US-CERT Alerts – Alerts warn about vulnerabilities, incidents, and other security issues that pose a significant risk.
Original release date: February 05, 2015
Google has released Chrome 40.0.2214.111 for Windows, Mac, and Linux to address multiple vulnerabilities. Exploitation of these vulnerabilities could allow a remote attacker to take control of an affected system.
US-CERT encourages users and administrators to review the Google Chrome blog entry and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: February 05, 2015
Adobe has released security updates to address multiple vulnerabilities in Flash Player, one of which could allow a remote attacker to take control of an affected system.
Users and administrators are encouraged to review Adobe Security Bulletin APSB15-04 and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: February 02, 2015
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adobe — flash_player | Adobe Flash Player before 13.0.0.262 and 14.x through 16.x before 16.0.0.287 on Windows and OS X and before 11.2.202.438 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism on Windows, and have an unspecified impact on other platforms, via unknown vectors, as exploited in the wild in January 2015. | 2015-01-23 | 10.0 | CVE-2015-0310 |
| adobe — flash_player | Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in January 2015. | 2015-01-23 | 10.0 | CVE-2015-0311 |
| adobe — flash_player | Double free vulnerability in Adobe Flash Player before 13.0.0.264 and 14.x through 16.x before 16.0.0.296 on Windows and OS X and before 11.2.202.440 on Linux allows attackers to execute arbitrary code via unspecified vectors. | 2015-01-28 | 10.0 | CVE-2015-0312 |
| catbot_project — catbot | SQL injection vulnerability in index.php in CatBot 0.4.2 allows remote attackers to execute arbitrary SQL commands via the lastcatbot parameter. | 2015-01-27 | 7.5 | CVE-2015-1367 XF MISC BUGTRAQ FULLDISC MISC |
| cisco — prime_service_catalog | The XML parser in Cisco Prime Service Catalog before 10.1 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in conjunction with an entity reference, as demonstrated by reading private keys, related to an XML External Entity (XXE) issue, aka Bug ID CSCup92880. | 2015-01-28 | 7.5 | CVE-2015-0581 |
| cisco — ios | The Network-Based Application Recognition (NBAR) protocol implementation in Cisco IOS 15.3(100)M and earlier on Cisco 2900 Integrated Services Router (aka Cisco Internet Router) devices allows remote attackers to cause a denial of service (NBAR process hang) via IPv4 packets, aka Bug ID CSCuo73682. | 2015-01-28 | 7.8 | CVE-2015-0586 |
| ferretcms_project — ferretcms | Unrestricted file upload vulnerability in ferretCMS 1.0.4-alpha allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in custom/uploads/. | 2015-01-27 | 7.5 | CVE-2015-1371 CONFIRM BID MLIST MISC FULLDISC |
| ferretcms_project — ferretcms | SQL injection vulnerability in ferretCMS 1.0.4-alpha allows remote attackers to execute arbitrary SQL commands via the p parameter in an update action to admin.php. | 2015-01-27 | 7.5 | CVE-2015-1372 CONFIRM BID MLIST MISC FULLDISC |
| freereprintables — articlefr | SQL injection vulnerability in the getProfile function in system/profile.functions.php in Free Reprintables ArticleFR 3.0.5 allows remote attackers to execute arbitrary SQL commands via the username parameter to register/. | 2015-01-27 | 7.5 | CVE-2015-1364 MISC EXPLOIT-DB FULLDISC |
| gnome — vala | The Gst.MapInfo function in Vala 0.26.0 and 0.26.1 uses an incorrect buffer length declaration for the Gstreamer bindings, which allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary code via unspecified vectors, which trigger a heap-based buffer overflow. | 2015-01-27 | 7.5 | CVE-2014-8154 MISC SUSE |
| gnu — glibc | Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka “GHOST.” | 2015-01-28 | 10.0 | CVE-2015-0235 MISC BUGTRAQ BUGTRAQ |
| google — chrome | Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data that is improperly handled during text drawing, related to gpu/GrBitmapTextContext.cpp and gpu/GrDistanceFieldTextContext.cpp, a different vulnerability than CVE-2015-1205. | 2015-01-27 | 7.5 | CVE-2015-1360 CONFIRM CONFIRM CONFIRM |
| ibm — i_access | Buffer overflow in the Data Transfer Program in IBM i Access 5770-XE1 5R4, 6.1, and 7.1 on Windows allows local users to gain privileges via unspecified vectors. | 2015-01-28 | 7.2 | CVE-2014-8920 XF |
| jasper_project — jasper | Off-by-one error in the jpc_dec_process_sot function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image, which triggers a heap-based buffer overflow. | 2015-01-26 | 7.5 | CVE-2014-8157 CONFIRM REDHAT |
| mantisbt — mantisbt | MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4. | 2015-01-26 | 7.5 | CVE-2014-9572 CONFIRM MISC XF MLIST |
| midgard-project — midgard2 | The default D-Bus access control rule in Midgard2 10.05.7.1 allows local users to send arbitrary method calls or signals to any process on the system bus and possibly execute arbitrary code with root privileges. | 2015-01-26 | 7.2 | CVE-2014-8148 MLIST SUSE |
| php — php | Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142. | 2015-01-27 | 7.5 | CVE-2015-0231 CONFIRM CONFIRM |
| pixabay_images_project — pixabay_images | pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files. | 2015-01-28 | 7.5 | CVE-2015-1375 CONFIRM BUGTRAQ OSVDB MLIST EXPLOIT-DB FULLDISC MISC |
| polarssl — polarssl | The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate. | 2015-01-27 | 7.5 | CVE-2015-1182 SECUNIA SECUNIA |
| schneider-electric — tsxetg3000 | The Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware before 1.60 IR 04 stores rde.jar under the web root with insufficient access control, which allows remote attackers to obtain sensitive setup and configuration information via a direct request. | 2015-01-27 | 7.8 | CVE-2014-9197 |
| schneider-electric — tsxetg3000 | The FTP server on the Schneider Electric ETG3000 FactoryCast HMI Gateway with firmware through 1.60 IR 04 has hardcoded credentials, which makes it easier for remote attackers to obtain access via an FTP session. | 2015-01-27 | 10.0 | CVE-2014-9198 |
| sequelize_project — sequelize | SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter. | 2015-01-27 | 7.5 | CVE-2015-1369 CONFIRM CONFIRM MLIST |
| two_pilots — exif_pilot | Buffer overflow in the Customize 35mm tab in Two Pilots Exif Pilot 4.7.2 allows remote attackers to execute arbitrary code via a long string in the maker element in an XML file. | 2015-01-27 | 7.5 | CVE-2015-1362 EXPLOIT-DB MISC |
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| ansible — tower | Multiple cross-site scripting (XSS) vulnerabilities in Ansible Tower (aka Ansible UI) before 2.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) order_by parameter to credentials/, (2) inventories/, (3) projects/, or (4) users/3/permissions/ in api/v1/ or the (5) next_run parameter to api/v1/schedules/. | 2015-01-27 | 4.3 | CVE-2015-1368 MISC XF BID BUGTRAQ EXPLOIT-DB FULLDISC MISC OSVDB OSVDB OSVDB OSVDB OSVDB |
| apple — apple_tv | The mach_port_kobject interface in the kernel in Apple iOS before 8.1.3 and Apple TV before 7.0.3 does not properly restrict kernel-address and heap-permutation information, which makes it easier for attackers to bypass the ASLR protection mechanism via a crafted app. | 2015-01-30 | 5.0 | CVE-2014-4496 |
| apple — mac_os_x | The Security component in Apple OS X before 10.10.2 does not properly process cached information about app certificates, which allows attackers to bypass the Gatekeeper protection mechanism by leveraging access to a revoked Developer ID certificate for signing a crafted app. | 2015-01-30 | 4.3 | CVE-2014-8838 |
| apple — mac_os_x | Spotlight in Apple OS X before 10.10.2 does not enforce the Mail “Load remote content in messages” configuration, which allows remote attackers to discover recipient IP addresses by including an inline image in an HTML e-mail message and logging HTTP requests for this image’s URL. | 2015-01-30 | 5.0 | CVE-2014-8839 MISC SECTRACK MISC |
| apple — iphone_os | The iTunes Store component in Apple iOS before 8.1.3 allows remote attackers to bypass a Safari sandbox protection mechanism by leveraging redirection of an SSL URL to the iTunes Store. | 2015-01-30 | 6.8 | CVE-2014-8840 MISC |
| attachmate — reflection_ftp_client | Stack-based buffer overflow in the Attachmate Reflection FTP Client before 14.1.433 allows remote FTP servers to execute arbitrary code via a large PWD response. | 2015-01-27 | 6.8 | CVE-2014-5211 MISC SECUNIA |
| beasts — vsftpd | Unspecified vulnerability in vsftp 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing. | 2015-01-28 | 5.0 | CVE-2015-1419 SECUNIA |
| eventsentry — eventsentry | Cross-site scripting (XSS) vulnerability in the Web Reports in EventSentry 3.1.0 allows remote attackers to inject arbitrary web script or HTML via the pageId parameter to networktile/bullet. | 2015-01-23 | 4.3 | CVE-2015-1180 BUGTRAQ MISC |
| ferretcms_project — ferretcms | Multiple cross-site scripting (XSS) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to inject arbitrary web script or HTML via the (1) action parameter in a search request, (2) username in a login request, which is not properly handled when logging the event, or (3) page title in an insert action. | 2015-01-27 | 4.3 | CVE-2015-1373 CONFIRM BID MLIST MISC FULLDISC |
| ferretcms_project — ferretcms | Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to hijack the authentication of administrators for requests that conduct (1) cross-site scripting (XSS), (2) SQL injection, or (3) unrestricted file upload attacks. | 2015-01-27 | 6.8 | CVE-2015-1374 MISC MLIST |
| freereprintables — articlefr | Cross-site scripting (XSS) vulnerability in Free Reprintables ArticleFR 3.0.5 allows remote attackers to inject arbitrary web script or HTML via the q parameter to search/v/. | 2015-01-27 | 4.3 | CVE-2015-1363 MISC FULLDISC MISC |
