CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
8951 CVE-2015-1254 264 Bypass 2015-05-20 2017-01-02
5.0
None Remote Low Not required None Partial None
core/dom/Document.cpp in Blink, as used in Google Chrome before 43.0.2357.65, enables the inheritance of the designMode attribute, which allows remote attackers to bypass the Same Origin Policy by leveraging the availability of editing.
8952 CVE-2015-1247 200 +Info 2015-04-19 2017-01-02
5.0
None Remote Low Not required Partial None None
The SearchEngineTabHelper::OnPageHasOSDD function in browser/ui/search_engines/search_engine_tab_helper.cc in Google Chrome before 42.0.2311.90 does not prevent use of a file: URL for an OpenSearch descriptor XML document, which might allow remote attackers to obtain sensitive information from local files via a crafted (1) http or (2) https web site.
8953 CVE-2015-1246 119 DoS Overflow 2015-04-19 2017-01-02
5.0
None Remote Low Not required None None Partial
Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
8954 CVE-2015-1244 200 +Info 2015-04-19 2017-01-02
5.0
None Remote Low Not required Partial None None
The URLRequest::GetHSTSRedirect function in url_request/url_request.cc in Google Chrome before 42.0.2311.90 does not replace the ws scheme with the wss scheme whenever an HSTS Policy is active, which makes it easier for remote attackers to obtain sensitive information by sniffing the network for WebSocket traffic.
8955 CVE-2015-1240 119 DoS Overflow 2015-04-19 2017-01-02
5.0
None Remote Low Not required None None Partial
gpu/blink/webgraphicscontext3d_impl.cc in the WebGL implementation in Google Chrome before 42.0.2311.90 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WebGL program that triggers a state inconsistency.
8956 CVE-2015-1235 264 Bypass 2015-04-19 2017-01-02
5.0
None Remote Low Not required None Partial None
The ContainerNode::parserRemoveChild function in core/dom/ContainerNode.cpp in the HTML parser in Blink, as used in Google Chrome before 42.0.2311.90, allows remote attackers to bypass the Same Origin Policy via a crafted HTML document with an IFRAME element.
8957 CVE-2015-1229 19 2015-03-08 2016-12-21
5.0
None Remote Low Not required None Partial None
net/http/proxy_client_socket.cc in Google Chrome before 41.0.2272.76 does not properly handle a 407 (aka Proxy Authentication Required) HTTP status code accompanied by a Set-Cookie header, which allows remote proxy servers to conduct cookie-injection attacks via a crafted response.
8958 CVE-2015-1226 264 Bypass 2015-03-08 2016-12-21
5.0
None Remote Low Not required None Partial None
The DebuggerFunction::InitAgentHost function in browser/extensions/api/debugger/debugger_api.cc in Google Chrome before 41.0.2272.76 does not properly restrict what URLs are available as debugger targets, which allows remote attackers to bypass intended access restrictions via a crafted extension.
8959 CVE-2015-1225 119 DoS Overflow 2015-03-08 2016-12-21
5.0
None Remote Low Not required None None Partial
PDFium, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
8960 CVE-2015-1224 17 DoS 2015-03-08 2016-12-21
5.0
None Remote Low Not required None None Partial
The VpxVideoDecoder::VpxDecode function in media/filters/vpx_video_decoder.cc in the vpxdecoder implementation in Google Chrome before 41.0.2272.76 does not ensure that alpha-plane dimensions are identical to image dimensions, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted VPx video data.
8961 CVE-2015-1210 264 Bypass 2015-02-06 2017-09-07
5.0
None Remote Low Not required None Partial None
The V8ThrowException::createDOMException function in bindings/core/v8/V8ThrowException.cpp in the V8 bindings in Blink, as used in Google Chrome before 40.0.2214.111 on Windows, OS X, and Linux and before 40.0.2214.109 on Android, does not properly consider frame access restrictions during the throwing of an exception, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
8962 CVE-2015-1201 DoS 2015-01-20 2015-01-22
5.0
None Remote Low Not required None None Partial
Privoxy before 3.0.22 allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
8963 CVE-2015-1199 22 Dir. Trav. 2017-08-28 2017-09-05
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in ppmd 10.1-5.
8964 CVE-2015-1198 22 Dir. Trav. 2017-08-28 2017-09-06
5.0
None Remote Low Not required Partial None None
Multiple directory traversal vulnerabilities in ha 0.999p+dfsg-5.
8965 CVE-2015-1193 22 Dir. Trav. 2015-01-21 2015-01-23
5.0
None Remote Low Not required None Partial None
Multiple directory traversal vulnerabilities in pax 1:20140703 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.
8966 CVE-2015-1192 22 Dir. Trav. 2015-01-21 2015-01-23
5.0
None Remote Low Not required None Partial None
Absolute path traversal vulnerability in kgb 1.0b4 allows remote attackers to write to arbitrary files via a full pathname in a crafted archive.
