Original release date: January 26, 2015
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
-
High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
-
Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
-
Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
High Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adb — p.dga4001n_firmware | The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service (device restart) as demonstrated by a direct request to (1) wlsecurity.html or (2) resetrouter.html. | 2015-01-21 | 9.4 | CVE-2015-0554 EXPLOIT-DB MISC |
| advantech — adamview | Multiple stack-based buffer overflows in Advantech AdamView 4.3 and earlier allow remote attackers to execute arbitrary code via a crafted (1) display properties or (2) conditional bitmap parameter in a GNI file. | 2015-01-20 | 7.5 | CVE-2014-8386 EXPLOIT-DB MISC FULLDISC |
| arbiter_systems — 1094b_gps_substation_clock | Arbiter 1094B GPS Substation Clock allows remote attackers to cause a denial of service (disruption) via crafted radio transmissions that spoof GPS satellite broadcasts. | 2015-01-16 | 7.8 | CVE-2014-9194 |
| ceragon_fiberair_ip-10 — – | Ceragon FiberAir IP-10 bridges have a default password for the root account, which makes it easier for remote attackers to obtain access via a (1) HTTP, (2) SSH, (3) TELNET, or (4) CLI session. | 2015-01-17 | 7.8 | CVE-2015-0924 |
| ffmpeg — ffmpeg | Use-after-free vulnerability in the matroska_read_seek function in libavformat/matroskadec.c in FFmpeg before 2.5.1, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Matroska file that triggers improper maintenance of tracks data. | 2015-01-22 | 7.5 | CVE-2014-7933 CONFIRM CONFIRM |
| ffmpeg — ffmpeg | Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data. | 2015-01-22 | 7.5 | CVE-2014-7937 |
| ffmpeg — ffmpeg | libavcodec/xface.h in FFmpeg before 2.5.2 establishes certain digits and words array dimensions that do not satisfy a required mathematical relationship, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted X-Face image data. | 2015-01-16 | 7.5 | CVE-2014-9602 CONFIRM |
| ffmpeg — ffmpeg | The vmd_decode function in libavcodec/vmdvideo.c in FFmpeg before 2.5.2 does not validate the relationship between a certain length value and the frame width, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Sierra VMD video data. | 2015-01-16 | 7.5 | CVE-2014-9603 CONFIRM |
| ffmpeg — ffmpeg | libavcodec/utvideodec.c in FFmpeg before 2.5.2 does not check for a zero value of a slice height, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Ut Video data, related to the (1) restore_median and (2) restore_median_il functions. | 2015-01-16 | 7.5 | CVE-2014-9604 CONFIRM |
| ge — multilink_ml1200 | GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier allow remote attackers to cause a denial of service (resource consumption or reboot) via crafted packets. | 2015-01-16 | 7.8 | CVE-2014-5418 |
| gentoo — libsndfile | The sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attackers to have unspecified impact via vectors related to a (1) map offset or (2) rsrc marker, which triggers an out-of-bounds read. | 2015-01-16 | 10.0 | CVE-2014-9496 CONFIRM CONFIRM MLIST SECUNIA SUSE |
| gnu — coreutils | The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the “–date=TZ=”123″345″ @1” string to the touch or date command. | 2015-01-16 | 7.5 | CVE-2014-9471 CONFIRM MLIST MLIST MLIST SECUNIA CONFIRM |
| google — chrome | The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7926. | 2015-01-22 | 7.5 | CVE-2014-7923 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| google — chrome | Use-after-free vulnerability in the WebAudio implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an audio-rendering thread in which AudioNode data is improperly maintained. | 2015-01-22 | 7.5 | CVE-2014-7925 CONFIRM CONFIRM CONFIRM CONFIRM |
| google — chrome | The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7923. | 2015-01-22 | 7.5 | CVE-2014-7926 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| google — chrome | The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code. | 2015-01-22 | 7.5 | CVE-2014-7927 CONFIRM CONFIRM |
| google — chrome | hydrogen.cc in Google V8, as used Google Chrome before 40.0.2214.91, does not properly handle arrays with holes, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers an array copy. | 2015-01-22 | 7.5 | CVE-2014-7928 CONFIRM CONFIRM |
| google — chrome | Use-after-free vulnerability in the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving movement of a SCRIPT element across documents. | 2015-01-22 | 7.5 | CVE-2014-7929 CONFIRM CONFIRM |
| google — chrome | Use-after-free vulnerability in core/events/TreeScopeEventContext.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of TreeScope data. | 2015-01-22 | 7.5 | CVE-2014-7930 CONFIRM CONFIRM |
| google — chrome | factory.cc in Google V8, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of backing-store pointers. | 2015-01-22 | 7.5 | CVE-2014-7931 CONFIRM CONFIRM |
| google — chrome | Use-after-free vulnerability in the Element::detach function in core/dom/Element.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving pending updates of detached elements. | 2015-01-22 | 7.5 | CVE-2014-7932 CONFIRM CONFIRM |
| google — chrome | Use-after-free vulnerability in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to unexpected absence of document data structures. | 2015-01-22 | 7.5 | CVE-2014-7934 CONFIRM CONFIRM CONFIRM |
| google — chrome | Use-after-free vulnerability in browser/speech/tts_message_filter.cc in the Speech implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving utterances from a closed tab. | 2015-01-22 | 7.5 | CVE-2014-7935 CONFIRM CONFIRM |
| google — chrome | The Fonts implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. | 2015-01-22 | 7.5 | CVE-2014-7938 |
| google — chrome | The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence. | 2015-01-22 | 7.5 | CVE-2014-7940 |
| google — chrome | The Fonts implementation in Google Chrome before 40.0.2214.91 does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. | 2015-01-22 | 7.5 | CVE-2014-7942 |
| gtk — gtk+ | GTK+ 3.10.9 and earlier, as used in cinnamon-screensaver, gnome-screensaver, and other applications, allows physically proximate attackers to bypass the lock screen by pressing the menu button. | 2015-01-16 | 7.2 | CVE-2014-1949 CONFIRM CONFIRM CONFIRM UBUNTU MLIST MLIST |
| ibm — sas_connectivity_module_firmware | IBM BladeCenter SAS Connectivity Module (aka NSSM) and SAS RAID Module (aka RSSM) before 1.3.3.006 allow remote attackers to cause a denial of service (reboot) via a flood of IP packets. | 2015-01-17 | 7.8 | CVE-2014-3018 XF |
| ipass — ipass_open_mobile | The client in iPass Open Mobile before 2.4.5 on Windows allows remote authenticated users to execute arbitrary code via a DLL pathname in a crafted Unicode string that is improperly handled by a subprocess reached through a named pipe, as demonstrated by a UNC share pathname. | 2015-01-22 | 9.0 | CVE-2015-0925 |
