015-0443, CVE-2015-0444, CVE-2015-0445, CVE-2015-2634, CVE-2015-2635, CVE-2015-2636, CVE-2015-4758, and CVE-2015-4759.
7912 CVE-2015-0445 2015-07-16 2015-07-16
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Data Quality based on Trillium, a different vulnerability than CVE-2015-0443, CVE-2015-0444, CVE-2015-0446, CVE-2015-2634, CVE-2015-2635, CVE-2015-2636, CVE-2015-4758, and CVE-2015-4759.
7913 CVE-2015-0444 2015-07-16 2015-07-16
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Data Quality based on Trillium, a different vulnerability than CVE-2015-0443, CVE-2015-0445, CVE-2015-0446, CVE-2015-2634, CVE-2015-2635, CVE-2015-2636, CVE-2015-4758, and CVE-2015-4759.
7914 CVE-2015-0443 2015-07-16 2015-07-16
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the Oracle Data Integrator component in Oracle Fusion Middleware 11.1.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Data Quality based on Trillium, a different vulnerability than CVE-2015-0444, CVE-2015-0445, CVE-2015-0446, CVE-2015-2634, CVE-2015-2635, CVE-2015-2636, CVE-2015-4758, and CVE-2015-4759.
7915 CVE-2015-0435 2015-01-21 2017-09-07
6.8
None Remote Low Single system Complete None None
Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote authenticated users to affect confidentiality via unknown vectors related to Security.
7916 CVE-2015-0421 2015-01-21 2017-09-07
6.9
None Local Medium Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the installation process.
7917 CVE-2015-0403 2015-01-21 2017-09-07
6.9
None Local Medium Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
7918 CVE-2015-0393 Exec Code +Priv 2015-01-21 2017-09-07
6.0
None Remote Medium Single system Partial Partial Partial
Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to DB Privileges. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher's claim that the PUBLIC role is granted the INDEX privilege for the DUAL table during a "seeded install," which allows remote authenticated users to gain SYSDBA privileges and execute arbitrary code.
7919 CVE-2015-0390 2015-01-21 2017-09-07
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the MICROS Retail component in Oracle Retail Applications Xstore: 3.2.1, 3.4.2, 3.5.0, 4.0.1, 4.5.1, 4.8.0, 5.0.3, 5.5.3, 6.0.6, and 6.5.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Xstore Point of Sale.
7920 CVE-2015-0373 2015-01-21 2017-09-07
6.5
None Remote Low Single system Partial Partial Partial
Unspecified vulnerability in the OJVM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
7921 CVE-2015-0279 94 Exec Code 2015-03-26 2016-08-23
6.8
None Remote Medium Not required Partial Partial Partial
JBoss RichFaces before 4.5.4 allows remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via the do parameter.
7922 CVE-2015-0277 284 2015-08-17 2015-08-19
6.0
None Remote Medium Single system Partial Partial Partial
The Service Provider (SP) in PicketLink before 2.7.0 does not ensure that it is a member of an Audience element when an AudienceRestriction is specified, which allows remote attackers to log in to other users' accounts via a crafted SAML assertion. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6254 for lack of validation for the Destination attribute in a Response element in a SAML assertion.
7923 CVE-2015-0276 352 CSRF 2017-09-21 2017-09-30
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Kallithea before 0.2.
7924 CVE-2015-0266 264 Bypass 2016-04-11 2016-04-13
6.5
None Remote Low Single system Partial Partial Partial
The Policy Admin Tool in Apache Ranger before 0.5.0 allows remote authenticated users to bypass intended access restrictions via direct access to module URLs.
7925 CVE-2015-0255 200 DoS +Info 2015-02-13 2018-10-30
6.4
None Remote Low Not required Partial None Partial
X.Org Server (aka xserver and xorg-server) before 1.16.3 and 1.17.x before 1.17.1 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (crash) via a crafted string length value in a XkbSetGeometry request.
7926 CVE-2015-0250 DoS 2015-03-24 2017-11-03
6.4
None Remote Low Not required Partial None Partial
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
7927 CVE-2015-0249 94 Exec Code 2017-07-17 2017-07-27
6.5
None Remote Low Single system Partial Partial Partial
The weblog page template in Apache Roller 5.1 through 5.1.1 allows remote authenticated users with admin privileges for a weblog to execute arbitrary Java code via crafted Velocity Text Language (aka VTL).
7928 CVE-2015-0237 264 DoS 2015-05-01 2016-04-11
6.8
None Remote Low Single system None None Complete
Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 ignores the permission to deny snapshot creation during live storage migration between domains, which allows remote authenticated users to cause a denial of service (prevent host start) by creating a long snapshot chain.
7929 CVE-2015-0232 DoS Exec Code 2015-01-27 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image.
7930 CVE-2015-0218 352 CSRF 2015-06-01 2015-06-02
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in auth/shibboleth/logout.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote attackers to hijack the authentication of arbitrary users for requests that trigger a logout.
7931 CVE-2015-0217 399 DoS 2015-06-01 2015-06-02
6.8
None Remote Low Single system None None Complete
filter/mediaplugin/filter.php in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allows remote authenticated users to cause a denial of service (CPU consumption or partial outage) via a crafted string that is matched against an improper regular expression.
