MEMPHIS COMPUTER REPAIR . COM

Networking - WiFi, Data Recovery, Web Design, SEO, Computer Repair and Support



 

Memphis Computer Repair brings you top quality technicians at unbeatable rates 24 hours a day, 7 days a week. Our highly trained and experienced staff will assist you with all of your information technology needs. We service business computers, residential computers, servers, workstations, desktop PCs, and laptops.

Computer Related Services

Our skilled staff has more to offer than merely computer repair services. We specialize in building and implementing residential and business computer networks. Securing your network is only a click away! Guarauntee the safety of your data by only allowing access to who you choose! Are you sure you need a new printer? Don't buy a new printer for every computer you own. Save money by networking your computers and your printer! Any printer can be used on a network, be it a residential network or a business network.

Memphis Computer Repair is always open for business. We service and repair all bands and models of computers including: Dell, Gateway, Compaq, Hewlett-Packard HP, IBM, and all custom built computers.

Our discounted computer repair rates will fit your budget.

We stand behind our work with a 100% satisfaction guarauntee!

With every computer we service we include a comprehensive and easily read reapir ticket to keep you informed on what has been done. We replace difficult computer lingo with understandable terms that you will understand. We never perform unnecessary work and we will ALWAYS inform you of the cost before any work is done!

Have you been blindsided by a computer repair company that charged you an outrageous amount for repairs you think you might not have needed? You will know the complete cost of any computer work done before the service is performed. If computer repair cost is out of your budget, we will not charge you for the estimate.

Servicing The Following Locations

Memphis, TN, Olive Branch, Southaven, Horn Lake, Hernando, Byhalia, Barton, Collierville, Cordova, Germantown, West Memphis, AR, Oakland, TN, Bartlett, Raleigh, Millington, Tunica, MS, and all areas of Shelby County Tennessee, DeSoto County Mississippi, and Marshall County Mississippi.

Have questions? Need help?

We would be glad to help you; simply contact us via our contact page, Contact Us.

*based on 33.6 Kilobits per second Internet connection speed

Valid CSS!

Open a Service Request/Repair Ticket or Call us @
901-515-8433
Name:
Address:
City: State:
Zip:Phone Number:
Email Address:
Computer Brand:
Computer Model:
Problem or Service Requested



US-CERT: The United States Computer Emergency Readiness Team


01/26/2015 05:12 AM
SB15-026: Vulnerability Summary for the Week of January 19, 2015
Original release date: January 26, 2015

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
adb -- p.dga4001n_firmwareThe ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service (device restart) as demonstrated by a direct request to (1) wlsecurity.html or (2) resetrouter.html.2015-01-219.4CVE-2015-0554
EXPLOIT-DB
MISC
advantech -- adamviewMultiple stack-based buffer overflows in Advantech AdamView 4.3 and earlier allow remote attackers to execute arbitrary code via a crafted (1) display properties or (2) conditional bitmap parameter in a GNI file.2015-01-207.5CVE-2014-8386
EXPLOIT-DB
MISC
FULLDISC
arbiter_systems -- 1094b_gps_substation_clockArbiter 1094B GPS Substation Clock allows remote attackers to cause a denial of service (disruption) via crafted radio transmissions that spoof GPS satellite broadcasts.2015-01-167.8CVE-2014-9194
ceragon_fiberair_ip-10 -- -Ceragon FiberAir IP-10 bridges have a default password for the root account, which makes it easier for remote attackers to obtain access via a (1) HTTP, (2) SSH, (3) TELNET, or (4) CLI session.2015-01-177.8CVE-2015-0924
ffmpeg -- ffmpegUse-after-free vulnerability in the matroska_read_seek function in libavformat/matroskadec.c in FFmpeg before 2.5.1, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Matroska file that triggers improper maintenance of tracks data.2015-01-227.5CVE-2014-7933
CONFIRM
CONFIRM
ffmpeg -- ffmpegMultiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data.2015-01-227.5CVE-2014-7937
ffmpeg -- ffmpeglibavcodec/xface.h in FFmpeg before 2.5.2 establishes certain digits and words array dimensions that do not satisfy a required mathematical relationship, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted X-Face image data.2015-01-167.5CVE-2014-9602
CONFIRM
ffmpeg -- ffmpegThe vmd_decode function in libavcodec/vmdvideo.c in FFmpeg before 2.5.2 does not validate the relationship between a certain length value and the frame width, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Sierra VMD video data.2015-01-167.5CVE-2014-9603
CONFIRM
ffmpeg -- ffmpeglibavcodec/utvideodec.c in FFmpeg before 2.5.2 does not check for a zero value of a slice height, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Ut Video data, related to the (1) restore_median and (2) restore_median_il functions.2015-01-167.5CVE-2014-9604
CONFIRM
ge -- multilink_ml1200GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier allow remote attackers to cause a denial of service (resource consumption or reboot) via crafted packets.2015-01-167.8CVE-2014-5418
gentoo -- libsndfileThe sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attackers to have unspecified impact via vectors related to a (1) map offset or (2) rsrc marker, which triggers an out-of-bounds read.2015-01-1610.0CVE-2014-9496
CONFIRM
CONFIRM
MLIST
SECUNIA
SUSE
gnu -- coreutilsThe parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the "--date=TZ="123"345" @1" string to the touch or date command.2015-01-167.5CVE-2014-9471
CONFIRM
MLIST
MLIST
MLIST
SECUNIA
CONFIRM
google -- chromeThe Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7926.2015-01-227.5CVE-2014-7923
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
google -- chromeUse-after-free vulnerability in the WebAudio implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an audio-rendering thread in which AudioNode data is improperly maintained.2015-01-227.5CVE-2014-7925
CONFIRM
CONFIRM
CONFIRM
CONFIRM
google -- chromeThe Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7923.2015-01-227.5CVE-2014-7926
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
google -- chromeThe SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code.2015-01-227.5CVE-2014-7927
CONFIRM
CONFIRM
google -- chromehydrogen.cc in Google V8, as used Google Chrome before 40.0.2214.91, does not properly handle arrays with holes, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers an array copy.2015-01-227.5CVE-2014-7928
CONFIRM
CONFIRM
google -- chromeUse-after-free vulnerability in the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving movement of a SCRIPT element across documents.2015-01-227.5CVE-2014-7929
CONFIRM
CONFIRM
google -- chromeUse-after-free vulnerability in core/events/TreeScopeEventContext.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of TreeScope data.2015-01-227.5CVE-2014-7930
CONFIRM
CONFIRM
google -- chromefactory.cc in Google V8, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of backing-store pointers.2015-01-227.5CVE-2014-7931
CONFIRM
CONFIRM
google -- chromeUse-after-free vulnerability in the Element::detach function in core/dom/Element.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving pending updates of detached elements.2015-01-227.5CVE-2014-7932
CONFIRM
CONFIRM
google -- chromeUse-after-free vulnerability in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to unexpected absence of document data structures.2015-01-227.5CVE-2014-7934
CONFIRM
CONFIRM
CONFIRM
google -- chromeUse-after-free vulnerability in browser/speech/tts_message_filter.cc in the Speech implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving utterances from a closed tab.2015-01-227.5CVE-2014-7935
CONFIRM
CONFIRM
google -- chromeThe Fonts implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors.2015-01-227.5CVE-2014-7938
google -- chromeThe collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence.2015-01-227.5CVE-2014-7940
google -- chromeThe Fonts implementation in Google Chrome before 40.0.2214.91 does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.2015-01-227.5CVE-2014-7942
gtk -- gtk+GTK+ 3.10.9 and earlier, as used in cinnamon-screensaver, gnome-screensaver, and other applications, allows physically proximate attackers to bypass the lock screen by pressing the menu button.2015-01-167.2CVE-2014-1949
CONFIRM
CONFIRM
CONFIRM
UBUNTU
MLIST
MLIST
ibm -- sas_connectivity_module_firmwareIBM BladeCenter SAS Connectivity Module (aka NSSM) and SAS RAID Module (aka RSSM) before 1.3.3.006 allow remote attackers to cause a denial of service (reboot) via a flood of IP packets.2015-01-177.8CVE-2014-3018
XF
ipass -- ipass_open_mobileThe client in iPass Open Mobile before 2.4.5 on Windows allows remote authenticated users to execute arbitrary code via a DLL pathname in a crafted Unicode string that is improperly handled by a subprocess reached through a named pipe, as demonstrated by a UNC share pathname.2015-01-229.0CVE-2015-0925
juniper -- junosThe Juniper MX Series routers with Junos 13.3R3 through 13.3Rx before 13.3R6, 14.1 before 14.1R4, 14.1X50 before 14.1X50-D70, and 14.2 before 14.2R2, when configured as a broadband edge (BBE) router, allows remote attackers to cause a denial of service (jpppd crash and restart) by sending a crafted PAP Authenticate-Request after the PPPoE Discovery and LCP phase are complete.2015-01-167.1CVE-2014-6382
BID
juniper -- junosJuniper Junos 11.4 before 11.4R8, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R9, 12.3R2 before 12.3R2-S3, 12.3 before 12.3R3, 13.1 before 13.1R4, and 13.2 before 13.2R1 allows remote attackers to cause a denial of service (assertion failure and rpd restart) via a crafted BGP FlowSpec prefix.2015-01-167.8CVE-2014-6386
SECTRACK
BID
libpng -- libpngBuffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.2015-01-187.5CVE-2015-0973
MLIST
MLIST
MISC
MLIST
macroplant -- iexplorerUntrusted search path vulnerability in Macroplant iExplorer 3.6.3.0 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse itunesmobiledevice.dll.2015-01-167.2CVE-2014-9600
XF
MISC
oracle -- oracle_and_sun_systems_product_suiteUnspecified vulnerability in the Solaris Cluster component in Oracle Sun Systems Products Suite 3.3 and 4.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to System management.2015-01-219.0CVE-2014-4259
oracle -- jdkUnspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.2015-01-2110.0CVE-2014-6549
oracle -- jd_edwards_productsUnspecified vulnerability in the JD Edwards EnterpriseOne Tools component in Oracle JD Edwards Products 9.1.5 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Portal SEC.2015-01-217.5CVE-2014-6565
oracle -- database_serverUnspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher's claim that this is a stack-based buffer overflow in DBMS_AW.EXECUTE, which allows code execution via a long Current Directory Alias (CDA) command.2015-01-219.0CVE-2014-6567
MISC
oracle -- jdkUnspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.2015-01-2110.0CVE-2014-6601
oracle -- jdkUnspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.2015-01-219.3CVE-2015-0395
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 3.0.1 and 3.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Admin Console.2015-01-217.5CVE-2015-0396
oracle -- jdkUnspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI.2015-01-2110.0CVE-2015-0408
CONFIRM
oracle -- mysqlUnspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption.2015-01-217.5CVE-2015-0411
oracle -- jdkUnspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS.2015-01-217.2CVE-2015-0412
oracle -- integrated_lights_out_manager_firmwareUnspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite ILOM prior to 3.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to IPMI.2015-01-217.5CVE-2015-0424
oracle -- jdkUnspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.2015-01-219.3CVE-2015-0437
pheonixcontact-software -- multiprogPhoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic.2015-01-167.5CVE-2014-9195
redhat -- cloudforms_3.1_management_engineThe customization template in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 uses a default password for the root account when a password is not specified for a new image, which allows remote attackers to gain privileges.2015-01-1610.0CVE-2014-3692
SECUNIA
samba -- sambaSamba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4, when an Active Directory Domain Controller (AD DC) is configured, allows remote authenticated users to set the LDB userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by leveraging delegation of authority for user-account or computer-account creation.2015-01-168.5CVE-2014-8143
sap -- hana_extend_application_servicesThe Extended Application Services (XS) in SAP HANA allows remote attackers to inject arbitrary ABAP code via unspecified vectors, aka SAP Note 2098906. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2015-01-2210.0CVE-2015-1311
MISC
sap -- enterprise_resource_planningThe Dealer Portal in SAP ERP does not properly restrict access, which allows remote attackers to obtain sensitive information, gain privileges, and possibly have other unspecified impact via unknown vectors, aka SAP Note 2000401. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2015-01-227.5CVE-2015-1312
MISC
siemens -- scalance_x-300_series_firmwareThe web server on Siemens SCALANCE X-300 switches with firmware before 4.0 and SCALANCE X 408 switches with firmware before 4.0 allows remote attackers to cause a denial of service (reboot) via malformed HTTP requests.2015-01-217.8CVE-2014-8478
sun -- sunosUnspecified vulnerability in Oracle Solaris 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Power Management Utility.2015-01-217.2CVE-2014-6510
sun -- sunosUnspecified vulnerability in Oracle Solaris 10 allows local users to affect confidentiality, integrity, and availability via vectors related to CDE - Power Management Utility.2015-01-217.2CVE-2014-6521
sun -- sunosUnspecified vulnerability in Oracle Solaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Kernel.2015-01-217.2CVE-2014-6524
sybase -- adaptive_server_enterpriseSQL injection vulnerability in SAP Adaptive Server Enterprise (Sybase ASE) allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Note 2113333. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2015-01-227.5CVE-2015-1310
MISC
symantec -- critical_system_protectionThe Agent Control Interface in the management server in Symantec Critical System Protection (SCSP) 5.2.9 before MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x before 6.0 MP1 allows remote authenticated users to execute arbitrary commands by leveraging client-system access to upload a log file.2015-01-219.0CVE-2014-3440
BID
symantec -- critical_system_protectionThe management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows local users to bypass intended Protection Policies via unspecified vectors.2015-01-217.2CVE-2014-9226
BID
web-dorado -- photo_gallerySQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php.2015-01-167.5CVE-2015-1055
BID
FULLDISC
Back to top