| genetechsolutions — pie_register | The Pie Register plugin before 2.0.14 for WordPress does not properly restrict access to certain functions in pie-register.php, which allows remote attackers to (1) add a user by uploading a crafted CSV file or (2) activate a user account via a verifyit action. | 2015-01-23 | 5.0 | CVE-2014-8802 MISC SECUNIA |
| google — chrome | Unquoted Windows search path vulnerability in the GoogleChromeDistribution::DoPostUninstallOperations function in installer/util/google_chrome_distribution.cc in the uninstall-survey feature in Google Chrome before 40.0.2214.91 allows local users to gain privileges via a Trojan horse program in the %SYSTEMDRIVE% directory, as demonstrated by program.exe, a different vulnerability than CVE-2015-1205. | 2015-01-27 | 4.6 | CVE-2014-9646 CONFIRM CONFIRM CONFIRM |
| google — chrome | Use-after-free vulnerability in PDFium, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document, related to fpdfsdk/src/fpdfview.cpp and fpdfsdk/src/fsdk_mgr.cpp, a different vulnerability than CVE-2015-1205. | 2015-01-27 | 6.8 | CVE-2014-9647 CONFIRM CONFIRM CONFIRM |
| google — chrome | components/navigation_interception/intercept_navigation_resource_throttle.cc in Google Chrome before 40.0.2214.91 on Android does not properly restrict use of intent: URLs to open an application after navigation to a web site, which allows remote attackers to cause a denial of service (loss of browser access to that site) via crafted JavaScript code, as demonstrated by pandora.com and the Pandora application, a different vulnerability than CVE-2015-1205. | 2015-01-27 | 4.3 | CVE-2014-9648 CONFIRM CONFIRM |
| google — chrome | Multiple off-by-one errors in fpdfapi/fpdf_font/font_int.h in PDFium, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted PDF document, related to an “intra-object-overflow” issue, a different vulnerability than CVE-2015-1205. | 2015-01-27 | 6.8 | CVE-2015-1359 CONFIRM CONFIRM CONFIRM |
| google — chrome | platform/image-decoders/ImageFrame.h in Blink, as used in Google Chrome before 40.0.2214.91, does not initialize a variable that is used in calls to the Skia SkBitmap::setAlphaType function, which might allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted HTML document, a different vulnerability than CVE-2015-1205. | 2015-01-27 | 6.8 | CVE-2015-1361 CONFIRM CONFIRM CONFIRM |
| ibm — tririga_application_platform | Open redirect vulnerability in IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via the out parameter. | 2015-01-28 | 4.9 | CVE-2014-8894 XF |
| ibm — tririga_application_platform | IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allows remote attackers to bypass intended access restrictions and read the image files of arbitrary users via a crafted URL. | 2015-01-28 | 4.3 | CVE-2014-8895 XF |
| ibm — social_media_analytics | Multiple cross-site scripting (XSS) vulnerabilities in (1) dojox/form/resources/uploader.swf (aka upload.swf), (2) dojox/form/resources/fileuploader.swf (aka fileupload.swf), (3) dojox/av/resources/audio.swf, and (4) dojox/av/resources/video.swf in the IBM Dojo Toolkit, as used in IBM Social Media Analytics 1.3 before IF11 and other products, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2015-01-28 | 4.3 | CVE-2014-8917 XF |
| infinite_automation_systems — mango_automation | Multiple cross-site scripting (XSS) vulnerabilities in data_point_details.shtm in Mango Automation 2.4.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) dpid, (2) dpxid, or (3) pid parameter. | 2015-01-26 | 4.3 | CVE-2015-1179 BUGTRAQ MISC |
| jakweb — gecko_cms | Multiple SQL injection vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote administrators to execute arbitrary SQL commands via the (1) jak_delete_log[] or (2) ssp parameter to admin/index.php. | 2015-01-29 | 6.5 | CVE-2015-1423 XF MISC EXPLOIT-DB MISC OSVDB |
| jakweb — gecko_cms | Cross-site request forgery (CSRF) vulnerability in Gecko CMS 2.2 and 2.3 allows remote attackers to hijack the authentication of administrators for requests that add an administrator user via a newuser request to admin/index.php. | 2015-01-29 | 6.8 | CVE-2015-1424 XF MISC EXPLOIT-DB MISC OSVDB |
| jasper_project — jasper | Multiple stack-based buffer overflows in jpc_qmfb.c in JasPer 1.900.1 and earlier allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted JPEG 2000 image. | 2015-01-26 | 6.8 | CVE-2014-8158 REDHAT |
| kde — plasma-workspace | plasma-workspace before 5.1.95 allows remote attackers to obtain passwords via a Trojan horse Look and Feel package. | 2015-01-26 | 4.3 | CVE-2015-1307 BID MLIST |
| kde — kde-workspace | kde-workspace 4.2.0 and plasma-workspace before 5.1.95 allows remote attackers to obtain input events, and consequently obtain passwords, by leveraging access to the X server when the screen is locked. | 2015-01-26 | 4.3 | CVE-2015-1308 CONFIRM BID MLIST SECUNIA |
| mantisbt — mantisbt | Cross-site scripting (XSS) vulnerability in admin/install.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote attackers to inject arbitrary web script or HTML via the (1) admin_username or (2) admin_password parameter. | 2015-01-26 | 4.3 | CVE-2014-9571 CONFIRM MISC CONFIRM CONFIRM XF MLIST |
| mantisbt — mantisbt | SQL injection vulnerability in manage_user_page.php in MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 allows remote administrators with FILE privileges to execute arbitrary SQL commands via the MANTIS_MANAGE_USERS_COOKIE cookie. | 2015-01-26 | 6.0 | CVE-2014-9573 CONFIRM CONFIRM MISC CONFIRM CONFIRM XF MLIST |
| marked_project — marked | Incomplete blacklist vulnerability in marked 0.3.2 and earlier for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks via a vbscript tag in a link. | 2015-01-27 | 4.3 | CVE-2015-1370 MISC MISC MISC MLIST |
| openstack — image_registry_and_delivery_service_(glance) | OpenStack Glance 2014.2.x through 2014.2.1, 2014.1.3, and earlier allows remote authenticated users to bypass the storage quote and cause a denial of service (disk consumption) by deleting an image in the saving state. | 2015-01-23 | 4.0 | CVE-2014-9623 CONFIRM CONFIRM MLIST SECUNIA |
| osticket — osticket | Cross-site scripting (XSS) vulnerability in upload/scp/tickets.php in osTicket before 1.9.5 allows remote attackers to inject arbitrary web script or HTML via the status parameter in a search action. | 2015-01-23 | 4.3 | CVE-2015-1176 CONFIRM CONFIRM BID BUGTRAQ MISC |
| osticket — osticket | Cross-site scripting (XSS) vulnerability in client.inc.php in osTicket before 1.9.5.1 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. | 2015-01-23 | 4.3 | CVE-2015-1347 CONFIRM CONFIRM |
| php — php | The exif_process_unicode function in ext/exif/exif.c in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free and application crash) via crafted EXIF data in a JPEG image. | 2015-01-27 | 6.8 | CVE-2015-0232 CONFIRM CONFIRM CONFIRM |
| pivotal_software — rabbitmq | Cross-site scripting (XSS) vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary web script or HTML via the path info to api/, which is not properly handled in an error message. | 2015-01-27 | 4.3 | CVE-2014-9649 CONFIRM MLIST |
| pivotal_software — rabbitmq | CRLF injection vulnerability in the management plugin in RabbitMQ 2.1.0 through 3.4.x before 3.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the download parameter to api/definitions. | 2015-01-27 | 5.0 | CVE-2014-9650 CONFIRM MLIST |
| pixabay_images_project — pixabay_images | Directory traversal vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to write to arbitrary files via a .. (dot dot) in the q parameter. | 2015-01-27 | 5.0 | CVE-2015-1365 MISC CONFIRM XF BUGTRAQ MLIST EXPLOIT-DB FULLDISC MISC OSVDB |
| pixabay_images_project — pixabay_images | Cross-site scripting (XSS) vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the image_user parameter. | 2015-01-27 | 4.3 | CVE-2015-1366 MISC CONFIRM XF BUGTRAQ MLIST EXPLOIT-DB FULLDISC MISC OSVDB |
| pixabay_images_project — pixabay_images | pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com. | 2015-01-28 | 4.0 | CVE-2015-1376 CONFIRM BUGTRAQ MLIST EXPLOIT-DB FULLDISC MISC |
| qualiteam — x-cart | Multiple cross-site scripting (XSS) vulnerabilities in cart.php in X-Cart 5.1.8 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) product_id or (2) category_id parameter. | 2015-01-26 | 4.3 | CVE-2015-1178 BID BUGTRAQ MISC |
| xiph — vorbis-tools | oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (divide-by-zero error and crash) via a WAV file with the number of channels set to zero. | 2015-01-23 | 5.0 | CVE-2014-9638 MISC MLIST MLIST FULLDISC |
| xiph — vorbis-tools | Integer overflow in oggenc in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (crash) via a crafted number of channels in a WAV file, which triggers an out-of-bounds memory access. | 2015-01-23 | 5.0 | CVE-2014-9639 MISC MLIST MLIST FULLDISC |
| xiph — vorbis-tools | oggenc/oggenc.c in vorbis-tools 1.4.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted raw file. | 2015-01-23 | 5.0 | CVE-2014-9640 CONFIRM CONFIRM MLIST MLIST |
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| ibm — tririga_application_platform | Multiple cross-site scripting (XSS) vulnerabilities in (1) mainpage.jsp and (2) GetImageServlet.img in IBM TRIRIGA Application Platform 3.2.1.x, 3.3.2 before 3.3.2.3, and 3.4.1 before 3.4.1.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2015-01-28 | 3.5 | CVE-2014-8893 XF |
| pxz_project — pxz | Race condition in pxz 4.999.99 Beta 3 uses weak file permissions for the output file when compressing a file before changing the permission to match the original file, which allows local users to bypass the intended access restrictions. | 2015-01-23 | 2.1 | CVE-2015-1200 XF BID MLIST |
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: January 27, 2015
Apple has released security updates for OS X, Safari, iOS and Apple TV to address multiple vulnerabilities, one of which could allow a remote attacker to take control of an affected system.
