CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1451 CVE-2015-8487 200 +Info CSRF 2016-02-16 2016-02-22
2.6
None Remote High Not required Partial None None
Cybozu Office 9.0.0 through 10.3 allows remote attackers to discover CSRF tokens via unspecified vectors, a different vulnerability than CVE-2015-8488.
1452 CVE-2015-8482 264 2015-12-07 2015-12-08
2.1
None Local Low Not required None Partial None
Blue Coat Unified Agent before 4.6.2 does not prevent modification of its configuration files when running in local enforcement mode, which allows local administrators to unblock categories or disable the agent via unspecified vectors.
1453 CVE-2015-8374 200 +Info 2015-12-28 2018-01-04
2.1
None Local Low Not required Partial None None
fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compressed inline extents, which allows local users to obtain sensitive pre-truncation information from a file via a clone action.
1454 CVE-2015-8345 399 DoS 2017-04-13 2017-11-03
2.1
None Local Low Not required None None Partial
The eepro100 emulator in QEMU qemu-kvm blank allows local guest users to cause a denial of service (application crash and infinite loop) via vectors involving the command block list.
1455 CVE-2015-8303 200 +Info 2016-01-08 2016-01-13
2.1
None Local Low Not required Partial None None
Huawei Document Security Management (DSM) with software before V100R002C05SPC661 does not clear the clipboard when closing a secure file, which allows local users to obtain sensitive information by pasting the contents to another file.
1456 CVE-2015-8233 79 XSS 2015-11-17 2015-11-18
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the MAYO theme 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.6 for Drupal allows remote administrators with the "Administer themes" permission to inject arbitrary web script or HTML via unspecified vectors related to theme settings.
1457 CVE-2015-8100 200 +Info 2015-11-09 2016-12-07
2.1
None Local Low Not required Partial None None
The net-snmp package in OpenBSD through 5.8 uses 0644 permissions for snmpd.conf, which allows local users to obtain sensitive community information by reading this file.
1458 CVE-2015-8035 399 DoS 2015-11-18 2017-09-13
2.6
None Remote High Not required None None Partial
The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.
1459 CVE-2015-8034 200 +Info 2017-01-30 2017-03-01
2.1
None Local Low Not required Partial None None
The state.sls function in Salt before 2015.8.3 uses weak permissions on the cache data, which allows local users to obtain sensitive information by reading the file.
1460 CVE-2015-8025 264 Bypass 2015-11-10 2016-12-07
2.1
None Local Low Not required None Partial None
driver/subprocs.c in XScreenSaver before 5.34 does not properly perform an internal consistency check, which allows physically proximate attackers to bypass the lock screen by hot swapping monitors.
1461 CVE-2015-7975 119 DoS Overflow 2017-01-30 2017-11-20
2.1
None Local Low Not required None None Partial
The nextvar function in NTP before 4.2.8p6 and 4.3.x before 4.3.90 does not properly validate the length of its input, which allows an attacker to cause a denial of service (application crash).
1462 CVE-2015-7974 254 2016-01-26 2018-01-04
2.1
None Remote High Single system None Partial None
NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."
1463 CVE-2015-7972 399 DoS 2015-10-30 2018-10-30
2.1
None Local Low Not required None None Partial
The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen 3.4.x through 4.6.x do not properly calculate the balloon size when using the populate-on-demand (PoD) system, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors related to "heavy memory pressure."
1464 CVE-2015-7971 19 DoS 2015-10-30 2018-10-30
2.1
None Local Low Not required None None Partial
Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, which allows local guests to cause a denial of service via a sequence of crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in the do_xenpmu_op function in arch/x86/cpu/vpmu.c.
1465 CVE-2015-7898 284 DoS 2017-06-27 2017-07-03
2.1
None Local Low Not required None None Partial
Samsung Gallery in the Samsung Galaxy S6 allows local users to cause a denial of service (process crash).
1466 CVE-2015-7895 284 DoS 2017-06-27 2017-07-03
2.1
None Local Low Not required None None Partial
Samsung Gallery on the Samsung Galaxy S6 allows local users to cause a denial of service (process crash).
1467 CVE-2015-7885 200 +Info 2015-12-28 2016-12-07
2.1
None Local Low Not required Partial None None
The dgnc_mgmt_ioctl function in drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application.
1468 CVE-2015-7872 20 DoS 2015-11-16 2017-01-19
2.1
None Local Low Not required None None Partial
The key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 4.2.6 allows local users to cause a denial of service (OOPS) via crafted keyctl commands.
1469 CVE-2015-7846 200 +Info 2017-09-25 2017-10-10
2.1
None Local Low Not required Partial None None
Huawei S7700, S9700, S9300 before V200R07C00SPC500, and AR200, AR1200, AR2200, AR3200 before V200R005C20SPC200 allows attackers with physical access to the CF card to obtain sensitive information.
1470 CVE-2015-7837 254 Bypass 2017-09-19 2017-10-05
2.1
None Local Low Not required None Partial None
The Linux kernel, as used in Red Hat Enterprise Linux 7, kernel-rt, and Enterprise MRG 2 and when booted with UEFI Secure Boot enabled, allows local users to bypass intended securelevel/secureboot restrictions by leveraging improper handling of secure_boot flag across kexec reboot.