| juniper — junos | The Juniper MX Series routers with Junos 13.3R3 through 13.3Rx before 13.3R6, 14.1 before 14.1R4, 14.1X50 before 14.1X50-D70, and 14.2 before 14.2R2, when configured as a broadband edge (BBE) router, allows remote attackers to cause a denial of service (jpppd crash and restart) by sending a crafted PAP Authenticate-Request after the PPPoE Discovery and LCP phase are complete. | 2015-01-16 | 7.1 | CVE-2014-6382 BID |
| juniper — junos | Juniper Junos 11.4 before 11.4R8, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R9, 12.3R2 before 12.3R2-S3, 12.3 before 12.3R3, 13.1 before 13.1R4, and 13.2 before 13.2R1 allows remote attackers to cause a denial of service (assertion failure and rpd restart) via a crafted BGP FlowSpec prefix. | 2015-01-16 | 7.8 | CVE-2014-6386 SECTRACK BID |
| libpng — libpng | Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495. | 2015-01-18 | 7.5 | CVE-2015-0973 MLIST MLIST MISC MLIST |
| macroplant — iexplorer | Untrusted search path vulnerability in Macroplant iExplorer 3.6.3.0 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse itunesmobiledevice.dll. | 2015-01-16 | 7.2 | CVE-2014-9600 XF MISC |
| oracle — oracle_and_sun_systems_product_suite | Unspecified vulnerability in the Solaris Cluster component in Oracle Sun Systems Products Suite 3.3 and 4.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to System management. | 2015-01-21 | 9.0 | CVE-2014-4259 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. | 2015-01-21 | 10.0 | CVE-2014-6549 |
| oracle — jd_edwards_products | Unspecified vulnerability in the JD Edwards EnterpriseOne Tools component in Oracle JD Edwards Products 9.1.5 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Portal SEC. | 2015-01-21 | 7.5 | CVE-2014-6565 |
| oracle — database_server | Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher’s claim that this is a stack-based buffer overflow in DBMS_AW.EXECUTE, which allows code execution via a long Current Directory Alias (CDA) command. | 2015-01-21 | 9.0 | CVE-2014-6567 MISC |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. | 2015-01-21 | 10.0 | CVE-2014-6601 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. | 2015-01-21 | 9.3 | CVE-2015-0395 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 3.0.1 and 3.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Admin Console. | 2015-01-21 | 7.5 | CVE-2015-0396 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. | 2015-01-21 | 10.0 | CVE-2015-0408 CONFIRM |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption. | 2015-01-21 | 7.5 | CVE-2015-0411 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS. | 2015-01-21 | 7.2 | CVE-2015-0412 |
| oracle — integrated_lights_out_manager_firmware | Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite ILOM prior to 3.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to IPMI. | 2015-01-21 | 7.5 | CVE-2015-0424 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. | 2015-01-21 | 9.3 | CVE-2015-0437 |
| pheonixcontact-software — multiprog | Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic. | 2015-01-16 | 7.5 | CVE-2014-9195 |
| redhat — cloudforms_3.1_management_engine | The customization template in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 uses a default password for the root account when a password is not specified for a new image, which allows remote attackers to gain privileges. | 2015-01-16 | 10.0 | CVE-2014-3692 SECUNIA |
| samba — samba | Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4, when an Active Directory Domain Controller (AD DC) is configured, allows remote authenticated users to set the LDB userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by leveraging delegation of authority for user-account or computer-account creation. | 2015-01-16 | 8.5 | CVE-2014-8143 |
| sap — hana_extend_application_services | The Extended Application Services (XS) in SAP HANA allows remote attackers to inject arbitrary ABAP code via unspecified vectors, aka SAP Note 2098906. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2015-01-22 | 10.0 | CVE-2015-1311 MISC |
| sap — enterprise_resource_planning | The Dealer Portal in SAP ERP does not properly restrict access, which allows remote attackers to obtain sensitive information, gain privileges, and possibly have other unspecified impact via unknown vectors, aka SAP Note 2000401. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2015-01-22 | 7.5 | CVE-2015-1312 MISC |
| siemens — scalance_x-300_series_firmware | The web server on Siemens SCALANCE X-300 switches with firmware before 4.0 and SCALANCE X 408 switches with firmware before 4.0 allows remote attackers to cause a denial of service (reboot) via malformed HTTP requests. | 2015-01-21 | 7.8 | CVE-2014-8478 |
| sun — sunos | Unspecified vulnerability in Oracle Solaris 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Power Management Utility. | 2015-01-21 | 7.2 | CVE-2014-6510 |
| sun — sunos | Unspecified vulnerability in Oracle Solaris 10 allows local users to affect confidentiality, integrity, and availability via vectors related to CDE – Power Management Utility. | 2015-01-21 | 7.2 | CVE-2014-6521 |
| sun — sunos | Unspecified vulnerability in Oracle Solaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Kernel. | 2015-01-21 | 7.2 | CVE-2014-6524 |
| sybase — adaptive_server_enterprise | SQL injection vulnerability in SAP Adaptive Server Enterprise (Sybase ASE) allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Note 2113333. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2015-01-22 | 7.5 | CVE-2015-1310 MISC |
| symantec — critical_system_protection | The Agent Control Interface in the management server in Symantec Critical System Protection (SCSP) 5.2.9 before MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x before 6.0 MP1 allows remote authenticated users to execute arbitrary commands by leveraging client-system access to upload a log file. | 2015-01-21 | 9.0 | CVE-2014-3440 BID |
| symantec — critical_system_protection | The management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows local users to bypass intended Protection Policies via unspecified vectors. | 2015-01-21 | 7.2 | CVE-2014-9226 BID |
| web-dorado — photo_gallery | SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php. | 2015-01-16 | 7.5 | CVE-2015-1055 BID FULLDISC |
Medium Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| 7-zip — p7zip | p7zip 9.20.1 allows remote attackers to write to arbitrary files via a symlink attack in an archive. | 2015-01-21 | 5.8 | CVE-2015-1038 MISC MISC XF BID MLIST |
| apache — xml_security | Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document. | 2015-01-21 | 5.0 | CVE-2014-8152 XF SECTRACK BID MLIST |
