The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
-
High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
-
Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
-
Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
High Vulnerabilities
Primary Vendor -- Product |
Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
adobe -- air | Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Adobe AIR SDK & Compiler before 18.0.0.180 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3117, CVE-2015-3123, CVE-2015-3130, CVE-2015-3133, CVE-2015-3134, and CVE-2015-4431. | 2015-07-20 | 10.0 | CVE-2015-5124 CONFIRM |
cisco -- application_policy_ |
Cisco Application Policy Infrastructure Controller (APIC) devices with software before 1.0(3o) and 1.1 before 1.1(1j) and Nexus 9000 ACI devices with software before 11.0(4o) and 11.x before 11.1(1j) do not properly restrict access to the APIC filesystem, which allows remote authenticated users to obtain root privileges via unspecified use of the APIC cluster-management configuration feature, aka Bug IDs CSCuu72094 and CSCuv11991. | 2015-07-24 | 9.0 | CVE-2015-4235 CISCO |
cisco -- unified_meetingplace_web_ |
The password-change feature in Cisco Unified MeetingPlace Web Conferencing 8.5 before 8.5(5) MR3 and 8.6 before 8.6(2) does not check the session ID or require entry of the current password, which allows remote attackers to reset arbitrary passwords via a crafted HTTP request, aka Bug ID CSCuu51839. | 2015-07-24 | 10.0 | CVE-2015-4262 CISCO |
cisco -- unified_computing_system | The Manager component in Cisco Unified Computing System (UCS) 2.2(3b) on B Blade Server devices allows local users to gain privileges for executing arbitrary CLI commands by leveraging access to the subordinate fabric interconnect, aka Bug ID CSCut32778. | 2015-07-20 | 7.2 | CVE-2015-4279 CISCO |
cisco -- videoscape_policy_resource_ |
Cisco Videoscape Policy Resource Manager (PRM) 3.5.4 allows remote attackers to cause a denial of service (CPU and memory consumption, and TCP service outage) via (1) a SYN flood or (2) another type of TCP traffic flood, aka Bug IDs CSCuu35104 and CSCuu35128. | 2015-07-21 | 7.8 | CVE-2015-4283 CISCO |
eaton -- proview | Eaton Cooper Power Systems ProView 4.0 and 5.0 before 5.0 11 on Form 6 controls and Idea and IdeaPLUS relays generates TCP initial sequence number (ISN) values linearly, which makes it easier for remote attackers to spoof TCP sessions by predicting an ISN value. | 2015-07-19 | 9.3 | CVE-2014-9196 MISC |
emc -- avamar_server | Directory traversal vulnerability in EMC Avamar Server 7.x before 7.1.2 and Avamar Virtual Addition (AVE) 7.x before 7.1.2 allows remote attackers to read arbitrary files by using the Avamar Desktop/Laptop client interface to send crafted parameters. | 2015-07-23 | 7.8 | CVE-2015-4527 BUGTRAQ |
fca -- uconnect | Unspecified vulnerability in Uconnect 15.26.1, as used in certain Fiat Chrysler Automobiles (FCA), allows remote attackers in the same cellular network to control vehicle movement, cause human harm or physical damage, or modify dashboard settings via vectors related to modification of entertainment-system firmware and access of the CAN bus due to insufficient "Radio security protection," as demonstrated on a 2014 Jeep Cherokee Limited FWD. | 2015-07-21 | 8.3 | CVE-2015-5611 MISC MISC MISC MISC MISC MISC |
gemalto_safenet_luna_hsm -- - | Unspecified vulnerability on the Gemalto SafeNet Luna HSM has unknown impact and attack vectors. | 2015-07-22 | 10.0 | CVE-2015-5464 CONFIRM |
google -- chrome | Use-after-free vulnerability in the GPU process implementation in Google Chrome before 44.0.2403.89 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging the continued availability of a GPUChannelHost data structure during Blink shutdown, related to content/browser/gpu/browser_ |
