CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1301 CVE-2015-7046 200 Bypass +Info 2015-12-11 2017-09-12
2.6
None Remote High Not required Partial None None
The Sandbox feature in xnu in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 does not properly implement privilege separation, which allows attackers to bypass the ASLR protection mechanism via a crafted app with root privileges.
1302 CVE-2015-7000 200 +Info 2015-10-23 2016-12-23
2.1
None Local Low Not required Partial None None
Notification Center in Apple iOS before 9.1 mishandles changes to "Show on Lock Screen" settings, which allows physically proximate attackers to obtain sensitive information by looking for a (1) Phone or (2) Messages notification on the lock screen soon after a setting was disabled.
1303 CVE-2015-6987 20 DoS 2015-10-23 2015-10-26
2.1
None Local Low Not required None None Partial
The File Bookmark component in Apple OS X before 10.11.1 allows local users to cause a denial of service (application crash) via crafted bookmark metadata in a folder.
1304 CVE-2015-6921 79 XSS 2015-09-11 2015-09-14
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Zendesk Feedback Tab module 7.x-1.x before 7.x-1.1 for Drupal allows remote administrators with the "Configure Zendesk Feedback Tab" permission to inject arbitrary web script or HTML via unspecified vectors.
1305 CVE-2015-6847 200 +Info 2015-11-18 2016-12-07
2.1
None Local Low Not required Partial None None
The default configuration of EMC VPLEX GeoSynchrony 5.4 SP1 before P3 stores cleartext NAVISPHERE GUI passwords in a log file, which allows local users to obtain sensitive information by reading this file.
1306 CVE-2015-6839 20 2017-10-23 2017-11-17
2.1
None Local Low Not required None Partial None
The parse function in MSA vot.Ar 3.1 does not check whether a candidate receives more than one vote, which allows physically proximate attackers to cast multiple votes for a candidate via a crafted RFID ballot tag.
1307 CVE-2015-6807 79 XSS 2015-09-04 2015-09-04
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Mass Contact module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer mass contact" permission to inject arbitrary web script or HTML via a category label.
1308 CVE-2015-6754 79 XSS 2015-08-31 2015-09-01
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the administration interface in the Path Breadcrumbs module 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "Administer Path Breadcrumbs" permission to inject arbitrary web script or HTML via unspecified vectors.
1309 CVE-2015-6752 79 XSS 2015-08-31 2015-09-01
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Search API Autocomplete module 7.x-1.x before 7.x-1.3 for Drupal, when the search index is configured to use the HTML filter processor, allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in the returned suggestions.
1310 CVE-2015-6746 200 +Info 2015-08-31 2015-08-31
2.1
None Local Low Not required Partial None None
Basware Banking (Maksuliikenne) before 8.90.07.X stores private keys in plaintext in the SQL database, which allows remote attackers to spoof communications with banks via unspecified vectors. NOTE: this identifier was SPLIT from CVE-2015-0942 per ADT2 due to different vulnerability types.
1311 CVE-2015-6654 264 DoS 2015-09-03 2016-12-07
2.1
None Local Low Not required None None Partial
The xenmem_add_to_physmap_one function in arch/arm/mm.c in Xen 4.5.x, 4.4.x, and earlier does not limit the number of printk console messages when reporting a failure to retrieve a reference on a foreign page, which allows remote domains to cause a denial of service by leveraging permissions to map the memory of a foreign guest.
1312 CVE-2015-6641 200 +Info 2016-01-06 2016-12-07
2.9
None Local Network Medium Not required Partial None None
Bluetooth in Android 6.0 before 2016-01-01 allows remote attackers to obtain sensitive Contacts information by leveraging pairing, aka internal bug 23607427.
1313 CVE-2015-6627 200 +Info 2015-12-08 2015-12-09
2.6
None Remote High Not required Partial None None
The Audio component in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows remote attackers to obtain sensitive information via a crafted audio file, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 24211743.