| b2evolution — b2evolution | Cross-site scripting (XSS) vulnerability in the filemanager in b2evolution before 5.2.1 allows remote attackers to inject arbitrary web script or HTML via the fm_filter parameter to blogs/admin.php. | 2015-01-16 | 4.3 | CVE-2014-9599 CONFIRM XF BID MISC MISC FULLDISC MISC |
| brother — mfc-j4410dw | Cross-site scripting (XSS) vulnerability in Brother MFC-J4410DW printer with firmware before L allows remote attackers to inject arbitrary web script or HTML via the url parameter to general/status.html and possibly other pages. | 2015-01-16 | 4.3 | CVE-2015-1056 XF BID BUGTRAQ MISC |
| cagintranetworks — getsimple_cms | XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter. | 2015-01-20 | 5.0 | CVE-2014-8790 CONFIRM FULLDISC MISC MISC CONFIRM |
| cisco — unified_communications_manager | Absolute path traversal vulnerability in the Real-Time Monitoring Tool (RTMT) API in Cisco Unified Communications Manager (CUCM) allows remote authenticated users to read arbitrary files via a full pathname in an API command, aka Bug ID CSCur49414. | 2015-01-22 | 6.8 | CVE-2014-8008 |
| cisco — webex_meeting_center | Cisco WebEx Meeting Center allows remote attackers to activate disabled meeting attributes, and consequently obtain sensitive information, by providing crafted parameters during a meeting-join action, aka Bug ID CSCuo34165. | 2015-01-17 | 5.0 | CVE-2015-0590 |
| clorius_controls_a/s — java_web_client | The Clorius Controls Java web client before 01.00.0009g allows remote attackers to discover credentials by sniffing the network for cleartext-equivalent traffic. | 2015-01-16 | 5.0 | CVE-2014-9199 |
| croogo — croogo | Cross-site scripting (XSS) vulnerability in the administrative backend in Croogo before 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the path parameter to admin/file_manager/file_manager/editfile. | 2015-01-16 | 4.3 | CVE-2015-1053 CONFIRM XF BID MISC MISC FULLDISC MISC |
| debian — dpkg | Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the (1) package or (2) architecture name. | 2015-01-20 | 6.8 | CVE-2014-8625 CONFIRM CONFIRM XF MLIST MLIST MLIST |
| djangoproject — django | Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a – (dash) character in an HTTP header, as demonstrated by an X-Auth_User header. | 2015-01-16 | 5.0 | CVE-2015-0219 SECUNIA SECUNIA |
| djangoproject — django | The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a “njavascript:” URL. | 2015-01-16 | 4.3 | CVE-2015-0220 UBUNTU SECUNIA SECUNIA |
| djangoproject — django | The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file. | 2015-01-16 | 5.0 | CVE-2015-0221 SECUNIA SECUNIA |
| djangoproject — django | ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries. | 2015-01-16 | 5.0 | CVE-2015-0222 SECUNIA SECUNIA |
| e107 — e107 | Cross-site scripting (XSS) vulnerability in usersettings.php in e107 2.0.0 allows remote attackers to inject arbitrary web script or HTML via the “Real Name” value. | 2015-01-16 | 4.3 | CVE-2015-1057 XF EXPLOIT-DB OSVDB |
| emc — vipr_srm | EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 might allow remote attackers to obtain cleartext data-center discovery credentials by leveraging certain SRM access to conduct a decryption attack. | 2015-01-21 | 5.0 | CVE-2015-0514 BUGTRAQ |
| emc — vipr_srm | Unrestricted file upload vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to execute arbitrary code by uploading and then accessing an executable file. | 2015-01-21 | 6.5 | CVE-2015-0515 BUGTRAQ |
| emc — vipr_srm | Directory traversal vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to read arbitrary files via a crafted URL. | 2015-01-21 | 4.0 | CVE-2015-0516 BUGTRAQ |
| file_project — file | The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes. | 2015-01-21 | 5.0 | CVE-2014-9620 CONFIRM MLIST DEBIAN MLIST |
| file_project — file | The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string. | 2015-01-21 | 5.0 | CVE-2014-9621 CONFIRM MLIST MLIST |
| ge — intelligent_platforms_proficy_hmi/scada_cimplicity | The (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIMPLICITY 8.2 and earlier allow remote attackers to gain privileges via a crafted CIMPLICITY screen (aka .CIM) file. | 2015-01-16 | 6.9 | CVE-2014-2355 |
| ge — multilink_ml1200 | GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier use the same RSA private key across different customers’ installations, which makes it easier for remote attackers to obtain the cleartext content of network traffic by reading this key from a firmware image and then sniffing the network. | 2015-01-16 | 5.0 | CVE-2014-5419 |
| gentoo — xdg-utils | Eval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported desktop environment is identified, allows context-dependent attackers to execute arbitrary code via the URL argument to xdg-open. | 2015-01-21 | 6.8 | CVE-2014-9622 CONFIRM CONFIRM MLIST DEBIAN SECUNIA FULLDISC |
| getsentry — raven-ruby | The numtok function in lib/raven/okjson.rb in the raven-ruby gem before 0.12.2 for Ruby allows remote attackers to cause a denial of service via a large exponent value in a scientific number. | 2015-01-20 | 5.0 | CVE-2014-9490 CONFIRM CONFIRM XF MLIST |
| getusedtoit — wp_slimstat | Cross-site scripting (XSS) vulnerability in the Save Filters functionality in the WP Slimstat plugin before 3.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fs[resource] parameter in the wp-slim-view-2 page to wp-admin/admin.php. | 2015-01-21 | 4.3 | CVE-2015-1204 MISC CONFIRM SECUNIA |
| gnu — patch | GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file. | 2015-01-21 | 4.3 | CVE-2015-1196 CONFIRM CONFIRM XF BID MLIST CONFIRM |
| google — chrome | Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering duplicate BLOB references, related to content/browser/indexed_db/indexed_db_callbacks.cc and content/browser/indexed_db/indexed_db_dispatcher_host.cc. | 2015-01-22 | 5.0 | CVE-2014-7924 CONFIRM CONFIRM |
| google — chrome | Use-after-free vulnerability in the ZoomBubbleView::Close function in browser/ui/views/location_bar/zoom_bubble_view.cc in the Views implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document that triggers improper maintenance of a zoom bubble. | 2015-01-22 | 6.8 | CVE-2014-7936 CONFIRM CONFIRM |
| google — chrome | Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code with Proxy.create and console.log calls, related to HTTP responses that lack an “X-Content-Type-Options: nosniff” header. | 2015-01-22 | 4.3 | CVE-2014-7939 |
| google — chrome | The SelectionOwner::ProcessTarget function in ui/base/x/selection_owner.cc in the UI implementation in Google Chrome before 40.0.2214.91 uses an incorrect data type for a certain length value, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted X11 data. | 2015-01-22 | 5.0 | CVE-2014-7941 |
| google — chrome | Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. | 2015-01-22 | 5.0 | CVE-2014-7943 CONFIRM |
| google — chrome | The sycc422_to_rgb function in fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 40.0.2214.91, does not properly handle odd values of image width, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document. | 2015-01-22 | 5.0 | CVE-2014-7944 |