2015-07-22 | 7.5 | CVE-2015-1272 CONFIRM MISC CONFIRM CONFIRM |
google -- chrome | Use-after-free vulnerability in content/browser/indexed_db/ |
2015-07-22 | 7.5 | CVE-2015-1276 CONFIRM CONFIRM CONFIRM |
google -- chrome | Use-after-free vulnerability in the accessibility implementation in Google Chrome before 44.0.2403.89 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging lack of certain validity checks for accessibility-tree data structures. | 2015-07-22 | 7.5 | CVE-2015-1277 CONFIRM CONFIRM CONFIRM CONFIRM |
google -- chrome | Integer overflow in the CJBig2_Image::expand function in fxcodec/jbig2/JBig2_Image.cpp in PDFium, as used in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via large height and stride values. | 2015-07-22 | 7.5 | CVE-2015-1279 CONFIRM CONFIRM CONFIRM CONFIRM |
google -- chrome | SkPictureShader.cpp in Skia, as used in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging access to a renderer process and providing crafted serialized data. | 2015-07-22 | 7.5 | CVE-2015-1280 CONFIRM CONFIRM CONFIRM |
google -- chrome | The LocalFrame::isURLAllowed function in core/frame/LocalFrame.cpp in Blink, as used in Google Chrome before 44.0.2403.89, does not properly check for a page's maximum number of frames, which allows remote attackers to cause a denial of service (invalid count value and use-after-free) or possibly have unspecified other impact via crafted JavaScript code that makes many createElement calls for IFRAME elements. | 2015-07-22 | 7.5 | CVE-2015-1284 CONFIRM CONFIRM CONFIRM |
google -- chrome | Multiple unspecified vulnerabilities in Google Chrome before 44.0.2403.89 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | 2015-07-22 | 7.5 | CVE-2015-1289 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
ibm -- db2 | The scalar-function implementation in IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote attackers to cause a denial of service or execute arbitrary code via unspecified vectors. | 2015-07-19 | 8.0 | CVE-2015-1935 CONFIRM AIXAPAR AIXAPAR AIXAPAR AIXAPAR |
microsoft -- windows_7 | Buffer underflow in atmfd.dll in the Windows Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka "OpenType Font Driver Vulnerability." | 2015-07-20 | 9.3 | CVE-2015-2426 CERT-VN MS MISC |
nvidia -- gpu_driver | The NVIDIA GPU driver for FreeBSD R352 before 352.09, 346 before 346.72, R349 before 349.16, R343 before 343.36, R340 before 340.76, R337 before 337.25, R334 before 334.21, R331 before 331.113, and R304 before 304.125 allows local users with certain permissions to read or write arbitrary kernel memory via unspecified vectors that trigger an untrusted pointer dereference. | 2015-07-17 | 7.2 | CVE-2015-3625 CONFIRM |
siemens -- siprotec_firmware | The EN100 module with firmware before 4.25 for Siemens SIPROTEC 4 and SIPROTEC Compact devices allows remote attackers to cause a denial of service via crafted packets on UDP port 50000. | 2015-07-18 | 7.8 | CVE-2015-5374 CONFIRM |
sysphonic -- thetis | Multiple SQL injection vulnerabilities in Sysphonic Thetis before 2.3.0 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2015-07-19 | 7.5 | CVE-2015-2972 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM JVNDB JVN |
tibco -- silver_fabric_enabler_for_ |
