ECI Blog @WordPress

Latest news from the ECI Networks Group

(SB15-026) Vulnerability Summary for the Week of January 19, 2015

Original release date: January 26, 2015

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week.

The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
adb — p.dga4001n_firmware The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service (device restart) as demonstrated by a direct request to (1) wlsecurity.html or (2) resetrouter.html. 2015-01-21 9.4 CVE-2015-0554
EXPLOIT-DB (link is external)
MISC (link is external)
advantech — adamview Multiple stack-based buffer overflows in Advantech AdamView 4.3 and earlier allow remote attackers to execute arbitrary code via a crafted (1) display properties or (2) conditional bitmap parameter in a GNI file. 2015-01-20 7.5 CVE-2014-8386
EXPLOIT-DB (link is external)
MISC (link is external)
FULLDISC
arbiter_systems — 1094b_gps_substation_clock Arbiter 1094B GPS Substation Clock allows remote attackers to cause a denial of service (disruption) via crafted radio transmissions that spoof GPS satellite broadcasts. 2015-01-16 7.8 CVE-2014-9194
ceragon_fiberair_ip-10 — – Ceragon FiberAir IP-10 bridges have a default password for the root account, which makes it easier for remote attackers to obtain access via a (1) HTTP, (2) SSH, (3) TELNET, or (4) CLI session. 2015-01-17 7.8 CVE-2015-0924
ffmpeg — ffmpeg Use-after-free vulnerability in the matroska_read_seek function in libavformat/matroskadec.c in FFmpeg before 2.5.1, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Matroska file that triggers improper maintenance of tracks data. 2015-01-22 7.5 CVE-2014-7933
CONFIRM (link is external)
CONFIRM
ffmpeg — ffmpeg Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data. 2015-01-22 7.5 CVE-2014-7937
ffmpeg — ffmpeg libavcodec/xface.h in FFmpeg before 2.5.2 establishes certain digits and words array dimensions that do not satisfy a required mathematical relationship, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted X-Face image data. 2015-01-16 7.5 CVE-2014-9602
CONFIRM
ffmpeg — ffmpeg The vmd_decode function in libavcodec/vmdvideo.c in FFmpeg before 2.5.2 does not validate the relationship between a certain length value and the frame width, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Sierra VMD video data. 2015-01-16 7.5 CVE-2014-9603
CONFIRM
ffmpeg — ffmpeg libavcodec/utvideodec.c in FFmpeg before 2.5.2 does not check for a zero value of a slice height, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Ut Video data, related to the (1) restore_median and (2) restore_median_il functions. 2015-01-16 7.5 CVE-2014-9604
CONFIRM
ge — multilink_ml1200 GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier allow remote attackers to cause a denial of service (resource consumption or reboot) via crafted packets. 2015-01-16 7.8 CVE-2014-5418
gentoo — libsndfile The sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attackers to have unspecified impact via vectors related to a (1) map offset or (2) rsrc marker, which triggers an out-of-bounds read. 2015-01-16 10.0 CVE-2014-9496
CONFIRM (link is external)
CONFIRM (link is external)
MLIST (link is external)
SECUNIA (link is external)
SUSE
gnu — coreutils The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the “–date=TZ=”123″345″ @1″ string to the touch or date command. 2015-01-16 7.5 CVE-2014-9471
CONFIRM
MLIST (link is external)
MLIST (link is external)
MLIST (link is external)
SECUNIA (link is external)
CONFIRM
google — chrome The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7926. 2015-01-22 7.5 CVE-2014-7923
CONFIRM
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM
CONFIRM
google — chrome Use-after-free vulnerability in the WebAudio implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an audio-rendering thread in which AudioNode data is improperly maintained. 2015-01-22 7.5 CVE-2014-7925
CONFIRM
CONFIRM
CONFIRM
CONFIRM (link is external)
google — chrome The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind expression, a different vulnerability than CVE-2014-7923. 2015-01-22 7.5 CVE-2014-7926
CONFIRM
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM
CONFIRM
google — chrome The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code. 2015-01-22 7.5 CVE-2014-7927
CONFIRM
CONFIRM (link is external)
google — chrome hydrogen.cc in Google V8, as used Google Chrome before 40.0.2214.91, does not properly handle arrays with holes, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers an array copy. 2015-01-22 7.5 CVE-2014-7928
CONFIRM
CONFIRM (link is external)
