CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1401 CVE-2015-4640 254 Exec Code 2015-06-19 2016-12-07
2.9
None Local Network Medium Not required None Partial None
The SwiftKey language-pack update implementation on Samsung Galaxy S4, S4 Mini, S5, and S6 devices relies on an HTTP connection to the skslm.swiftkey.net server, which allows man-in-the-middle attackers to write to language-pack files by modifying an HTTP response. NOTE: CVE-2015-4640 exploitation can be combined with CVE-2015-4641 exploitation for man-in-the-middle code execution.
1402 CVE-2015-4508 254 2015-09-24 2016-12-21
2.6
None Remote High Not required None Partial None
Mozilla Firefox before 41.0, when reader mode is enabled, allows remote attackers to spoof the relationship between address-bar URLs and web content via a crafted web site.
1403 CVE-2015-4456 Bypass +Info 2015-10-26 2016-12-23
2.6
None Remote High Not required Partial None None
ownCloud Desktop Client before 1.8.2 does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which allows man-in-the-middle attackers to bypass the user's certificate distrust decision and obtain sensitive information by leveraging a self-signed certificate and a connection to a server using its own self-signed certificate.
1404 CVE-2015-4400 255 +Info 2018-02-06 2018-03-13
2.1
None Local Low Not required Partial None None
Ring (formerly DoorBot) video doorbells allow remote attackers to obtain sensitive information about the wireless network configuration by pressing the set up button and leveraging an API in the GainSpan Wi-Fi module.
1405 CVE-2015-4388 79 XSS 2015-06-15 2015-06-26
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Current Search Links module 7.x-1.x before 7.x-1.1 for Drupal, when the "Append the keywords passed by the user to the list" option is disabled, allows remote attackers to inject arbitrary web script or HTML via a crafted search query.
1406 CVE-2015-4387 79 XSS 2015-06-15 2015-06-26
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Password Policy module 6.x-1.x before 6.x-1.11 and 7.x-1.x before 7.x-1.11 for Drupal, when a site has a policy that uses the username constraint, allows remote attackers to inject arbitrary web script or HTML via a crafted username that is imported from an external source.
1407 CVE-2015-4385 79 XSS 2015-06-15 2015-06-26
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Imagefield Info module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "Administer image styles" permission to inject arbitrary web script or HTML via unspecified vectors.
1408 CVE-2015-4378 79 XSS 2015-06-15 2015-06-16
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Crumbs module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with the "Administer Crumbs" permission to inject arbitrary web script or HTML via a custom breadcrumb separator.
1409 CVE-2015-4377 79 XSS 2015-06-15 2015-06-17
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Petition module 6.x-1.x before 6.x-1.3 for Drupal allows remote authenticated users with the "create petition" permission to inject arbitrary web script or HTML via unknown vectors.
1410 CVE-2015-4346 79 XSS 2015-06-15 2015-06-30
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the SMS Framework module 6.x-1.x before 6.x-1.1 for Drupal, when the "Send to phone" submodule is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to message previews.
1411 CVE-2015-4176 200 +Info 2016-05-02 2016-05-05
2.1
None Local Low Not required None Partial None
fs/namespace.c in the Linux kernel before 4.0.2 does not properly support mount connectivity, which allows local users to read arbitrary files by leveraging user-namespace root access for deletion of a file or directory.
1412 CVE-2015-4171 200 +Info 2015-06-10 2017-11-07
2.6
None Remote High Not required Partial None None
strongSwan 4.3.0 through 5.x before 5.3.2 and strongSwan VPN Client before 1.4.6, when using EAP or pre-shared keys for authenticating an IKEv2 connection, does not enforce server authentication restrictions until the entire authentication process is complete, which allows remote servers to obtain credentials by using a valid certificate and then reading the responses.