1314 CVE-2015-6557 200 +Info 2015-08-22 2015-08-24
2.1
None Local Low Not required Partial None None
IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 5.5 before 5.5.6.1, 6.3 before 6.3.1.5, 6.4 before 6.4.1.7, and 7.1 before 7.1.2; Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 5.5 before 5.5.1.1, 6.1 before 6.1.3.7, 6.3 before 6.3.1.5, 6.4 before 6.4.1.7, and 7.1 before 7.1.2; and Tivoli Storage FlashCopy Manager 3.1 before 3.1.1.5, 3.2 before 3.2.1.7, and 4.1 before 4.1.2, when application tracing is used, place cleartext passwords in exception messages, which allows physically proximate attackers to obtain sensitive information by reading trace output, a different vulnerability than CVE-2015-4949.
1315 CVE-2015-6556 200 +Info 2015-12-18 2015-12-18
2.3
None Local Network Medium Single system Partial None None
EACommunicatorSrv.exe in the Framework Service in the client in Symantec Endpoint Encryption (SEE) before 11.1.0 allows remote authenticated users to discover credentials by triggering a memory dump.
1316 CVE-2015-6414 200 +Info 2015-12-12 2016-12-07
2.1
None Local Low Not required Partial None None
Cisco TelePresence Video Communication Server (VCS) X8.6 uses the same encryption key across different customers' installations, which makes it easier for local users to defeat cryptographic protection mechanisms by leveraging knowledge of a key from another installation, aka Bug ID CSCuw64516.
1317 CVE-2015-6375 200 +Info 2015-11-21 2016-11-28
2.1
None Local Low Not required Partial None None
The debug-logging (aka debug cns) feature in Cisco Networking Services (CNS) for IOS 15.2(2)E3 allows local users to obtain sensitive information by reading an unspecified file, aka Bug ID CSCux18010.
1318 CVE-2015-6252 399 DoS 2015-10-19 2017-11-03
2.1
None Local Low Not required None None Partial
The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel before 4.1.5 allows local users to cause a denial of service (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers permanent file-descriptor allocation.
1319 CVE-2015-6109 200 Bypass +Info 2015-11-11 2018-10-12
2.1
None Local Low Not required Partial None None
The kernel in Microsoft Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to bypass the KASLR protection mechanism, and consequently discover a driver base address, via a crafted application, aka "Windows Kernel Memory Information Disclosure Vulnerability."
1320 CVE-2015-6102 200 Bypass +Info 2015-11-11 2018-10-12
2.1
None Local Low Not required Partial None None
The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 allows local users to bypass the KASLR protection mechanism, and consequently discover a driver base address, via a crafted application, aka "Windows Kernel Memory Information Disclosure Vulnerability."
1321 CVE-2015-5969 200 +Info 2016-04-08 2018-10-30
2.1
None Local Low Not required Partial None None
The mysql-systemd-helper script in the mysql-community-server package before 5.6.28-2.17.1 in openSUSE 13.2 and before 5.6.28-13.1 in openSUSE Leap 42.1 and the mariadb package before 10.0.22-2.21.2 in openSUSE 13.2 and before 10.0.22-3.1 in SUSE Linux Enterprise (SLE) 12.1 and openSUSE Leap 42.1 allows local users to discover database credentials by listing a process and its arguments.
1322 CVE-2015-5923 200 +Info 2015-10-09 2016-12-07
2.1
None Local Low Not required Partial None None
Apple iOS before 9.0.2 does not properly restrict the options available on the lock screen, which allows physically proximate attackers to read contact data or view photos via unspecified vectors.
1323 CVE-2015-5907 310 2015-09-18 2016-12-21
2.6
None Remote High Not required None Partial None
WebKit in Apple iOS before 9 allows man-in-the-middle attackers to conduct redirection attacks by leveraging the mishandling of the resource cache of an SSL web site with an invalid X.509 certificate.