google — chrome Use-after-free vulnerability in the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving movement of a SCRIPT element across documents. 2015-01-22 7.5 CVE-2014-7929
CONFIRM
CONFIRM (link is external)
google — chrome Use-after-free vulnerability in core/events/TreeScopeEventContext.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of TreeScope data. 2015-01-22 7.5 CVE-2014-7930
CONFIRM
CONFIRM (link is external)
google — chrome factory.cc in Google V8, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code that triggers improper maintenance of backing-store pointers. 2015-01-22 7.5 CVE-2014-7931
CONFIRM
CONFIRM (link is external)
google — chrome Use-after-free vulnerability in the Element::detach function in core/dom/Element.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving pending updates of detached elements. 2015-01-22 7.5 CVE-2014-7932
CONFIRM
CONFIRM (link is external)
google — chrome Use-after-free vulnerability in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to unexpected absence of document data structures. 2015-01-22 7.5 CVE-2014-7934
CONFIRM
CONFIRM
CONFIRM (link is external)
google — chrome Use-after-free vulnerability in browser/speech/tts_message_filter.cc in the Speech implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving utterances from a closed tab. 2015-01-22 7.5 CVE-2014-7935
CONFIRM
CONFIRM (link is external)
google — chrome The Fonts implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. 2015-01-22 7.5 CVE-2014-7938
google — chrome The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence. 2015-01-22 7.5 CVE-2014-7940
google — chrome The Fonts implementation in Google Chrome before 40.0.2214.91 does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. 2015-01-22 7.5 CVE-2014-7942
gtk — gtk+ GTK+ 3.10.9 and earlier, as used in cinnamon-screensaver, gnome-screensaver, and other applications, allows physically proximate attackers to bypass the lock screen by pressing the menu button. 2015-01-16 7.2 CVE-2014-1949
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM
UBUNTU (link is external)
MLIST
MLIST
ibm — sas_connectivity_module_firmware IBM BladeCenter SAS Connectivity Module (aka NSSM) and SAS RAID Module (aka RSSM) before 1.3.3.006 allow remote attackers to cause a denial of service (reboot) via a flood of IP packets. 2015-01-17 7.8 CVE-2014-3018
XF (link is external)
ipass — ipass_open_mobile The client in iPass Open Mobile before 2.4.5 on Windows allows remote authenticated users to execute arbitrary code via a DLL pathname in a crafted Unicode string that is improperly handled by a subprocess reached through a named pipe, as demonstrated by a UNC share pathname. 2015-01-22 9.0 CVE-2015-0925
juniper — junos The Juniper MX Series routers with Junos 13.3R3 through 13.3Rx before 13.3R6, 14.1 before 14.1R4, 14.1X50 before 14.1X50-D70, and 14.2 before 14.2R2, when configured as a broadband edge (BBE) router, allows remote attackers to cause a denial of service (jpppd crash and restart) by sending a crafted PAP Authenticate-Request after the PPPoE Discovery and LCP phase are complete. 2015-01-16 7.1 CVE-2014-6382
BID (link is external)
juniper — junos Juniper Junos 11.4 before 11.4R8, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R9, 12.3R2 before 12.3R2-S3, 12.3 before 12.3R3, 13.1 before 13.1R4, and 13.2 before 13.2R1 allows remote attackers to cause a denial of service (assertion failure and rpd restart) via a crafted BGP FlowSpec prefix. 2015-01-16 7.8 CVE-2014-6386
SECTRACK (link is external)
BID (link is external)
libpng — libpng Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495. 2015-01-18 7.5 CVE-2015-0973
MLIST (link is external)
MLIST (link is external)
MISC (link is external)
MLIST (link is external)
macroplant — iexplorer Untrusted search path vulnerability in Macroplant iExplorer 3.6.3.0 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse itunesmobiledevice.dll. 2015-01-16 7.2 CVE-2014-9600
XF (link is external)
MISC (link is external)
oracle — oracle_and_sun_systems_product_suite Unspecified vulnerability in the Solaris Cluster component in Oracle Sun Systems Products Suite 3.3 and 4.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to System management. 2015-01-21 9.0 CVE-2014-4259
oracle — jdk Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. 2015-01-21 10.0 CVE-2014-6549
oracle — jd_edwards_products Unspecified vulnerability in the JD Edwards EnterpriseOne Tools component in Oracle JD Edwards Products 9.1.5 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Portal SEC. 2015-01-21 7.5 CVE-2014-6565