Medium Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
7-zip -- p7zipp7zip 9.20.1 allows remote attackers to write to arbitrary files via a symlink attack in an archive.2015-01-215.8CVE-2015-1038
MISC
MISC
XF
BID
MLIST
apache -- xml_securityApache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document.2015-01-215.0CVE-2014-8152
XF
SECTRACK
BID
MLIST
b2evolution -- b2evolutionCross-site scripting (XSS) vulnerability in the filemanager in b2evolution before 5.2.1 allows remote attackers to inject arbitrary web script or HTML via the fm_filter parameter to blogs/admin.php.2015-01-164.3CVE-2014-9599
CONFIRM
XF
BID
MISC
MISC
FULLDISC
MISC
brother -- mfc-j4410dwCross-site scripting (XSS) vulnerability in Brother MFC-J4410DW printer with firmware before L allows remote attackers to inject arbitrary web script or HTML via the url parameter to general/status.html and possibly other pages.2015-01-164.3CVE-2015-1056
XF
BID
BUGTRAQ
MISC
cagintranetworks -- getsimple_cmsXML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter.2015-01-205.0CVE-2014-8790
CONFIRM
FULLDISC
MISC
MISC
CONFIRM
cisco -- unified_communications_managerAbsolute path traversal vulnerability in the Real-Time Monitoring Tool (RTMT) API in Cisco Unified Communications Manager (CUCM) allows remote authenticated users to read arbitrary files via a full pathname in an API command, aka Bug ID CSCur49414.2015-01-226.8CVE-2014-8008
cisco -- webex_meeting_centerCisco WebEx Meeting Center allows remote attackers to activate disabled meeting attributes, and consequently obtain sensitive information, by providing crafted parameters during a meeting-join action, aka Bug ID CSCuo34165.2015-01-175.0CVE-2015-0590
clorius_controls_a/s -- java_web_clientThe Clorius Controls Java web client before 01.00.0009g allows remote attackers to discover credentials by sniffing the network for cleartext-equivalent traffic.2015-01-165.0CVE-2014-9199
croogo -- croogoCross-site scripting (XSS) vulnerability in the administrative backend in Croogo before 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the path parameter to admin/file_manager/file_manager/editfile.2015-01-164.3CVE-2015-1053
CONFIRM
XF
BID
MISC
MISC
FULLDISC
MISC
debian -- dpkgMultiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the (1) package or (2) architecture name.2015-01-206.8CVE-2014-8625
CONFIRM
CONFIRM
XF
MLIST
MLIST
MLIST
djangoproject -- djangoDjango before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header.2015-01-165.0CVE-2015-0219
SECUNIA
SECUNIA
djangoproject -- djangoThe django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL.2015-01-164.3CVE-2015-0220
UBUNTU
SECUNIA
SECUNIA
djangoproject -- djangoThe django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file.2015-01-165.0CVE-2015-0221
SECUNIA
SECUNIA
djangoproject -- djangoModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries.2015-01-165.0CVE-2015-0222
SECUNIA
SECUNIA
e107 -- e107Cross-site scripting (XSS) vulnerability in usersettings.php in e107 2.0.0 allows remote attackers to inject arbitrary web script or HTML via the "Real Name" value.2015-01-164.3CVE-2015-1057
XF
EXPLOIT-DB
OSVDB
emc -- vipr_srmEMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 might allow remote attackers to obtain cleartext data-center discovery credentials by leveraging certain SRM access to conduct a decryption attack.2015-01-215.0CVE-2015-0514
BUGTRAQ
emc -- vipr_srmUnrestricted file upload vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to execute arbitrary code by uploading and then accessing an executable file.2015-01-216.5CVE-2015-0515
BUGTRAQ
emc -- vipr_srmDirectory traversal vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to read arbitrary files via a crafted URL.2015-01-214.0CVE-2015-0516
BUGTRAQ
file_project -- fileThe ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes.2015-01-215.0CVE-2014-9620
CONFIRM
MLIST
DEBIAN
MLIST
file_project -- fileThe ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string.2015-01-215.0CVE-2014-9621
CONFIRM
MLIST
MLIST
ge -- intelligent_platforms_proficy_hmi/scada_cimplicityThe (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIMPLICITY 8.2 and earlier allow remote attackers to gain privileges via a crafted CIMPLICITY screen (aka .CIM) file.2015-01-166.9CVE-2014-2355
ge -- multilink_ml1200GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier use the same RSA private key across different customers' installations, which makes it easier for remote attackers to obtain the cleartext content of network traffic by reading this key from a firmware image and then sniffing the network.2015-01-165.0CVE-2014-5419
gentoo -- xdg-utilsEval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported desktop environment is identified, allows context-dependent attackers to execute arbitrary code via the URL argument to xdg-open.2015-01-216.8CVE-2014-9622
CONFIRM
CONFIRM
MLIST
DEBIAN
SECUNIA
FULLDISC
getsentry -- raven-rubyThe numtok function in lib/raven/okjson.rb in the raven-ruby gem before 0.12.2 for Ruby allows remote attackers to cause a denial of service via a large exponent value in a scientific number.2015-01-205.0CVE-2014-9490
CONFIRM
CONFIRM
XF
MLIST
getusedtoit -- wp_slimstatCross-site scripting (XSS) vulnerability in the Save Filters functionality in the WP Slimstat plugin before 3.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fs[resource] parameter in the wp-slim-view-2 page to wp-admin/admin.php.2015-01-214.3CVE-2015-1204
MISC
CONFIRM
SECUNIA
gnu -- patchGNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file.2015-01-214.3CVE-2015-1196
CONFIRM
CONFIRM
XF
BID
MLIST
CONFIRM
google -- chromeUse-after-free vulnerability in the IndexedDB implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering duplicate BLOB references, related to content/browser/indexed_db/indexed_db_callbacks.cc and content/browser/indexed_db/indexed_db_dispatcher_host.cc.2015-01-225.0CVE-2014-7924
CONFIRM
CONFIRM
google -- chromeUse-after-free vulnerability in the ZoomBubbleView::Close function in browser/ui/views/location_bar/zoom_bubble_view.cc in the Views implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document that triggers improper maintenance of a zoom bubble.2015-01-226.8CVE-2014-7936
CONFIRM
CONFIRM
google -- chromeGoogle Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code with Proxy.create and console.log calls, related to HTTP responses that lack an "X-Content-Type-Options: nosniff" header.2015-01-224.3CVE-2014-7939
google -- chromeThe SelectionOwner::ProcessTarget function in ui/base/x/selection_owner.cc in the UI implementation in Google Chrome before 40.0.2214.91 uses an incorrect data type for a certain length value, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted X11 data.2015-01-225.0CVE-2014-7941
google -- chromeSkia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.2015-01-225.0CVE-2014-7943
CONFIRM
google -- chromeThe sycc422_to_rgb function in fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 40.0.2214.91, does not properly handle odd values of image width, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document.2015-01-225.0CVE-2014-7944
google -- chromeOpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c.2015-01-225.0CVE-2014-7945
google -- chromeThe RenderTable::simplifiedNormalFlowLayout function in core/rendering/RenderTable.cpp in Blink, as used in Google Chrome before 40.0.2214.91, skips captions during table layout in certain situations, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors related to the Fonts implementation.2015-01-225.0CVE-2014-7946
CONFIRM
google -- chromeOpenJPEG before r2944, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, pi.c, t1.c, t2.c, and tcd.c.2015-01-225.0CVE-2014-7947
google -- chromeThe AppCacheUpdateJob::URLFetcher::OnResponseStarted function in content/browser/appcache/appcache_update_job.cc in Google Chrome before 40.0.2214.91 proceeds with AppCache caching for SSL sessions even if there is an X.509 certificate error, which allows man-in-the-middle attackers to spoof HTML5 application content via a crafted certificate.2015-01-224.3CVE-2014-7948
ibm -- sas_connectivity_module_firmwareIBM BladeCenter SAS Connectivity Module (aka NSSM) and SAS RAID Module (aka RSSM) before 1.3.3.006 allow remote attackers to obtain blade and storage-pool access via a TELNET session.2015-01-175.0CVE-2014-3019
XF
ibm -- api_managementIBM API Management 3.0 before 3.0.4.0 IF1 allows remote attackers to obtain sensitive analytics information in an encrypted form via unspecified vectors.2015-01-215.0CVE-2014-6172
XF
AIXAPAR
ibm -- security_network_protection_xgs_firmwareIBM Security Network Protection 5.1.x and 5.2.x before 5.2.0.0 FP5 and 5.3.x before 5.3.0.0 FP1 allows remote attackers to conduct clickjacking attacks via unspecified vectors.2015-01-174.3CVE-2014-6197
XF
illumos -- illumosThe devzvol_readdir function in illumos does not check the return value of a strchr call, which allows remote attackers to cause a denial of service (NULL pointer dereference and panic) via unspecified vectors.2015-01-205.0CVE-2014-9491
CONFIRM
CONFIRM
XF
MLIST
insanevisions -- adaptcmsMultiple cross-site scripting (XSS) vulnerabilities in AdaptCMS 3.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Category][title] parameter to admin/categories/add, (2) data[Field][title] parameter to admin/fields/ajax_fields/, (3) name property in a basicInfo JSON object to admin/tools/create_theme, (4) data[Link][link_title] parameter to admin/links/links/add, or (5) data[ForumTopic][subject] parameter to forums/off-topic/new.2015-01-164.3CVE-2015-1058
XF
MISC
EXPLOIT-DB
MISC
OSVDB
OSVDB
OSVDB
OSVDB
OSVDB
insanevisions -- adaptcmsUnrestricted file upload vulnerability in admin/files/add in AdaptCMS 3.0.3 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in /app/webroot/uploads.2015-01-166.5CVE-2015-1059
MISC
XF
EXPLOIT-DB
MISC
OSVDB
insanevisions -- adaptcmsOpen redirect vulnerability in lib/Cake/Controller/Controller.php in AdaptCMS 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header.2015-01-165.8CVE-2015-1060
XF
MISC
EXPLOIT-DB
MISC
OSVDB
juniper -- junosThe stateless firewall in Juniper Junos 13.3R3, 14.1R1, and 14.1R2, when using Trio-based PFE modules, does not properly match ports, which might allow remote attackers to bypass firewall rule.2015-01-165.0CVE-2014-6383
SECTRACK
BID
juniper -- junosJuniper Junos 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D25, 12.1X47 before 12.1X47-D15, 12.3 before 12.3R9, 13.1 before 13.1R4-S3, 13.2 before 13.2R6, 13.3 before 13.3R5, 14.1 before 14.1R3, and 14.2 before 14.2R1 does not properly handle double quotes in authorization attributes in the TACACS+ configuration, which allows local users to bypass the security policy and execute commands via unspecified vectors.2015-01-166.9CVE-2014-6384
SECTRACK
BID
juniper -- junosJuniper Junos 11.4 before 11.4R13, 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 before 12.1X47-D15, 12.2 before 12.2R9, 12.3R7 before 12.3R7-S1, 12.3 before 12.3R8, 13.1 before 13.1R5, 13.2 before 13.2R6, 13.3 before 13.3R4, 14.1 before 14.1R2, and 14.2 before 14.2R1 allows remote attackers to cause a denial of service (kernel crash and restart) via a crafted fragmented OSPFv3 packet with an IPsec Authentication Header (AH).2015-01-166.1CVE-2014-6385
BID
kde -- kde_applicationskwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack.2015-01-185.0CVE-2013-7252
CONFIRM
BID
MLIST
MLIST
MISC
kgb_project -- kgbAbsolute path traversal vulnerability in kgb 1.0b4 allows remote attackers to write to arbitrary files via a full pathname in a crafted archive.2015-01-215.0CVE-2015-1192
MISC
BID
MLIST
SECUNIA
kiwix -- kiwixCross-site scripting (XSS) vulnerability in Kiwix before 0.9.1, when using kiwix-serve, allows remote attackers to inject arbitrary web script or HTML via the pattern parameter to /search.2015-01-214.3CVE-2015-1032
BUGTRAQ
CONFIRM
MISC
MISC
libtiff -- libtiffInteger overflow in tif_packbits.c in bmp2tif in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) via crafted BMP image, related to dimensions, which triggers an out-of-bounds read.2015-01-205.0CVE-2014-9330
SECTRACK
FULLDISC
CONFIRM
mediawiki -- mediawikiMediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/."2015-01-165.0CVE-2014-9476
CONFIRM
MLIST
MLIST
mediawiki -- mediawikiMultiple cross-site scripting (XSS) vulnerabilities in the Listings extension for MediaWiki allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) url parameter.2015-01-164.3CVE-2014-9477
CONFIRM
MLIST
MLIST
mediawiki -- mediawikiCross-site scripting (XSS) vulnerability in the preview in the TemplateSandbox extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via the text parameter to Special:TemplateSandbox.2015-01-164.3CVE-2014-9479
CONFIRM
MLIST
MLIST
mediawiki -- mediawikiCross-site scripting (XSS) vulnerability in the Hovercards extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors related to text extracts.2015-01-164.3CVE-2014-9480
CONFIRM
MLIST
MLIST
openstack -- image_registry_and_delivery_service_(glance)The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493.2015-01-216.5CVE-2015-1195
CONFIRM
MLIST
MLIST
SECUNIA
MLIST
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2013-0338, CVE-2013-2877, and CVE-2015-0386.2015-01-214.3CVE-2014-0191
oracle -- oracle_and_sun_systems_product_suiteUnspecified vulnerability in the Solaris Cluster component in Oracle Sun Systems Products Suite 3.3 and 4.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to System management.2015-01-216.5CVE-2014-6480
oracle -- database_serverUnspecified vulnerability in the PL/SQL component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality via unknown vectors.2015-01-214.0CVE-2014-6514
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Directory Server Enterprise Edition component in Oracle Fusion Middleware 7.0 allows remote attackers to affect integrity via unknown vectors related to Admin Console.2015-01-214.3CVE-2014-6526
oracle -- siebel_crmUnspecified vulnerability in the Siebel Core - System Management component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Server Infrastructure.2015-01-214.0CVE-2014-6528
oracle -- database_serverUnspecified vulnerability in the Recovery component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2, when running on Windows, allows remote authenticated users to affect confidentiality via vectors related to DBMS_IR.2015-01-216.3CVE-2014-6541
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle SOA Suite component in Oracle Fusion Middleware 11.1.1.7 allows local users to affect confidentiality, integrity, and availability via vectors related to B2B Engine.2015-01-214.6CVE-2014-6548
oracle -- e-business_suiteUnspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to AD_DDL.2015-01-214.6CVE-2014-6556
oracle -- peoplesoft_productsUnspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 allows remote authenticated users to affect integrity via unknown vectors related to Portal.2015-01-214.0CVE-2014-6566
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality via vectors related to CIE Related Components.2015-01-215.0CVE-2014-6569
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2011-1944.2015-01-216.8CVE-2014-6571
oracle -- e-business_suiteUnspecified vulnerability in the Oracle Customer Interaction History component in Oracle E-Business Suite 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and integrity via unknown vectors related to List of Values.2015-01-216.4CVE-2014-6572
oracle -- enterprise_manager_grid_controlUnspecified vulnerability in the Enterprise Manager Ops Center component in Oracle Enterprise Manager Grid Control 11.1.3 and 12.1.4 allows remote attackers to affect integrity via unknown vectors related to User Interface Framework.2015-01-214.3CVE-2014-6573
oracle -- supply_chain_products_suiteUnspecified vulnerability in the Oracle Agile PLM for Process component in Oracle Supply Chain Products Suite 6.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Testing Protocol Library.2015-01-214.3CVE-2014-6574
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Adaptive Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to OAM Integration.2015-01-215.5CVE-2014-6576
oracle -- database_serverUnspecified vulnerability in the XML Developer's Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher's claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI.2015-01-216.8CVE-2014-6577
MISC
oracle -- database_serverUnspecified vulnerability in the Workspace Manager component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SDO_TOPO and WMSYS.LT.2015-01-216.5CVE-2014-6578
oracle -- peoplesoft_productsUnspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect confidentiality via unknown vectors related to Integration Broker.2015-01-214.0CVE-2014-6579
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.7 and 11.1.2.2 allows remote attackers to affect integrity via unknown vectors.2015-01-214.3CVE-2014-6580
oracle -- e-business_suiteUnspecified vulnerability in the Oracle Customer Intelligence component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Extract/Load Programs.2015-01-216.4CVE-2014-6581
oracle -- e-business_suiteUnspecified vulnerability in the Oracle HCM Configuration Workbench component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality via unknown vectors related to Rapid Implementation.2015-01-215.0CVE-2014-6582
oracle -- e-business_suiteUnspecified vulnerability in the Oracle Marketing component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, and 12.1.3. allows remote attackers to affect confidentiality and integrity via unknown vectors related to Audience.2015-01-216.4CVE-2014-6583
oracle -- integrated_lights_out_manager_firmwareUnspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite ILOM before 3.2.4 allows remote authenticated users to affect confidentiality via unknown vectors related to Backup Restore.2015-01-214.0CVE-2014-6584
oracle -- peoplesoft_productsUnspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Time and Labor.2015-01-215.5CVE-2014-6586
oracle -- jdkUnspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.2015-01-214.3CVE-2014-6587
oracle -- jdkUnspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.2015-01-214.0CVE-2014-6593
oracle -- ilearningUnspecified vulnerability in the Oracle iLearning component in Oracle iLearning 6.0 and 6.1 allows remote attackers to affect confidentiality via unknown vectors related to Learner Pages.2015-01-214.3CVE-2014-6594
oracle -- siebel_crmUnspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via unknown vectors related to Portal Framework.2015-01-214.3CVE-2014-6596
oracle -- peoplesoft_productsUnspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52, 8.53, and 8.54 allows remote authenticated users to affect integrity via vectors related to PIA Core Technology.2015-01-214.0CVE-2014-6597
oracle -- fusion_middlewareUnspecified vulnerability in the BI Publisher (formerly XML Publisher) component in Oracle Fusion Middleware 11.1.1.7 allows remote attackers to affect confidentiality via unknown vectors related to BI Publisher Security.2015-01-215.0CVE-2015-0362
oracle -- siebel_crmUnspecified vulnerability in the Siebel Core EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect availability via unknown vectors related to Integration Business Services.2015-01-214.0CVE-2015-0363
oracle -- siebel_crmUnspecified vulnerability in the Siebel Core - Server Infrastructure component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Security.2015-01-214.3CVE-2015-0365
oracle -- siebel_crmUnspecified vulnerability in the Siebel Core - EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Java Integration.2015-01-215.0CVE-2015-0366
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to affect integrity via vectors related to SSO Engine.2015-01-215.0CVE-2015-0367
oracle -- supply_chain_products_suiteUnspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote attackers to affect availability via unknown vectors related to Security.2015-01-215.0CVE-2015-0368
oracle -- siebel_crmUnspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via unknown vectors related to AX/HI Web UI.2015-01-214.3CVE-2015-0369
oracle -- database_serverUnspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect integrity and availability via unknown vectors.2015-01-214.9CVE-2015-0371
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect confidentiality via unknown vectors.2015-01-215.0CVE-2015-0372
oracle -- database_serverUnspecified vulnerability in the OJVM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.2015-01-216.5CVE-2015-0373
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 11.1.1.8.0 allows remote attackers to affect integrity via unknown vectors related to Content Server.2015-01-214.3CVE-2015-0376
oracle -- vm_virtualboxUnspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, and 4.2.28 allows local users to affect availability via unknown vectors related to Core, a different vulnerability than CVE-2015-0418.2015-01-214.4CVE-2015-0377
oracle -- peoplesoft_productsUnspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.54 allows remote attackers to affect integrity via vectors related to PIA Core Technology.2015-01-214.3CVE-2015-0379
oracle -- e-business_suiteUnspecified vulnerability in the Oracle Telecommunications Billing Integrator component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via unknown vectors related to OA Based UI for Bill Summary.2015-01-214.3CVE-2015-0380
oracle -- mysqlUnspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0382.2015-01-214.3CVE-2015-0381
oracle -- mysqlUnspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0381.2015-01-214.3CVE-2015-0382
oracle -- jdkUnspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows local users to affect integrity and availability via unknown vectors related to Hotspot.2015-01-215.4CVE-2015-0383
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2013-0338, CVE-2013-2877, and CVE-2014-0191.2015-01-214.3CVE-2015-0386
oracle -- siebel_crmUnspecified vulnerability in the Siebel Core - Server OM Services component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via vectors related to Security - LDAP Security Adapter.2015-01-214.0CVE-2015-0387
oracle -- siebel_crmUnspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Portal Framework, a different vulnerability than CVE-2015-0417.2015-01-214.0CVE-2015-0388
oracle -- retail_applications_xstoreUnspecified vulnerability in the MICROS Retail component in Oracle Retail Applications Xstore: 3.2.1, 3.4.2, 3.5.0, 4.0.1, 4.5.1, 4.8.0, 5.0.3, 5.5.3, 6.0.6, and 6.5.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Xstore Point of Sale.2015-01-216.8CVE-2015-0390
oracle -- mysqlUnspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL.2015-01-214.0CVE-2015-0391
oracle -- siebel_crmUnspecified vulnerability in the Siebel Core - Server BizLogic Script component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Config - Scripting.2015-01-214.6CVE-2015-0392
oracle -- e-business_suiteUnspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to DB Privileges. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher's claim that the PUBLIC role is granted the INDEX privilege for the DUAL table during a "seeded install," which allows remote authenticated users to gain SYSDBA privileges and execute arbitrary code.2015-01-216.0CVE-2015-0393
oracle -- peoplesoft_productsUnspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect confidentiality via unknown vectors related to Report Distribution.2015-01-214.0CVE-2015-0394
oracle -- siebel_crmUnspecified vulnerability in the Siebel Life Sciences component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Clinical Trip Report.2015-01-214.0CVE-2015-0398
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 10.1.3.4.2 and 11.1.1.7 allows remote authenticated users to affect confidentiality via unknown vectors related to Analytics Web General.2015-01-214.0CVE-2015-0399
oracle -- jdkUnspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Libraries.2015-01-215.0CVE-2015-0400
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Directory Server Enterprise Edition component in Oracle Fusion Middleware 7.0 and 11.1.1.7 allows remote authenticated users to affect integrity via unknown vectors related to Admin Console.2015-01-214.0CVE-2015-0401
oracle -- siebel_crmUnspecified vulnerability in the Siebel Core - Server BizLogic Script component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via vectors related to Integration - COM.2015-01-214.3CVE-2015-0402
oracle -- jdkUnspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.2015-01-216.9CVE-2015-0403
oracle -- e-business_suiteUnspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via unknown vectors related to Error Messages.2015-01-214.3CVE-2015-0404
oracle -- jdkUnspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality and availability via unknown vectors related to Deployment.2015-01-215.8CVE-2015-0406
oracle -- jdkUnspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Swing.2015-01-215.0CVE-2015-0407
oracle -- mysqlUnspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer.2015-01-214.0CVE-2015-0409
oracle -- jdkUnspecified vulnerability in the Java SE, Java SE Embedded, JRockit component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows remote attackers to affect availability via unknown vectors related to Security.2015-01-215.0CVE-2015-0410
oracle -- e-business_suiteUnspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3 allows remote authenticated users to affect integrity via unknown vectors related to Session Management.2015-01-214.0CVE-2015-0415
oracle -- siebel_crmUnspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Portal Framework, a different vulnerability than CVE-2015-0388.2015-01-214.0CVE-2015-0417
oracle -- siebel_crmUnspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Portal Framework.2015-01-214.3CVE-2015-0419
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Forms component in Oracle Fusion Middleware 11.1.1.7 and 11.1.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Forms Services.2015-01-214.3CVE-2015-0420
oracle -- jdkUnspecified vulnerability in Oracle Java SE 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the installation process.2015-01-216.9CVE-2015-0421
oracle -- supply_chain_products_suiteUnspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote authenticated users to affect confidentiality via unknown vectors related to UI Infrastructure.2015-01-214.0CVE-2015-0422
oracle -- siebel_crmUnspecified vulnerability in the Oracle Enterprise Asset Management component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Siebel Core - Unix/Windows.2015-01-214.3CVE-2015-0425
oracle -- enterprise_manager_grid_controlUnspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control 12.1.0.3 and 12.1.0.4 allows remote attackers to affect confidentiality via unknown vectors related to UI Framework.2015-01-215.0CVE-2015-0426
oracle -- supply_chain_products_suiteUnspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0 6.3.1, 6.3.2, 6.3.4, and 6.3.5 allows remote attackers to affect integrity via unknown vectors related to UI Infrastructure.2015-01-214.3CVE-2015-0431
oracle -- mysqlUnspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DDL : Foreign Key.2015-01-214.0CVE-2015-0432
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to affect confidentiality via vectors related to Integration with OAM.2015-01-214.3CVE-2015-0434
oracle -- supply_chain_products_suiteUnspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote authenticated users to affect confidentiality via unknown vectors related to Security.2015-01-216.8CVE-2015-0435
oracle -- ilearningUnspecified vulnerability in the Oracle iLearning component in Oracle iLearning 6.0 and 6.1 allows remote attackers to affect confidentiality via unknown vectors related to Login.2015-01-214.3CVE-2015-0436
pax_project -- paxMultiple directory traversal vulnerabilities in pax 1:20140703 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.2015-01-215.0CVE-2015-1193
MISC
MLIST
pax_project -- paxpax 1:20140703 allows remote attackers to write to arbitrary files via a symlink attack in an archive.2015-01-214.3CVE-2015-1194
MISC
MLIST
pivotal_software -- rabbitmqRabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header.2015-01-205.0CVE-2014-9494
CONFIRM
XF
MLIST
privoxy -- privoxyMemory leak in the rfc2553_connect_to function in jbsocket.c in Privoxy before 3.0.22 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests that are rejected because the socket limit is reached.2015-01-205.0CVE-2015-1030
MLIST
SECUNIA
privoxy -- privoxyPrivoxy before 3.0.22 allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2015-01-205.0CVE-2015-1201
SECUNIA
puppetlabs -- stdlibThe puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlier allows remote authenticated users to gain privileges or obtain sensitive information by prepopulating the fact cache.2015-01-166.5CVE-2015-1029
SECUNIA
python -- pillowPillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed.2015-01-165.0CVE-2014-9601
CONFIRM
CONFIRM
redhat -- cloudforms_3.1_management_engineSQL injection vulnerability in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 allows remote authenticated users to execute arbitrary SQL commands via a crafted REST API request to an SQL filter.2015-01-166.5CVE-2014-7814
SECUNIA
sap -- netweaver_abapXML external entity vulnerability in the Extended Computer Aided Test Tool (eCATT) in SAP NetWeaver AS ABAP 7.31 and earlier allows remote attackers to access arbitrary files via a crafted XML request, related to ECATT_DISPLAY_XMLSTRING_REMOTE, aka SAP Note 2016638.2015-01-225.0CVE-2015-1309
SECUNIA
MISC
MISC
serve-static_project -- serve-staticOpen redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI.2015-01-214.3CVE-2015-1164
CONFIRM
CONFIRM
XF
BID
CONFIRM
siemens -- scalance_x-300_series_firmwareThe FTP server on Siemens SCALANCE X-300 switches with firmware before 4.0 and SCALANCE X 408 switches with firmware before 4.0 allows remote authenticated users to cause a denial of service (reboot) via crafted FTP packets.2015-01-216.8CVE-2014-8479
siemens -- simatic_s7_1200_cpu_firmwareOpen redirect vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices with firmware before 4.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.2015-01-214.3CVE-2015-1048
sun -- sunosUnspecified vulnerability in Oracle Solaris 10 and 11 allows remote attackers to affect confidentiality via vectors related to KSSL.2015-01-214.3CVE-2014-6481
sun -- sunosUnspecified vulnerability in Oracle Solaris 10 allows local users to affect availability via unknown vectors related to Kernel.2015-01-214.9CVE-2014-6509
sun -- sunosUnspecified vulnerability in Oracle Solaris 10 and 11 allows local users to affect integrity and availability via vectors related to Unix File System (UFS).2015-01-216.6CVE-2014-6518
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to File System, a different vulnerability than CVE-2014-6600 and CVE-2015-0397.2015-01-214.9CVE-2014-6570
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remote attackers to affect availability via unknown vectors related to Network, a different vulnerability than CVE-2004-0230.2015-01-215.0CVE-2014-6575
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to File System, a different vulnerability than CVE-2014-6570 and CVE-2015-0397.2015-01-214.9CVE-2014-6600
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remote attackers to affect confidentiality via unknown vectors related to Network.2015-01-215.0CVE-2015-0375
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect availability via unknown vectors related to Resource Control.2015-01-214.9CVE-2015-0428
symantec -- critical_system_protectionSQL injection vulnerability in the management server in Symantec Critical System Protection (SCSP) 5.2.9 before MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x before 6.0 MP1 allows remote authenticated users to execute arbitrary SQL commands via a crafted HTTP request.2015-01-216.5CVE-2014-7289
BID
symantec -- critical_system_protectionThe ajaxswing webui in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to obtain sensitive server information via unspecified vectors.2015-01-214.0CVE-2014-9225
BID
sympa -- sympaThe newsletter posting area in the web interface in Sympa 6.0.x before 6.0.10 and 6.1.x before 6.1.24 allows remote attackers to read arbitrary files via unspecified vectors.2015-01-225.0CVE-2015-1306
MLIST
DEBIAN
SECUNIA
SECUNIA
synck_graphica -- download_log_cgiDirectory traversal vulnerability in SYNCK GRAPHICA Download Log CGI 3.0 and earlier allows remote attackers to read arbitrary files via a crafted filename.2015-01-215.0CVE-2015-0867
videolan -- vlc_media_playerThe picture_pool_Delete function in misc/picture_pool.c in VideoLAN VLC media player 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service (DEP violation and application crash) via a crafted FLV file.2015-01-216.8CVE-2014-9597
MISC
MISC
MISC
FULLDISC
videolan -- vlc_media_playerThe picture_Release function in misc/picture.c in VideoLAN VLC media player 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service (write access violation) via a crafted M2V file.2015-01-216.8CVE-2014-9598
MISC
MISC
MISC
FULLDISC
websitebaker -- websitebakerCross-site scripting (XSS) vulnerability in admin/pages/modify.php in WebsiteBaker 2.8.3 SP3 allows remote attackers to inject arbitrary web script or HTML via the page_id parameter.2015-01-214.3CVE-2015-0553
MISC
BID
MISC
MISC
FULLDISC
MISC
zlib -- pigzMultiple directory traversal vulnerabilities in pigz 2.3.1 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.2015-01-215.0CVE-2015-1191
CONFIRM
CONFIRM
MLIST
Back to top