Multiple unspecified vulnerabilities in TIBCO Spotfire Client and Spotfire Web Player Client in Spotfire Analyst before 5.5.2, 6.0.x before 6.0.3, 6.5.x before 6.5.3, and 7.0.x before 7.0.1; Spotfire Analytics Platform for AWS 6.5 and 7.0.x before 7.0.1; Spotfire Automation Services before 5.5.2, 6.0.x before 6.0.3, 6.5.x before 6.5.3, and 7.0.x before 7.0.1; Spotfire Deployment Kit before 5.5.2, 6.0.x before 6.0.3, 6.5.x before 6.5.3, and 7.0.x before 7.0.1; Spotfire Desktop before 6.5.2 and 7.0.x before 7.0.1; Spotfire Desktop Language Packs 7.0.x before 7.0.1; Spotfire Professional before 5.5.2, 6.0.x before 6.0.3, 6.5.x before 6.5.3, and 7.0.x before 7.0.1; Spotfire Web Player before 5.5.2, 6.0.x before 6.0.3, 6.5.x before 6.5.3, and 7.0.x before 7.0.1; and Silver Fabric Enabler for Spotfire Web Player before 2.1.1 allow remote attackers to execute arbitrary code or obtain sensitive information via unknown vectors. | 2015-07-21 | 7.5 | CVE-2015-4554 CONFIRM CONFIRM |
Medium Vulnerabilities
Primary Vendor -- Product |
Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
apache -- http_server | The read_request_line function in server/protocol.c in the Apache HTTP Server 2.4.12 does not initialize the protocol structure member, which allows remote attackers to cause a denial of service (NULL pointer dereference and process crash) by sending a request that lacks a method to an installation that enables the INCLUDES filter and has an ErrorDocument 400 directive specifying a local URI. | 2015-07-20 | 5.0 | CVE-2015-0253 CONFIRM CONFIRM CONFIRM CONFIRM |
apache -- http_server | The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c. | 2015-07-20 | 5.0 | CVE-2015-3183 CONFIRM CONFIRM CONFIRM |
apache -- http_server | The ap_some_auth_required function in server/request.c in the Apache HTTP Server 2.4.x before 2.4.14 does not consider that a Require directive may be associated with an authorization setting rather than an authentication setting, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging the presence of a module that relies on the 2.2 API behavior. | 2015-07-20 | 4.3 | CVE-2015-3185 CONFIRM CONFIRM CONFIRM |
blackberry -- blackberry_link | mc_demux_mp4_ds.ax in an unspecified third-party codec demux in BlackBerry Link before 1.2.3.53 with installer before 1.1.0.22 allows remote attackers to execute arbitrary code via a crafted MP4 file. | 2015-07-19 | 6.8 | CVE-2015-4111 CONFIRM |
cisco -- webex_training_center | Cross-site scripting (XSS) vulnerability in Cisco WebEx Meeting Center allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCuv01955. | 2015-07-21 | 4.3 | CVE-2015-4246 CISCO |
cisco -- prime_collaboration | Cisco Prime Collaboration Assurance 10.0 allows remote attackers to cause a denial of service (HTTP service outage) via a crafted HTTP request, aka Bug ID CSCum38844. | 2015-07-18 | 5.0 | CVE-2015-4280 CISCO |
cisco -- webex_meetings_server | Cross-site request forgery (CSRF) vulnerability in Cisco WebEx Meetings Server 2.5 MR1 allows remote attackers to hijack the authentication of arbitrary users, aka Bug IDs CSCus56150 and CSCus56146. | 2015-07-22 | 6.8 | CVE-2015-4281 CISCO |
cisco -- ios_xr | The Concurrent Data Management Replication process in Cisco IOS XR 5.3.0 on ASR 9000 devices allows remote attackers to cause a denial of service (BGP process reload) via malformed BGPv4 packets, aka Bug ID CSCur70670. | 2015-07-22 | 5.0 | CVE-2015-4284 CISCO |
cisco -- ios_xr | The Local Packet Transport Services (LPTS) implementation in Cisco IOS XR 5.1.2, 5.1.3, 5.2.1, and 5.2.2 on ASR9k devices makes incorrect decisions about the opening of TCP and UDP ports during the processing of flow base entries, which allows remote attackers to cause a denial of service (resource consumption) by sending traffic to these ports continuously, aka Bug ID CSCur88273. | 2015-07-23 | 5.0 | CVE-2015-4285 CISCO |
cisco -- adaptive_security_appliance_ |
The TLS implementation in the Cavium cryptographic-module firmware, as distributed with Cisco Adaptive Security Appliance (ASA) Software 9.1(5.21) and other products, does not verify the MAC field, which allows man-in-the-middle attackers to spoof TLS content by modifying packets, aka Bug ID CSCuu52976. | 2015-07-18 | 4.3 | CVE-2015-4458 CISCO |