oracle — database_server Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher’s claim that this is a stack-based buffer overflow in DBMS_AW.EXECUTE, which allows code execution via a long Current Directory Alias (CDA) command. 2015-01-21 9.0 CVE-2014-6567
MISC (link is external)
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. 2015-01-21 10.0 CVE-2014-6601
oracle — jdk Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. 2015-01-21 9.3 CVE-2015-0395
oracle — fusion_middleware Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 3.0.1 and 3.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Admin Console. 2015-01-21 7.5 CVE-2015-0396
oracle — jdk Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. 2015-01-21 10.0 CVE-2015-0408
CONFIRM (link is external)
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption. 2015-01-21 7.5 CVE-2015-0411
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS. 2015-01-21 7.2 CVE-2015-0412
oracle — integrated_lights_out_manager_firmware Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite ILOM prior to 3.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to IPMI. 2015-01-21 7.5 CVE-2015-0424
oracle — jdk Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. 2015-01-21 9.3 CVE-2015-0437
pheonixcontact-software — multiprog Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic. 2015-01-16 7.5 CVE-2014-9195
redhat — cloudforms_3.1_management_engine The customization template in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 uses a default password for the root account when a password is not specified for a new image, which allows remote attackers to gain privileges. 2015-01-16 10.0 CVE-2014-3692
SECUNIA (link is external)
samba — samba Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4, when an Active Directory Domain Controller (AD DC) is configured, allows remote authenticated users to set the LDB userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by leveraging delegation of authority for user-account or computer-account creation. 2015-01-16 8.5 CVE-2014-8143
sap — hana_extend_application_services The Extended Application Services (XS) in SAP HANA allows remote attackers to inject arbitrary ABAP code via unspecified vectors, aka SAP Note 2098906. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 2015-01-22 10.0 CVE-2015-1311
MISC (link is external)
sap — enterprise_resource_planning The Dealer Portal in SAP ERP does not properly restrict access, which allows remote attackers to obtain sensitive information, gain privileges, and possibly have other unspecified impact via unknown vectors, aka SAP Note 2000401. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 2015-01-22 7.5 CVE-2015-1312
MISC (link is external)
siemens — scalance_x-300_series_firmware The web server on Siemens SCALANCE X-300 switches with firmware before 4.0 and SCALANCE X 408 switches with firmware before 4.0 allows remote attackers to cause a denial of service (reboot) via malformed HTTP requests. 2015-01-21 7.8 CVE-2014-8478
sun — sunos Unspecified vulnerability in Oracle Solaris 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Power Management Utility. 2015-01-21 7.2 CVE-2014-6510
sun — sunos Unspecified vulnerability in Oracle Solaris 10 allows local users to affect confidentiality, integrity, and availability via vectors related to CDE – Power Management Utility. 2015-01-21 7.2 CVE-2014-6521
sun — sunos Unspecified vulnerability in Oracle Solaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Kernel. 2015-01-21 7.2 CVE-2014-6524
sybase — adaptive_server_enterprise SQL injection vulnerability in SAP Adaptive Server Enterprise (Sybase ASE) allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Note 2113333. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 2015-01-22 7.5 CVE-2015-1310
MISC (link is external)
symantec — critical_system_protection The Agent Control Interface in the management server in Symantec Critical System Protection (SCSP) 5.2.9 before MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x before 6.0 MP1 allows remote authenticated users to execute arbitrary commands by leveraging client-system access to upload a log file. 2015-01-21 9.0 CVE-2014-3440
BID (link is external)
symantec — critical_system_protection The management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows local users to bypass intended Protection Policies via unspecified vectors. 2015-01-21 7.2 CVE-2014-9226
BID (link is external)
web-dorado — photo_gallery SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php. 2015-01-16 7.5 CVE-2015-1055
BID (link is external)
FULLDISC

Medium Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