Low Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
crea8social -- crea8socialCross-site scripting (XSS) vulnerability in the Games feature in Crea8Social 2.0 allows remote authenticated users to inject arbitrary web script or HTML via the Game Content field in Add Game.2015-01-163.5CVE-2015-1054
XF
EXPLOIT-DB
MISC
OSVDB
CONFIRM
CONFIRM
emc -- vipr_srmMultiple cross-site scripting (XSS) vulnerabilities in the administrative user interface in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allow remote authenticated users to inject arbitrary web script or HTML by leveraging privileged access to set crafted values of unspecified fields.2015-01-213.5CVE-2015-0513
BUGTRAQ
ibm -- tivoli_netcool/omnibusCross-site scripting (XSS) vulnerability in the Web GUI in IBM Tivoli Netcool/OMNIbus 7.3.0 before 7.3.0.6, 7.3.1 before 7.3.1.7, and 7.4.0 before 7.4.0.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.2015-01-173.5CVE-2014-3032
XF
ibm -- serverguideIBM ServerGuide before 9.63, UpdateXpress System Packs Installer (UXSPI) before 9.63, and ToolsCenter Suite before 9.63 place credentials in logs, which allows local users to obtain sensitive information by reading a file.2015-01-172.1CVE-2014-4835
XF
ibm -- business_process_managerCross-site scripting (XSS) vulnerability in the Process Portal in IBM Business Process Manager 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-8914.2015-01-213.5CVE-2014-8913
XF
ibm -- business_process_managerCross-site scripting (XSS) vulnerability in the Process Portal in IBM Business Process Manager 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-8913.2015-01-213.5CVE-2014-8914
XF
mediawiki -- mediawikiCross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to true, allows remote attackers to inject arbitrary web script or HTML via the wpInput parameter to the Special:ExpandTemplates page.2015-01-162.6CVE-2014-9478
CONFIRM
MLIST
MLIST
oracle -- peoplesoft_productsUnspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 allows remote authenticated users to affect integrity via vectors related to PIA Core Technology.2015-01-213.5CVE-2014-4279
oracle -- e-business_suiteUnspecified vulnerability in the Oracle Web Applications Desktop Integrator component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect integrity via unknown vectors related to Templates.2015-01-213.5CVE-2014-6525
oracle -- mysqlUnspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DML.2015-01-213.5CVE-2014-6568
oracle -- jdkUnspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors reelated to 2D, a different vulnerability than CVE-2014-6591.2015-01-212.6CVE-2014-6585
oracle -- vm_virtualboxUnspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6589, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427.2015-01-213.2CVE-2014-6588
oracle -- vm_virtualboxUnspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427.2015-01-213.2CVE-2014-6589
oracle -- vm_virtualboxUnspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6595, and CVE-2015-0427.2015-01-213.2CVE-2014-6590
oracle -- jdkUnspecified vulnerability in the Java SE component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6585.2015-01-212.6CVE-2014-6591
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect integrity via vectors related to SAML, a different vulnerability than CVE-2015-0389.2015-01-213.5CVE-2014-6592
oracle -- vm_virtualboxUnspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, and CVE-2015-0427.2015-01-213.2CVE-2014-6595
oracle -- siebel_crmUnspecified vulnerability in the Siebel Core - Common Components component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Email.2015-01-213.5CVE-2014-6599
oracle -- siebel_crmUnspecified vulnerability in the Siebel Core - EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect availability via unknown vectors related to Integration Business Services.2015-01-213.5CVE-2015-0364
oracle -- database_serverUnspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect integrity via unknown vectors.2015-01-213.5CVE-2015-0370
oracle -- mysqlUnspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Security : Privileges : Foreign Key.2015-01-213.5CVE-2015-0374
oracle -- siebel_crmUnspecified vulnerability in the Siebel Public Sector component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect integrity via unknown vectors related to Public Sector Portal.2015-01-213.5CVE-2015-0384
oracle -- mysqlUnspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Pluggable Auth.2015-01-213.5CVE-2015-0385
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect integrity via vectors related to SAML, a different vulnerability than CVE-2014-6592.2015-01-213.5CVE-2015-0389
oracle -- jdkUnspecified vulnerability in Oracle Java SE 7u72 and 8u25 allows local users to affect integrity via unknown vectors related to Serviceability.2015-01-211.9CVE-2015-0413
oracle -- fusion_middlewareUnspecified vulnerability in the Oracle SOA Suite component in Oracle Fusion Middleware 11.1.1.7 and 12.1.3.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Fabric Layer.2015-01-213.5CVE-2015-0414
oracle -- supply_chain_products_suiteUnspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect integrity via unknown vectors related to Roles & Privileges.2015-01-213.5CVE-2015-0416
oracle -- vm_virtualboxUnspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, and 4.2.28 allows local users to affect availability via unknown vectors related to Core, a different vulnerability than CVE-2015-0377.2015-01-212.1CVE-2015-0418
oracle -- vm_virtualboxUnspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, and CVE-2014-6595.2015-01-213.2CVE-2015-0427
pivotal_software -- rabbitmq_managementMultiple cross-site scripting (XSS) vulnerabilities in the management web UI in the RabbitMQ management plugin before 3.4.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) message details when a message is unqueued, such as headers or arguments; (2) policy names, which are not properly handled when viewing policies; (3) details for AMQP network clients, such as the version; allow remote authenticated administrators to inject arbitrary web script or HTML via (4) user names, (5) the cluster name; or allow RabbitMQ cluster administrators to (6) modify unspecified content.2015-01-183.5CVE-2015-0862
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to Libc.2015-01-212.1CVE-2015-0378
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to File System, a different vulnerability than CVE-2014-6570 and CVE-2014-6600.2015-01-212.1CVE-2015-0397
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect integrity and availability via vectors related to RPC Utility.2015-01-213.3CVE-2015-0429
sun -- sunosUnspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect confidentiality via vectors related to RPC Utility.2015-01-211.9CVE-2015-0430
symantec -- critical_system_protectionCross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.2015-01-213.5CVE-2014-9224
BID
websvn -- websvnWebSVN 2.3.3 allows remote authenticated users to read arbitrary files via a symlink attack in a commit.2015-01-213.5CVE-2013-6892
MISC
SECUNIA
Back to top