Updates available include:
US-CERT encourages users and administrators to review Apple security updates HT204244, HT204243, HT204245 and HT204246, and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: January 27, 2015
The Linux GNU C Library (glibc) versions prior to 2.18 are vulnerable to remote code execution via a vulnerability in the gethostbyname function. Exploitation of this vulnerability may allow a remote attacker to take control of an affected system. Linux distributions employing glibc-2.18 and later are not affected.
US-CERT recommends users and administrators refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch if affected. Patches are available from Ubuntu and Red Hat. The GNU C Library versions 2.18 and later are also available for experienced users and administrators to implement.
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: January 26, 2015
Adobe has released Flash Player desktop version 16.0.0.296 to address a critical vulnerability (CVE-2015-0311) in 16.0.0.287 and earlier versions for Windows and Macintosh. This vulnerability could allow an attacker to take control of the affected system.
Users and administrators are encouraged to review Adobe Security Bulletin APSB15-01 and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: January 26, 2015
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adb — p.dga4001n_firmware | The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service (device restart) as demonstrated by a direct request to (1) wlsecurity.html or (2) resetrouter.html. | 2015-01-21 | 9.4 | CVE-2015-0554 EXPLOIT-DB MISC |
| advantech — adamview | Multiple stack-based buffer overflows in Advantech AdamView 4.3 and earlier allow remote attackers to execute arbitrary code via a crafted (1) display properties or (2) conditional bitmap parameter in a GNI file. | 2015-01-20 | 7.5 | CVE-2014-8386 EXPLOIT-DB MISC FULLDISC |
| arbiter_systems — 1094b_gps_substation_clock | Arbiter 1094B GPS Substation Clock allows remote attackers to cause a denial of service (disruption) via crafted radio transmissions that spoof GPS satellite broadcasts. | 2015-01-16 | 7.8 | CVE-2014-9194 |
| ceragon_fiberair_ip-10 — – | Ceragon FiberAir IP-10 bridges have a default password for the root account, which makes it easier for remote attackers to obtain access via a (1) HTTP, (2) SSH, (3) TELNET, or (4) CLI session. | 2015-01-17 | 7.8 | CVE-2015-0924 |
| ffmpeg — ffmpeg | Use-after-free vulnerability in the matroska_read_seek function in libavformat/matroskadec.c in FFmpeg before 2.5.1, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Matroska file that triggers improper maintenance of tracks data. | 2015-01-22 | 7.5 | CVE-2014-7933 CONFIRM CONFIRM |
| ffmpeg — ffmpeg | Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data. | 2015-01-22 | 7.5 | CVE-2014-7937 |
| ffmpeg — ffmpeg | libavcodec/xface.h in FFmpeg before 2.5.2 establishes certain digits and words array dimensions that do not satisfy a required mathematical relationship, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted X-Face image data. | 2015-01-16 | 7.5 | CVE-2014-9602 CONFIRM |
| ffmpeg — ffmpeg | The vmd_decode function in libavcodec/vmdvideo.c in FFmpeg before 2.5.2 does not validate the relationship between a certain length value and the frame width, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Sierra VMD video data. | 2015-01-16 | 7.5 | CVE-2014-9603 CONFIRM |
| ffmpeg — ffmpeg | libavcodec/utvideodec.c in FFmpeg before 2.5.2 does not check for a zero value of a slice height, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Ut Video data, related to the (1) restore_median and (2) restore_median_il functions. | 2015-01-16 | 7.5 | CVE-2014-9604 CONFIRM |
| ge — multilink_ml1200 | GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier allow remote attackers to cause a denial of service (resource consumption or reboot) via crafted packets. | 2015-01-16 | 7.8 | CVE-2014-5418 |
| gentoo — libsndfile | The sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attackers to have unspecified impact via vectors related to a (1) map offset or (2) rsrc marker, which triggers an out-of-bounds read. | 2015-01-16 | 10.0 | CVE-2014-9496 CONFIRM CONFIRM MLIST SECUNIA SUSE |
| gnu — coreutils | The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the “–date=TZ=”123″345″ @1” string to the touch or date command. | 2015-01-16 | 7.5 | CVE-2014-9471 CONFIRM MLIST MLIST MLIST SECUNIA CONFIRM |
| google — chrome | The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7926. | 2015-01-22 | 7.5 | CVE-2014-7923 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| google — chrome | Use-after-free vulnerability in the WebAudio implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an audio-rendering thread in which AudioNode data is improperly maintained. | 2015-01-22 | 7.5 | CVE-2014-7925 CONFIRM CONFIRM CONFIRM CONFIRM |
| google — chrome | The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7923. | 2015-01-22 | 7.5 | CVE-2014-7926 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| google — chrome | The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code. | 2015-01-22 | 7.5 | CVE-2014-7927 CONFIRM CONFIRM |
| google — chrome | hydrogen.cc in Google V8, as used Google Chrome before 40.0.2214.91, does not properly handle arrays with holes, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers an array copy. | 2015-01-22 | 7.5 | CVE-2014-7928 CONFIRM CONFIRM |
| google — chrome | Use-after-free vulnerability in the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving movement of a SCRIPT element across documents. | 2015-01-22 | 7.5 | CVE-2014-7929 CONFIRM CONFIRM |
| google — chrome | Use-after-free vulnerability in core/events/TreeScopeEventContext.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of TreeScope data. | 2015-01-22 | 7.5 | CVE-2014-7930 CONFIRM CONFIRM |
| google — chrome | factory.cc in Google V8, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of backing-store pointers. | 2015-01-22 | 7.5 | CVE-2014-7931 CONFIRM CONFIRM |
| google — chrome | Use-after-free vulnerability in the Element::detach function in core/dom/Element.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving pending updates of detached elements. | 2015-01-22 | 7.5 | CVE-2014-7932 CONFIRM CONFIRM |
| google — chrome | Use-after-free vulnerability in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to unexpected absence of document data structures. | 2015-01-22 | 7.5 | CVE-2014-7934 CONFIRM CONFIRM CONFIRM |
| google — chrome | Use-after-free vulnerability in browser/speech/tts_message_filter.cc in the Speech implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving utterances from a closed tab. | 2015-01-22 | 7.5 | CVE-2014-7935 CONFIRM CONFIRM |
| google — chrome | The Fonts implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. | 2015-01-22 | 7.5 | CVE-2014-7938 |
| google — chrome | The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence. | 2015-01-22 | 7.5 | CVE-2014-7940 |
| google — chrome | The Fonts implementation in Google Chrome before 40.0.2214.91 does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. | 2015-01-22 | 7.5 | CVE-2014-7942 |
| gtk — gtk+ | GTK+ 3.10.9 and earlier, as used in cinnamon-screensaver, gnome-screensaver, and other applications, allows physically proximate attackers to bypass the lock screen by pressing the menu button. | 2015-01-16 | 7.2 | CVE-2014-1949 CONFIRM CONFIRM CONFIRM UBUNTU MLIST MLIST |
| ibm — sas_connectivity_module_firmware | IBM BladeCenter SAS Connectivity Module (aka NSSM) and SAS RAID Module (aka RSSM) before 1.3.3.006 allow remote attackers to cause a denial of service (reboot) via a flood of IP packets. | 2015-01-17 | 7.8 | CVE-2014-3018 XF |
| ipass — ipass_open_mobile | The client in iPass Open Mobile before 2.4.5 on Windows allows remote authenticated users to execute arbitrary code via a DLL pathname in a crafted Unicode string that is improperly handled by a subprocess reached through a named pipe, as demonstrated by a UNC share pathname. | 2015-01-22 | 9.0 | CVE-2015-0925 |
| juniper — junos | The Juniper MX Series routers with Junos 13.3R3 through 13.3Rx before 13.3R6, 14.1 before 14.1R4, 14.1X50 before 14.1X50-D70, and 14.2 before 14.2R2, when configured as a broadband edge (BBE) router, allows remote attackers to cause a denial of service (jpppd crash and restart) by sending a crafted PAP Authenticate-Request after the PPPoE Discovery and LCP phase are complete. | 2015-01-16 | 7.1 | CVE-2014-6382 BID |
| juniper — junos | Juniper Junos 11.4 before 11.4R8, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R9, 12.3R2 before 12.3R2-S3, 12.3 before 12.3R3, 13.1 before 13.1R4, and 13.2 before 13.2R1 allows remote attackers to cause a denial of service (assertion failure and rpd restart) via a crafted BGP FlowSpec prefix. | 2015-01-16 | 7.8 | CVE-2014-6386 SECTRACK BID |
| libpng — libpng | Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495. | 2015-01-18 | 7.5 | CVE-2015-0973 MLIST MLIST MISC MLIST |
| macroplant — iexplorer | Untrusted search path vulnerability in Macroplant iExplorer 3.6.3.0 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse itunesmobiledevice.dll. | 2015-01-16 | 7.2 | CVE-2014-9600 XF MISC |
| oracle — oracle_and_sun_systems_product_suite | Unspecified vulnerability in the Solaris Cluster component in Oracle Sun Systems Products Suite 3.3 and 4.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to System management. | 2015-01-21 | 9.0 | CVE-2014-4259 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. | 2015-01-21 | 10.0 | CVE-2014-6549 |