7-zip — p7zip p7zip 9.20.1 allows remote attackers to write to arbitrary files via a symlink attack in an archive. 2015-01-21 5.8 CVE-2015-1038
MISC (link is external)
MISC
XF (link is external)
BID (link is external)
MLIST (link is external)
apache — xml_security Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document. 2015-01-21 5.0 CVE-2014-8152
XF (link is external)
SECTRACK (link is external)
BID (link is external)
MLIST
b2evolution — b2evolution Cross-site scripting (XSS) vulnerability in the filemanager in b2evolution before 5.2.1 allows remote attackers to inject arbitrary web script or HTML via the fm_filter parameter to blogs/admin.php. 2015-01-16 4.3 CVE-2014-9599
CONFIRM (link is external)
XF (link is external)
BID (link is external)
MISC (link is external)
MISC (link is external)
FULLDISC
MISC (link is external)
brother — mfc-j4410dw Cross-site scripting (XSS) vulnerability in Brother MFC-J4410DW printer with firmware before L allows remote attackers to inject arbitrary web script or HTML via the url parameter to general/status.html and possibly other pages. 2015-01-16 4.3 CVE-2015-1056
XF (link is external)
BID (link is external)
BUGTRAQ (link is external)
MISC (link is external)
cagintranetworks — getsimple_cms XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter. 2015-01-20 5.0 CVE-2014-8790
CONFIRM (link is external)
FULLDISC
MISC (link is external)
MISC (link is external)
CONFIRM (link is external)
cisco — unified_communications_manager Absolute path traversal vulnerability in the Real-Time Monitoring Tool (RTMT) API in Cisco Unified Communications Manager (CUCM) allows remote authenticated users to read arbitrary files via a full pathname in an API command, aka Bug ID CSCur49414. 2015-01-22 6.8 CVE-2014-8008
cisco — webex_meeting_center Cisco WebEx Meeting Center allows remote attackers to activate disabled meeting attributes, and consequently obtain sensitive information, by providing crafted parameters during a meeting-join action, aka Bug ID CSCuo34165. 2015-01-17 5.0 CVE-2015-0590
clorius_controls_a/s — java_web_client The Clorius Controls Java web client before 01.00.0009g allows remote attackers to discover credentials by sniffing the network for cleartext-equivalent traffic. 2015-01-16 5.0 CVE-2014-9199
croogo — croogo Cross-site scripting (XSS) vulnerability in the administrative backend in Croogo before 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the path parameter to admin/file_manager/file_manager/editfile. 2015-01-16 4.3 CVE-2015-1053
CONFIRM (link is external)
XF (link is external)
BID (link is external)
MISC (link is external)
MISC (link is external)
FULLDISC
MISC (link is external)
debian — dpkg Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the (1) package or (2) architecture name. 2015-01-20 6.8 CVE-2014-8625
CONFIRM (link is external)
CONFIRM
XF (link is external)
MLIST
MLIST
MLIST
djangoproject — django Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a – (dash) character in an HTTP header, as demonstrated by an X-Auth_User header. 2015-01-16 5.0 CVE-2015-0219
SECUNIA (link is external)
SECUNIA (link is external)
djangoproject — django The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a “\njavascript:” URL. 2015-01-16 4.3 CVE-2015-0220
UBUNTU (link is external)
SECUNIA (link is external)
SECUNIA (link is external)
djangoproject — django The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file. 2015-01-16 5.0 CVE-2015-0221
SECUNIA (link is external)
SECUNIA (link is external)
djangoproject — django ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries. 2015-01-16 5.0 CVE-2015-0222
SECUNIA (link is external)
SECUNIA (link is external)
e107 — e107 Cross-site scripting (XSS) vulnerability in usersettings.php in e107 2.0.0 allows remote attackers to inject arbitrary web script or HTML via the “Real Name” value. 2015-01-16 4.3 CVE-2015-1057
XF (link is external)
EXPLOIT-DB (link is external)
OSVDB
emc — vipr_srm EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 might allow remote attackers to obtain cleartext data-center discovery credentials by leveraging certain SRM access to conduct a decryption attack. 2015-01-21 5.0 CVE-2015-0514
BUGTRAQ (link is external)
emc — vipr_srm Unrestricted file upload vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to execute arbitrary code by uploading and then accessing an executable file. 2015-01-21 6.5 CVE-2015-0515
BUGTRAQ (link is external)
emc — vipr_srm Directory traversal vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to read arbitrary files via a crafted URL. 2015-01-21 4.0 CVE-2015-0516