1324 CVE-2015-5901 200 +Info 2015-10-09 2016-12-07
2.1
None Local Low Not required Partial None None
The Secure Empty Trash feature in Finder in Apple OS X before 10.11 improperly deletes Trash files, which might allow local users to obtain sensitive information by reading storage media, as demonstrated by reading a flash drive.
1325 CVE-2015-5898 200 +Info 2015-09-18 2016-12-21
2.1
None Local Low Not required Partial None None
CFNetwork in Apple iOS before 9 relies on the hardware UID for its cache encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.
1326 CVE-2015-5893 200 +Info 2015-10-09 2016-12-07
2.1
None Local Low Not required Partial None None
SMBClient in SMB in Apple OS X before 10.11 allows local users to obtain sensitive kernel memory-layout information via unspecified vectors.
1327 CVE-2015-5892 200 Bypass +Info 2015-09-18 2016-12-21
2.1
None Local Low Not required Partial None None
Siri in Apple iOS before 9 allows physically proximate attackers to bypass an intended client-side protection mechanism and obtain sensitive content-notification information by listening to a device in the lock-screen state.
1328 CVE-2015-5878 200 +Info 2015-10-09 2016-12-09
2.1
None Local Low Not required Partial None None
Notes in Apple OS X before 10.11 misparses links, which allows local users to obtain sensitive information via unspecified vectors.
1329 CVE-2015-5875 79 XSS 2015-10-09 2016-12-09
2.1
None Local Low Not required None Partial None
Cross-site scripting (XSS) vulnerability in Notes in Apple OS X before 10.11 allows local users to inject arbitrary web script or HTML via crafted text.
1330 CVE-2015-5870 200 +Info 2015-10-09 2016-12-09
2.1
None Local Low Not required Partial None None
The debugging interfaces in the kernel in Apple OS X before 10.11 allow local users to obtain sensitive memory-layout information via unspecified vectors.
1331 CVE-2015-5864 200 +Info 2015-10-09 2016-12-09
2.1
None Local Low Not required Partial None None
IOAudioFamily in Apple OS X before 10.11 allows local users to obtain sensitive kernel memory-layout information via unspecified vectors.
1332 CVE-2015-5863 200 +Info 2015-09-18 2016-12-21
2.1
None Local Low Not required Partial None None
IOStorageFamily in Apple iOS before 9 does not properly initialize an unspecified data structure, which allows local users to obtain sensitive information from kernel memory via unknown vectors.
1333 CVE-2015-5861 284 Bypass 2015-09-18 2016-12-21
2.1
None Local Low Not required None Partial None
SpringBoard in Apple iOS before 9 allows physically proximate attackers to bypass a lock-screen preview-disabled setting, and reply to an audio message, via unspecified vectors.
1334 CVE-2015-5854 200 +Info 2015-10-09 2016-12-09
2.1
None Local Low Not required Partial None None
The backup implementation in Time Machine in Apple OS X before 10.11 allows local users to obtain access to keychain items via unspecified vectors.
1335 CVE-2015-5851 200 +Info 2015-09-18 2016-12-21
2.1
None Local Low Not required Partial None None
The convenience initializer in the Multipeer Connectivity component in Apple iOS before 9 does not require an encrypted session, which allows local users to obtain cleartext multipeer data via an encrypted-to-unencrypted downgrade attack.
1336 CVE-2015-5850 254 2015-09-18 2016-12-21
2.1
None Local Low Not required None Partial None
AppleKeyStore in Apple iOS before 9 allows physically proximate attackers to reset the count of incorrect passcode attempts via a device backup.
1337 CVE-2015-5842 200 +Info 2015-09-18 2016-12-21
2.1
None Local Low Not required Partial None None
XNU in the kernel in Apple iOS before 9 does not properly initialize an unspecified data structure, which allows local users to obtain sensitive memory-layout information via unknown vectors.