8967 CVE-2015-1191 22 Dir. Trav. 2015-01-21 2016-12-02
5.0
None Remote Low Not required None Partial None
Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.
8968 CVE-2015-1165 200 +Info 2015-03-09 2015-10-27
5.0
None Remote Low Not required Partial None None
RT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors.
8969 CVE-2015-1151 284 Bypass 2015-04-28 2016-03-31
5.0
None Remote Low Not required None Partial None
Wiki Server in Apple OS X Server before 4.1 allows remote attackers to bypass intended restrictions on Activity and People pages by connecting from an iPad client.
8970 CVE-2015-1150 17 Bypass 2015-04-28 2016-03-31
5.0
None Remote Low Not required None Partial None
The Firewall component in Apple OS X Server before 4.1 uses an incorrect pathname in configuration files, which allows remote attackers to bypass network-access restrictions by sending packets for which custom-rule blocking was intended.
8971 CVE-2015-1148 200 +Info 2015-04-10 2015-09-17
5.0
None Remote Low Not required Partial None None
Screen Sharing in Apple OS X before 10.10.3 stores the password of a user in a log file, which might allow context-dependent attackers to obtain sensitive information by reading this file.
8972 CVE-2015-1147 200 +Info 2015-04-10 2015-09-17
5.0
None Remote Low Not required Partial None None
Open Directory Client in Apple OS X before 10.10.3 sends unencrypted password-change requests in certain circumstances involving missing certificates, which allows remote attackers to obtain sensitive information by sniffing the network.
8973 CVE-2015-1128 200 +Info 2015-04-10 2015-09-11
5.0
None Remote Low Not required Partial None None
The private-browsing implementation in Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 allows attackers to obtain sensitive browsing-history information via vectors involving push-notification requests.
8974 CVE-2015-1118 DoS Mem. Corr. 2015-04-10 2015-09-11
5.0
None Remote Low Not required None None Partial
libnetcore in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows attackers to cause a denial of service (memory corruption and application crash) via a crafted configuration profile.
8975 CVE-2015-1112 200 +Info 2015-04-10 2015-11-30
5.0
None Remote Low Not required Partial None None
Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, as used on iOS before 8.3 and other platforms, does not properly delete browsing-history data from the history.plist file, which allows attackers to obtain sensitive information by reading this file.
8976 CVE-2015-1111 200 +Info 2015-04-10 2017-01-02
5.0
None Remote Low Not required Partial None None
Safari in Apple iOS before 8.3 does not delete Recently Closed Tabs data in response to a history-clearing action, which allows attackers to obtain sensitive information by reading a history file.
8977 CVE-2015-1110 200 +Info 2015-04-10 2017-01-02
5.0
None Remote Low Not required Partial None None
The Podcasts component in Apple iOS before 8.3 and Apple TV before 7.2 allows remote attackers to discover unique identifiers by reading asset-download request data.
8978 CVE-2015-1105 20 DoS 2015-04-10 2016-12-07
5.0
None Remote Low Not required None None Partial
The TCP implementation in the kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 does not properly implement the Urgent (aka out-of-band data) mechanism, which allows remote attackers to cause a denial of service via crafted packets.
8979 CVE-2015-1104 20 Bypass 2015-04-10 2016-12-07
5.0
None Remote Low Not required None Partial None
The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 does not properly determine whether an IPv6 packet had a local origin, which allows remote attackers to bypass an intended network-filtering protection mechanism via a crafted packet.
8980 CVE-2015-1100 119 DoS Overflow +Info 2015-04-10 2016-12-07
5.4
None Local Medium Not required Partial None Complete
The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows attackers to cause a denial of service (out-of-bounds memory access) or obtain sensitive memory-content information via a crafted app.
8981 CVE-2015-1092 2015-04-10 2017-01-02
5.0
None Remote Low Not required Partial None None
NSXMLParser in Foundation in Apple iOS before 8.3 and Apple TV before 7.2 allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
8982 CVE-2015-1090 200 +Info 2015-04-10 2017-01-02
5.0
None Remote Low Not required Partial None None
CFNetwork in Apple iOS before 8.3 does not delete HTTP Strict Transport Security (HSTS) state information in response to a Safari history-clearing action, which allows attackers to obtain sensitive information by reading a history file.
8983 CVE-2015-1089 200 Bypass +Info 2015-04-10 2017-01-02
5.0
None Remote Low Not required Partial None None
CFNetwork in Apple iOS before 8.3 and Apple OS X before 10.10.3 does not properly handle cookies during processing of redirects in HTTP responses, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
8984 CVE-2015-1084 17 2015-03-18 2015-09-30
5.0
None Remote Low Not required None Partial None
The user interface in WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, does not display URLs consistently, which makes it easier for remote attackers to conduct phishing attacks via a crafted URL.