BUGTRAQ (link is external)
file_project — file The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes. 2015-01-21 5.0 CVE-2014-9620
CONFIRM (link is external)
MLIST (link is external)
DEBIAN
MLIST (link is external)
file_project — file The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string. 2015-01-21 5.0 CVE-2014-9621
CONFIRM (link is external)
MLIST (link is external)
MLIST (link is external)
ge — intelligent_platforms_proficy_hmi/scada_cimplicity The (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIMPLICITY 8.2 and earlier allow remote attackers to gain privileges via a crafted CIMPLICITY screen (aka .CIM) file. 2015-01-16 6.9 CVE-2014-2355
ge — multilink_ml1200 GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier use the same RSA private key across different customers’ installations, which makes it easier for remote attackers to obtain the cleartext content of network traffic by reading this key from a firmware image and then sniffing the network. 2015-01-16 5.0 CVE-2014-5419
gentoo — xdg-utils Eval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported desktop environment is identified, allows context-dependent attackers to execute arbitrary code via the URL argument to xdg-open. 2015-01-21 6.8 CVE-2014-9622
CONFIRM
CONFIRM
MLIST (link is external)
DEBIAN
SECUNIA (link is external)
FULLDISC
getsentry — raven-ruby The numtok function in lib/raven/okjson.rb in the raven-ruby gem before 0.12.2 for Ruby allows remote attackers to cause a denial of service via a large exponent value in a scientific number. 2015-01-20 5.0 CVE-2014-9490
CONFIRM (link is external)
CONFIRM (link is external)
XF (link is external)
MLIST
getusedtoit — wp_slimstat Cross-site scripting (XSS) vulnerability in the Save Filters functionality in the WP Slimstat plugin before 3.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fs[resource] parameter in the wp-slim-view-2 page to wp-admin/admin.php. 2015-01-21 4.3 CVE-2015-1204
MISC (link is external)
CONFIRM
SECUNIA (link is external)
gnu — patch GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file. 2015-01-21 4.3 CVE-2015-1196
CONFIRM (link is external)
CONFIRM
XF (link is external)
BID (link is external)
MLIST
CONFIRM
google — chrome Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering duplicate BLOB references, related to content/browser/indexed_db/indexed_db_callbacks.cc and content/browser/indexed_db/indexed_db_dispatcher_host.cc. 2015-01-22 5.0 CVE-2014-7924
CONFIRM
CONFIRM (link is external)
google — chrome Use-after-free vulnerability in the ZoomBubbleView::Close function in browser/ui/views/location_bar/zoom_bubble_view.cc in the Views implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document that triggers improper maintenance of a zoom bubble. 2015-01-22 6.8 CVE-2014-7936
CONFIRM
CONFIRM (link is external)
google — chrome Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code with Proxy.create and console.log calls, related to HTTP responses that lack an “X-Content-Type-Options: nosniff” header. 2015-01-22 4.3 CVE-2014-7939
google — chrome The SelectionOwner::ProcessTarget function in ui/base/x/selection_owner.cc in the UI implementation in Google Chrome before 40.0.2214.91 uses an incorrect data type for a certain length value, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted X11 data. 2015-01-22 5.0 CVE-2014-7941
google — chrome Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. 2015-01-22 5.0 CVE-2014-7943
CONFIRM (link is external)
google — chrome The sycc422_to_rgb function in fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 40.0.2214.91, does not properly handle odd values of image width, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document. 2015-01-22 5.0 CVE-2014-7944
google — chrome OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c. 2015-01-22 5.0 CVE-2014-7945
google — chrome The RenderTable::simplifiedNormalFlowLayout function in core/rendering/RenderTable.cpp in Blink, as used in Google Chrome before 40.0.2214.91, skips captions during table layout in certain situations, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors related to the Fonts implementation. 2015-01-22 5.0 CVE-2014-7946
CONFIRM
google — chrome OpenJPEG before r2944, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, pi.c, t1.c, t2.c, and tcd.c. 2015-01-22 5.0 CVE-2014-7947
google — chrome The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in content/browser/appcache/appcache_update_job.cc in Google Chrome before 40.0.2214.91 proceeds with AppCache caching for SSL sessions even if there is an X.509 certificate error, which allows man-in-the-middle attackers to spoof HTML5 application content via a crafted certificate. 2015-01-22 4.3 CVE-2014-7948