| google — chrome | OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c. | 2015-01-22 | 5.0 | CVE-2014-7945 |
| google — chrome | The RenderTable::simplifiedNormalFlowLayout function in core/rendering/RenderTable.cpp in Blink, as used in Google Chrome before 40.0.2214.91, skips captions during table layout in certain situations, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors related to the Fonts implementation. | 2015-01-22 | 5.0 | CVE-2014-7946 CONFIRM |
| google — chrome | OpenJPEG before r2944, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, pi.c, t1.c, t2.c, and tcd.c. | 2015-01-22 | 5.0 | CVE-2014-7947 |
| google — chrome | The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in content/browser/appcache/appcache_update_job.cc in Google Chrome before 40.0.2214.91 proceeds with AppCache caching for SSL sessions even if there is an X.509 certificate error, which allows man-in-the-middle attackers to spoof HTML5 application content via a crafted certificate. | 2015-01-22 | 4.3 | CVE-2014-7948 |
| ibm — sas_connectivity_module_firmware | IBM BladeCenter SAS Connectivity Module (aka NSSM) and SAS RAID Module (aka RSSM) before 1.3.3.006 allow remote attackers to obtain blade and storage-pool access via a TELNET session. | 2015-01-17 | 5.0 | CVE-2014-3019 XF |
| ibm — api_management | IBM API Management 3.0 before 3.0.4.0 IF1 allows remote attackers to obtain sensitive analytics information in an encrypted form via unspecified vectors. | 2015-01-21 | 5.0 | CVE-2014-6172 XF AIXAPAR |
| ibm — security_network_protection_xgs_firmware | IBM Security Network Protection 5.1.x and 5.2.x before 5.2.0.0 FP5 and 5.3.x before 5.3.0.0 FP1 allows remote attackers to conduct clickjacking attacks via unspecified vectors. | 2015-01-17 | 4.3 | CVE-2014-6197 XF |
| illumos — illumos | The devzvol_readdir function in illumos does not check the return value of a strchr call, which allows remote attackers to cause a denial of service (NULL pointer dereference and panic) via unspecified vectors. | 2015-01-20 | 5.0 | CVE-2014-9491 CONFIRM CONFIRM XF MLIST |
| insanevisions — adaptcms | Multiple cross-site scripting (XSS) vulnerabilities in AdaptCMS 3.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Category][title] parameter to admin/categories/add, (2) data[Field][title] parameter to admin/fields/ajax_fields/, (3) name property in a basicInfo JSON object to admin/tools/create_theme, (4) data[Link][link_title] parameter to admin/links/links/add, or (5) data[ForumTopic][subject] parameter to forums/off-topic/new. | 2015-01-16 | 4.3 | CVE-2015-1058 XF MISC EXPLOIT-DB MISC OSVDB OSVDB OSVDB OSVDB OSVDB |
| insanevisions — adaptcms | Unrestricted file upload vulnerability in admin/files/add in AdaptCMS 3.0.3 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in /app/webroot/uploads. | 2015-01-16 | 6.5 | CVE-2015-1059 MISC XF EXPLOIT-DB MISC OSVDB |
| insanevisions — adaptcms | Open redirect vulnerability in lib/Cake/Controller/Controller.php in AdaptCMS 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header. | 2015-01-16 | 5.8 | CVE-2015-1060 XF MISC EXPLOIT-DB MISC OSVDB |
| juniper — junos | The stateless firewall in Juniper Junos 13.3R3, 14.1R1, and 14.1R2, when using Trio-based PFE modules, does not properly match ports, which might allow remote attackers to bypass firewall rule. | 2015-01-16 | 5.0 | CVE-2014-6383 SECTRACK BID |
| juniper — junos | Juniper Junos 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D25, 12.1X47 before 12.1X47-D15, 12.3 before 12.3R9, 13.1 before 13.1R4-S3, 13.2 before 13.2R6, 13.3 before 13.3R5, 14.1 before 14.1R3, and 14.2 before 14.2R1 does not properly handle double quotes in authorization attributes in the TACACS+ configuration, which allows local users to bypass the security policy and execute commands via unspecified vectors. | 2015-01-16 | 6.9 | CVE-2014-6384 SECTRACK BID |
| juniper — junos | Juniper Junos 11.4 before 11.4R13, 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 before 12.1X47-D15, 12.2 before 12.2R9, 12.3R7 before 12.3R7-S1, 12.3 before 12.3R8, 13.1 before 13.1R5, 13.2 before 13.2R6, 13.3 before 13.3R4, 14.1 before 14.1R2, and 14.2 before 14.2R1 allows remote attackers to cause a denial of service (kernel crash and restart) via a crafted fragmented OSPFv3 packet with an IPsec Authentication Header (AH). | 2015-01-16 | 6.1 | CVE-2014-6385 BID |
| kde — kde_applications | kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack. | 2015-01-18 | 5.0 | CVE-2013-7252 CONFIRM BID MLIST MLIST MISC |
| kgb_project — kgb | Absolute path traversal vulnerability in kgb 1.0b4 allows remote attackers to write to arbitrary files via a full pathname in a crafted archive. | 2015-01-21 | 5.0 | CVE-2015-1192 MISC BID MLIST SECUNIA |
| kiwix — kiwix | Cross-site scripting (XSS) vulnerability in Kiwix before 0.9.1, when using kiwix-serve, allows remote attackers to inject arbitrary web script or HTML via the pattern parameter to /search. | 2015-01-21 | 4.3 | CVE-2015-1032 BUGTRAQ CONFIRM MISC MISC |
| libtiff — libtiff | Integer overflow in tif_packbits.c in bmp2tif in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) via crafted BMP image, related to dimensions, which triggers an out-of-bounds read. | 2015-01-20 | 5.0 | CVE-2014-9330 SECTRACK FULLDISC CONFIRM |
| mediawiki — mediawiki | MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by “http://en.wikipedia.org.evilsite.example/.” | 2015-01-16 | 5.0 | CVE-2014-9476 CONFIRM MLIST MLIST |
| mediawiki — mediawiki | Multiple cross-site scripting (XSS) vulnerabilities in the Listings extension for MediaWiki allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) url parameter. | 2015-01-16 | 4.3 | CVE-2014-9477 CONFIRM MLIST MLIST |
| mediawiki — mediawiki | Cross-site scripting (XSS) vulnerability in the preview in the TemplateSandbox extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via the text parameter to Special:TemplateSandbox. | 2015-01-16 | 4.3 | CVE-2014-9479 CONFIRM MLIST MLIST |
| mediawiki — mediawiki | Cross-site scripting (XSS) vulnerability in the Hovercards extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors related to text extracts. | 2015-01-16 | 4.3 | CVE-2014-9480 CONFIRM MLIST MLIST |
| openstack — image_registry_and_delivery_service_(glance) | The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493. | 2015-01-21 | 6.5 | CVE-2015-1195 CONFIRM MLIST MLIST SECUNIA MLIST |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2013-0338, CVE-2013-2877, and CVE-2015-0386. | 2015-01-21 | 4.3 | CVE-2014-0191 |
| oracle — oracle_and_sun_systems_product_suite | Unspecified vulnerability in the Solaris Cluster component in Oracle Sun Systems Products Suite 3.3 and 4.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to System management. | 2015-01-21 | 6.5 | CVE-2014-6480 |