This product is provided subject to this Notification and this Privacy & Use policy.



01/24/2015 12:37 AM
IC3 Releases Alert for a Scam Targeting Businesses
Original release date: January 24, 2015

The Internet Crime Complaint Center (IC3) has released an alert warning companies of a sophisticated wire payment scam dubbed the Business E-mail Compromise. Scammers use fraudulent information to trick companies into directing financial transactions into accounts they control.

Users are encouraged to review the IC3 Scam Alert for details and refer to the US-CERT Tip ST04-014 for information on social engineering and phishing attacks.


This product is provided subject to this Notification and this Privacy & Use policy.



01/23/2015 05:42 PM
FBI Releases "Ransomware on the Rise"
Original release date: January 23, 2015

The FBI has released an article addressing ransomware campaigns that use intimidating messages claiming to be from the FBI or other government agencies. Scam operators use ransomware a type of malicious software to infect a computer and restrict access to it until a ransom is paid to unlock it.

Users and administrators are encouraged to review the FBI article "Ransomware on the Rise" for details and refer to Alert TA-295A for information on Crypto Ransomware.


This product is provided subject to this Notification and this Privacy & Use policy.



01/23/2015 04:14 PM
Google Releases Security Updates for Chrome
Original release date: January 23, 2015

Google has released Chrome 40.0.2214.91 for Windows, Mac, and Linux to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow a remote attacker to cause a denial of service condition or obtain personal information.

US-CERT encourages users and administrators to review the Google Chrome blog entry and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.



01/22/2015 06:18 PM
Adobe Releases Security Updates for Flash Player
Original release date: January 22, 2015

Adobe has released security updates to address a vulnerability in Flash Player, which could potentially allow a remote attacker to take control of an affected system.

Users and administrators are encouraged to review Adobe Security Bulletin APSB15-02 and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.



01/20/2015 05:54 PM
Oracle Releases January 2015 Security Advisory
Original release date: January 20, 2015

Oracle has released its Critical Patch Update for January 2015 to address 169 vulnerabilities across multiple products.

This update contains the following security fixes:

  • 8 for Oracle Database Server
  • 36 for Oracle Fusion Middleware
  • 10 for Oracle Enterprise Manager Grid Control
  • 10 for Oracle E-Business Suite
  • 6 for Oracle Supply Chain Products Suite
  • 7 for Oracle PeopleSoft Products
  • 1 for Oracle JD Edwards Products
  • 17 for Oracle Siebel CRM
  • 2 for Oracle iLearning
  • 2 for Oracle Communications Applications
  • 1 for Oracle Retail Applications
  • 1 for Oracle Health Sciences Applications
  • 19 for Oracle Java SE
  • 29 for Oracle Sun Systems Products Suite
  • 11 for Oracle Linux and Virtualization
  • 9 for Oracle MySQL

US-CERT encourages users and administrators to review the Oracle January 2015 Critical Patch Update and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.



01/20/2015 12:24 PM
Ubuntu Releases Security Updates
Original release date: January 20, 2015

Ubuntu has released security updates to address multiple vulnerabilities affecting Ubuntu 10.04 LTS, 12.04 LTS, 14.04 LTS, and 14.10. Exploitation of these vulnerabilities may allow an attacker to cause a denial of service or execute arbitrary code.

Users and administrators are encouraged to review Ubuntu Security Notices USN-2460-1, USN-2477-1, USN-2478-1, and USN-2479-1, and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.



01/19/2015 05:27 AM
SB15-019: Vulnerability Summary for the Week of January 12, 2015
Original release date: January 19, 2015