| oracle — jd_edwards_products | Unspecified vulnerability in the JD Edwards EnterpriseOne Tools component in Oracle JD Edwards Products 9.1.5 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Portal SEC. | 2015-01-21 | 7.5 | CVE-2014-6565 |
| oracle — database_server | Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher’s claim that this is a stack-based buffer overflow in DBMS_AW.EXECUTE, which allows code execution via a long Current Directory Alias (CDA) command. | 2015-01-21 | 9.0 | CVE-2014-6567 MISC |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. | 2015-01-21 | 10.0 | CVE-2014-6601 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. | 2015-01-21 | 9.3 | CVE-2015-0395 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 3.0.1 and 3.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Admin Console. | 2015-01-21 | 7.5 | CVE-2015-0396 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. | 2015-01-21 | 10.0 | CVE-2015-0408 CONFIRM |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption. | 2015-01-21 | 7.5 | CVE-2015-0411 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS. | 2015-01-21 | 7.2 | CVE-2015-0412 |
| oracle — integrated_lights_out_manager_firmware | Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite ILOM prior to 3.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to IPMI. | 2015-01-21 | 7.5 | CVE-2015-0424 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. | 2015-01-21 | 9.3 | CVE-2015-0437 |
| pheonixcontact-software — multiprog | Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic. | 2015-01-16 | 7.5 | CVE-2014-9195 |
| redhat — cloudforms_3.1_management_engine | The customization template in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 uses a default password for the root account when a password is not specified for a new image, which allows remote attackers to gain privileges. | 2015-01-16 | 10.0 | CVE-2014-3692 SECUNIA |
| samba — samba | Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4, when an Active Directory Domain Controller (AD DC) is configured, allows remote authenticated users to set the LDB userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by leveraging delegation of authority for user-account or computer-account creation. | 2015-01-16 | 8.5 | CVE-2014-8143 |
| sap — hana_extend_application_services | The Extended Application Services (XS) in SAP HANA allows remote attackers to inject arbitrary ABAP code via unspecified vectors, aka SAP Note 2098906. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2015-01-22 | 10.0 | CVE-2015-1311 MISC |
| sap — enterprise_resource_planning | The Dealer Portal in SAP ERP does not properly restrict access, which allows remote attackers to obtain sensitive information, gain privileges, and possibly have other unspecified impact via unknown vectors, aka SAP Note 2000401. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2015-01-22 | 7.5 | CVE-2015-1312 MISC |
| siemens — scalance_x-300_series_firmware | The web server on Siemens SCALANCE X-300 switches with firmware before 4.0 and SCALANCE X 408 switches with firmware before 4.0 allows remote attackers to cause a denial of service (reboot) via malformed HTTP requests. | 2015-01-21 | 7.8 | CVE-2014-8478 |
| sun — sunos | Unspecified vulnerability in Oracle Solaris 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Power Management Utility. | 2015-01-21 | 7.2 | CVE-2014-6510 |
| sun — sunos | Unspecified vulnerability in Oracle Solaris 10 allows local users to affect confidentiality, integrity, and availability via vectors related to CDE – Power Management Utility. | 2015-01-21 | 7.2 | CVE-2014-6521 |
| sun — sunos | Unspecified vulnerability in Oracle Solaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Kernel. | 2015-01-21 | 7.2 | CVE-2014-6524 |
| sybase — adaptive_server_enterprise | SQL injection vulnerability in SAP Adaptive Server Enterprise (Sybase ASE) allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Note 2113333. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2015-01-22 | 7.5 | CVE-2015-1310 MISC |
| symantec — critical_system_protection | The Agent Control Interface in the management server in Symantec Critical System Protection (SCSP) 5.2.9 before MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x before 6.0 MP1 allows remote authenticated users to execute arbitrary commands by leveraging client-system access to upload a log file. | 2015-01-21 | 9.0 | CVE-2014-3440 BID |
| symantec — critical_system_protection | The management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows local users to bypass intended Protection Policies via unspecified vectors. | 2015-01-21 | 7.2 | CVE-2014-9226 BID |
| web-dorado — photo_gallery | SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php. | 2015-01-16 | 7.5 | CVE-2015-1055 BID FULLDISC |
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| 7-zip — p7zip | p7zip 9.20.1 allows remote attackers to write to arbitrary files via a symlink attack in an archive. | 2015-01-21 | 5.8 | CVE-2015-1038 MISC MISC XF BID MLIST |
| apache — xml_security | Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document. | 2015-01-21 | 5.0 | CVE-2014-8152 XF SECTRACK BID MLIST |
| b2evolution — b2evolution | Cross-site scripting (XSS) vulnerability in the filemanager in b2evolution before 5.2.1 allows remote attackers to inject arbitrary web script or HTML via the fm_filter parameter to blogs/admin.php. | 2015-01-16 | 4.3 | CVE-2014-9599 CONFIRM XF BID MISC MISC FULLDISC MISC |
| brother — mfc-j4410dw | Cross-site scripting (XSS) vulnerability in Brother MFC-J4410DW printer with firmware before L allows remote attackers to inject arbitrary web script or HTML via the url parameter to general/status.html and possibly other pages. | 2015-01-16 | 4.3 | CVE-2015-1056 XF BID BUGTRAQ MISC |
| cagintranetworks — getsimple_cms | XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter. | 2015-01-20 | 5.0 | CVE-2014-8790 CONFIRM FULLDISC MISC MISC CONFIRM |
| cisco — unified_communications_manager | Absolute path traversal vulnerability in the Real-Time Monitoring Tool (RTMT) API in Cisco Unified Communications Manager (CUCM) allows remote authenticated users to read arbitrary files via a full pathname in an API command, aka Bug ID CSCur49414. | 2015-01-22 | 6.8 | CVE-2014-8008 |
| cisco — webex_meeting_center | Cisco WebEx Meeting Center allows remote attackers to activate disabled meeting attributes, and consequently obtain sensitive information, by providing crafted parameters during a meeting-join action, aka Bug ID CSCuo34165. | 2015-01-17 | 5.0 | CVE-2015-0590 |
| clorius_controls_a/s — java_web_client | The Clorius Controls Java web client before 01.00.0009g allows remote attackers to discover credentials by sniffing the network for cleartext-equivalent traffic. | 2015-01-16 | 5.0 | CVE-2014-9199 |
| croogo — croogo | Cross-site scripting (XSS) vulnerability in the administrative backend in Croogo before 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the path parameter to admin/file_manager/file_manager/editfile. | 2015-01-16 | 4.3 | CVE-2015-1053 CONFIRM XF BID MISC MISC FULLDISC MISC |
| debian — dpkg | Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the (1) package or (2) architecture name. | 2015-01-20 | 6.8 | CVE-2014-8625 CONFIRM CONFIRM XF MLIST MLIST MLIST |
| djangoproject — django | Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a – (dash) character in an HTTP header, as demonstrated by an X-Auth_User header. | 2015-01-16 | 5.0 | CVE-2015-0219 SECUNIA SECUNIA |
| djangoproject — django | The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a “njavascript:” URL. | 2015-01-16 | 4.3 | CVE-2015-0220 UBUNTU SECUNIA SECUNIA |
| djangoproject — django | The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file. | 2015-01-16 | 5.0 | CVE-2015-0221 SECUNIA SECUNIA |
| djangoproject — django | ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries. | 2015-01-16 | 5.0 | CVE-2015-0222 SECUNIA SECUNIA |
| e107 — e107 | Cross-site scripting (XSS) vulnerability in usersettings.php in e107 2.0.0 allows remote attackers to inject arbitrary web script or HTML via the “Real Name” value. | 2015-01-16 | 4.3 | CVE-2015-1057 XF EXPLOIT-DB OSVDB |
| emc — vipr_srm | EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 might allow remote attackers to obtain cleartext data-center discovery credentials by leveraging certain SRM access to conduct a decryption attack. | 2015-01-21 | 5.0 | CVE-2015-0514 BUGTRAQ |
| emc — vipr_srm | Unrestricted file upload vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to execute arbitrary code by uploading and then accessing an executable file. | 2015-01-21 | 6.5 | CVE-2015-0515 BUGTRAQ |
| emc — vipr_srm | Directory traversal vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to read arbitrary files via a crafted URL. | 2015-01-21 | 4.0 | CVE-2015-0516 BUGTRAQ |
| file_project — file | The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes. | 2015-01-21 | 5.0 | CVE-2014-9620 CONFIRM MLIST DEBIAN MLIST |
| file_project — file | The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string. | 2015-01-21 | 5.0 | CVE-2014-9621 CONFIRM MLIST MLIST |
| ge — intelligent_platforms_proficy_hmi/scada_cimplicity | The (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIMPLICITY 8.2 and earlier allow remote attackers to gain privileges via a crafted CIMPLICITY screen (aka .CIM) file. | 2015-01-16 | 6.9 | CVE-2014-2355 |
| ge — multilink_ml1200 | GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier use the same RSA private key across different customers’ installations, which makes it easier for remote attackers to obtain the cleartext content of network traffic by reading this key from a firmware image and then sniffing the network. | 2015-01-16 | 5.0 | CVE-2014-5419 |