1413 CVE-2015-4077 200 +Info 2015-09-03 2018-10-09
2.1
None Local Low Not required Partial None None
The (1) mdare64_48.sys, (2) mdare32_48.sys, (3) mdare32_52.sys, and (4) mdare64_52.sys drivers in Fortinet FortiClient before 5.2.4 allow local users to read arbitrary kernel memory via a 0x22608C ioctl call.
1414 CVE-2015-4056 310 2017-02-21 2017-02-23
2.1
None Local Low Not required Partial None None
The System Library in VCE Vision Intelligent Operations before 2.6.5 does not properly implement cryptography, which makes it easier for local users to discover credentials by leveraging administrative access.
1415 CVE-2015-4053 200 +Info 2015-06-08 2015-06-25
2.1
None Local Low Not required Partial None None
The admin command in ceph-deploy before 1.5.25 uses world-readable permissions for /etc/ceph/ceph.client.admin.keyring, which allows local users to obtain sensitive information by reading the file.
1416 CVE-2015-3999 200 +Info 2015-05-20 2015-05-21
2.1
None Local Low Not required Partial None None
Piriform CCleaner 3.26.0.1988 through 5.02.5101 writes the filenames to disk when overwriting files, which allows local users to obtain sensitive information by searching unallocated disk space.
1417 CVE-2015-3978 200 +Info 2015-05-12 2018-12-10
2.1
None Local Low Not required Partial None None
SAP Sybase Unwired Platform Online Data Proxy allows local users to obtain usernames and passwords via the DataVault, aka SAP Security Note 2094830.
1418 CVE-2015-3949 200 +Info 2015-06-13 2016-12-05
2.1
None Local Low Not required Partial None None
Sinapsi eSolar Light with firmware before 2.0.3970_schsl_2.2.85 allows attackers to discover cleartext passwords by reading the HTML source code of the mail-configuration page.
1419 CVE-2015-3840 284 2017-06-27 2017-07-05
2.1
None Local Low Not required None Partial None
The MessageStatusReceiver service in the AndroidManifest.XML in Android 5.1.1 and earlier allows local users to alter sent/received statuses of SMS and MMS messages without the associated "WRITE_SMS" permission.
1420 CVE-2015-3839 476 DoS 2017-08-07 2017-08-09
2.1
None Local Low Not required None None Partial
The updateMessageStatus function in Android 5.1.1 and earlier allows local users to cause a denial of service (NULL pointer exception and process crash).
1421 CVE-2015-3757 284 2015-08-16 2017-09-20
2.1
None Local Low Not required None Partial None
Apple OS X before 10.10.5 does not properly restrict access to the Date & Time preferences pane, which allows local users to spoof the time by visiting this pane.
1422 CVE-2015-3756 254 2015-08-16 2016-12-23
2.1
None Local Low Not required None Partial None
The Certificate UI in Apple iOS before 8.4.1 does not prevent X.509 certificate acceptance within the lock screen, which allows physically proximate attackers to establish arbitrary certificate trust relationships by completing a dialog.
1423 CVE-2015-3455 20 2015-05-18 2016-12-21
2.6
None Remote High Not required None Partial None
Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, do not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.
1424 CVE-2015-3448 200 +Info 2015-04-29 2016-12-05
2.1
None Local Low Not required Partial None None
REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log.
1425 CVE-2015-3361 79 XSS 2015-04-21 2016-12-05
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Linkit module before 7.x-2.7 and 7.x-3.x before 7.x-3.3 for Drupal, when the node search plugin is enabled, allows remote authenticated users to inject arbitrary web script or HTML via a node title.
1426 CVE-2015-3340 200 +Info 2015-04-28 2018-10-30
2.9
None Local Network Medium Not required Partial None None
Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request.
1427 CVE-2015-3320 200 +Info 2015-04-16 2017-01-17
2.1
None Local Low Not required Partial None None
Lenovo USB Enhanced Performance Keyboard software before 2.0.2.2 includes active debugging code in SKHOOKS.DLL, which allows local users to obtain keypress information by accessing debug output.