ibm — sas_connectivity_module_firmware IBM BladeCenter SAS Connectivity Module (aka NSSM) and SAS RAID Module (aka RSSM) before 1.3.3.006 allow remote attackers to obtain blade and storage-pool access via a TELNET session. 2015-01-17 5.0 CVE-2014-3019
XF (link is external)
ibm — api_management IBM API Management 3.0 before 3.0.4.0 IF1 allows remote attackers to obtain sensitive analytics information in an encrypted form via unspecified vectors. 2015-01-21 5.0 CVE-2014-6172
XF (link is external)
AIXAPAR (link is external)
ibm — security_network_protection_xgs_firmware IBM Security Network Protection 5.1.x and 5.2.x before 5.2.0.0 FP5 and 5.3.x before 5.3.0.0 FP1 allows remote attackers to conduct clickjacking attacks via unspecified vectors. 2015-01-17 4.3 CVE-2014-6197
XF (link is external)
illumos — illumos The devzvol_readdir function in illumos does not check the return value of a strchr call, which allows remote attackers to cause a denial of service (NULL pointer dereference and panic) via unspecified vectors. 2015-01-20 5.0 CVE-2014-9491
CONFIRM
CONFIRM (link is external)
XF (link is external)
MLIST
insanevisions — adaptcms Multiple cross-site scripting (XSS) vulnerabilities in AdaptCMS 3.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Category][title] parameter to admin/categories/add, (2) data[Field][title] parameter to admin/fields/ajax_fields/, (3) name property in a basicInfo JSON object to admin/tools/create_theme, (4) data[Link][link_title] parameter to admin/links/links/add, or (5) data[ForumTopic][subject] parameter to forums/off-topic/new. 2015-01-16 4.3 CVE-2015-1058
XF (link is external)
MISC (link is external)
EXPLOIT-DB (link is external)
MISC (link is external)
OSVDB
OSVDB
OSVDB
OSVDB
OSVDB
insanevisions — adaptcms Unrestricted file upload vulnerability in admin/files/add in AdaptCMS 3.0.3 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in /app/webroot/uploads. 2015-01-16 6.5 CVE-2015-1059
MISC (link is external)
XF (link is external)
EXPLOIT-DB (link is external)
MISC (link is external)
OSVDB
insanevisions — adaptcms Open redirect vulnerability in lib/Cake/Controller/Controller.php in AdaptCMS 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header. 2015-01-16 5.8 CVE-2015-1060
XF (link is external)
MISC (link is external)
EXPLOIT-DB (link is external)
MISC (link is external)
OSVDB
juniper — junos The stateless firewall in Juniper Junos 13.3R3, 14.1R1, and 14.1R2, when using Trio-based PFE modules, does not properly match ports, which might allow remote attackers to bypass firewall rule. 2015-01-16 5.0 CVE-2014-6383
SECTRACK (link is external)
BID (link is external)
juniper — junos Juniper Junos 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D25, 12.1X47 before 12.1X47-D15, 12.3 before 12.3R9, 13.1 before 13.1R4-S3, 13.2 before 13.2R6, 13.3 before 13.3R5, 14.1 before 14.1R3, and 14.2 before 14.2R1 does not properly handle double quotes in authorization attributes in the TACACS+ configuration, which allows local users to bypass the security policy and execute commands via unspecified vectors. 2015-01-16 6.9 CVE-2014-6384
SECTRACK (link is external)
BID (link is external)
juniper — junos Juniper Junos 11.4 before 11.4R13, 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 before 12.1X47-D15, 12.2 before 12.2R9, 12.3R7 before 12.3R7-S1, 12.3 before 12.3R8, 13.1 before 13.1R5, 13.2 before 13.2R6, 13.3 before 13.3R4, 14.1 before 14.1R2, and 14.2 before 14.2R1 allows remote attackers to cause a denial of service (kernel crash and restart) via a crafted fragmented OSPFv3 packet with an IPsec Authentication Header (AH). 2015-01-16 6.1 CVE-2014-6385
BID (link is external)
kde — kde_applications kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack. 2015-01-18 5.0 CVE-2013-7252
CONFIRM (link is external)
BID (link is external)
MLIST (link is external)
MLIST (link is external)
MISC (link is external)
kgb_project — kgb Absolute path traversal vulnerability in kgb 1.0b4 allows remote attackers to write to arbitrary files via a full pathname in a crafted archive. 2015-01-21 5.0 CVE-2015-1192
MISC
BID (link is external)
MLIST (link is external)
SECUNIA (link is external)
kiwix — kiwix Cross-site scripting (XSS) vulnerability in Kiwix before 0.9.1, when using kiwix-serve, allows remote attackers to inject arbitrary web script or HTML via the pattern parameter to /search. 2015-01-21 4.3 CVE-2015-1032
BUGTRAQ (link is external)
CONFIRM (link is external)