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
adobe -- adobe_airAdobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 do not properly validate files, which has unspecified impact and attack vectors.2015-01-1310.0CVE-2015-0301
adobe -- adobe_airAdobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0306.2015-01-1310.0CVE-2015-0303
adobe -- adobe_airHeap-based buffer overflow in Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0309.2015-01-1310.0CVE-2015-0304
adobe -- adobe_airAdobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion."2015-01-139.3CVE-2015-0305
CONFIRM
adobe -- adobe_airAdobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0303.2015-01-1310.0CVE-2015-0306
adobe -- adobe_airAdobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allow remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via unspecified vectors.2015-01-138.5CVE-2015-0307
adobe -- adobe_airUse-after-free vulnerability in Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allows attackers to execute arbitrary code via unspecified vectors.2015-01-1310.0CVE-2015-0308
adobe -- adobe_airHeap-based buffer overflow in Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0304.2015-01-1310.0CVE-2015-0309
awpcp -- another_wordpress_classifieds_pluginSQL injection vulnerability in the Another WordPress Classifieds Plugin plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the keywordphrase parameter in a dosearch action.2015-01-137.5CVE-2014-10013
XF
EXPLOIT-DB
MISC
dev4press -- gd_star_ratingSQL injection vulnerability in the GD Star Rating plugin 19.22 for WordPress allows remote administrators to execute arbitrary SQL commands via the s parameter in the gd-star-rating-stats page to wp-admin/admin.php.2015-01-127.5CVE-2014-2839
XF
FULLDISC
divx -- directshowdemuxfilterMultiple integer signedness errors in DirectShowDemuxFilter, as used in Divx Web Player, Divx Player, and other Divx plugins, allow remote attackers to execute arbitrary code via a (1) negative or (2) large value in a Stream Format (STRF) chunk in an AVI file, which triggers a heap-based buffer overflow.2015-01-137.5CVE-2014-10024
BID
FULLDISC
domphp -- domphpDirectory traversal vulnerability in DomPHP 0.83 and earlier allows remote attackers to have unspecified impact via a .. (dot dot) in the url parameter to photoalbum/index.php.2015-01-137.5CVE-2014-10037
XF
EXPLOIT-DB
OSVDB
domphp -- domphpSQL injection vulnerability in agenda/indexdate.php in DomPHP 0.83 and earlier allows remote attackers to execute arbitrary SQL commands via the ids parameter.2015-01-137.5CVE-2014-10038
XF
EXPLOIT-DB
MISC
OSVDB
fluxbb -- fluxbbSQL injection vulnerability in profile.php in FluxBB before 1.4.13 and 1.5.x before 1.5.7 allows remote attackers to execute arbitrary SQL commands via the req_new_email parameter.2015-01-137.5CVE-2014-10029
XF
SECUNIA
FULLDISC
MISC
hancom -- hancom_office_2010_seBuffer overflow in Hancom Office 2010 SE allows remote attackers to execute arbitrary via a long string in the Text attribute in a TEXTART XML element in an HML file.2015-01-127.5CVE-2013-7420
XF
BUGTRAQ
ibm -- pureapplication_systemMultiple directory traversal vulnerabilities in the file-upload feature in IBM PureApplication System 1.0 before 1.0.0.4 iFix 10, 1.1 before 1.1.0.5, and 2.0 before 2.0.0.1 and Workload Deployer 3.1.0.7 before IF5 allow remote authenticated users to execute arbitrary code via a (1) Script Package, (2) Add-On, or (3) Emergency Fixes component.2015-01-099.0CVE-2014-6158
ibm -- aixlquerylv in cmdlvm in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x allows local users to gain privileges via a crafted DBGCMD_LQUERYLV environment-variable value.2015-01-157.2CVE-2014-8904
XF
AIXAPAR
AIXAPAR
AIXAPAR
AIXAPAR
AIXAPAR
ismail_fahmi -- ganesha_digital_libraryMultiple SQL injection vulnerabilities in Ganesha Digital Library (GDL) 4.2 allow remote attackers to execute arbitrary SQL commands via the id parameter in (1) download.php or (2) main.php.2015-01-137.5CVE-2014-100031
XF
SECUNIA
MISC
itechscripts -- itechclassifiedsSQL injection vulnerability in ChangeEmail.php in iTechClassifieds 3.03.057 allows remote attackers to execute arbitrary SQL commands via the PreviewNum parameter. NOTE: the CatID parameter is already covered by CVE-2008-0685.2015-01-137.5CVE-2014-100020
XF
BID
EXPLOIT-DB
OSVDB
libpng -- libpngHeap-based buffer overflow in the png_combine_row function in libpng before 1.5.21 and 1.6.x before 1.6.16 might allow context-dependent attackers to execute arbitrary code via a "very wide interlaced" PNG image.2015-01-1010.0CVE-2014-9495
SECTRACK
BID
MLIST
MISC
MLIST
licensepal -- arcticdeskSQL injection vulnerability in the ticket grid in the admin interface in LicensePal ArcticDesk before 1.2.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.2015-01-137.5CVE-2014-100035
linux -- linux_kernelRace condition in the key_gc_unused_keys function in security/keys/gc.c in the Linux kernel through 3.18.2 allows local users to cause a denial of service (memory corruption or panic) or possibly have unspecified other impact via keyctl commands that trigger access to a key structure member during garbage collection of a key.2015-01-097.2CVE-2014-9529
CONFIRM
MLIST
CONFIRM
maianscriptworld -- maian_uploaderSQL injection vulnerability in admin/data_files/move.php in Maian Uploader 4.0 allows remote attackers to execute arbitrary SQL commands via the id parameter.2015-01-137.5CVE-2014-10004
XF
MISC
OSVDB
microsoft -- windows_7The AhcVerifyAdminContext function in ahcache.sys in the Application Compatibility component in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not verify that an impersonation token is associated with an administrative account, which allows local users to gain privileges by running AppCompatCache.exe with a crafted DLL file, aka MSRC ID 20544 or "Microsoft Application Compatibility Infrastructure Elevation of Privilege Vulnerability."2015-01-137.2CVE-2015-0002
MISC
MISC
MISC
microsoft -- windows_7The User Profile Service (aka ProfSvc) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges by conducting a junction attack to load another user's UsrClass.dat registry hive, aka MSRC ID 20674 or "Microsoft User Profile Service Elevation of Privilege Vulnerability."2015-01-137.2CVE-2015-0004
MISC
microsoft -- windows_7Buffer overflow in the Telnet service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted packets, aka "Windows Telnet Service Buffer Overflow Vulnerability."2015-01-1310.0CVE-2015-0014
microsoft -- windows_server_2003Microsoft Windows Server 2003 SP2, Server 2008 SP2 and R2 SP1, and Server 2012 Gold and R2 allow remote attackers to cause a denial of service (system hang and RADIUS outage) via crafted username strings to (1) Internet Authentication Service (IAS) or (2) Network Policy Server (NPS), aka "Network Policy Server RADIUS Implementation Denial of Service Vulnerability."2015-01-137.8CVE-2015-0015
microsoft -- windows_7Directory traversal vulnerability in the TS WebProxy (aka TSWbPrxy) component in Microsoft Windows Vista SP2, Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to gain privileges via a crafted pathname in an executable file, as demonstrated by a transition from Low Integrity to Medium Integrity, aka "Directory Traversal Elevation of Privilege Vulnerability."2015-01-139.3CVE-2015-0016
mozilla -- firefoxMultiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.2015-01-147.5CVE-2014-8634
CONFIRM
CONFIRM
mozilla -- firefoxMultiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.2015-01-147.5CVE-2014-8635
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
mozilla -- firefoxThe XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors.2015-01-147.5CVE-2014-8636
CONFIRM
mozilla -- firefoxUse-after-free vulnerability in the WebRTC implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, and SeaMonkey before 2.32 allows remote attackers to execute arbitrary code via crafted track data.2015-01-147.5CVE-2014-8641
CONFIRM
mozilla -- firefoxMozilla Firefox before 35.0 on Windows allows remote attackers to bypass the Gecko Media Plugin (GMP) sandbox protection mechanism by leveraging access to the GMP process, as demonstrated by the OpenH264 plugin's process.2015-01-147.1CVE-2014-8643
CONFIRM
mtouch_quiz_project -- mtouch_quizSQL injection vulnerability in question.php in the mTouch Quiz before 3.0.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the quiz parameter to wp-admin/edit.php.2015-01-137.5CVE-2014-100022
MISC
XF
SECUNIA
phpjabbers -- event_booking_calendarSQL injection vulnerability in load-calendar.php in PHPJabbers Event Booking Calendar 2.0 allows remote attackers to execute arbitrary SQL commands via the cid parameter.2015-01-137.5CVE-2014-10015
MISC
pomm-project -- pommSQL injection vulnerability in the LTree converter in Pomm before 1.1.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.2015-01-137.5CVE-2014-100019
CONFIRM
XF
BID
SECUNIA
qualcomm -- eudora_worldmailBuffer overflow in the IMAPd service in Qualcomm Eudora WorldMail 9.0.333.0 allows remote attackers to execute arbitrary code via a long string in a UID command.2015-01-137.5CVE-2014-10031
XF
EXPLOIT-DB
OSVDB
realnetworks -- realarcade_installerThe RACInstaller.StateCtrl.1 ActiveX control in InstallerDlg.dll in RealNetworks GameHouse RealArcade Installer 2.6.0.481 performs unexpected type conversions for invalid parameter types, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via crafted arguments to the (1) AddTag, (2) Ping, (3) QueuePause, (4) QueueRemove, (5) QueueTop, (6) RemoveTag, (7) TagRemoved, or (8) message method.2015-01-1210.0CVE-2013-2603
MISC
MISC
OSVDB
realnetworks -- realarcade_installerRealNetworks GameHouse RealArcade Installer (aka ActiveMARK Game Installer) 2.6.0.481 and 3.0.7 uses weak permissions (Create Files/Write Data) for the GameHouse Games directory tree, which allows local users to gain privileges via a Trojan horse DLL in an individual game's directory, as demonstrated by DDRAW.DLL in the Zuma Deluxe directory.2015-01-127.2CVE-2013-2604
MISC
MISC
OSVDB
schneider-electric -- wonderware_intouch_access_anywhere_serverStack-based buffer overflow in Schneider Electric Wonderware InTouch Access Anywhere Server 10.6 and 11.0 allows remote attackers to execute arbitrary code via a request for a filename that does not exist.2015-01-0910.0CVE-2014-9190
CONFIRM
sendy -- sendySQL injection vulnerability in /send-to in Sendy 1.1.9.1 allows remote attackers to execute arbitrary SQL commands via the c parameter.2015-01-137.5CVE-2014-100011
XF
BID
BUGTRAQ
EXPLOIT-DB
sendy -- sendySQL injection vulnerability in /app in Sendy 1.1.8.4 allows remote attackers to execute arbitrary SQL commands via the i parameter.2015-01-137.5CVE-2014-100012
EXPLOIT-DB
softbb -- softbbSQL injection vulnerability in redir_last_post_list.php in SoftBB 0.1.3 allows remote attackers to execute arbitrary SQL commands via the post parameter.2015-01-157.5CVE-2014-9560
BID
MISC
FULLDISC
MISC
solidworks -- product_data_managementMultiple stack-based buffer overflows in pdmwService.exe in SolidWorks Workgroup PDM 2014 SP2 allow remote attackers to execute arbitrary code via a long string in a (1) 2001, (2) 2002, or (3) 2003 opcode to port 3000.2015-01-137.5CVE-2014-100014
XF
EXPLOIT-DB
SECUNIA
tecorange -- simple_e-documentSQL injection vulnerability in login.php in Simple e-document 1.31 allows remote attackers to execute arbitrary SQL commands via the username parameter.2015-01-137.5CVE-2014-10020
XF
EXPLOIT-DB
MISC
OSVDB
topicsviewer -- topicsviewerMultiple SQL injection vulnerabilities in TopicsViewer 3.0 Beta 1 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) edit_block.php, (2) edit_cat.php, (3) edit_note.php, or (4) rmv_topic.php in admincp/.2015-01-137.5CVE-2014-10023
XF
BID
EXPLOIT-DB
MISC
OSVDB
OSVDB
OSVDB
OSVDB
trendnet -- tv-ip422wStack-based buffer overflow in UltraCamLib in the UltraCam ActiveX Control (UltraCamX.ocx) for the TRENDnet SecurView camera TV-IP422WN allows remote attackers to execute arbitrary code via a long string to the (1) CGI_ParamSet, (2) OpenFileDlg, (3) SnapFileName, (4) Password, (5) SetCGIAPNAME, (6) AccountCode, or (7) RemoteHost function.2015-01-137.5CVE-2014-10011
XF
MISC
MISC
BID
MISC
welcart -- e-commerceMultiple SQL injection vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) changeSort or (2) switch parameter in the usces_itemedit page to wp-admin/admin.php.2015-01-137.5CVE-2014-10017
XF
BID
MISC
wpsymposium -- wp_symposiumUnrestricted file upload vulnerability in UploadHandler.php in the WP Symposium plugin 14.11 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in server/php/.2015-01-137.5CVE-2014-10021
EXPLOIT-DB
yourmembers -- yourmembersSQL injection vulnerability in includes/ym-download_functions.include.php in the Code Futures YourMembers plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the ym_download_id parameter to the default URI.2015-01-137.5CVE-2014-100003
EXPLOIT-DB
MISC
Back to top