| oracle — database_server | Unspecified vulnerability in the PL/SQL component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality via unknown vectors. | 2015-01-21 | 4.0 | CVE-2014-6514 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Directory Server Enterprise Edition component in Oracle Fusion Middleware 7.0 allows remote attackers to affect integrity via unknown vectors related to Admin Console. | 2015-01-21 | 4.3 | CVE-2014-6526 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – System Management component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Server Infrastructure. | 2015-01-21 | 4.0 | CVE-2014-6528 |
| oracle — database_server | Unspecified vulnerability in the Recovery component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2, when running on Windows, allows remote authenticated users to affect confidentiality via vectors related to DBMS_IR. | 2015-01-21 | 6.3 | CVE-2014-6541 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle SOA Suite component in Oracle Fusion Middleware 11.1.1.7 allows local users to affect confidentiality, integrity, and availability via vectors related to B2B Engine. | 2015-01-21 | 4.6 | CVE-2014-6548 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to AD_DDL. | 2015-01-21 | 4.6 | CVE-2014-6556 |
| oracle — peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 allows remote authenticated users to affect integrity via unknown vectors related to Portal. | 2015-01-21 | 4.0 | CVE-2014-6566 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality via vectors related to CIE Related Components. | 2015-01-21 | 5.0 | CVE-2014-6569 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2011-1944. | 2015-01-21 | 6.8 | CVE-2014-6571 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Customer Interaction History component in Oracle E-Business Suite 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and integrity via unknown vectors related to List of Values. | 2015-01-21 | 6.4 | CVE-2014-6572 |
| oracle — enterprise_manager_grid_control | Unspecified vulnerability in the Enterprise Manager Ops Center component in Oracle Enterprise Manager Grid Control 11.1.3 and 12.1.4 allows remote attackers to affect integrity via unknown vectors related to User Interface Framework. | 2015-01-21 | 4.3 | CVE-2014-6573 |
| oracle — supply_chain_products_suite | Unspecified vulnerability in the Oracle Agile PLM for Process component in Oracle Supply Chain Products Suite 6.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Testing Protocol Library. | 2015-01-21 | 4.3 | CVE-2014-6574 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Adaptive Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to OAM Integration. | 2015-01-21 | 5.5 | CVE-2014-6576 |
| oracle — database_server | Unspecified vulnerability in the XML Developer’s Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher’s claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI. | 2015-01-21 | 6.8 | CVE-2014-6577 MISC |
| oracle — database_server | Unspecified vulnerability in the Workspace Manager component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SDO_TOPO and WMSYS.LT. | 2015-01-21 | 6.5 | CVE-2014-6578 |
| oracle — peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect confidentiality via unknown vectors related to Integration Broker. | 2015-01-21 | 4.0 | CVE-2014-6579 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.7 and 11.1.2.2 allows remote attackers to affect integrity via unknown vectors. | 2015-01-21 | 4.3 | CVE-2014-6580 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Customer Intelligence component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Extract/Load Programs. | 2015-01-21 | 6.4 | CVE-2014-6581 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle HCM Configuration Workbench component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality via unknown vectors related to Rapid Implementation. | 2015-01-21 | 5.0 | CVE-2014-6582 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Marketing component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, and 12.1.3. allows remote attackers to affect confidentiality and integrity via unknown vectors related to Audience. | 2015-01-21 | 6.4 | CVE-2014-6583 |
| oracle — integrated_lights_out_manager_firmware | Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite ILOM before 3.2.4 allows remote authenticated users to affect confidentiality via unknown vectors related to Backup Restore. | 2015-01-21 | 4.0 | CVE-2014-6584 |
| oracle — peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Time and Labor. | 2015-01-21 | 5.5 | CVE-2014-6586 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. | 2015-01-21 | 4.3 | CVE-2014-6587 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. | 2015-01-21 | 4.0 | CVE-2014-6593 |
| oracle — ilearning | Unspecified vulnerability in the Oracle iLearning component in Oracle iLearning 6.0 and 6.1 allows remote attackers to affect confidentiality via unknown vectors related to Learner Pages. | 2015-01-21 | 4.3 | CVE-2014-6594 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via unknown vectors related to Portal Framework. | 2015-01-21 | 4.3 | CVE-2014-6596 |
| oracle — peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52, 8.53, and 8.54 allows remote authenticated users to affect integrity via vectors related to PIA Core Technology. | 2015-01-21 | 4.0 | CVE-2014-6597 |
| oracle — fusion_middleware | Unspecified vulnerability in the BI Publisher (formerly XML Publisher) component in Oracle Fusion Middleware 11.1.1.7 allows remote attackers to affect confidentiality via unknown vectors related to BI Publisher Security. | 2015-01-21 | 5.0 | CVE-2015-0362 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect availability via unknown vectors related to Integration Business Services. | 2015-01-21 | 4.0 | CVE-2015-0363 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – Server Infrastructure component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Security. | 2015-01-21 | 4.3 | CVE-2015-0365 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Java Integration. | 2015-01-21 | 5.0 | CVE-2015-0366 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to affect integrity via vectors related to SSO Engine. | 2015-01-21 | 5.0 | CVE-2015-0367 |
| oracle — supply_chain_products_suite | Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote attackers to affect availability via unknown vectors related to Security. | 2015-01-21 | 5.0 | CVE-2015-0368 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via unknown vectors related to AX/HI Web UI. | 2015-01-21 | 4.3 | CVE-2015-0369 |
| oracle — database_server | Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect integrity and availability via unknown vectors. | 2015-01-21 | 4.9 | CVE-2015-0371 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect confidentiality via unknown vectors. | 2015-01-21 | 5.0 | CVE-2015-0372 |