| gentoo — xdg-utils | Eval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported desktop environment is identified, allows context-dependent attackers to execute arbitrary code via the URL argument to xdg-open. | 2015-01-21 | 6.8 | CVE-2014-9622 CONFIRM CONFIRM MLIST DEBIAN SECUNIA FULLDISC |
| getsentry — raven-ruby | The numtok function in lib/raven/okjson.rb in the raven-ruby gem before 0.12.2 for Ruby allows remote attackers to cause a denial of service via a large exponent value in a scientific number. | 2015-01-20 | 5.0 | CVE-2014-9490 CONFIRM CONFIRM XF MLIST |
| getusedtoit — wp_slimstat | Cross-site scripting (XSS) vulnerability in the Save Filters functionality in the WP Slimstat plugin before 3.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fs[resource] parameter in the wp-slim-view-2 page to wp-admin/admin.php. | 2015-01-21 | 4.3 | CVE-2015-1204 MISC CONFIRM SECUNIA |
| gnu — patch | GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file. | 2015-01-21 | 4.3 | CVE-2015-1196 CONFIRM CONFIRM XF BID MLIST CONFIRM |
| google — chrome | Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering duplicate BLOB references, related to content/browser/indexed_db/indexed_db_callbacks.cc and content/browser/indexed_db/indexed_db_dispatcher_host.cc. | 2015-01-22 | 5.0 | CVE-2014-7924 CONFIRM CONFIRM |
| google — chrome | Use-after-free vulnerability in the ZoomBubbleView::Close function in browser/ui/views/location_bar/zoom_bubble_view.cc in the Views implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document that triggers improper maintenance of a zoom bubble. | 2015-01-22 | 6.8 | CVE-2014-7936 CONFIRM CONFIRM |
| google — chrome | Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code with Proxy.create and console.log calls, related to HTTP responses that lack an “X-Content-Type-Options: nosniff” header. | 2015-01-22 | 4.3 | CVE-2014-7939 |
| google — chrome | The SelectionOwner::ProcessTarget function in ui/base/x/selection_owner.cc in the UI implementation in Google Chrome before 40.0.2214.91 uses an incorrect data type for a certain length value, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted X11 data. | 2015-01-22 | 5.0 | CVE-2014-7941 |
| google — chrome | Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. | 2015-01-22 | 5.0 | CVE-2014-7943 CONFIRM |
| google — chrome | The sycc422_to_rgb function in fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 40.0.2214.91, does not properly handle odd values of image width, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document. | 2015-01-22 | 5.0 | CVE-2014-7944 |
| google — chrome | OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c. | 2015-01-22 | 5.0 | CVE-2014-7945 |
| google — chrome | The RenderTable::simplifiedNormalFlowLayout function in core/rendering/RenderTable.cpp in Blink, as used in Google Chrome before 40.0.2214.91, skips captions during table layout in certain situations, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors related to the Fonts implementation. | 2015-01-22 | 5.0 | CVE-2014-7946 CONFIRM |
| google — chrome | OpenJPEG before r2944, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, pi.c, t1.c, t2.c, and tcd.c. | 2015-01-22 | 5.0 | CVE-2014-7947 |
| google — chrome | The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in content/browser/appcache/appcache_update_job.cc in Google Chrome before 40.0.2214.91 proceeds with AppCache caching for SSL sessions even if there is an X.509 certificate error, which allows man-in-the-middle attackers to spoof HTML5 application content via a crafted certificate. | 2015-01-22 | 4.3 | CVE-2014-7948 |
| ibm — sas_connectivity_module_firmware | IBM BladeCenter SAS Connectivity Module (aka NSSM) and SAS RAID Module (aka RSSM) before 1.3.3.006 allow remote attackers to obtain blade and storage-pool access via a TELNET session. | 2015-01-17 | 5.0 | CVE-2014-3019 XF |
| ibm — api_management | IBM API Management 3.0 before 3.0.4.0 IF1 allows remote attackers to obtain sensitive analytics information in an encrypted form via unspecified vectors. | 2015-01-21 | 5.0 | CVE-2014-6172 XF AIXAPAR |
| ibm — security_network_protection_xgs_firmware | IBM Security Network Protection 5.1.x and 5.2.x before 5.2.0.0 FP5 and 5.3.x before 5.3.0.0 FP1 allows remote attackers to conduct clickjacking attacks via unspecified vectors. | 2015-01-17 | 4.3 | CVE-2014-6197 XF |
| illumos — illumos | The devzvol_readdir function in illumos does not check the return value of a strchr call, which allows remote attackers to cause a denial of service (NULL pointer dereference and panic) via unspecified vectors. | 2015-01-20 | 5.0 | CVE-2014-9491 CONFIRM CONFIRM XF MLIST |
| insanevisions — adaptcms | Multiple cross-site scripting (XSS) vulnerabilities in AdaptCMS 3.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Category][title] parameter to admin/categories/add, (2) data[Field][title] parameter to admin/fields/ajax_fields/, (3) name property in a basicInfo JSON object to admin/tools/create_theme, (4) data[Link][link_title] parameter to admin/links/links/add, or (5) data[ForumTopic][subject] parameter to forums/off-topic/new. | 2015-01-16 | 4.3 | CVE-2015-1058 XF MISC EXPLOIT-DB MISC OSVDB OSVDB OSVDB OSVDB OSVDB |
| insanevisions — adaptcms | Unrestricted file upload vulnerability in admin/files/add in AdaptCMS 3.0.3 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in /app/webroot/uploads. | 2015-01-16 | 6.5 | CVE-2015-1059 MISC XF EXPLOIT-DB MISC OSVDB |
| insanevisions — adaptcms | Open redirect vulnerability in lib/Cake/Controller/Controller.php in AdaptCMS 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header. | 2015-01-16 | 5.8 | CVE-2015-1060 XF MISC EXPLOIT-DB MISC OSVDB |
| juniper — junos | The stateless firewall in Juniper Junos 13.3R3, 14.1R1, and 14.1R2, when using Trio-based PFE modules, does not properly match ports, which might allow remote attackers to bypass firewall rule. | 2015-01-16 | 5.0 | CVE-2014-6383 SECTRACK BID |
| juniper — junos | Juniper Junos 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D25, 12.1X47 before 12.1X47-D15, 12.3 before 12.3R9, 13.1 before 13.1R4-S3, 13.2 before 13.2R6, 13.3 before 13.3R5, 14.1 before 14.1R3, and 14.2 before 14.2R1 does not properly handle double quotes in authorization attributes in the TACACS+ configuration, which allows local users to bypass the security policy and execute commands via unspecified vectors. | 2015-01-16 | 6.9 | CVE-2014-6384 SECTRACK BID |
| juniper — junos | Juniper Junos 11.4 before 11.4R13, 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 before 12.1X47-D15, 12.2 before 12.2R9, 12.3R7 before 12.3R7-S1, 12.3 before 12.3R8, 13.1 before 13.1R5, 13.2 before 13.2R6, 13.3 before 13.3R4, 14.1 before 14.1R2, and 14.2 before 14.2R1 allows remote attackers to cause a denial of service (kernel crash and restart) via a crafted fragmented OSPFv3 packet with an IPsec Authentication Header (AH). | 2015-01-16 | 6.1 | CVE-2014-6385 BID |
| kde — kde_applications | kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack. | 2015-01-18 | 5.0 | CVE-2013-7252 CONFIRM BID MLIST MLIST MISC |
| kgb_project — kgb | Absolute path traversal vulnerability in kgb 1.0b4 allows remote attackers to write to arbitrary files via a full pathname in a crafted archive. | 2015-01-21 | 5.0 | CVE-2015-1192 MISC BID MLIST SECUNIA |
| kiwix — kiwix | Cross-site scripting (XSS) vulnerability in Kiwix before 0.9.1, when using kiwix-serve, allows remote attackers to inject arbitrary web script or HTML via the pattern parameter to /search. | 2015-01-21 | 4.3 | CVE-2015-1032 BUGTRAQ CONFIRM MISC MISC |
| libtiff — libtiff | Integer overflow in tif_packbits.c in bmp2tif in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) via crafted BMP image, related to dimensions, which triggers an out-of-bounds read. | 2015-01-20 | 5.0 | CVE-2014-9330 SECTRACK FULLDISC CONFIRM |
| mediawiki — mediawiki | MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by “http://en.wikipedia.org.evilsite.example/.” | 2015-01-16 | 5.0 | CVE-2014-9476 CONFIRM MLIST MLIST |
| mediawiki — mediawiki | Multiple cross-site scripting (XSS) vulnerabilities in the Listings extension for MediaWiki allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) url parameter. | 2015-01-16 | 4.3 | CVE-2014-9477 CONFIRM MLIST MLIST |
| mediawiki — mediawiki | Cross-site scripting (XSS) vulnerability in the preview in the TemplateSandbox extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via the text parameter to Special:TemplateSandbox. | 2015-01-16 | 4.3 | CVE-2014-9479 CONFIRM MLIST MLIST |
| mediawiki — mediawiki | Cross-site scripting (XSS) vulnerability in the Hovercards extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors related to text extracts. | 2015-01-16 | 4.3 | CVE-2014-9480 CONFIRM MLIST MLIST |
| openstack — image_registry_and_delivery_service_(glance) | The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493. | 2015-01-21 | 6.5 | CVE-2015-1195 CONFIRM MLIST MLIST SECUNIA MLIST |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2013-0338, CVE-2013-2877, and CVE-2015-0386. | 2015-01-21 | 4.3 | CVE-2014-0191 |
| oracle — oracle_and_sun_systems_product_suite | Unspecified vulnerability in the Solaris Cluster component in Oracle Sun Systems Products Suite 3.3 and 4.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to System management. | 2015-01-21 | 6.5 | CVE-2014-6480 |