Medium Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
adobe -- adobe_airAdobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.272 on Android, Adobe AIR SDK before 16.0.0.272, and Adobe AIR SDK & Compiler before 16.0.0.272 allow attackers to obtain sensitive keystroke information via unspecified vectors.2015-01-135.0CVE-2015-0302
airties -- air_6372Cross-site scripting (XSS) vulnerability in top.html in the Airties Air 6372 modem allows remote attackers to inject arbitrary web script or HTML via the productboardtype parameter.2015-01-134.3CVE-2014-100032
XF
MISC
apache -- traffic_serverApache Traffic Server before 5.1.2 allows remote attackers to cause a denial of service via unspecified vectors, related to internal buffer sizing.2015-01-135.0CVE-2014-10022
CONFIRM
SECTRACK
MLIST
apache -- cloudstackApache CloudStack before 4.3.2 and 4.4.x before 4.4.2 allows remote attackers to obtain private keys via a listSslCerts API call.2015-01-155.0CVE-2014-9593
SECUNIA
april's_super_functions_pack_project -- april's_super_functions_packCross-site scripting (XSS) vulnerability in readme.php in the April's Super Functions Pack plugin before 1.4.8 for WordPress allows remote attackers to inject arbitrary web script or HTML via the page parameter. NOTE: some of these details are obtained from third party information.2015-01-134.3CVE-2014-100026
XF
BID
SECUNIA
OSVDB
awpcp -- another_wordpress_classifieds_pluginCross-site scripting (XSS) vulnerability in the Another WordPress Classifieds Plugin plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the query string to the default URI.2015-01-134.3CVE-2014-10012
XF
MISC
cisco -- anyconnect_secure_mobility_clientCisco AnyConnect on Android and OS X does not properly verify the host type, which allows remote attackers to spoof authentication forms and possibly capture credentials via unspecified vectors, aka Bug IDs CSCuo24931 and CSCuo24940.2015-01-145.0CVE-2014-3314
cisco -- unified_communications_domain_managerCisco Unified Communication Domain Manager Platform Software allows remote attackers to cause a denial of service (CPU consumption, and performance degradation or service outage) via a flood of malformed TCP packets and UDP packets, aka Bug ID CSCup25276.2015-01-095.0CVE-2014-8020
cisco -- identity_services_engine_softwareMultiple cross-site scripting (XSS) vulnerabilities in Cisco Identity Services Engine allow remote attackers to inject arbitrary web script or HTML via input to unspecified web pages, aka Bug IDs CSCur69835 and CSCur69776.2015-01-154.3CVE-2014-8022
cisco -- webex_meetings_serverCisco WebEx Meetings Server 1.5 presents the same CAPTCHA challenge for each login attempt, which makes it easier for remote attackers to obtain access via a brute-force approach of guessing usernames, aka Bug ID CSCuj40321.2015-01-155.0CVE-2014-8034
cisco -- webex_meetings_serverThe web framework in Cisco WebEx Meetings Server produces different returned messages for URL requests depending on whether a username exists, which allows remote attackers to enumerate user accounts via a series of requests, aka Bug ID CSCuj40247.2015-01-095.0CVE-2014-8035
cisco -- webex_meetings_serverThe outlookpa component in Cisco WebEx Meetings Server does not properly validate API input, which allows remote attackers to modify a meeting's invite list via a crafted URL, aka Bug ID CSCuj40254.2015-01-095.0CVE-2014-8036
cisco -- asyncosMultiple cross-site scripting (XSS) vulnerabilities in the IronPort Spam Quarantine (ISQ) page in Cisco AsyncOS, as used on the Cisco Email Security Appliance (ESA) and Content Security Management Appliance (SMA), allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug IDs CSCus22925 and CSCup08113.2015-01-144.3CVE-2015-0577
cisco -- adaptive_security_appliance_softwareCisco Adaptive Security Appliance (ASA) Software, when a DHCPv6 relay is configured, allows remote attackers to cause a denial of service (device reload) via crafted DHCP packets on the local network, aka Bug ID CSCur45455.2015-01-145.7CVE-2015-0578
cisco -- telepresence_video_communication_serverCisco TelePresence Video Communication Server (VCS) and Cisco Expressway allow remote attackers to cause a denial of service (memory and CPU consumption, and partial outage) via crafted SIP packets, aka Bug ID CSCur12473.2015-01-145.0CVE-2015-0579
cisco -- nx-osThe High Availability (HA) subsystem in Cisco NX-OS on MDS 9000 devices allows remote attackers to cause a denial of service via crafted traffic, aka Bug ID CSCuo09129.2015-01-095.0CVE-2015-0582
cisco -- webex_meeting_centerCisco WebEx Meeting Center does not properly restrict the content of URLs, which allows remote attackers to obtain sensitive information via vectors related to file: URIs, aka Bug ID CSCus18281.2015-01-145.0CVE-2015-0583
cisco -- unified_communications_domain_managerCross-site request forgery (CSRF) vulnerability in Cisco Unified Communications Domain Manager (UCDM) 10 allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuo77055.2015-01-156.8CVE-2015-0588
cisco -- unified_communications_domain_managerCisco Unified Communications Domain Manager (UCDM) 10 allows remote attackers to cause a denial of service (daemon hang and GUI outage) via a flood of malformed TCP packets, aka Bug ID CSCur44177.2015-01-155.0CVE-2015-0591
clientresponse_project -- clientresponseMultiple cross-site scripting (XSS) vulnerabilities in clientResponse 4.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Subject or (2) Message field.2015-01-134.3CVE-2014-100013
XF
EXPLOIT-DB
context_project -- contextOpen redirect vulnerability in the Context UI module in the Context module 7.x-3.x before 7.x-3.6 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.2015-01-155.8CVE-2015-1051
BID
corel -- corelcadMultiple untrusted search path vulnerabilities in Corel CAD 2014 allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) FxManagedCommands_3.08_9.tx or (2) TD_Mgd_3.08_9.dll file in the current working directory.2015-01-154.6CVE-2014-8394
BID
BUGTRAQ
MISC
FULLDISC
corel -- painterUntrusted search path vulnerability in Corel Painter 2015 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse wacommt.dll file that is located in the same folder as the file being processed.2015-01-154.6CVE-2014-8395
BID
BUGTRAQ
MISC
FULLDISC
corel -- pdf_fusionUntrusted search path vulnerability in Corel PDF Fusion allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse quserex.dll file that is located in the same folder as the file being processed.2015-01-154.6CVE-2014-8396
BID
BUGTRAQ
MISC
FULLDISC
corel -- fastflickUntrusted search path vulnerability in Corel VideoStudio PRO X7 or FastFlick allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse u32ZLib.dll file that is located in the same folder as the file being processed.2015-01-154.6CVE-2014-8397
BID
BUGTRAQ
MISC
FULLDISC
corel -- fastflickMultiple untrusted search path vulnerabilities in Corel FastFlick allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) igfxcmrt32.dll, (2) ipl.dll, (3) MSPStyleLib.dll, (4) uFioUtil.dll, (5) uhDSPlay.dll, (6) uipl.dll, (7) uvipl.dll, (8) VC1DecDll.dll, or (9) VC1DecDll_SSE3.dll file that is located in the same folder as the file being processed.2015-01-154.6CVE-2014-8398
BID
BUGTRAQ
MISC
FULLDISC
couponphp -- couponphpMultiple SQL injection vulnerabilities in the admin area in couponPHP before 1.2.0 allow remote administrators to execute arbitrary SQL commands via the (1) iDisplayLength or (2) iDisplayStart parameter to (a) comments_paginate.php or (b) stores_paginate.php in admin/ajax/.2015-01-136.5CVE-2014-10034
XF
MISC
EXPLOIT-DB
MISC
OSVDB
OSVDB
CONFIRM
couponphp -- couponphpMultiple cross-site scripting (XSS) vulnerabilities in the admin area in couponPHP before 1.2.0 allow remote administrators to inject arbitrary web script or HTML via the (1) sEcho parameter to comments_paginate.php or (2) stores_paginate.php or the (3) affiliate_url, (4) description, (5) domain, (6) seo[description], (7) seo[heading], (8) seo[title], (9) seo[keywords], (10) setting[logo], (11) setting[perpage], or (12) setting[sitename] to admin/index.php.2015-01-134.3CVE-2014-10035
MISC
EXPLOIT-DB
SECUNIA
MISC
OSVDB
OSVDB
OSVDB
CONFIRM
csphere -- clansphereCross-site scripting (XSS) vulnerability in ClanSphere 2011.4 allows remote attackers to inject arbitrary web script or HTML via the where parameter in a list action to index.php.2015-01-134.3CVE-2014-100010
MISC
BID
BUGTRAQ
SECUNIA
FULLDISC
d-link -- dir-60Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account or (2) enable remote management via a crafted configuration module to hedwig.cgi, (3) activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to pigwidgeon.cgi, or (4) send a ping via a ping action to diagnostic.php.2015-01-136.8CVE-2014-100005
XF
SECUNIA
MISC
d-link -- dap-1360_firmwareMultiple cross-site request forgery (CSRF) vulnerabilities in D-Link DAP-1360 with firmware 2.5.4 and earlier allow remote attackers to hijack the authentication of unspecified users for requests that change the (1) Enable Wireless, (2) MBSSID, (3) BSSID, (4) Hide Access Point, (5) SSID, (6) Country, (7) Channel, (8) Wireless mode, or (9) Max Associated Clients setting via a crafted request to index.cgi.2015-01-136.8CVE-2014-10025
MISC
FULLDISC
d-link -- dap-1360_firmwareindex.cgi in D-Link DAP-1360 with firmware 2.5.4 and earlier allows remote attackers to bypass authentication and obtain sensitive information by setting the client_login cookie to admin.2015-01-135.0CVE-2014-10026
MISC
FULLDISC
d-link -- dap-1360_firmwareMultiple cross-site request forgery (CSRF) vulnerabilities in D-Link DAP-1360 router with firmware 2.5.4 and earlier allow remote attackers to hijack the authentication of unspecified users for requests that (1) change the MAC filter restrict mode, (2) add a MAC address to the filter, or (3) remove a MAC address from the filter via a crafted request to index.cgi.2015-01-136.8CVE-2014-10027
MISC
FULLDISC
d-link -- dap-1360_firmwareCross-site scripting (XSS) vulnerability in D-Link DAP-1360 router with firmware 2.5.4 and later allows remote attackers to inject arbitrary web script or HTML via the res_buf parameter to index.cgi when res_config_id is set to 41.2015-01-134.3CVE-2014-10028
MISC
FULLDISC
dev4press -- gd_star_ratingMultiple cross-site request forgery (CSRF) vulnerabilities in the GD Star Rating plugin 19.22 for WordPress allow remote attackers to hijack the authentication of administrators for requests that conduct (1) SQL injection attacks via the s parameter in the gd-star-rating-stats page to wp-admin/admin.php or (2) cross-site scripting (XSS) attacks via unspecified vectors.2015-01-126.8CVE-2014-2838
XF
SECUNIA
FULLDISC
e107 -- e107Cross-site scripting (XSS) vulnerability in e107_admin/filemanager.php in e107 1.0.4 allows remote attackers to inject arbitrary web script or HTML via the e107_files/ file path in the QUERY_STRING.2015-01-154.3CVE-2015-1041
MISC
XF
BID
MLIST
MISC
MISC
FULLDISC
MISC
f5 -- big-ip_application_security_managerCross-site scripting (XSS) vulnerability in F5 BIG-IP Application Security Manager (ASM) before 11.6 allows remote attackers to inject arbitrary web script or HTML via the Response Body field when creating a new user account.2015-01-154.3CVE-2015-1050
XF
BUGTRAQ
FULLDISC
MISC
flatpress -- flatpressCross-site scripting (XSS) vulnerability in FlatPress 1.0.2 allows remote attackers to inject arbitrary web script or HTML via the content parameter to the default URI.2015-01-134.3CVE-2014-100036
MISC
CONFIRM
XF
SECUNIA
fluxbb -- fluxbbOpen redirect vulnerability in forums/login.php in FluxBB before 1.4.13 and 1.5.x before 1.5.7 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter.2015-01-135.8CVE-2014-10030
CONFIRM
ganesha_digital_library_project -- ganesha_digital_libraryMultiple directory traversal vulnerabilities in class/session.php in Ganesha Digital Library (GDL) 4.2 allow remote attackers to read arbitrary files via a .. (dot dot) in the (1) newlang or (2) newtheme parameter.2015-01-135.0CVE-2014-100029
XF
MISC
ganesha_digital_library_project -- ganesha_digital_libraryCross-site scripting (XSS) vulnerability in module/search/function.php in Ganesha Digital Library (GDL) 4.2 allows remote attackers to inject arbitrary web script or HTML via the keyword parameter in a ByEge action.2015-01-134.3CVE-2014-100030
XF
SECUNIA
MISC
getusedtoit -- wp_slimstatCross-site scripting (XSS) vulnerability in the WP SlimStat plugin before 3.5.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via a crafted URL.2015-01-134.3CVE-2014-100027
CONFIRM
XF
BID
SECUNIA
gnu -- binutilsThe _bfd_slurp_extended_name_table function in bfd/archive.c in GNU binutils 2.24 and earlier allows remote attackers to cause a denial of service (invalid write, segmentation fault, and crash) via a crafted extended name table in an archive.2015-01-155.0CVE-2014-8738
CONFIRM
CONFIRM
MLIST
MLIST
MLIST
haxx -- libcurlCRLF injection vulnerability in libcurl 6.0 through 7.x before 7.40.0, when using an HTTP proxy, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in a URL.2015-01-154.3CVE-2014-8150
DEBIAN
SECUNIA
SECUNIA
haxx -- libcurlThe darwinssl_connect_step1 function in lib/vtls/curl_darwinssl.c in libcurl 7.31.0 through 7.39.0, when using the DarwinSSL (aka SecureTransport) back-end for TLS, does not check if a cached TLS session validated the certificate when reusing the session, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.2015-01-155.8CVE-2014-8151
SECUNIA
hk_exif_tags_project -- hk_exif_tagsCross-site scripting (XSS) vulnerability in the HK Exif Tags plugin before 1.12 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via an EXIF tag. NOTE: some of these details are obtained from third party information.2015-01-134.3CVE-2014-100007
XF
SECUNIA
hp -- insight_control_server_deploymentCross-site scripting (XSS) vulnerability in the server in HP Insight Control allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2015-01-154.3CVE-2014-7881
ibm -- sterling_b2b_integratorThe HTTP Server Adapter in IBM Sterling B2B Integrator 5.1 and 5.2.x and Sterling File Gateway 2.1 and 2.2 allows remote attackers to cause a denial of service (connection-slot exhaustion) via a crafted HTTP request.2015-01-095.0CVE-2014-6199
XF
ibm -- emptorisThe Echo API in IBM Emptoris Contract Management 9.5.x before 9.5.0.6 iFix11, 10.0.0.x before 10.0.0.1 iFix12, 10.0.1.x before 10.0.1.5 iFix2, and 10.0.2.x before 10.0.2.2 iFix5; Emptoris Sourcing 9.5 before 9.5.1.3 iFix2, 10.0.0.x before 10.0.0.1 iFix1, 10.0.1.x before 10.0.1.3 iFix1, and 10.0.2.x before 10.0.2.5; and Emptoris Program Management (aka PGM) and Strategic Supply Management (aka SSMP) 10.0.0.x before 10.0.0.3 iFix6, 10.0.1.x before 10.0.1.4 iFix1, and 10.0.2.x before 10.0.2.5 allows remote authenticated users to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.2015-01-094.0CVE-2014-6212
XF
iwcn -- stark_crmMultiple cross-site request forgery (CSRF) vulnerabilities in Stark CRM 1.0 allow remote attackers to hijack the authentication of administrators for requests that add (1) an administrator via a crafted request to the admin page, (2) an agent via a crafted request to the agent page, (3) a sub-agent via a crafted request to the sub_agent page, (4) a partner via a crafted request to the partner page, or (5) a client via a crafted request to the client page.2015-01-136.8CVE-2014-10008
XF
XF
MISC
MISC
SECUNIA
iwcn -- stark_crmMultiple cross-site scripting (XSS) vulnerabilities in Stark CRM 1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) first_name, (2) last_name, or (3) notes parameter to the client page; (4) insu_name or (5) price parameter to the add_insurance_cat page; or (6) status[] parameter to the add_status page.2015-01-134.3CVE-2014-10009
XF
MISC
MISC
SECUNIA
jetbrains -- teamcityUnspecified vulnerability in JetBrains TeamCity before 8.1 allows remote attackers to obtain sensitive information via unknown vectors.2015-01-135.0CVE-2014-10002
SECUNIA
jetbrains -- teamcityCross-site scripting (XSS) vulnerability in JetBrains TeamCity before 8.1 allows remote attackers to inject arbitrary web script or HTML via the cameFromUrl parameter to feed/generateFeedUrl.html.2015-01-134.3CVE-2014-10036
MISC
XF
SECUNIA
CONFIRM
joomlaskin -- js_multi_hotelCross-site scripting (XSS) vulnerability in includes/refreshDate.php in the Joomlaskin JS Multi Hotel (aka JS MultiHotel and Js-Multi-Hotel) plugin 2.2.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the roomid parameter.2015-01-094.3CVE-2013-7419
MISC
joomlaskin -- js_multi_hotelCross-site scripting (XSS) vulnerability in includes/delete_img.php in the Joomlaskin JS Multi Hotel (aka JS MultiHotel and Js-Multi-Hotel) plugin 2.2.1 and earlier for WordPress allows remote attackers to inject arbitrary web script or HTML via the path parameter.2015-01-134.3CVE-2014-100008
XF
MISC
MISC
joomlaskin -- js_multi_hotelThe Joomlaskin JS Multi Hotel (aka JS MultiHotel and Js-Multi-Hotel) plugin 2.2.1 and earlier for WordPress allows remote attackers to obtain the installation path via a request to (1) functions.php, (2) myCalendar.php, (3) refreshDate.php, (4) show_image.php, (5) widget.php, (6) phpthumb/GdThumb.inc.php, or (7) phpthumb/thumb_plugins/gd_reflection.inc.php in includes/.2015-01-135.0CVE-2014-100009
MISC
MISC
licensepal -- arcticdeskDirectory traversal vulnerability in LicensePal ArcticDesk before 1.2.5 allows remote attackers to read arbitrary files via unspecified vectors.2015-01-135.0CVE-2014-100033
MISC
SECUNIA
licensepal -- arcticdeskCross-site scripting (XSS) vulnerability in the frontend interface in LicensePal ArcticDesk before 1.2.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2015-01-134.3CVE-2014-100034
XF
SECUNIA
litech -- router_advertisement_daemonThe L3 agent in OpenStack Neutron 2014.2.x before 2014.2.2, when using radvd 2.0+, allows remote authenticated users to cause a denial of service (blocked router update processing) by creating eight routers and assigning an ipv6 non-provider subnet to each.2015-01-154.0CVE-2014-8153
MISC
CONFIRM
CONFIRM
BID
maianscriptworld -- maian_uploaderMultiple cross-site scripting (XSS) vulnerabilities in Maian Uploader 4.0 allow remote attackers to inject arbitrary web script or HTML via the width parameter to (1) uploader/admin/js/load_flv.js.php or (2) uploader/js/load_flv.js.php.2015-01-134.3CVE-2014-10003
XF
MISC
OSVDB
maianscriptworld -- maian_uploaderMaian Uploader 4.0 allows remote attackers to obtain sensitive information via a request without the height parameter to load_flv.js.php, which reveals the installation path in an error message.2015-01-135.0CVE-2014-10005
OSVDB
MISC
maianscriptworld -- maian_uploaderMultiple cross-site request forgery (CSRF) vulnerabilities in Maian Uploader 4.0 allow remote attackers to hijack the authentication of unspecified users for requests that conduct cross-site scripting (XSS) attacks via the width parameter to (1) uploader/admin/js/load_flv.js.php or (2) uploader/js/load_flv.js.php.2015-01-136.8CVE-2014-10006
MISC
maianscriptworld -- maian_weblogMultiple cross-site scripting (XSS) vulnerabilities in Maian Weblog 4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) email, or (3) subject parameter in a contact action to index.php.2015-01-134.3CVE-2014-10007
MISC
XF
SECUNIA
mantisbt -- mantisbtCross-site scripting (XSS) vulnerability in file_download.php in MantisBT before 1.2.18 allows remote authenticated users to inject arbitrary web script or HTML via a Flash file with an image extension, related to inline attachments, as demonstrated by a .swf.jpeg filename.2015-01-094.3CVE-2014-9271
CONFIRM
MLIST
MLIST
MLIST
mantisbt -- mantisbtThe string_insert_href function in MantisBT 1.2.0a1 through 1.2.x before 1.2.18 does not properly validate the URL protocol, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the javascript:// protocol.2015-01-094.3CVE-2014-9272
CONFIRM
CONFIRM
MLIST
MLIST
mcafee -- epolicy_orchestratorXML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 allows remote authenticated users to read arbitrary files via the conditionXML parameter to the taskLogTable to orionUpdateTableFilter.do.2015-01-094.0CVE-2015-0921
FULLDISC
FULLDISC
MISC
mcafee -- epolicy_orchestratorMcAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.2015-01-095.0CVE-2015-0922
FULLDISC
FULLDISC
MISC
microsoft -- windows_7The Network Location Awareness (NLA) service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 does not perform mutual authentication to determine a domain connection, which allows remote attackers to trigger an unintended permissive configuration by spoofing DNS and LDAP responses on a local network, aka "NLA Security Feature Bypass Vulnerability."2015-01-136.1CVE-2015-0006
microsoft -- windows_7mrxdav.sys (aka the WebDAV driver) in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to bypass an impersonation protection mechanism, and obtain privileges for redirection of WebDAV requests, via a crafted application, aka "WebDAV Elevation of Privilege Vulnerability."2015-01-134.7CVE-2015-0011
moip_project -- moipCross-site scripting (XSS) vulnerability in the Moip module 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors to the notification page callback.2015-01-094.3CVE-2014-9500
MLIST
MLIST
mozilla -- firefoxMozilla Firefox before 35.0 and SeaMonkey before 2.32 do not properly initialize memory for BMP images, which allows remote attackers to obtain sensitive information from process memory via a crafted web page that triggers the rendering of malformed BMP data within a CANVAS element.2015-01-145.0CVE-2014-8637
CONFIRM
mozilla -- firefoxThe navigator.sendBeacon implementation in Mozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 omits the CORS Origin header, which allows remote attackers to bypass intended CORS access-control checks and conduct cross-site request forgery (CSRF) attacks via a crafted web site.2015-01-146.8CVE-2014-8638
CONFIRM
mozilla -- firefoxMozilla Firefox before 35.0, Firefox ESR 31.x before 31.4, Thunderbird before 31.4, and SeaMonkey before 2.32 do not properly interpret Set-Cookie headers within responses that have a 407 (aka Proxy Authentication Required) status code, which allows remote HTTP proxy servers to conduct session fixation attacks by providing a cookie name that corresponds to the session cookie of the origin server.2015-01-146.8CVE-2014-8639
CONFIRM
mozilla -- firefoxThe mozilla::dom::AudioParamTimeline::AudioNodeInputValue function in the Web Audio API implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly restrict timeline operations, which allows remote attackers to cause a denial of service (uninitialized-memory read and application crash) via crafted API calls.2015-01-145.0CVE-2014-8640
CONFIRM
mozilla -- firefoxMozilla Firefox before 35.0 and SeaMonkey before 2.32 do not consider the id-pkix-ocsp-nocheck extension in deciding whether to trust an OCSP responder, which makes it easier for remote attackers to obtain sensitive information by sniffing the network during a session in which there was an incorrect decision to accept a compromised and revoked certificate.2015-01-144.3CVE-2014-8642
CONFIRM
mtouch_quiz_project -- mtouch_quizMultiple cross-site scripting (XSS) vulnerabilities in question.php in the mTouch Quiz before 3.0.7 for WordPress allow remote attackers to inject arbitrary web script or HTML via the quiz parameter to wp-admin/edit.php.2015-01-134.3CVE-2014-100023
MISC
XF
XF
SECUNIA
mywebsiteadvisor -- simple_securityMultiple cross-site scripting (XSS) vulnerabilities in the MyWebsiteAdvisor Simple Security plugin 1.1.5 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) datefilter parameter in the access_log page to wp-admin/users.php or (2) simple_security_ip_blacklist[] parameter in an add_blacklist_ip action in the ip_blacklist page to wp-admin/users.php.2015-01-154.3CVE-2014-9570
MISC
BUGTRAQ
orangehrm -- orangehrmCross-site scripting (XSS) vulnerability in symfony/web/index.php/pim/viewEmployeeList in OrangeHRM before 3.1.2 allows remote attackers to inject arbitrary web script or HTML via the empsearch[employee_name][empId] parameter.2015-01-134.3CVE-2014-100021
BID
SECUNIA
MISC
oscommerce -- online_merchantSQL injection vulnerability in the update_zone function in catalog/admin/geo_zones.php in osCommerce Online Merchant 2.3.3.4 and earlier allows remote administrators to execute arbitrary SQL commands via the zID parameter in a list action.2015-01-136.5CVE-2014-10033
CONFIRM
XF
MISC
EXPLOIT-DB
OSVDB
panasonic -- arbitrator_back-end_server_mk_2.0_vpuPanasonic Arbitrator Back-End Server (BES) MK 2.0 VPU before 9.3.1 build 4.08.003.0, when USB Wi-Fi or Direct LAN is enabled, and MK 3.0 VPU before 9.3.1 build 5.06.000.0, when Embedded Wi-Fi or Direct LAN is enabled, does not use encryption, which allows remote attackers to obtain sensitive information by sniffing the network for client-server traffic, as demonstrated by Active Directory credential information.2015-01-154.3CVE-2014-9596
photocati_media -- photocratiCross-site scripting (XSS) vulnerability in photocrati-gallery/ecomm-sizes.php in the Photocrati theme for WordPress allows remote attackers to inject arbitrary web script or HTML via the prod_id parameter.2015-01-134.3CVE-2014-100016
XF
BID
SECUNIA
MISC
OSVDB
phpjabbers -- appointment_schedulerMultiple cross-site request forgery (CSRF) vulnerabilities in PHPJabbers Appointment Scheduler 2.0 allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks via the i18n[1][name] parameter in a pjActionCreate action to the pjAdminServices controller or (2) add an administrator via a pjActionCreate action to the pjAdminUsers controller.2015-01-136.8CVE-2014-10001
XF
XF
EXPLOIT-DB
SECUNIA
MISC
phpjabbers -- appointment_schedulerDirectory traversal vulnerability in PHPJabbers Appointment Scheduler 2.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the id parameter in a pjActionDownload action to the pjBackup controller.2015-01-135.0CVE-2014-10010
XF
EXPLOIT-DB
MISC
phpjabbers -- event_booking_calendarMultiple cross-site request forgery (CSRF) vulnerabilities in PHPJabbers Event Booking Calendar 2.0 allow remote attackers to hijack the authentication of administrators for requests that (1) change the username and password of the administrator via an update action to the AdminOptions controller or conduct cross-site scripting (XSS) attacks via the (2) event_title parameter in a create action to the AdminEvents controller or (3) category_title parameter in a create action to the AdminCategories controller.2015-01-136.8CVE-2014-10014
XF
XF
SECUNIA
MISC
phpkit -- phpkitCross-site scripting (XSS) vulnerability in the poll archive in PHPKIT 1.6.6 (Build 160014) allows remote attackers to inject arbitrary web script or HTML via the result parameter to upload_files/pk/include.php.2015-01-154.3CVE-2015-1052
BID
MISC
MISC
FULLDISC
MISC
phponlinechat -- phponlinechatCross-site scripting (XSS) vulnerability in canned_opr.php in PhpOnlineChat 3.0 allows remote attackers to inject arbitrary web script or HTML via the message field.2015-01-134.3CVE-2014-100017
XF
BID
EXPLOIT-DB
MISC
pods_foundation -- podsCross-site scripting (XSS) vulnerability in the Pods plugin before 2.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter in an edit action in the pods page to wp-admin/admin.php.2015-01-154.3CVE-2014-7956
BID
BUGTRAQ
FULLDISC
MISC
pods_foundation -- podsMultiple cross-site request forgery (CSRF) vulnerabilities in the Pods plugin before 2.5 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) conduct cross-site scripting (XSS) attacks via the toggled parameter in a toggle action in the pods-components page to wp-admin/admin.php, (2) delete a pod in a delete action in the pods page to wp-admin/admin.php, (3) reset pod settings and data via the pods_reset parameter in the pod-settings page to wp-admin/admin.php, (4) deactivate and reset pod data via the pods_reset_deactivate parameter in the pod-settings page to wp-admin/admin.php, (5) delete the admin role via the id parameter in a delete action in the pods-component-roles-and-capabilities page to wp-admin/admin.php, or (6) enable "roles and capabilities" in a toggle action in the pods-components page to wp-admin/admin.php.2015-01-156.8CVE-2014-7957
BID
BUGTRAQ
FULLDISC
MISC
redhat -- jboss_data_virtualizationXML external entity (XXE) vulnerability in StaxXMLFactoryProvider2 in Odata4j, as used in Red Hat JBoss Data Virtualization before 6.0.0 patch 4, allows remote attackers to read arbitrary files via a crafted request to a REST endpoint.2015-01-155.0CVE-2014-0171
CONFIRM
roundcube -- webmailMultiple cross-site request forgery (CSRF) vulnerabilities in Roundcube Webmail before 1.0.4 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors, related to (1) address book operations or the (2) ACL or (3) Managesieve plugins.2015-01-156.8CVE-2014-9587
CONFIRM
MISC
BID
MLIST
sap -- sap_kernelBuffer overflow in the SAP NetWeaver Dispatcher in SAP Kernel 7.00 32-bit and 7.40 64-bit allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via unspecified vectors, related to the ABAP VM, aka SAP Note 2059734.2015-01-156.5CVE-2014-9594
SECUNIA
MISC
MISC
sap -- sap_kernelBuffer overflow in the SAP NetWeaver Dispatcher in SAP Kernel 7.00 32-bit and 7.40 64-bit allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via unspecified vectors, related to the Spool System, aka SAP Note 2061271.2015-01-156.5CVE-2014-9595
SECUNIA
MISC
MISC
savsoft -- savsoft_quizCross-site request forgery (CSRF) vulnerability in index.php/user_data/insert_user in Savsoft Quiz allows remote attackers to hijack the authentication of administrators for requests that create an administrator account via a crafted request.2015-01-136.8CVE-2014-100025
XF
BID
SECUNIA
MISC
scriptbrasil -- taboada_macronewsSQL injection vulnerability in news_popup.php in Taboada MacroNews 1.0 allows remote authenticated users to execute arbitrary SQL commands via the id parameter.2015-01-136.5CVE-2014-10032
XF
EXPLOIT-DB
OSVDB
seopanel -- seo_panelCross-site scripting (XSS) vulnerability in Seo Panel before 3.4.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2015-01-134.3CVE-2014-100024
XF
SECUNIA
OSVDB
seopressor -- seo_plugin_liveoptimCross-site request forgery (CSRF) vulnerability in the SEO Plugin LiveOptim plugin before 1.1.4-free for WordPress allows remote attackers to hijack the authentication of administrators for requests that change plugin settings via unspecified vectors. NOTE: some of these details are obtained from third party information.2015-01-136.8CVE-2014-100001
XF
SECUNIA
sitecore -- cmsCross-site scripting (XSS) vulnerability in Sitecore CMS before 7.0 Update-4 (rev. 140120) allows remote attackers to inject arbitrary web script or HTML via the xmlcontrol parameter to the default URI. NOTE: some of these details are obtained from third party information.2015-01-134.3CVE-2014-100004
XF
BID
BUGTRAQ
MISC
SECUNIA
OSVDB
softbb -- softbbCross-site scripting (XSS) vulnerability in redir_last_post_list.php in SoftBB 0.1.3 allows remote attackers to inject arbitrary web script or HTML via the post parameter.2015-01-154.3CVE-2014-9561
BID
MISC
FULLDISC
MISC
solidworks -- product_data_managementDirectory traversal vulnerability in pdmwService.exe in SolidWorks Workgroup PDM 2014 allows remote attackers to write to arbitrary files via a .. (dot dot) in the filename in a file upload.2015-01-136.4CVE-2014-100015
XF
EXPLOIT-DB
EXPLOIT-DB
MISC
storytlr -- storytlrCross-site scripting (XSS) vulnerability in Storytlr 1.3.dev and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to archives/.2015-01-134.3CVE-2014-100037
MISC
SECUNIA
storytlr -- storytlrCross-site scripting (XSS) vulnerability in Storytlr 1.3.dev and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter to search/.2015-01-134.3CVE-2014-100038
MISC
XF
SECUNIA
suse -- gcabDirectory traversal vulnerability in the gcab_folder_extract function in libgcab/gcab-folder.c in gcab 0.4 allows remote attackers to write to arbitrary files via crafted path in a CAB file, as demonstrated by "\tmp\moo."2015-01-156.4CVE-2015-0552
CONFIRM
CONFIRM
MLIST
SUSE
tapatalk -- tapatalkMultiple cross-site scripting (XSS) vulnerabilities in mobiquo/smartbanner/welcome.php in the Tapatalk (com.tapatalk.wbb4) plugin 1.x before 1.1.2 for Woltlab Burning Board 4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) app_android_id or (2) app_kindle_url parameter.2015-01-154.3CVE-2014-8869
MISC
BID
BUGTRAQ
FULLDISC
tapatalk -- tapatalkOpen redirect vulnerability in mobiquo/smartbanner/welcome.php in the Tapatalk (com.tapatalk.wbb4) plugin before 1.1.2 for Woltlab Burning Board 4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the board_url parameter.2015-01-155.8CVE-2014-8870
BID
BUGTRAQ
FULLDISC
teracom -- t2-b-gawv1.4u10y-biCross-site scripting (XSS) vulnerability in webconfig/wlan/country.html/country in the Teracom T2-B-Gawv1.4U10Y-BI modem allows remote attackers to inject arbitrary web script or HTML via the essid parameter.2015-01-134.3CVE-2014-10018
XF
BID
EXPLOIT-DB
OSVDB
teracom -- t2-b-gawv1.4u10y-biMultiple cross-site request forgery (CSRF) vulnerabilities in webconfig/wlan/country.html/country in the Teracom T2-B-Gawv1.4U10Y-BI modem allow remote attackers to hijack the authentication of administrators for requests that (1) change the SSID or (2) change the password via a crafted request.2015-01-136.8CVE-2014-10019
XF
EXPLOIT-DB
tp-link -- tl-wr840n_firmwareCross-site request forgery (CSRF) vulnerability in the administration console in TP-Link TL-WR840N (V1) router with firmware before 3.13.27 build 141120 allows remote attackers to hijack the authentication of administrators for requests that change router settings via a configuration file import.2015-01-096.8CVE-2014-9510
BID
MISC
FULLDISC
unconfirmed_project -- unconfirmedCross-site scripting (XSS) vulnerability in the Unconfirmed plugin before 1.2.5 for WordPress allows remote attackers to inject arbitrary web script or HTML via the s parameter in the unconfirmed page to wp-admin/network/users.php.2015-01-134.3CVE-2014-100018
CONFIRM
MISC
BID
SECUNIA
webcrafted_project -- webcraftedCross-site scripting (XSS) vulnerability in /signup in WEBCrafted allows remote attackers to inject arbitrary web script or HTML via the username.2015-01-134.3CVE-2014-100028
XF
BID
SECUNIA
MISC
webtrees -- webtreesMultiple cross-site scripting (XSS) vulnerabilities in modules_v3/googlemap/wt_v3_street_view.php in webtrees before 1.5.2 allow remote attackers to inject arbitrary web script or HTML via the (1) map, (2) streetview, or (3) reset parameter.2015-01-134.3CVE-2014-100006
XF
MISC
SECUNIA
welcart -- e-commerceMultiple cross-site scripting (XSS) vulnerabilities in the Welcart e-Commerce plugin 1.3.12 for WordPress allow remote attackers to inject arbitrary web script or HTML via (1) unspecified vectors related to purchase_limit or the (2) name, (3) intl, (4) nocod, or (5) time parameter in an add_delivery_method action to wp-admin/admin-ajax.php.2015-01-134.3CVE-2014-10016
XF
BID
SECUNIA
MISC
wireshark -- wiresharkMultiple use-after-free vulnerabilities in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allow remote attackers to cause a denial of service (application crash) via a crafted packet, related to the use of packet-scope memory instead of pinfo-scope memory.2015-01-095.0CVE-2015-0559
CONFIRM
CONFIRM
wireshark -- wiresharkThe dissect_wccp2r1_address_table_info function in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 does not initialize certain data structures, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.2015-01-095.0CVE-2015-0560
CONFIRM
CONFIRM
wireshark -- wiresharkasn1/lpp/lpp.cnf in the LPP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 does not validate a certain index value, which allows remote attackers to cause a denial of service (out-of-bounds memory access and application crash) via a crafted packet.2015-01-095.0CVE-2015-0561
CONFIRM
CONFIRM
wireshark -- wiresharkMultiple use-after-free vulnerabilities in epan/dissectors/packet-dec-dnart.c in the DEC DNA Routing Protocol dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allow remote attackers to cause a denial of service (application crash) via a crafted packet, related to the use of packet-scope memory instead of pinfo-scope memory.2015-01-095.0CVE-2015-0562
CONFIRM
CONFIRM
wireshark -- wiresharkepan/dissectors/packet-smtp.c in the SMTP dissector in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 uses an incorrect length value for certain string-append operations, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.2015-01-095.0CVE-2015-0563
CONFIRM
CONFIRM
CONFIRM
wireshark -- wiresharkBuffer underflow in the ssl_decrypt_record function in epan/dissectors/packet-ssl-utils.c in Wireshark 1.10.x before 1.10.12 and 1.12.x before 1.12.3 allows remote attackers to cause a denial of service (application crash) via a crafted packet that is improperly handled during decryption of an SSL session.2015-01-095.0CVE-2015-0564
CONFIRM
wpeasycart -- wp_easycartUnrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in products/banners/.2015-01-156.5CVE-2014-9308
BID
EXPLOIT-DB
MISC
MISC
OSVDB
xen -- xenThe evtchn_fifo_set_pending function in Xen 4.4.x allows local guest users to cause a denial of service (host crash) via vectors involving an uninitialized FIFO-based event channel control block when (1) binding or (2) moving an event to a different VCPU.2015-01-124.9CVE-2014-6268
XF
SECTRACK
BID
zfcuser_project -- zfcuserCross-site scripting (XSS) vulnerability in user/login.phtml in ZF-Commons ZfcUser before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the redirect parameter.2015-01-154.3CVE-2015-1039
CONFIRM
CONFIRM
BID
MLIST
zohocorp -- manageengine_supportcenter_plusDirectory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket.2015-01-135.0CVE-2014-100002
CONFIRM
XF
EXPLOIT-DB
OSVDB
Back to top