ghisler -- total_commander | The FileInfo plugin before 2.22 for Ghisler Total Commander allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via (1) a large Size value in the Archive Member Header of a COFF Archive Library file, (2) a large Number Of Symbols value in the 1st Linker Member of a COFF Archive Library file, (3) a large Resource Table Count value in the LE Header of a Linear Executable file, or (4) a large value in a certain Object field in a Resource Table Entry in a Linear Executable file. | 2015-07-21 | 5.0 | CVE-2015-2869 CERT-VN MISC MISC |
google -- chrome | The ucnv_io_getConverterName function in common/ucnv_io.cpp in International Components for Unicode (ICU), as used in Google Chrome before 44.0.2403.89, mishandles converter names with initial x- substrings, which allows remote attackers to cause a denial of service (read of uninitialized memory) or possibly have unspecified other impact via a crafted file. | 2015-07-22 | 6.8 | CVE-2015-1270 CONFIRM CONFIRM CONFIRM CONFIRM |
google -- chrome | PDFium, as used in Google Chrome before 44.0.2403.89, does not properly handle certain out-of-memory conditions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted PDF document that triggers a large memory allocation. | 2015-07-22 | 6.8 | CVE-2015-1271 CONFIRM CONFIRM CONFIRM |
google -- chrome | Heap-based buffer overflow in j2k.c in OpenJPEG before r3002, as used in PDFium in Google Chrome before 44.0.2403.89, allows remote attackers to cause a denial of service or possibly have unspecified other impact via invalid JPEG2000 data in a PDF document. | 2015-07-22 | 6.8 | CVE-2015-1273 CONFIRM CONFIRM CONFIRM |
google -- chrome | Google Chrome before 44.0.2403.89 does not ensure that the auto-open list omits all dangerous file types, which makes it easier for remote attackers to execute arbitrary code by providing a crafted file and leveraging a user's previous "Always open files of this type" choice, related to download_commands.cc and download_prefs.cc. | 2015-07-22 | 6.8 | CVE-2015-1274 CONFIRM CONFIRM CONFIRM |
google -- chrome | Cross-site scripting (XSS) vulnerability in org/chromium/chrome/browser/ |
2015-07-22 | 4.3 | CVE-2015-1275 CONFIRM CONFIRM CONFIRM |
google -- chrome | content/browser/web_contents/ |
2015-07-22 | 4.3 | CVE-2015-1278 CONFIRM CONFIRM CONFIRM CONFIRM |
google -- chrome | core/loader/ImageLoader.cpp in Blink, as used in Google Chrome before 44.0.2403.89, does not properly determine the V8 context of a microtask, which allows remote attackers to bypass Content Security Policy (CSP) restrictions by providing an image from an unintended source. | 2015-07-22 | 4.3 | CVE-2015-1281 CONFIRM CONFIRM CONFIRM |
google -- chrome | Multiple use-after-free vulnerabilities in fpdfsdk/src/javascript/ |
2015-07-22 | 6.8 | CVE-2015-1282 CONFIRM CONFIRM CONFIRM |
google -- chrome | Multiple integer overflows in the XML_GetBuffer function in Expat through 2.1.0, as used in Google Chrome before 44.0.2403.89 and other products, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted XML data, a related issue to CVE-2015-2716. | 2015-07-22 | 6.8 | CVE-2015-1283 CONFIRM CONFIRM CONFIRM |
google -- chrome | The XSSAuditor::canonicalize function in core/html/parser/XSSAuditor. |
2015-07-22 | 5.0 | CVE-2015-1285 CONFIRM CONFIRM CONFIRM |
google -- chrome | Cross-site scripting (XSS) vulnerability in the V8ContextNativeHandler:: |
2015-07-22 | 4.3 | CVE-2015-1286 CONFIRM CONFIRM CONFIRM CONFIRM |