| oracle — database_server | Unspecified vulnerability in the OJVM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. | 2015-01-21 | 6.5 | CVE-2015-0373 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 11.1.1.8.0 allows remote attackers to affect integrity via unknown vectors related to Content Server. | 2015-01-21 | 4.3 | CVE-2015-0376 |
| oracle — vm_virtualbox | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, and 4.2.28 allows local users to affect availability via unknown vectors related to Core, a different vulnerability than CVE-2015-0418. | 2015-01-21 | 4.4 | CVE-2015-0377 |
| oracle — peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.54 allows remote attackers to affect integrity via vectors related to PIA Core Technology. | 2015-01-21 | 4.3 | CVE-2015-0379 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Telecommunications Billing Integrator component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via unknown vectors related to OA Based UI for Bill Summary. | 2015-01-21 | 4.3 | CVE-2015-0380 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0382. | 2015-01-21 | 4.3 | CVE-2015-0381 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0381. | 2015-01-21 | 4.3 | CVE-2015-0382 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows local users to affect integrity and availability via unknown vectors related to Hotspot. | 2015-01-21 | 5.4 | CVE-2015-0383 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2013-0338, CVE-2013-2877, and CVE-2014-0191. | 2015-01-21 | 4.3 | CVE-2015-0386 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – Server OM Services component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via vectors related to Security – LDAP Security Adapter. | 2015-01-21 | 4.0 | CVE-2015-0387 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Portal Framework, a different vulnerability than CVE-2015-0417. | 2015-01-21 | 4.0 | CVE-2015-0388 |
| oracle — retail_applications_xstore | Unspecified vulnerability in the MICROS Retail component in Oracle Retail Applications Xstore: 3.2.1, 3.4.2, 3.5.0, 4.0.1, 4.5.1, 4.8.0, 5.0.3, 5.5.3, 6.0.6, and 6.5.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Xstore Point of Sale. | 2015-01-21 | 6.8 | CVE-2015-0390 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL. | 2015-01-21 | 4.0 | CVE-2015-0391 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – Server BizLogic Script component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Config – Scripting. | 2015-01-21 | 4.6 | CVE-2015-0392 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to DB Privileges. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher’s claim that the PUBLIC role is granted the INDEX privilege for the DUAL table during a “seeded install,” which allows remote authenticated users to gain SYSDBA privileges and execute arbitrary code. | 2015-01-21 | 6.0 | CVE-2015-0393 |
| oracle — peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect confidentiality via unknown vectors related to Report Distribution. | 2015-01-21 | 4.0 | CVE-2015-0394 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Life Sciences component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Clinical Trip Report. | 2015-01-21 | 4.0 | CVE-2015-0398 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 10.1.3.4.2 and 11.1.1.7 allows remote authenticated users to affect confidentiality via unknown vectors related to Analytics Web General. | 2015-01-21 | 4.0 | CVE-2015-0399 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Libraries. | 2015-01-21 | 5.0 | CVE-2015-0400 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Directory Server Enterprise Edition component in Oracle Fusion Middleware 7.0 and 11.1.1.7 allows remote authenticated users to affect integrity via unknown vectors related to Admin Console. | 2015-01-21 | 4.0 | CVE-2015-0401 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – Server BizLogic Script component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via vectors related to Integration – COM. | 2015-01-21 | 4.3 | CVE-2015-0402 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. | 2015-01-21 | 6.9 | CVE-2015-0403 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via unknown vectors related to Error Messages. | 2015-01-21 | 4.3 | CVE-2015-0404 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality and availability via unknown vectors related to Deployment. | 2015-01-21 | 5.8 | CVE-2015-0406 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Swing. | 2015-01-21 | 5.0 | CVE-2015-0407 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. | 2015-01-21 | 4.0 | CVE-2015-0409 |
| oracle — jdk | Unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows remote attackers to affect availability via unknown vectors related to Security. | 2015-01-21 | 5.0 | CVE-2015-0410 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3 allows remote authenticated users to affect integrity via unknown vectors related to Session Management. | 2015-01-21 | 4.0 | CVE-2015-0415 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Portal Framework, a different vulnerability than CVE-2015-0388. | 2015-01-21 | 4.0 | CVE-2015-0417 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Portal Framework. | 2015-01-21 | 4.3 | CVE-2015-0419 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Forms component in Oracle Fusion Middleware 11.1.1.7 and 11.1.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Forms Services. | 2015-01-21 | 4.3 | CVE-2015-0420 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the installation process. | 2015-01-21 | 6.9 | CVE-2015-0421 |
| oracle — supply_chain_products_suite | Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote authenticated users to affect confidentiality via unknown vectors related to UI Infrastructure. | 2015-01-21 | 4.0 | CVE-2015-0422 |
| oracle — siebel_crm | Unspecified vulnerability in the Oracle Enterprise Asset Management component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Siebel Core – Unix/Windows. | 2015-01-21 | 4.3 | CVE-2015-0425 |
| oracle — enterprise_manager_grid_control | Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control 12.1.0.3 and 12.1.0.4 allows remote attackers to affect confidentiality via unknown vectors related to UI Framework. | 2015-01-21 | 5.0 | CVE-2015-0426 |
| oracle — supply_chain_products_suite | Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0 6.3.1, 6.3.2, 6.3.4, and 6.3.5 allows remote attackers to affect integrity via unknown vectors related to UI Infrastructure. | 2015-01-21 | 4.3 | CVE-2015-0431 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DDL : Foreign Key. | 2015-01-21 | 4.0 | CVE-2015-0432 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to affect confidentiality via vectors related to Integration with OAM. | 2015-01-21 | 4.3 | CVE-2015-0434 |
| oracle — supply_chain_products_suite | Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote authenticated users to affect confidentiality via unknown vectors related to Security. | 2015-01-21 | 6.8 | CVE-2015-0435 |