Low Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
bedita -- beditaMultiple cross-site scripting (XSS) vulnerabilities in the administrative backend in BEdita 3.4.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lrealname field in the editProfile form to index.php/home/profile; the (2) data[title] or (3) data[description] field in the addQuickItem form to index.php; the (4) "note text" field in the saveNote form to index.php/areas; or the (5) titleBEObject or (6) tagsArea field in the updateForm form to index.php/documents/view.2015-01-153.5CVE-2015-1040
CONFIRM
BID
MISC
MLIST
FULLDISC
MISC
codewrights -- hart_device_type_managerThe CodeWrights HART Device Type Manager (DTM) library in Emerson HART DTM before 1.4.181 allows physically proximate attackers to cause a denial of service (DTM outage and FDT Frame application hang) by transmitting crafted response packets on the 4-20 mA current loop.2015-01-092.1CVE-2014-9191
godwin's_law_project -- godwin's_lawCross-site scripting (XSS) vulnerability in the Godwin's Law module before 7.x-1.1 for Drupal, when using the dblog module, allows remote authenticated users to inject arbitrary web script or HTML via a Watchdog message.2015-01-093.5CVE-2014-9499
XF
MLIST
MLIST
ibm -- curam_social_program_managementCross-site scripting (XSS) vulnerability in IBM Curam Social Program Management before 6.0.5.5a allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.2015-01-093.5CVE-2014-3096
linux -- linux_kernelThe parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel before 3.18.2 does not validate a length value in the Extensions Reference (ER) System Use Field, which allows local users to obtain sensitive information from kernel memory via a crafted iso9660 image.2015-01-092.1CVE-2014-9584
CONFIRM
CONFIRM
MLIST
CONFIRM
linux -- linux_kernelThe vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2 does not properly choose memory locations for the vDSO area, which makes it easier for local users to bypass the ASLR protection mechanism by guessing a location at the end of a PMD.2015-01-092.1CVE-2014-9585
MLIST
MLIST
MISC
CONFIRM
malwarebytes -- malwarebytes_anti-exploitmbae.sys in Malwarebytes Anti-Exploit before 1.05.1.2014 allows local users to cause a denial of service (crash) via a crafted size in an unspecified IOCTL call, which triggers an out-of-bounds read. NOTE: some of these details are obtained from third party information.2015-01-132.1CVE-2014-100039
CONFIRM
OSVDB
mantisbt -- mantisbtCross-site scripting (XSS) vulnerability in helper_api.php in MantisBT 1.1.0a1 through 1.2.x before 1.2.18, when Extended project browser is enabled, allows remote attackers to inject arbitrary web script or HTML via the project cookie.2015-01-092.6CVE-2014-9269
CONFIRM
DEBIAN
MLIST
MLIST
mediawiki -- mediawikiCross-site scripting (XSS) vulnerability in thumb.php in MediaWiki before 1.19.23, 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote authenticated users to inject arbitrary web script or HTML via a wikitext message.2015-01-163.5CVE-2014-9475
MLIST
MLIST
DEBIAN
microsoft -- windows_8The Windows Error Reporting (WER) component in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to bypass the Protected Process Light protection mechanism and read the contents of arbitrary process-memory locations by leveraging administrative privileges, aka "Windows Error Reporting Security Feature Bypass Vulnerability."2015-01-131.9CVE-2015-0001
poll_chart_block_project -- poll_chart_blockCross-site scripting (XSS) vulnerability in the Poll Chart Block module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a poll node title.2015-01-093.5CVE-2014-9501
MLIST
MLIST
redhat -- network_satelliteMultiple cross-site scripting (XSS) vulnerabilities in Spacewalk and Red Hat Network (RHN) Satellite before 5.7.0 allow remote authenticated users to inject arbitrary web script or HTML via crafted XML data to the REST API.2015-01-153.5CVE-2014-7811
redhat -- network_satelliteCross-site scripting (XSS) vulnerability in Spacewalk and Red Hat Network (RHN) Satellite before 5.7.0 allows remote authenticated users to inject arbitrary web script or HTML via the System Groups field.2015-01-153.5CVE-2014-7812
school_administration_project -- school_administrationCross-site scripting (XSS) vulnerability in the School Administration module 7.x-1.x before 7.x-1.8 for Drupal allows remote authenticated users with permission to create or edit a class node to inject arbitrary web script or HTML via a node title.2015-01-093.5CVE-2014-9505
XF
MLIST
MLIST
siemens -- simatic_wincc_sm@rtclientThe Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows physically proximate attackers to extract the password from storage via unspecified vectors.2015-01-142.1CVE-2014-5231
siemens -- simatic_wincc_sm@rtclientThe Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows local users to bypass an intended application-password requirement by leveraging the running of the app in the background state.2015-01-141.9CVE-2014-5232
siemens -- simatic_wincc_sm@rtclientThe Siemens SIMATIC WinCC Sm@rtClient app before 1.0.2 for iOS allows physically proximate attackers to discover Sm@rtServer credentials by leveraging an error in the credential-processing mechanism.2015-01-141.9CVE-2014-5233
webform_invitation_project -- webform_invitationCross-site scripting (XSS) vulnerability in the Webform Invitation module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.4 for Drupal allows remote authenticated users with the Webform: Create new content, Webform: Edit own content, or Webform: Edit any content permission to inject arbitrary web script or HTML via a node title.2015-01-093.5CVE-2014-9498
MLIST
MLIST
Back to top