| oracle — database_server | Unspecified vulnerability in the PL/SQL component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality via unknown vectors. | 2015-01-21 | 4.0 | CVE-2014-6514 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Directory Server Enterprise Edition component in Oracle Fusion Middleware 7.0 allows remote attackers to affect integrity via unknown vectors related to Admin Console. | 2015-01-21 | 4.3 | CVE-2014-6526 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – System Management component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Server Infrastructure. | 2015-01-21 | 4.0 | CVE-2014-6528 |
| oracle — database_server | Unspecified vulnerability in the Recovery component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2, when running on Windows, allows remote authenticated users to affect confidentiality via vectors related to DBMS_IR. | 2015-01-21 | 6.3 | CVE-2014-6541 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle SOA Suite component in Oracle Fusion Middleware 11.1.1.7 allows local users to affect confidentiality, integrity, and availability via vectors related to B2B Engine. | 2015-01-21 | 4.6 | CVE-2014-6548 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to AD_DDL. | 2015-01-21 | 4.6 | CVE-2014-6556 |
| oracle — peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 allows remote authenticated users to affect integrity via unknown vectors related to Portal. | 2015-01-21 | 4.0 | CVE-2014-6566 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality via vectors related to CIE Related Components. | 2015-01-21 | 5.0 | CVE-2014-6569 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2011-1944. | 2015-01-21 | 6.8 | CVE-2014-6571 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Customer Interaction History component in Oracle E-Business Suite 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and integrity via unknown vectors related to List of Values. | 2015-01-21 | 6.4 | CVE-2014-6572 |
| oracle — enterprise_manager_grid_control | Unspecified vulnerability in the Enterprise Manager Ops Center component in Oracle Enterprise Manager Grid Control 11.1.3 and 12.1.4 allows remote attackers to affect integrity via unknown vectors related to User Interface Framework. | 2015-01-21 | 4.3 | CVE-2014-6573 |
| oracle — supply_chain_products_suite | Unspecified vulnerability in the Oracle Agile PLM for Process component in Oracle Supply Chain Products Suite 6.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Testing Protocol Library. | 2015-01-21 | 4.3 | CVE-2014-6574 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Adaptive Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to OAM Integration. | 2015-01-21 | 5.5 | CVE-2014-6576 |
| oracle — database_server | Unspecified vulnerability in the XML Developer’s Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher’s claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI. | 2015-01-21 | 6.8 | CVE-2014-6577 MISC |
| oracle — database_server | Unspecified vulnerability in the Workspace Manager component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SDO_TOPO and WMSYS.LT. | 2015-01-21 | 6.5 | CVE-2014-6578 |
| oracle — peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect confidentiality via unknown vectors related to Integration Broker. | 2015-01-21 | 4.0 | CVE-2014-6579 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.7 and 11.1.2.2 allows remote attackers to affect integrity via unknown vectors. | 2015-01-21 | 4.3 | CVE-2014-6580 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Customer Intelligence component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Extract/Load Programs. | 2015-01-21 | 6.4 | CVE-2014-6581 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle HCM Configuration Workbench component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality via unknown vectors related to Rapid Implementation. | 2015-01-21 | 5.0 | CVE-2014-6582 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Marketing component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, and 12.1.3. allows remote attackers to affect confidentiality and integrity via unknown vectors related to Audience. | 2015-01-21 | 6.4 | CVE-2014-6583 |
| oracle — integrated_lights_out_manager_firmware | Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite ILOM before 3.2.4 allows remote authenticated users to affect confidentiality via unknown vectors related to Backup Restore. | 2015-01-21 | 4.0 | CVE-2014-6584 |
| oracle — peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Time and Labor. | 2015-01-21 | 5.5 | CVE-2014-6586 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. | 2015-01-21 | 4.3 | CVE-2014-6587 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. | 2015-01-21 | 4.0 | CVE-2014-6593 |
| oracle — ilearning | Unspecified vulnerability in the Oracle iLearning component in Oracle iLearning 6.0 and 6.1 allows remote attackers to affect confidentiality via unknown vectors related to Learner Pages. | 2015-01-21 | 4.3 | CVE-2014-6594 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via unknown vectors related to Portal Framework. | 2015-01-21 | 4.3 | CVE-2014-6596 |
| oracle — peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52, 8.53, and 8.54 allows remote authenticated users to affect integrity via vectors related to PIA Core Technology. | 2015-01-21 | 4.0 | CVE-2014-6597 |
| oracle — fusion_middleware | Unspecified vulnerability in the BI Publisher (formerly XML Publisher) component in Oracle Fusion Middleware 11.1.1.7 allows remote attackers to affect confidentiality via unknown vectors related to BI Publisher Security. | 2015-01-21 | 5.0 | CVE-2015-0362 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect availability via unknown vectors related to Integration Business Services. | 2015-01-21 | 4.0 | CVE-2015-0363 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – Server Infrastructure component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Security. | 2015-01-21 | 4.3 | CVE-2015-0365 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Java Integration. | 2015-01-21 | 5.0 | CVE-2015-0366 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to affect integrity via vectors related to SSO Engine. | 2015-01-21 | 5.0 | CVE-2015-0367 |
| oracle — supply_chain_products_suite | Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote attackers to affect availability via unknown vectors related to Security. | 2015-01-21 | 5.0 | CVE-2015-0368 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via unknown vectors related to AX/HI Web UI. | 2015-01-21 | 4.3 | CVE-2015-0369 |
| oracle — database_server | Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect integrity and availability via unknown vectors. | 2015-01-21 | 4.9 | CVE-2015-0371 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect confidentiality via unknown vectors. | 2015-01-21 | 5.0 | CVE-2015-0372 |
| oracle — database_server | Unspecified vulnerability in the OJVM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. | 2015-01-21 | 6.5 | CVE-2015-0373 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 11.1.1.8.0 allows remote attackers to affect integrity via unknown vectors related to Content Server. | 2015-01-21 | 4.3 | CVE-2015-0376 |
| oracle — vm_virtualbox | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, and 4.2.28 allows local users to affect availability via unknown vectors related to Core, a different vulnerability than CVE-2015-0418. | 2015-01-21 | 4.4 | CVE-2015-0377 |
| oracle — peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.54 allows remote attackers to affect integrity via vectors related to PIA Core Technology. | 2015-01-21 | 4.3 | CVE-2015-0379 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Telecommunications Billing Integrator component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via unknown vectors related to OA Based UI for Bill Summary. | 2015-01-21 | 4.3 | CVE-2015-0380 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0382. | 2015-01-21 | 4.3 | CVE-2015-0381 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0381. | 2015-01-21 | 4.3 | CVE-2015-0382 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows local users to affect integrity and availability via unknown vectors related to Hotspot. | 2015-01-21 | 5.4 | CVE-2015-0383 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2013-0338, CVE-2013-2877, and CVE-2014-0191. | 2015-01-21 | 4.3 | CVE-2015-0386 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – Server OM Services component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via vectors related to Security – LDAP Security Adapter. | 2015-01-21 | 4.0 | CVE-2015-0387 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Portal Framework, a different vulnerability than CVE-2015-0417. | 2015-01-21 | 4.0 | CVE-2015-0388 |
| oracle — retail_applications_xstore | Unspecified vulnerability in the MICROS Retail component in Oracle Retail Applications Xstore: 3.2.1, 3.4.2, 3.5.0, 4.0.1, 4.5.1, 4.8.0, 5.0.3, 5.5.3, 6.0.6, and 6.5.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Xstore Point of Sale. | 2015-01-21 | 6.8 | CVE-2015-0390 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL. | 2015-01-21 | 4.0 | CVE-2015-0391 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – Server BizLogic Script component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Config – Scripting. | 2015-01-21 | 4.6 | CVE-2015-0392 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to DB Privileges. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher’s claim that the PUBLIC role is granted the INDEX privilege for the DUAL table during a “seeded install,” which allows remote authenticated users to gain SYSDBA privileges and execute arbitrary code. | 2015-01-21 | 6.0 | CVE-2015-0393 |