1471 CVE-2015-7813 399 DoS 2015-10-30 2018-10-30
2.1
None Local Low Not required None None Partial
Xen 4.4.x, 4.5.x, and 4.6.x does not limit the number of printk console messages when reporting unimplemented hypercalls, which allows local guests to cause a denial of service via a sequence of (1) HYPERVISOR_physdev_op hypercalls, which are not properly handled in the do_physdev_op function in arch/arm/physdev.c, or (2) HYPERVISOR_hvm_op hypercalls, which are not properly handled in the do_hvm_op function in arch/arm/hvm.c.
1472 CVE-2015-7758 59 2016-01-08 2018-10-30
2.1
None Local Low Not required None Partial None
Gummi 0.6.5 allows local users to write to arbitrary files via a symlink attack on a temporary dot file that uses the name of an existing file and a (1) .aux, (2) .log, (3) .out, (4) .pdf, or (5) .toc extension for the file name, as demonstrated by .thesis.tex.aux.
1473 CVE-2015-7744 19 2016-01-22 2018-10-30
2.6
None Remote High Not required Partial None None
wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CRT) process when allowing ephemeral key exchange without low memory optimizations on a server, which makes it easier for remote attackers to obtain private RSA keys by capturing TLS handshakes, aka a Lenstra attack.
1474 CVE-2015-7549 476 DoS 2017-10-30 2017-11-21
2.1
None Local Low Not required None None Partial
The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method.
1475 CVE-2015-7548 200 +Info 2016-01-12 2018-11-16
2.1
None Remote High Single system Partial None None
OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allow remote authenticated users to read arbitrary files by overwriting an instance disk with a crafted image and requesting a snapshot.
1476 CVE-2015-7488 200 +Info 2016-01-27 2016-01-27
2.1
None Local Low Not required Partial None None
IBM Spectrum Scale 4.1.1.x before 4.1.1.4 and 4.2.x before 4.2.0.1, in certain LDAP File protocol configurations, allows remote attackers to discover an LDAP password via unspecified vectors.
1477 CVE-2015-7473 284 Bypass 2016-06-26 2016-11-29
2.1
None Local Low Not required None Partial None
runmqsc in IBM WebSphere MQ 8.x before 8.0.0.5 allows local users to bypass intended queue-manager command access restrictions by leveraging authority for +connect and +dsp.
1478 CVE-2015-7462 255 2016-06-19 2016-11-29
2.1
None Local Low Not required Partial None None
IBM WebSphere MQ 8.0.0.4 on IBM i platforms allows local users to discover cleartext certificate-keystore passwords within MQ trace output by leveraging administrator privileges to execute the mqcertck program.
1479 CVE-2015-7449 326 +Info 2018-03-20 2018-04-13
2.1
None Local Low Not required Partial None None
IBM Rational Collaborative Lifecycle Management (CLM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Quality Manager (RQM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Team Concert (RTC) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Requirements Composer (RRC) 4.0.x before 4.0.7 iFix10; Rational DOORS Next Generation (RDNG) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Engineering Lifecycle Manager (RELM) 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7 before iFix1, 5.0.x before 5.0.2 iFix1, and 6.0.x before 6.0.2; Rational Rhapsody Design Manager (Rhapsody DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2; Rational Software Architect Design Manager (RSA DM) 4.0.x before 4.0.7 iFix10, 5.0.x before 5.0.2 iFix15, 6.0.x before 6.0.1 iFix5, and 6.0.2 before iFix2 allow local users to obtain sensitive information by leveraging weak encryption. IBM X-Force ID: 108221.
1480 CVE-2015-7437 200 +Info 2016-01-02 2016-01-07
2.1
None Local Low Not required Partial None None
Queue Watcher in IBM Sterling B2B Integrator 5.2 allows local users to obtain sensitive information via unspecified vectors.
1481 CVE-2015-7434 200 +Info 2018-03-26 2018-04-17
2.1
None Local Low Not required Partial None None
IBM Capacity Management Analytics 2.1.0.0 allows local users to discover encrypted usernames and passwords by leveraging access to the CMA install machine. IBM X-Force ID: 107863.
1482 CVE-2015-7433 200 +Info 2018-03-26 2018-04-17
2.1
None Local Low Not required Partial None None
IBM Capacity Management Analytics 2.1.0.0 allows local users to discover cleartext usernames and passwords by leveraging access to the CMA install machine. IBM X-Force ID: 107862.
1483 CVE-2015-7432 200 +Info 2018-03-26 2018-04-17
2.1
None Local Low Not required Partial None None
IBM Capacity Management Analytics 2.1.0.0 allows local users to decrypt usernames and passwords by leveraging access to setenv.sh and parameter.txt. IBM X-Force ID: 107861.
1484 CVE-2015-7422 119 DoS Overflow 2016-01-02 2016-01-07
2.1
None Local Low Not required None None Partial
Buffer overflow in IBM i Access 7.1 on Windows allows local users to cause a denial of service (application crash) via unspecified vectors.