google -- chrome | Blink, as used in Google Chrome before 44.0.2403.89, enables a quirks-mode exception that limits the cases in which a Cascading Style Sheets (CSS) document is required to have the text/css content type, which allows remote attackers to bypass the Same Origin Policy via a crafted web site, related to core/fetch/ |
2015-07-22 | 4.3 | CVE-2015-1287 CONFIRM CONFIRM CONFIRM |
google -- chrome | The Spellcheck API implementation in Google Chrome before 44.0.2403.89 does not use an HTTPS session for downloading a Hunspell dictionary, which allows man-in-the-middle attackers to deliver incorrect spelling suggestions or possibly have unspecified other impact via a crafted file, a related issue to CVE-2015-1263. | 2015-07-22 | 6.8 | CVE-2015-1288 CONFIRM CONFIRM CONFIRM |
google -- chrome | The regular-expression implementation in Google V8, as used in Google Chrome before 44.0.2403.89, mishandles interrupts, which allows remote attackers to cause a denial of service (application crash) via crafted JavaScript code, as demonstrated by an error in garbage collection during allocation of a stack-overflow exception message. | 2015-07-22 | 5.0 | CVE-2015-5605 CONFIRM CONFIRM CONFIRM CONFIRM |
hp -- system_management_homepage | Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.5.0 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. | 2015-07-21 | 6.0 | CVE-2015-2134 HP |
ibm -- db2 | IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to read arbitrary text files via a crafted XML/XSLT function in a SELECT statement. | 2015-07-19 | 4.0 | CVE-2014-8910 CONFIRM AIXAPAR AIXAPAR AIXAPAR AIXAPAR |
ibm -- db2 | IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to cause a denial of service (daemon crash) by leveraging an unspecified scalar function in a SQL statement. | 2015-07-19 | 6.8 | CVE-2015-0157 CONFIRM AIXAPAR AIXAPAR AIXAPAR AIXAPAR |
ibm -- db2 | IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to read certain administrative files via crafted use of an automated-maintenance policy stored procedure. | 2015-07-19 | 4.0 | CVE-2015-1883 CONFIRM AIXAPAR AIXAPAR AIXAPAR AIXAPAR |
ibm -- business_process_manager | The REST API in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to bypass intended access restrictions on task-variable value changes via unspecified vectors. | 2015-07-21 | 4.0 | CVE-2015-1905 CONFIRM AIXAPAR |
ibm -- infosphere_master_data_ |
IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, 11.0, 11.3, and 11.4 before FP03 allows remote authenticated users to obtain sensitive information via a crafted request, which reveals the full path in an error message. | 2015-07-19 | 4.0 | CVE-2015-1982 CONFIRM |
ibm -- infosphere_master_data_ |
IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, 11.0, 11.3, and 11.4 before FP03 allows remote authenticated users to bypass intended access restrictions and read arbitrary profiles via unspecified vectors, as demonstrated by discovering usernames for use in brute-force attacks. | 2015-07-19 | 4.0 | CVE-2015-1984 CONFIRM |
kaseya -- virtual_system_administrator | Directory traversal vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 allows remote authenticated users to read arbitrary files via a crafted HTTP request. | 2015-07-20 | 4.0 | CVE-2015-2862 CERT-VN |
kaseya -- virtual_system_administrator | Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 before 9.0.0.14, and 9.1 before 9.1.0.4 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 2015-07-20 | 4.3 | CVE-2015-2863 CERT-VN |
microsoft -- malicious_software_removal_ |
Race condition in Microsoft Malicious Software Removal Tool (MSRT) before 5.26 allows local users to gain privileges via a crafted DLL, aka "MSRT Race Condition Vulnerability." | 2015-07-20 | 6.9 | CVE-2015-2418 CONFIRM |