This product is provided subject to this Notification and this Privacy & Use policy.



01/15/2015 01:49 PM
Affordable Care Act Phishing Campaign
Original release date: January 15, 2015

US-CERT is aware of a phishing campaign purporting to come from a U.S. Federal Government Agency. The phishing emails reference the Affordable Care Act in the subject and claim to direct users to health coverage information, but instead direct them to sites which attempt to elicit private information or install malicious code.

US-CERT encourages users to take the following measures to protect themselves:

  • Do not follow links or download attachments in unsolicited email messages.
  • Maintain up-to-date antivirus software.
  • Refer to the Avoiding Social Engineering and Phishing Attacks Security Tip for additional information on social engineering attacks.

If affected by the campaign, users should report the incident to appropriate parties within their organization and notify US-CERT.


This product is provided subject to this Notification and this Privacy & Use policy.



01/15/2015 08:37 AM
IC3 Issues Alert on University Employee Payroll Scam
Original release date: January 15, 2015

The Internet Crime Complaint Center (IC3) has issued an alert addressing a spear phishing scam targeting university employees and their payroll accounts. Scam operators use fraudulent e-mails and websites to entice employees to reveal login credentials.

Users are encouraged to review the IC3 Alert for details and refer to Security Tip ST04-014 for information on social engineering and phishing attacks.


This product is provided subject to this Notification and this Privacy & Use policy.





We Specialize In...

Wireless Networking - WiFi

Wireless Network Setup, Access Points, Routers, Antennas, and other devices.

Network Wiring

Coax (RG-6/59), Ethernet Wiring (CAT 3/5/5E/6), Phone Systems, and Structured Wiring

Data Recovery

PC Desktop Harddrives, External Storage, Network Attached Storage(NAS), RAID Array, and Server Hard drives.

Hardware Service

Data Storage Systems, Hard Drive Related, Hardware Repair, Laptop Repair, PC Repiar, Scanner Repair, Server Repair, System Diagnostics, Tape Drives, and other External Media.

Software Services

Accounting Systems, Adware/Spyware Removal, Antivirus Software and Virus Removal, Back Up Software, Communications Software, Contact Management, Database Software, Documentation Creating and Publishing, and Email Software.

Operating Systems

Linux, MS-DOS, Windows NT Workstation and Server, Windows 95, Windows 98, Windows ME, Windows 2000, Windows XP Home and Windows XP Professional.

Printer Repair and Service

All inkjet and laserjet printers, Dot matrix printers, Network Printers, HP, Lexmark, Canon, Brother, Oki-Data, OTC, and many other Printer Manufacturers.

Your One-Stop Solution For..

Virus Scanning and Virus Removal, PC Help, Computer Maintenance, Business Computer/Laptop Repair, Hardware Configuration, Software Configuration, AdWare and Spyware Removal and Immunization, Door-to-Door Pc Repair and Computer Services, Networking, Cabling, Wired and Wireless Network Assistance, Network Diagnostics Service, Components, Modems, Printers, Scanners, Digital Cameras, Data Storage, Data Recovery, Backup and Fail-Safe Disaster Recovery, Cable Modem Internet and DSL Internet Connections and Maintenance, Computer Troubleshooting, Hard Drive backups, Technical Support, End user training, Software Training, Any on-site Computer Need, Computer Tune Ups, Operating System (OS) Installations, On Site Computer Traingin, Laptop/Notebook Service and Repair, Free Upgrading Advice and Computer Upgrades at unbeatable rates.

Legal InformationTechAnywhereComputer Repair MemphisComputer Repair Industry

© 2004-2015 memphiscomputerrepair.com
All rights reserved.