| oracle — peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect confidentiality via unknown vectors related to Report Distribution. | 2015-01-21 | 4.0 | CVE-2015-0394 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Life Sciences component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Clinical Trip Report. | 2015-01-21 | 4.0 | CVE-2015-0398 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 10.1.3.4.2 and 11.1.1.7 allows remote authenticated users to affect confidentiality via unknown vectors related to Analytics Web General. | 2015-01-21 | 4.0 | CVE-2015-0399 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Libraries. | 2015-01-21 | 5.0 | CVE-2015-0400 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Directory Server Enterprise Edition component in Oracle Fusion Middleware 7.0 and 11.1.1.7 allows remote authenticated users to affect integrity via unknown vectors related to Admin Console. | 2015-01-21 | 4.0 | CVE-2015-0401 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – Server BizLogic Script component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via vectors related to Integration – COM. | 2015-01-21 | 4.3 | CVE-2015-0402 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. | 2015-01-21 | 6.9 | CVE-2015-0403 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via unknown vectors related to Error Messages. | 2015-01-21 | 4.3 | CVE-2015-0404 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality and availability via unknown vectors related to Deployment. | 2015-01-21 | 5.8 | CVE-2015-0406 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Swing. | 2015-01-21 | 5.0 | CVE-2015-0407 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. | 2015-01-21 | 4.0 | CVE-2015-0409 |
| oracle — jdk | Unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows remote attackers to affect availability via unknown vectors related to Security. | 2015-01-21 | 5.0 | CVE-2015-0410 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3 allows remote authenticated users to affect integrity via unknown vectors related to Session Management. | 2015-01-21 | 4.0 | CVE-2015-0415 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Portal Framework, a different vulnerability than CVE-2015-0388. | 2015-01-21 | 4.0 | CVE-2015-0417 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Portal Framework. | 2015-01-21 | 4.3 | CVE-2015-0419 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Forms component in Oracle Fusion Middleware 11.1.1.7 and 11.1.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Forms Services. | 2015-01-21 | 4.3 | CVE-2015-0420 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the installation process. | 2015-01-21 | 6.9 | CVE-2015-0421 |
| oracle — supply_chain_products_suite | Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote authenticated users to affect confidentiality via unknown vectors related to UI Infrastructure. | 2015-01-21 | 4.0 | CVE-2015-0422 |
| oracle — siebel_crm | Unspecified vulnerability in the Oracle Enterprise Asset Management component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Siebel Core – Unix/Windows. | 2015-01-21 | 4.3 | CVE-2015-0425 |
| oracle — enterprise_manager_grid_control | Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control 12.1.0.3 and 12.1.0.4 allows remote attackers to affect confidentiality via unknown vectors related to UI Framework. | 2015-01-21 | 5.0 | CVE-2015-0426 |
| oracle — supply_chain_products_suite | Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0 6.3.1, 6.3.2, 6.3.4, and 6.3.5 allows remote attackers to affect integrity via unknown vectors related to UI Infrastructure. | 2015-01-21 | 4.3 | CVE-2015-0431 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DDL : Foreign Key. | 2015-01-21 | 4.0 | CVE-2015-0432 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to affect confidentiality via vectors related to Integration with OAM. | 2015-01-21 | 4.3 | CVE-2015-0434 |
| oracle — supply_chain_products_suite | Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote authenticated users to affect confidentiality via unknown vectors related to Security. | 2015-01-21 | 6.8 | CVE-2015-0435 |
| oracle — ilearning | Unspecified vulnerability in the Oracle iLearning component in Oracle iLearning 6.0 and 6.1 allows remote attackers to affect confidentiality via unknown vectors related to Login. | 2015-01-21 | 4.3 | CVE-2015-0436 |
| pax_project — pax | Multiple directory traversal vulnerabilities in pax 1:20140703 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive. | 2015-01-21 | 5.0 | CVE-2015-1193 MISC MLIST |
| pax_project — pax | pax 1:20140703 allows remote attackers to write to arbitrary files via a symlink attack in an archive. | 2015-01-21 | 4.3 | CVE-2015-1194 MISC MLIST |
| pivotal_software — rabbitmq | RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header. | 2015-01-20 | 5.0 | CVE-2014-9494 CONFIRM XF MLIST |
| privoxy — privoxy | Memory leak in the rfc2553_connect_to function in jbsocket.c in Privoxy before 3.0.22 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests that are rejected because the socket limit is reached. | 2015-01-20 | 5.0 | CVE-2015-1030 MLIST SECUNIA |
| privoxy — privoxy | Privoxy before 3.0.22 allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2015-01-20 | 5.0 | CVE-2015-1201 SECUNIA |
| puppetlabs — stdlib | The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlier allows remote authenticated users to gain privileges or obtain sensitive information by prepopulating the fact cache. | 2015-01-16 | 6.5 | CVE-2015-1029 SECUNIA |
| python — pillow | Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed. | 2015-01-16 | 5.0 | CVE-2014-9601 CONFIRM CONFIRM |
| redhat — cloudforms_3.1_management_engine | SQL injection vulnerability in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 allows remote authenticated users to execute arbitrary SQL commands via a crafted REST API request to an SQL filter. | 2015-01-16 | 6.5 | CVE-2014-7814 SECUNIA |
| sap — netweaver_abap | XML external entity vulnerability in the Extended Computer Aided Test Tool (eCATT) in SAP NetWeaver AS ABAP 7.31 and earlier allows remote attackers to access arbitrary files via a crafted XML request, related to ECATT_DISPLAY_XMLSTRING_REMOTE, aka SAP Note 2016638. | 2015-01-22 | 5.0 | CVE-2015-1309 SECUNIA MISC MISC |
| serve-static_project — serve-static | Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI. | 2015-01-21 | 4.3 | CVE-2015-1164 CONFIRM CONFIRM XF BID CONFIRM |
| siemens — scalance_x-300_series_firmware | The FTP server on Siemens SCALANCE X-300 switches with firmware before 4.0 and SCALANCE X 408 switches with firmware before 4.0 allows remote authenticated users to cause a denial of service (reboot) via crafted FTP packets. | 2015-01-21 | 6.8 | CVE-2014-8479 |
| siemens — simatic_s7_1200_cpu_firmware | Open redirect vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices with firmware before 4.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 2015-01-21 | 4.3 | CVE-2015-1048 |
| sun — sunos | Unspecified vulnerability in Oracle Solaris 10 and 11 allows remote attackers to affect confidentiality via vectors related to KSSL. | 2015-01-21 | 4.3 | CVE-2014-6481 |
| sun — sunos | Unspecified vulnerability in Oracle Solaris 10 allows local users to affect availability via unknown vectors related to Kernel. | 2015-01-21 | 4.9 | CVE-2014-6509 |
| sun — sunos | Unspecified vulnerability in Oracle Solaris 10 and 11 allows local users to affect integrity and availability via vectors related to Unix File System (UFS). | 2015-01-21 | 6.6 | CVE-2014-6518 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to File System, a different vulnerability than CVE-2014-6600 and CVE-2015-0397. | 2015-01-21 | 4.9 | CVE-2014-6570 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remote attackers to affect availability via unknown vectors related to Network, a different vulnerability than CVE-2004-0230. | 2015-01-21 | 5.0 | CVE-2014-6575 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to File System, a different vulnerability than CVE-2014-6570 and CVE-2015-0397. | 2015-01-21 | 4.9 | CVE-2014-6600 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remote attackers to affect confidentiality via unknown vectors related to Network. | 2015-01-21 | 5.0 | CVE-2015-0375 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect availability via unknown vectors related to Resource Control. | 2015-01-21 | 4.9 | CVE-2015-0428 |
| symantec — critical_system_protection | SQL injection vulnerability in the management server in Symantec Critical System Protection (SCSP) 5.2.9 before MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x before 6.0 MP1 allows remote authenticated users to execute arbitrary SQL commands via a crafted HTTP request. | 2015-01-21 | 6.5 | CVE-2014-7289 BID |
| symantec — critical_system_protection | The ajaxswing webui in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to obtain sensitive server information via unspecified vectors. | 2015-01-21 | 4.0 | CVE-2014-9225 BID |
| sympa — sympa | The newsletter posting area in the web interface in Sympa 6.0.x before 6.0.10 and 6.1.x before 6.1.24 allows remote attackers to read arbitrary files via unspecified vectors. | 2015-01-22 | 5.0 | CVE-2015-1306 MLIST DEBIAN SECUNIA SECUNIA |
| synck_graphica — download_log_cgi | Directory traversal vulnerability in SYNCK GRAPHICA Download Log CGI 3.0 and earlier allows remote attackers to read arbitrary files via a crafted filename. | 2015-01-21 | 5.0 | CVE-2015-0867 |