| oracle — ilearning | Unspecified vulnerability in the Oracle iLearning component in Oracle iLearning 6.0 and 6.1 allows remote attackers to affect confidentiality via unknown vectors related to Login. | 2015-01-21 | 4.3 | CVE-2015-0436 |
| pax_project — pax | Multiple directory traversal vulnerabilities in pax 1:20140703 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive. | 2015-01-21 | 5.0 | CVE-2015-1193 MISC MLIST |
| pax_project — pax | pax 1:20140703 allows remote attackers to write to arbitrary files via a symlink attack in an archive. | 2015-01-21 | 4.3 | CVE-2015-1194 MISC MLIST |
| pivotal_software — rabbitmq | RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header. | 2015-01-20 | 5.0 | CVE-2014-9494 CONFIRM XF MLIST |
| privoxy — privoxy | Memory leak in the rfc2553_connect_to function in jbsocket.c in Privoxy before 3.0.22 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests that are rejected because the socket limit is reached. | 2015-01-20 | 5.0 | CVE-2015-1030 MLIST SECUNIA |
| privoxy — privoxy | Privoxy before 3.0.22 allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2015-01-20 | 5.0 | CVE-2015-1201 SECUNIA |
| puppetlabs — stdlib | The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlier allows remote authenticated users to gain privileges or obtain sensitive information by prepopulating the fact cache. | 2015-01-16 | 6.5 | CVE-2015-1029 SECUNIA |
| python — pillow | Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed. | 2015-01-16 | 5.0 | CVE-2014-9601 CONFIRM CONFIRM |
| redhat — cloudforms_3.1_management_engine | SQL injection vulnerability in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 allows remote authenticated users to execute arbitrary SQL commands via a crafted REST API request to an SQL filter. | 2015-01-16 | 6.5 | CVE-2014-7814 SECUNIA |
| sap — netweaver_abap | XML external entity vulnerability in the Extended Computer Aided Test Tool (eCATT) in SAP NetWeaver AS ABAP 7.31 and earlier allows remote attackers to access arbitrary files via a crafted XML request, related to ECATT_DISPLAY_XMLSTRING_REMOTE, aka SAP Note 2016638. | 2015-01-22 | 5.0 | CVE-2015-1309 SECUNIA MISC MISC |
| serve-static_project — serve-static | Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI. | 2015-01-21 | 4.3 | CVE-2015-1164 CONFIRM CONFIRM XF BID CONFIRM |
| siemens — scalance_x-300_series_firmware | The FTP server on Siemens SCALANCE X-300 switches with firmware before 4.0 and SCALANCE X 408 switches with firmware before 4.0 allows remote authenticated users to cause a denial of service (reboot) via crafted FTP packets. | 2015-01-21 | 6.8 | CVE-2014-8479 |
| siemens — simatic_s7_1200_cpu_firmware | Open redirect vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices with firmware before 4.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 2015-01-21 | 4.3 | CVE-2015-1048 |
| sun — sunos | Unspecified vulnerability in Oracle Solaris 10 and 11 allows remote attackers to affect confidentiality via vectors related to KSSL. | 2015-01-21 | 4.3 | CVE-2014-6481 |
| sun — sunos | Unspecified vulnerability in Oracle Solaris 10 allows local users to affect availability via unknown vectors related to Kernel. | 2015-01-21 | 4.9 | CVE-2014-6509 |
| sun — sunos | Unspecified vulnerability in Oracle Solaris 10 and 11 allows local users to affect integrity and availability via vectors related to Unix File System (UFS). | 2015-01-21 | 6.6 | CVE-2014-6518 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to File System, a different vulnerability than CVE-2014-6600 and CVE-2015-0397. | 2015-01-21 | 4.9 | CVE-2014-6570 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remote attackers to affect availability via unknown vectors related to Network, a different vulnerability than CVE-2004-0230. | 2015-01-21 | 5.0 | CVE-2014-6575 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to File System, a different vulnerability than CVE-2014-6570 and CVE-2015-0397. | 2015-01-21 | 4.9 | CVE-2014-6600 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remote attackers to affect confidentiality via unknown vectors related to Network. | 2015-01-21 | 5.0 | CVE-2015-0375 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect availability via unknown vectors related to Resource Control. | 2015-01-21 | 4.9 | CVE-2015-0428 |
| symantec — critical_system_protection | SQL injection vulnerability in the management server in Symantec Critical System Protection (SCSP) 5.2.9 before MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x before 6.0 MP1 allows remote authenticated users to execute arbitrary SQL commands via a crafted HTTP request. | 2015-01-21 | 6.5 | CVE-2014-7289 BID |
| symantec — critical_system_protection | The ajaxswing webui in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to obtain sensitive server information via unspecified vectors. | 2015-01-21 | 4.0 | CVE-2014-9225 BID |
| sympa — sympa | The newsletter posting area in the web interface in Sympa 6.0.x before 6.0.10 and 6.1.x before 6.1.24 allows remote attackers to read arbitrary files via unspecified vectors. | 2015-01-22 | 5.0 | CVE-2015-1306 MLIST DEBIAN SECUNIA SECUNIA |
| synck_graphica — download_log_cgi | Directory traversal vulnerability in SYNCK GRAPHICA Download Log CGI 3.0 and earlier allows remote attackers to read arbitrary files via a crafted filename. | 2015-01-21 | 5.0 | CVE-2015-0867 |
| videolan — vlc_media_player | The picture_pool_Delete function in misc/picture_pool.c in VideoLAN VLC media player 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service (DEP violation and application crash) via a crafted FLV file. | 2015-01-21 | 6.8 | CVE-2014-9597 MISC MISC MISC FULLDISC |
| videolan — vlc_media_player | The picture_Release function in misc/picture.c in VideoLAN VLC media player 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service (write access violation) via a crafted M2V file. | 2015-01-21 | 6.8 | CVE-2014-9598 MISC MISC MISC FULLDISC |
| websitebaker — websitebaker | Cross-site scripting (XSS) vulnerability in admin/pages/modify.php in WebsiteBaker 2.8.3 SP3 allows remote attackers to inject arbitrary web script or HTML via the page_id parameter. | 2015-01-21 | 4.3 | CVE-2015-0553 MISC BID MISC MISC FULLDISC MISC |
| zlib — pigz | Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive. | 2015-01-21 | 5.0 | CVE-2015-1191 CONFIRM CONFIRM MLIST |
Low Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| crea8social — crea8social | Cross-site scripting (XSS) vulnerability in the Games feature in Crea8Social 2.0 allows remote authenticated users to inject arbitrary web script or HTML via the Game Content field in Add Game. | 2015-01-16 | 3.5 | CVE-2015-1054 XF EXPLOIT-DB MISC OSVDB CONFIRM CONFIRM |
| emc — vipr_srm | Multiple cross-site scripting (XSS) vulnerabilities in the administrative user interface in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allow remote authenticated users to inject arbitrary web script or HTML by leveraging privileged access to set crafted values of unspecified fields. | 2015-01-21 | 3.5 | CVE-2015-0513 BUGTRAQ |