netiq -- security_solutions_for_iseries | Multiple stack-based buffer overflows in the SafeShellExecute method in the NetIQExecObject.NetIQExec.1 ActiveX control in NetIQExec.dll in NetIQ Security Solutions for iSeries 8.1 allow remote attackers to execute arbitrary code via long arguments, aka ZDI-CAN-2699. | 2015-07-18 | 6.8 | CVE-2015-0795 CONFIRM MISC |
novell -- groupwise | Multiple cross-site scripting (XSS) vulnerabilities in WebAccess in Novell GroupWise 2012 before Support Pack 4 and 2014 before Support Pack 2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2015-07-22 | 4.3 | CVE-2014-0611 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
seeds -- acmailer | Directory traversal vulnerability in Seeds acmailer before 3.8.18 and 3.9.x before 3.9.12 Beta allows remote authenticated users to delete arbitrary files via a crafted string. | 2015-07-19 | 5.5 | CVE-2015-2971 CONFIRM JVNDB JVN |
solarwinds -- n-able_n-central | The RSM (aka RSMWinService) service in SolarWinds N-Able N-Central before 9.5.1.4514 uses the same password decryption key across different customers' installations, which makes it easier for remote authenticated users to obtain the cleartext domain-administrator password by locating the encrypted password within HTML source code and then leveraging knowledge of this key from another installation. | 2015-07-21 | 4.0 | CVE-2015-5610 CERT-VN |
wireshark -- wireshark | The dissect_wccp2r1_address_table_ |
2015-07-21 | 5.0 | CVE-2015-4651 CONFIRM CONFIRM CONFIRM |
wireshark -- wireshark | epan/dissectors/packet-gsm_a_ |
2015-07-21 | 4.3 | CVE-2015-4652 CONFIRM CONFIRM CONFIRM |
Low Vulnerabilities
Primary Vendor -- Product |
Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
ibm -- rational_collaborative_ |
Cross-site scripting (XSS) vulnerability in Jazz Team Server in Jazz Foundation in IBM Rational Collaborative Lifecycle Management (CLM) 4.x before 4.0.7 IF6 and 5.x before 5.0.2 IF5; Rational Quality Manager (RQM) 4.x before 4.0.7 IF6 and 5.x before 5.0.2 IF5; Rational Team Concert (RTC) 4.x before 4.0.7 IF6 and 5.x before 5.0.2 IF5; Rational Requirements Composer (RRC) 4.x through 4.0.7; and Rational DOORS Next Generation (RDNG) 4.x before 4.0.7 IF6 and 5.x before 5.0.2 IF5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2015-07-19 | 3.5 | CVE-2015-0130 CONFIRM |
ibm -- business_process_manager | Cross-site scripting (XSS) vulnerability in the REST API in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, 8.5.0 through 8.5.0.1, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2015-07-21 | 3.5 | CVE-2015-1906 CONFIRM AIXAPAR |
ibm -- db2 | The Data Movement implementation in IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to bypass intended access restrictions and delete table rows via unspecified vectors. | 2015-07-19 | 3.5 | CVE-2015-1922 AIXAPAR CONFIRM AIXAPAR AIXAPAR AIXAPAR |
ibm -- infosphere_master_data_ |
Cross-site scripting (XSS) vulnerability in IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, 11.0, 11.3, and 11.4 before FP03 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2015-07-19 | 3.5 | CVE-2015-1968 CONFIRM |
ibm -- case_manager | Multiple cross-site scripting (XSS) vulnerabilities in the Error dialog in IBM Case Manager 5.2.1 before 5.2.1.2 allow remote authenticated users to inject arbitrary web script or HTML via crafted input to the (1) addressability or (2) comments component. | 2015-07-19 | 3.5 | CVE-2015-1979 CONFIRM |
ibm -- infosphere_master_data_ |
IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, 11.0, 11.3, and 11.4 before FP03 allows remote authenticated users to conduct clickjacking attacks via unspecified vectors. | 2015-07-19 | 3.5 | CVE-2015-1980 CONFIRM |
기사원문확인하기: [US-CERT: Bulletin(SB15-208)] 2015년 7월 20일까지 발표된 보안 취약점