| videolan — vlc_media_player | The picture_pool_Delete function in misc/picture_pool.c in VideoLAN VLC media player 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service (DEP violation and application crash) via a crafted FLV file. | 2015-01-21 | 6.8 | CVE-2014-9597 MISC MISC MISC FULLDISC |
| videolan — vlc_media_player | The picture_Release function in misc/picture.c in VideoLAN VLC media player 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service (write access violation) via a crafted M2V file. | 2015-01-21 | 6.8 | CVE-2014-9598 MISC MISC MISC FULLDISC |
| websitebaker — websitebaker | Cross-site scripting (XSS) vulnerability in admin/pages/modify.php in WebsiteBaker 2.8.3 SP3 allows remote attackers to inject arbitrary web script or HTML via the page_id parameter. | 2015-01-21 | 4.3 | CVE-2015-0553 MISC BID MISC MISC FULLDISC MISC |
| zlib — pigz | Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive. | 2015-01-21 | 5.0 | CVE-2015-1191 CONFIRM CONFIRM MLIST |
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| crea8social — crea8social | Cross-site scripting (XSS) vulnerability in the Games feature in Crea8Social 2.0 allows remote authenticated users to inject arbitrary web script or HTML via the Game Content field in Add Game. | 2015-01-16 | 3.5 | CVE-2015-1054 XF EXPLOIT-DB MISC OSVDB CONFIRM CONFIRM |
| emc — vipr_srm | Multiple cross-site scripting (XSS) vulnerabilities in the administrative user interface in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allow remote authenticated users to inject arbitrary web script or HTML by leveraging privileged access to set crafted values of unspecified fields. | 2015-01-21 | 3.5 | CVE-2015-0513 BUGTRAQ |
| ibm — tivoli_netcool/omnibus | Cross-site scripting (XSS) vulnerability in the Web GUI in IBM Tivoli Netcool/OMNIbus 7.3.0 before 7.3.0.6, 7.3.1 before 7.3.1.7, and 7.4.0 before 7.4.0.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2015-01-17 | 3.5 | CVE-2014-3032 XF |
| ibm — serverguide | IBM ServerGuide before 9.63, UpdateXpress System Packs Installer (UXSPI) before 9.63, and ToolsCenter Suite before 9.63 place credentials in logs, which allows local users to obtain sensitive information by reading a file. | 2015-01-17 | 2.1 | CVE-2014-4835 XF |
| ibm — business_process_manager | Cross-site scripting (XSS) vulnerability in the Process Portal in IBM Business Process Manager 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-8914. | 2015-01-21 | 3.5 | CVE-2014-8913 XF |
| ibm — business_process_manager | Cross-site scripting (XSS) vulnerability in the Process Portal in IBM Business Process Manager 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-8913. | 2015-01-21 | 3.5 | CVE-2014-8914 XF |
| mediawiki — mediawiki | Cross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to true, allows remote attackers to inject arbitrary web script or HTML via the wpInput parameter to the Special:ExpandTemplates page. | 2015-01-16 | 2.6 | CVE-2014-9478 CONFIRM MLIST MLIST |
| oracle — peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 allows remote authenticated users to affect integrity via vectors related to PIA Core Technology. | 2015-01-21 | 3.5 | CVE-2014-4279 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Web Applications Desktop Integrator component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect integrity via unknown vectors related to Templates. | 2015-01-21 | 3.5 | CVE-2014-6525 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DML. | 2015-01-21 | 3.5 | CVE-2014-6568 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors reelated to 2D, a different vulnerability than CVE-2014-6591. | 2015-01-21 | 2.6 | CVE-2014-6585 |
| oracle — vm_virtualbox | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6589, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427. | 2015-01-21 | 3.2 | CVE-2014-6588 |
| oracle — vm_virtualbox | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427. | 2015-01-21 | 3.2 | CVE-2014-6589 |
| oracle — vm_virtualbox | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6595, and CVE-2015-0427. | 2015-01-21 | 3.2 | CVE-2014-6590 |
| oracle — jdk | Unspecified vulnerability in the Java SE component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6585. | 2015-01-21 | 2.6 | CVE-2014-6591 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect integrity via vectors related to SAML, a different vulnerability than CVE-2015-0389. | 2015-01-21 | 3.5 | CVE-2014-6592 |
| oracle — vm_virtualbox | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, and CVE-2015-0427. | 2015-01-21 | 3.2 | CVE-2014-6595 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – Common Components component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Email. | 2015-01-21 | 3.5 | CVE-2014-6599 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect availability via unknown vectors related to Integration Business Services. | 2015-01-21 | 3.5 | CVE-2015-0364 |
| oracle — database_server | Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect integrity via unknown vectors. | 2015-01-21 | 3.5 | CVE-2015-0370 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Security : Privileges : Foreign Key. | 2015-01-21 | 3.5 | CVE-2015-0374 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Public Sector component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect integrity via unknown vectors related to Public Sector Portal. | 2015-01-21 | 3.5 | CVE-2015-0384 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Pluggable Auth. | 2015-01-21 | 3.5 | CVE-2015-0385 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect integrity via vectors related to SAML, a different vulnerability than CVE-2014-6592. | 2015-01-21 | 3.5 | CVE-2015-0389 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 7u72 and 8u25 allows local users to affect integrity via unknown vectors related to Serviceability. | 2015-01-21 | 1.9 | CVE-2015-0413 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle SOA Suite component in Oracle Fusion Middleware 11.1.1.7 and 12.1.3.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Fabric Layer. | 2015-01-21 | 3.5 | CVE-2015-0414 |
| oracle — supply_chain_products_suite | Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect integrity via unknown vectors related to Roles & Privileges. | 2015-01-21 | 3.5 | CVE-2015-0416 |
| oracle — vm_virtualbox | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, and 4.2.28 allows local users to affect availability via unknown vectors related to Core, a different vulnerability than CVE-2015-0377. | 2015-01-21 | 2.1 | CVE-2015-0418 |
| oracle — vm_virtualbox | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, and CVE-2014-6595. | 2015-01-21 | 3.2 | CVE-2015-0427 |
| pivotal_software — rabbitmq_management | Multiple cross-site scripting (XSS) vulnerabilities in the management web UI in the RabbitMQ management plugin before 3.4.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) message details when a message is unqueued, such as headers or arguments; (2) policy names, which are not properly handled when viewing policies; (3) details for AMQP network clients, such as the version; allow remote authenticated administrators to inject arbitrary web script or HTML via (4) user names, (5) the cluster name; or allow RabbitMQ cluster administrators to (6) modify unspecified content. | 2015-01-18 | 3.5 | CVE-2015-0862 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to Libc. | 2015-01-21 | 2.1 | CVE-2015-0378 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to File System, a different vulnerability than CVE-2014-6570 and CVE-2014-6600. | 2015-01-21 | 2.1 | CVE-2015-0397 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect integrity and availability via vectors related to RPC Utility. | 2015-01-21 | 3.3 | CVE-2015-0429 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect confidentiality via vectors related to RPC Utility. | 2015-01-21 | 1.9 | CVE-2015-0430 |
| symantec — critical_system_protection | Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2015-01-21 | 3.5 | CVE-2014-9224 BID |
| websvn — websvn | WebSVN 2.3.3 allows remote authenticated users to read arbitrary files via a symlink attack in a commit. | 2015-01-21 | 3.5 | CVE-2013-6892 MISC SECUNIA |
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: January 23, 2015
The FBI has released an article addressing ransomware campaigns that use intimidating messages claiming to be from the FBI or other government agencies. Scam operators use ransomware – a type of malicious software – to infect a computer and restrict access to it until a ransom is paid to unlock it.
Users and administrators are encouraged to review the FBI article “Ransomware on the Rise” for details and refer to Alert TA-295A for information on Crypto Ransomware.
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: January 23, 2015
Google has released Chrome 40.0.2214.91 for Windows, Mac, and Linux to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow a remote attacker to cause a denial of service condition or obtain personal information.
US-CERT encourages users and administrators to review the Google Chrome blog entry and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
Original release date: January 22, 2015
Adobe has released security updates to address a vulnerability in Flash Player, which could potentially allow a remote attacker to take control of an affected system.
Users and administrators are encouraged to review Adobe Security Bulletin APSB15-02 and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.