| ibm — tivoli_netcool/omnibus | Cross-site scripting (XSS) vulnerability in the Web GUI in IBM Tivoli Netcool/OMNIbus 7.3.0 before 7.3.0.6, 7.3.1 before 7.3.1.7, and 7.4.0 before 7.4.0.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2015-01-17 | 3.5 | CVE-2014-3032 XF |
| ibm — serverguide | IBM ServerGuide before 9.63, UpdateXpress System Packs Installer (UXSPI) before 9.63, and ToolsCenter Suite before 9.63 place credentials in logs, which allows local users to obtain sensitive information by reading a file. | 2015-01-17 | 2.1 | CVE-2014-4835 XF |
| ibm — business_process_manager | Cross-site scripting (XSS) vulnerability in the Process Portal in IBM Business Process Manager 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-8914. | 2015-01-21 | 3.5 | CVE-2014-8913 XF |
| ibm — business_process_manager | Cross-site scripting (XSS) vulnerability in the Process Portal in IBM Business Process Manager 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-8913. | 2015-01-21 | 3.5 | CVE-2014-8914 XF |
| mediawiki — mediawiki | Cross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to true, allows remote attackers to inject arbitrary web script or HTML via the wpInput parameter to the Special:ExpandTemplates page. | 2015-01-16 | 2.6 | CVE-2014-9478 CONFIRM MLIST MLIST |
| oracle — peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 allows remote authenticated users to affect integrity via vectors related to PIA Core Technology. | 2015-01-21 | 3.5 | CVE-2014-4279 |
| oracle — e-business_suite | Unspecified vulnerability in the Oracle Web Applications Desktop Integrator component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect integrity via unknown vectors related to Templates. | 2015-01-21 | 3.5 | CVE-2014-6525 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DML. | 2015-01-21 | 3.5 | CVE-2014-6568 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors reelated to 2D, a different vulnerability than CVE-2014-6591. | 2015-01-21 | 2.6 | CVE-2014-6585 |
| oracle — vm_virtualbox | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6589, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427. | 2015-01-21 | 3.2 | CVE-2014-6588 |
| oracle — vm_virtualbox | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427. | 2015-01-21 | 3.2 | CVE-2014-6589 |
| oracle — vm_virtualbox | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6595, and CVE-2015-0427. | 2015-01-21 | 3.2 | CVE-2014-6590 |
| oracle — jdk | Unspecified vulnerability in the Java SE component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6585. | 2015-01-21 | 2.6 | CVE-2014-6591 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect integrity via vectors related to SAML, a different vulnerability than CVE-2015-0389. | 2015-01-21 | 3.5 | CVE-2014-6592 |
| oracle — vm_virtualbox | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, and CVE-2015-0427. | 2015-01-21 | 3.2 | CVE-2014-6595 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – Common Components component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Email. | 2015-01-21 | 3.5 | CVE-2014-6599 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Core – EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect availability via unknown vectors related to Integration Business Services. | 2015-01-21 | 3.5 | CVE-2015-0364 |
| oracle — database_server | Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect integrity via unknown vectors. | 2015-01-21 | 3.5 | CVE-2015-0370 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Security : Privileges : Foreign Key. | 2015-01-21 | 3.5 | CVE-2015-0374 |
| oracle — siebel_crm | Unspecified vulnerability in the Siebel Public Sector component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect integrity via unknown vectors related to Public Sector Portal. | 2015-01-21 | 3.5 | CVE-2015-0384 |
| oracle — mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Pluggable Auth. | 2015-01-21 | 3.5 | CVE-2015-0385 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect integrity via vectors related to SAML, a different vulnerability than CVE-2014-6592. | 2015-01-21 | 3.5 | CVE-2015-0389 |
| oracle — jdk | Unspecified vulnerability in Oracle Java SE 7u72 and 8u25 allows local users to affect integrity via unknown vectors related to Serviceability. | 2015-01-21 | 1.9 | CVE-2015-0413 |
| oracle — fusion_middleware | Unspecified vulnerability in the Oracle SOA Suite component in Oracle Fusion Middleware 11.1.1.7 and 12.1.3.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Fabric Layer. | 2015-01-21 | 3.5 | CVE-2015-0414 |
| oracle — supply_chain_products_suite | Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect integrity via unknown vectors related to Roles & Privileges. | 2015-01-21 | 3.5 | CVE-2015-0416 |
| oracle — vm_virtualbox | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, and 4.2.28 allows local users to affect availability via unknown vectors related to Core, a different vulnerability than CVE-2015-0377. | 2015-01-21 | 2.1 | CVE-2015-0418 |
| oracle — vm_virtualbox | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, and CVE-2014-6595. | 2015-01-21 | 3.2 | CVE-2015-0427 |
| pivotal_software — rabbitmq_management | Multiple cross-site scripting (XSS) vulnerabilities in the management web UI in the RabbitMQ management plugin before 3.4.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) message details when a message is unqueued, such as headers or arguments; (2) policy names, which are not properly handled when viewing policies; (3) details for AMQP network clients, such as the version; allow remote authenticated administrators to inject arbitrary web script or HTML via (4) user names, (5) the cluster name; or allow RabbitMQ cluster administrators to (6) modify unspecified content. | 2015-01-18 | 3.5 | CVE-2015-0862 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to Libc. | 2015-01-21 | 2.1 | CVE-2015-0378 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to File System, a different vulnerability than CVE-2014-6570 and CVE-2014-6600. | 2015-01-21 | 2.1 | CVE-2015-0397 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect integrity and availability via vectors related to RPC Utility. | 2015-01-21 | 3.3 | CVE-2015-0429 |
| sun — sunos | Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect confidentiality via vectors related to RPC Utility. | 2015-01-21 | 1.9 | CVE-2015-0430 |
| symantec — critical_system_protection | Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2015-01-21 | 3.5 | CVE-2014-9224 BID |
| websvn — websvn | WebSVN 2.3.3 allows remote authenticated users to read arbitrary files via a symlink attack in a commit. | 2015-01-21 | 3.5 | CVE-2013-6892 MISC SECUNIA |
This product is provided subject to this Notification and this Privacy & Use policy.