1428 CVE-2015-3291 17 DoS 2015-08-31 2016-12-21
2.1
None Local Low Not required None None Partial
arch/x86/entry/entry_64.S in the Linux kernel before 4.1.6 on the x86_64 platform does not properly determine when nested NMI processing is occurring, which allows local users to cause a denial of service (skipped NMI) by modifying the rsp register, issuing a syscall instruction, and triggering an NMI.
1429 CVE-2015-3285 119 DoS Overflow Mem. Corr. 2015-08-12 2017-09-20
2.1
None Local Low Not required None None Partial
The pioctl for the OSD FS command in OpenAFS before 1.6.13 uses the wrong pointer when writing the results of the RPC, which allows local users to cause a denial of service (memory corruption and kernel panic) via a crafted OSD FS command.
1430 CVE-2015-3284 200 +Info 2015-08-12 2017-09-20
2.1
None Local Low Not required Partial None None
pioctls in OpenAFS 1.6.x before 1.6.13 allows local users to read kernel memory via crafted commands.
1431 CVE-2015-3245 20 DoS 2015-08-11 2018-05-19
2.1
None Local Low Not required None None Partial
Incomplete blacklist vulnerability in the chfn function in libuser before 0.56.13-8 and 0.60 before 0.60-7, as used in the userhelper program in the usermode package, allows local users to cause a denial of service (/etc/passwd corruption) via a newline character in the GECOS field.
1432 CVE-2015-3243 532 +Info 2017-07-25 2017-07-31
2.1
None Local Low Not required Partial None None
rsyslog uses weak permissions for generating log files, which allows local users to obtain sensitive information by reading files in /var/log/cron.
1433 CVE-2015-3218 DoS 2015-10-26 2018-07-17
2.1
None Local Low Not required None None Partial
The authentication_agent_new function in polkitbackend/polkitbackendinteractiveauthority.c in PolicyKit (aka polkit) before 0.113 allows local users to cause a denial of service (NULL pointer dereference and polkitd daemon crash) by calling RegisterAuthenticationAgent with an invalid object path.
1434 CVE-2015-3211 59 2017-08-25 2017-09-06
2.1
None Local Low Not required None Partial None
php-fpm allows local users to write to or create arbitrary files via a symlink attack.
1435 CVE-2015-3201 200 +Info 2015-06-08 2016-12-30
2.1
None Local Low Not required Partial None None
Thermostat before 2.0.0 uses world-readable permissions for the web.xml configuration file, which allows local users to obtain user credentials by reading the file.
1436 CVE-2015-3171 200 +Info 2017-07-25 2017-07-28
2.1
None Local Low Not required Partial None None
sosreport 3.2 uses weak permissions for generated sosreport archives, which allows local users with access to /var/tmp/ to obtain sensitive information by reading the contents of the archive.
1437 CVE-2015-3170 254 DoS 2017-07-21 2017-07-26
2.1
None Local Low Not required None None Partial
selinux-policy when sysctl fs.protected_hardlinks are set to 0 allows local users to cause a denial of service (SSH login prevention) by creating a hardlink to /etc/passwd from a directory named .config, and updating selinux-policy.
1438 CVE-2015-3156 59 2017-08-11 2017-08-25
2.1
None Local Low Not required None Partial None
The _write_config function in trove/guestagent/datastore/experimental/mongodb/service.py, reset_configuration function in trove/guestagent/datastore/experimental/postgresql/service/config.py, write_config function in trove/guestagent/datastore/experimental/redis/service.py, _write_mycnf function in trove/guestagent/datastore/mysql/service.py, InnoBackupEx::_run_prepare function in trove/guestagent/strategies/restore/mysql_impl.py, InnoBackupEx::cmd function in trove/guestagent/strategies/backup/mysql_impl.py, MySQLDump::cmd in trove/guestagent/strategies/backup/mysql_impl.py, InnoBackupExIncremental::cmd function in trove/guestagent/strategies/backup/mysql_impl.py, _get_actual_db_status function in trove/guestagent/datastore/experimental/cassandra/system.py and trove/guestagent/datastore/experimental/cassandra/service.py, and multiple class CbBackup methods in trove/guestagent/strategies/backup/experimental/couchbase_impl.py in Openstack DBaaS (aka Trove) as packaged in Openstack before 2015.1.0 (aka Kilo) allows local users to write to configuration files via a symlink attack on a temporary file.