1338 CVE-2015-5832 200 +Info 2015-09-18 2016-12-21
2.1
None Local Low Not required Partial None None
The iTunes Store component in Apple iOS before 9 does not properly delete AppleID credentials from the keychain upon a signout action, which might allow physically proximate attackers to obtain sensitive information via unspecified vectors.
1339 CVE-2015-5748 17 DoS 2015-08-16 2017-09-20
2.1
None Local Low Not required None None Partial
The kernel in Apple OS X before 10.10.5 does not properly mount HFS volumes, which allows local users to cause a denial of service via a crafted volume.
1340 CVE-2015-5742 200 +Info 2015-10-16 2018-10-09
2.1
None Local Low Not required Partial None None
VeeamVixProxy in Veeam Backup & Replication (B&R) before 8.0 update 3 stores local administrator credentials in log files with world-readable permissions, which allows local users to obtain sensitive information by reading the files.
1341 CVE-2015-5697 200 +Info 2015-08-31 2017-09-20
2.1
None Local Low Not required Partial None None
The get_bitmap_file function in drivers/md/md.c in the Linux kernel before 4.1.6 does not initialize a certain bitmap data structure, which allows local users to obtain sensitive information from kernel memory via a GET_BITMAP_FILE ioctl call.
1342 CVE-2015-5677 200 +Info 2017-02-07 2017-09-09
2.1
None Local Low Not required Partial None None
bsnmpd, as used in FreeBSD 9.3, 10.1, and 10.2, uses world-readable permissions on the snmpd.config file, which allows local users to obtain the secret key for USM authentication by reading the file.
1343 CVE-2015-5667 79 XSS 2015-10-31 2016-12-07
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the HTML-Scrubber module before 0.15 for Perl, when the comment feature is enabled, allows remote attackers to inject arbitrary web script or HTML via a crafted comment.
1344 CVE-2015-5514 79 XSS 2015-08-18 2015-08-20
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Migrate module 7.x-2.x before 7.x-2.8 for Drupal, when the migrate_ui submodule is enabled, allows user-assisted remote attackers to inject arbitrary web script or HTML via a destination field label.
1345 CVE-2015-5513 79 XSS 2015-08-18 2015-08-20
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Shibboleth authentication module 6.x-4.x before 6.x-4.2 and 7.x-4.x before 7.x-4.2 for Drupal allows remote authenticated users with the "Administer blocks" permission to inject arbitrary web script or HTML via unspecified vectors related to a login link.
1346 CVE-2015-5495 79 XSS 2015-08-18 2015-08-19
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Mobile sliding menu module 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer menu" permission to inject arbitrary web script or HTML via unspecified vectors.
1347 CVE-2015-5488 79 XSS 2015-08-18 2015-08-19
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the MailChimp Signup submodule in the MailChimp module 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "administer mailchimp" permission to inject arbitrary web script or HTML via unspecified vectors.
1348 CVE-2015-5448 200 +Info 2015-10-25 2016-12-23
2.1
None Local Low Not required Partial None None
HP Asset Manager 9.40 and 9.41 before 9.41.11103 P4-rev1 and 9.50 before 9.50.11925 P3 allows local users to obtain sensitive information via unspecified vectors.
1349 CVE-2015-5281 264 Exec Code Bypass 2015-11-24 2016-12-07
2.6
None Local High Not required Partial Partial None
The grub2 package before 2.02-0.29 in Red Hat Enterprise Linux (RHEL) 7, when used on UEFI systems, allows local users to bypass intended Secure Boot restrictions and execute non-verified code via a crafted (1) multiboot or (2) multiboot2 module in the configuration file or physically proximate attackers to bypass intended Secure Boot restrictions and execute non-verified code via the (3) boot menu.
1350 CVE-2015-5231 200 +Info 2016-06-07 2018-10-30
2.1
None Local Low Not required Partial None None
The service daemon in CRIU does not properly restrict access to non-dumpable processes, which allows local users to obtain sensitive information via (1) process dumps or (2) ptrace access.
Total number of vulnerabilities : 4356   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 (This Page)28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.