7932 CVE-2015-0213 352 CSRF 2015-06-01 2015-06-02
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in (1) editcategories.html and (2) editcategories.php in the Glossary module in Moodle through 2.5.9, 2.6.x before 2.6.7, 2.7.x before 2.7.4, and 2.8.x before 2.8.2 allow remote attackers to hijack the authentication of unspecified victims.
7933 CVE-2015-0209 DoS Mem. Corr. 2015-03-19 2018-01-04
6.8
None Remote Medium Not required Partial Partial Partial
Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import.
7934 CVE-2015-0162 264 +Priv 2017-09-20 2017-09-27
6.9
None Local Medium Not required Complete Complete Complete
IBM Security SiteProtector System 3.0, 3.1, and 3.1.1 allows local users to gain privileges.
7935 CVE-2015-0161 89 Exec Code Sql 2015-05-25 2015-05-26
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0.4, and 3.1.1 before 3.1.1.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
7936 CVE-2015-0157 20 DoS 2015-07-19 2017-09-21
6.8
None Remote Low Single system None None Complete
IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to cause a denial of service (daemon crash) by leveraging an unspecified scalar function in a SQL statement.
7937 CVE-2015-0151 352 XSS CSRF 2018-04-12 2018-05-16
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in D-Link DIR-815 devices with firmware before 2.07.B01 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.
7938 CVE-2015-0145 352 XSS CSRF 2015-10-03 2015-10-05
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in IBM OpenPages GRC Platform 6.2 before IF7, 6.2.1 before 6.2.1.1 IF5, 7.0 before FP4, and 7.1 before FP1 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences.
7939 CVE-2015-0140 Exec Code 2015-05-25 2015-05-26
6.8
None Remote Medium Not required Partial Partial Partial
An unspecified ActiveX control in IBM SPSS Statistics 22.0 through FP1 on 32-bit platforms allows remote attackers to execute arbitrary code via a crafted HTML document.
7940 CVE-2015-0126 Bypass 2015-06-28 2015-06-29
6.5
None Remote Low Single system Partial Partial Partial
IBM Leads 7.x, 8.1.0 before 8.1.0.14, 8.2, 8.5.0 before 8.5.0.7.3, 8.6.0 before 8.6.0.8.1, 9.0.0 through 9.0.0.4, 9.1.0 before 9.1.0.6.1, and 9.1.1 before 9.1.1.0.2 allows remote authenticated users to bypass intended file-upload restrictions via a modified extension.
7941 CVE-2015-0115 352 CSRF 2015-06-28 2015-06-29
6.0
None Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in IBM Leads 7.x, 8.1.0 before 8.1.0.14, 8.2, 8.5.0 before 8.5.0.7.3, 8.6.0 before 8.6.0.8.1, 9.0.0 through 9.0.0.4, 9.1.0 before 9.1.0.6.1, and 9.1.1 before 9.1.1.0.2 allows remote authenticated users to hijack the authentication of customer accounts.
7942 CVE-2015-0104 284 Exec Code 2017-04-24 2017-04-27
6.5
None Remote Low Single system Partial Partial Partial
IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0 IFIX002 allow remote authenticated users to execute arbitrary code via unspecified vectors.
7943 CVE-2015-0059 264 Exec Code +Priv 2015-02-10 2019-05-14
6.9
None Local Medium Not required Complete Complete Complete
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a crafted TrueType font, aka "TrueType Font Parsing Remote Code Execution Vulnerability."
7944 CVE-2015-0012 264 2015-02-10 2018-11-20
6.9
None Local Medium Not required Complete Complete Complete
Microsoft System Center Virtual Machine Manager (VMM) 2012 R2 Update Rollup 4 does not properly validate the roles of users, which allows local users to obtain server and virtual-machine administrative privileges by establishing a server session with Active Directory credentials, aka "Virtual Machine Manager Elevation of Privilege Vulnerability."
7945 CVE-2015-0006 264 Bypass 2015-01-13 2018-10-12
6.1
None Local Network Low Not required None Complete None
The Network Location Awareness (NLA) service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not perform mutual authentication to determine a domain connection, which allows remote attackers to trigger an unintended permissive configuration by spoofing DNS and LDAP responses on a local network, aka "NLA Security Feature Bypass Vulnerability."
7946 CVE-2015-0003 476 DoS +Priv 2015-02-10 2019-05-14
6.9
None Local Medium Not required Complete Complete Complete
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges or cause a denial of service (NULL pointer dereference) via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."
7947 CVE-2014-100025 352 CSRF 2015-01-13 2017-09-07
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in index.php/user_data/insert_user in Savsoft Quiz allows remote attackers to hijack the authentication of administrators for requests that create an administrator account via a crafted request.
7948 CVE-2014-100015 22 2 Dir. Trav. 2015-01-13 2017-09-07
6.4
None Remote Low Not required None Partial Partial
Directory traversal vulnerability in pdmwService.exe in SolidWorks Workgroup PDM 2014 allows remote attackers to write to arbitrary files via a .. (dot dot) in the filename in a file upload.
7949 CVE-2014-100005 352 CSRF 2015-01-13 2017-09-07
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account or (2) enable remote management via a crafted configuration module to hedwig.cgi, (3) activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to pigwidgeon.cgi, or (4) send a ping via a ping action to diagnostic.php.
7950 CVE-2014-100001 352 CSRF 2015-01-13 2017-09-07
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the SEO Plugin LiveOptim plugin before 1.1.4-free for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. NOTE: some of these details are obtained from third party information.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.