1485 CVE-2015-7418 200 +Info 2017-02-08 2017-02-14
2.1
None Local Low Not required Partial None None
IBM WebSphere eXtreme Scale and the WebSphere DataPower XC10 Appliance allow some sensitive data to linger in memory instead of being overwritten which could allow a local user with administrator privileges to obtain sensitive information.
1486 CVE-2015-7416 20 DoS 2016-01-02 2016-01-05
2.1
None Local Low Not required None None Partial
AFP Workbench Viewer in IBM i Access 7.1 on Windows allows remote attackers to cause a denial of service (viewer crash) via a crafted workbench file.
1487 CVE-2015-7412 200 +Info 2015-11-08 2015-11-09
2.6
None Remote High Not required Partial None None
The GatewayScript modules on IBM DataPower Gateways with software 7.2.0.x before 7.2.0.1, when the GatewayScript decryption API or a JWE decrypt action is enabled, do not require signed ciphertext data, which makes it easier for remote attackers to obtain plaintext data via a padding-oracle attack.
1488 CVE-2015-7408 264 2016-02-14 2016-03-10
2.6
None Remote High Not required Partial None None
The server in IBM Spectrum Protect (aka Tivoli Storage Manager) 5.5 and 6.x before 6.3.5.1 and 7.x before 7.1.4 does not properly restrict use of the ASNODENAME option, which allows remote attackers to read or write to backup data by leveraging proxy authority.
1489 CVE-2015-7403 DoS 2016-01-02 2018-10-11
2.1
None Local Low Not required None None Partial
IBM Spectrum Scale 4.1.1.x before 4.1.1.3 and General Parallel File System (GPFS) 3.5.x before 3.5.0.29 and 4.1.x through 4.1.0.8 on AIX allow local users to cause a denial of service (incorrect pointer dereference and node crash) via unspecified vectors.
1490 CVE-2015-7368 200 +Info 2015-10-14 2018-10-09
2.1
None Local Low Not required Partial None None
Revive Adserver before 3.2.2 does not send the appropriate Cache-Control HTTP headers in responses for admin UI pages, which allows local users to obtain sensitive information via the web browser cache.
1491 CVE-2015-7304 79 XSS 2015-09-21 2015-09-22
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the amoCRM module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified HTTP POST data.
1492 CVE-2015-7238 264 +Info 2015-09-18 2015-09-22
2.1
None Local Low Not required Partial None None
The Secondary server in Threat Intelligence Exchange (TIE) before 1.2.0 uses weak permissions for unspecified (1) configuration files and (2) installation logs, which allows local users to obtain sensitive information by reading the files.
1493 CVE-2015-7232 79 XSS 2015-09-17 2015-09-18
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in unspecified administration pages in the OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Ontology module is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
1494 CVE-2015-7094 20 Bypass 2015-12-11 2017-09-12
2.6
None Remote High Not required None Partial None
CFNetwork HTTPProtocol in Apple iOS before 9.2 and OS X before 10.11.2 allows man-in-the-middle attackers to bypass the HSTS protection mechanism via a crafted URL.
1495 CVE-2015-7080 200 Bypass +Info 2015-12-11 2016-12-07
2.1
None Local Low Not required Partial None None
Siri in Apple iOS before 9.2 allows physically proximate attackers to bypass an intended client-side protection mechanism and obtain sensitive content-notification information by listening to a device in the lock-screen state.
1496 CVE-2015-7067 DoS 2015-12-11 2017-09-12
2.1
None Local Low Not required None None Partial
IOThunderboltFamily in Apple OS X before 10.11.2 allows local users to cause a denial of service (NULL pointer dereference) via an unspecified userclient type.
1497 CVE-2015-7046 200 Bypass +Info 2015-12-11 2017-09-12
2.6
None Remote High Not required Partial None None
The Sandbox feature in xnu in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 does not properly implement privilege separation, which allows attackers to bypass the ASLR protection mechanism via a crafted app with root privileges.
1498 CVE-2015-7000 200 +Info 2015-10-23 2016-12-23
2.1
None Local Low Not required Partial None None
Notification Center in Apple iOS before 9.1 mishandles changes to "Show on Lock Screen" settings, which allows physically proximate attackers to obtain sensitive information by looking for a (1) Phone or (2) Messages notification on the lock screen soon after a setting was disabled.
1499 CVE-2015-6987 20 DoS 2015-10-23 2015-10-26
2.1
None Local Low Not required None None Partial
The File Bookmark component in Apple OS X before 10.11.1 allows local users to cause a denial of service (application crash) via crafted bookmark metadata in a folder.
1500 CVE-2015-6921 79 XSS 2015-09-11 2015-09-14
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Zendesk Feedback Tab module 7.x-1.x before 7.x-1.1 for Drupal allows remote administrators with the "Configure Zendesk Feedback Tab" permission to inject arbitrary web script or HTML via unspecified vectors.
Total number of vulnerabilities : 4561   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 (This Page)31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.