1439 CVE-2015-3149 59 2017-07-25 2017-07-31
2.1
None Local Low Not required None Partial None
The Hotspot component in OpenJDK8 as packaged in Red Hat Enterprise Linux 6 and 7 allows local users to write to arbitrary files via a symlink attack.
1440 CVE-2015-3010 200 +Info 2015-06-16 2016-12-02
2.1
None Local Low Not required Partial None None
ceph-deploy before 1.5.23 uses weak permissions (644) for ceph/ceph.client.admin.keyring, which allows local users to obtain sensitive information by reading the file.
1441 CVE-2015-2987 17 2015-08-28 2015-08-31
2.6
None Remote High Not required Partial None None
Type74 ED before 4.0 misuses 128-bit ECB encryption for small files, which makes it easier for attackers to obtain plaintext data via differential cryptanalysis of a file with an original length smaller than 128 bits.
1442 CVE-2015-2877 200 +Info 2017-03-03 2017-03-16
2.1
None Local Low Not required Partial None None
** DISPUTED ** Kernel Samepage Merging (KSM) in the Linux kernel 2.6.32 through 4.x does not prevent use of a write-timing side channel, which allows guest OS users to defeat the ASLR protection mechanism on other guest OS instances via a Cross-VM ASL INtrospection (CAIN) attack. NOTE: the vendor states "Basically if you care about this attack vector, disable deduplication." Share-until-written approaches for memory conservation among mutually untrusting tenants are inherently detectable for information disclosure, and can be classified as potentially misunderstood behaviors rather than vulnerabilities.
1443 CVE-2015-2714 264 +Info 2015-05-14 2017-01-02
2.1
None Local Low Not required Partial None None
Mozilla Firefox before 38.0 on Android does not properly restrict writing URL data to the Android logging system, which allows attackers to obtain sensitive information via a crafted application that has a required permission for reading a log, as demonstrated by the READ_LOGS permission for the mixed-content violation log on Android 4.0 and earlier.
1444 CVE-2015-2661 2015-07-16 2018-01-04
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in Oracle MySQL Server 5.6.24 and earlier allows local users to affect availability via unknown vectors related to Client.
1445 CVE-2015-2627 2015-07-16 2018-01-04
2.6
None Remote High Not required Partial None None
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote attackers to affect confidentiality via unknown vectors related to installation.
1446 CVE-2015-2625 2015-07-16 2018-01-04
2.6
None Remote High Not required Partial None None
Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45; JRockit R28.3.6; and Java SE Embedded 7u75 and 8u33 allows remote attackers to affect confidentiality via vectors related to JSSE.
1447 CVE-2015-2618 2015-07-16 2017-09-21
2.1
None Remote High Single system None Partial None
Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote authenticated users to affect integrity via unknown vectors related to Input validation.
1448 CVE-2015-2585 2015-07-16 2017-09-21
2.1
None Remote High Single system None None Partial
Unspecified vulnerability in the Application Express component in Oracle Database Server before 5.0 allows remote authenticated users to affect availability via unknown vectors.
1449 CVE-2015-2579 2015-04-16 2016-12-02
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in the Oracle Health Sciences Argus Safety component in Oracle Health Sciences Applications 8.0 allows local users to affect confidentiality via vectors related to BIP Installer.
1450 CVE-2015-2576 2015-04-16 2017-01-03
2.1
None Local Low Not required None Partial None
Unspecified vulnerability in the MySQL Utilities component in Oracle MySQL 1.5.1 and earlier, when running on Windows, allows local users to affect integrity via unknown vectors related to Installation.
Total number of vulnerabilities : 4392   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 (This Page)30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.