8985 CVE-2015-1065 119 Exec Code Overflow 2015-03-12 2016-12-07
5.4
None Local Network Medium Not required Partial Partial Partial
Multiple buffer overflows in iCloud Keychain in Apple iOS before 8.2 and Apple OS X through 10.10.2 allow man-in-the-middle attackers to execute arbitrary code by modifying the client-server data stream during keychain recovery.
8986 CVE-2015-1062 19 2015-03-12 2015-09-11
5.0
None Remote Low Not required None Partial None
MobileStorageMounter in Apple iOS before 8.2 and Apple TV before 7.1 does not delete invalid disk-image folders, which allows attackers to create folders in arbitrary filesystem locations via a crafted app.
8987 CVE-2015-1060 1 2015-01-16 2017-09-07
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in lib/Cake/Controller/Controller.php in AdaptCMS 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header.
8988 CVE-2015-1051 2015-01-15 2016-08-23
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the Context UI module in the Context module 7.x-3.x before 7.x-3.6 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.
8989 CVE-2015-1047 20 DoS 2015-10-12 2018-08-11
5.0
None Remote Low Not required None None Partial
vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 before u2 allows remote attackers to cause a denial of service via a long heartbeat message.
8990 CVE-2015-1042 2015-02-10 2015-11-27
5.8
None Remote Medium Not required Partial Partial None
The string_sanitize_url function in core/string_api.php in MantisBT 1.2.0a3 through 1.2.18 uses an incorrect regular expression, which allows remote attackers to conduct open redirect and phishing attacks via a URL with a ":/" (colon slash) separator in the return parameter to login_page.php, a different vulnerability than CVE-2014-6316.
8991 CVE-2015-1038 59 2015-01-21 2017-09-07
5.8
None Remote Medium Not required None Partial Partial
p7zip 9.20.1 allows remote attackers to write to arbitrary files via a symlink attack in an archive.
8992 CVE-2015-1030 399 DoS 2015-01-20 2015-02-04
5.0
None Remote Low Not required None None Partial
Memory leak in the rfc2553_connect_to function in jbsocket.c in Privoxy before 3.0.22 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests that are rejected because the socket limit is reached.
8993 CVE-2015-1012 200 +Info 2019-03-25 2019-04-04
5.0
None Remote Low Not required Partial None None
Wireless keys are stored in plain text on version 5 of the Hospira LifeCare PCA Infusion System. According to Hospira, version 3 of the LifeCare PCA Infusion System is not indicated for wireless use, is not shipped with wireless capabilities, and should not be modified to be used in a wireless capacity in a clinical setting. Hospira has developed a new version of the PCS Infusion System, version 7.0 that addresses the identified vulnerabilities. Version 7.0 has Port 20/FTP and Port 23/TELNET closed by default to prevent unauthorized access.
8994 CVE-2015-1011 200 +Info 2015-07-06 2015-07-08
5.0
None Remote Low Not required Partial None None
Hospira LifeCare PCA Infusion System before 7.0 has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors.
8995 CVE-2015-1003 22 Dir. Trav. 2015-10-24 2015-10-26
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in IniNet embeddedWebServer (aka eWebServer) before 2.02 allows remote attackers to read arbitrary files via a crafted pathname.
8996 CVE-2015-0997 200 +Info 2015-03-29 2018-10-30
5.0
None Remote Low Not required Partial None None
Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 provide an HMI user interface that lists all valid usernames, which makes it easier for remote attackers to obtain access via a brute-force password-guessing attack.
8997 CVE-2015-0995 255 2015-04-03 2015-04-03
5.0
None Remote Low Not required Partial None None
Inductive Automation Ignition 7.7.2 uses MD5 password hashes, which makes it easier for context-dependent attackers to obtain access via a brute-force attack.
8998 CVE-2015-0991 200 +Info 2015-04-03 2015-04-03
5.0
None Remote Low Not required Partial None None
Inductive Automation Ignition 7.7.2 allows remote attackers to obtain sensitive information by reading an error message about an unhandled exception, as demonstrated by pathname information.
8999 CVE-2015-0987 200 +Info 2015-10-05 2015-10-07
5.0
None Remote Low Not required Partial None None
Omron CX-One CX-Programmer before 9.6, CJ2M PLC devices before 2.1, and CJ2H PLC devices before 1.5 rely on cleartext password transmission, which allows remote attackers to obtain sensitive information by sniffing the network during a PLC unlock request.
9000 CVE-2015-0972 255 DoS 2015-06-23 2015-06-24
5.0
None Remote Low Not required Partial None None
Pearson ProctorCache before 2015.1.17 uses the same hardcoded password across different customers' installations, which allows remote attackers to modify test metadata or cause a denial of service (test disruption) by leveraging knowledge of this password.
Total number of vulnerabilities : 23352   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 (This Page)181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.