MISC (link is external)
MISC (link is external)
libtiff — libtiff Integer overflow in tif_packbits.c in bmp2tif in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) via crafted BMP image, related to dimensions, which triggers an out-of-bounds read. 2015-01-20 5.0 CVE-2014-9330
SECTRACK (link is external)
FULLDISC
CONFIRM
mediawiki — mediawiki MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by “http://en.wikipedia.org.evilsite.example/.” 2015-01-16 5.0 CVE-2014-9476
CONFIRM
MLIST (link is external)
MLIST (link is external)
mediawiki — mediawiki Multiple cross-site scripting (XSS) vulnerabilities in the Listings extension for MediaWiki allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) url parameter. 2015-01-16 4.3 CVE-2014-9477
CONFIRM
MLIST (link is external)
MLIST (link is external)
mediawiki — mediawiki Cross-site scripting (XSS) vulnerability in the preview in the TemplateSandbox extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via the text parameter to Special:TemplateSandbox. 2015-01-16 4.3 CVE-2014-9479
CONFIRM
MLIST (link is external)
MLIST (link is external)
mediawiki — mediawiki Cross-site scripting (XSS) vulnerability in the Hovercards extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors related to text extracts. 2015-01-16 4.3 CVE-2014-9480
CONFIRM
MLIST (link is external)
MLIST (link is external)
openstack — image_registry_and_delivery_service_(glance) The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493. 2015-01-21 6.5 CVE-2015-1195
CONFIRM (link is external)
MLIST (link is external)
MLIST (link is external)
SECUNIA (link is external)
MLIST
oracle — fusion_middleware Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2013-0338, CVE-2013-2877, and CVE-2015-0386. 2015-01-21 4.3 CVE-2014-0191
oracle — oracle_and_sun_systems_product_suite Unspecified vulnerability in the Solaris Cluster component in Oracle Sun Systems Products Suite 3.3 and 4.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to System management. 2015-01-21 6.5 CVE-2014-6480
oracle — database_server Unspecified vulnerability in the PL/SQL component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality via unknown vectors. 2015-01-21 4.0 CVE-2014-6514
oracle — fusion_middleware Unspecified vulnerability in the Oracle Directory Server Enterprise Edition component in Oracle Fusion Middleware 7.0 allows remote attackers to affect integrity via unknown vectors related to Admin Console. 2015-01-21 4.3 CVE-2014-6526
oracle — siebel_crm Unspecified vulnerability in the Siebel Core – System Management component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Server Infrastructure. 2015-01-21 4.0 CVE-2014-6528
oracle — database_server Unspecified vulnerability in the Recovery component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2, when running on Windows, allows remote authenticated users to affect confidentiality via vectors related to DBMS_IR. 2015-01-21 6.3 CVE-2014-6541
oracle — fusion_middleware Unspecified vulnerability in the Oracle SOA Suite component in Oracle Fusion Middleware 11.1.1.7 allows local users to affect confidentiality, integrity, and availability via vectors related to B2B Engine. 2015-01-21 4.6 CVE-2014-6548
oracle — e-business_suite Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to AD_DDL. 2015-01-21 4.6 CVE-2014-6556
oracle — peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 allows remote authenticated users to affect integrity via unknown vectors related to Portal. 2015-01-21 4.0 CVE-2014-6566
oracle — fusion_middleware Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality via vectors related to CIE Related Components. 2015-01-21 5.0 CVE-2014-6569
oracle — fusion_middleware Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2011-1944. 2015-01-21 6.8 CVE-2014-6571
oracle — e-business_suite Unspecified vulnerability in the Oracle Customer Interaction History component in Oracle E-Business Suite 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and integrity via unknown vectors related to List of Values. 2015-01-21 6.4 CVE-2014-6572
oracle — enterprise_manager_grid_control Unspecified vulnerability in the Enterprise Manager Ops Center component in Oracle Enterprise Manager Grid Control 11.1.3 and 12.1.4 allows remote attackers to affect integrity via unknown vectors related to User Interface Framework. 2015-01-21 4.3 CVE-2014-6573
oracle — supply_chain_products_suite Unspecified vulnerability in the Oracle Agile PLM for Process component in Oracle Supply Chain Products Suite 6.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Testing Protocol Library. 2015-01-21 4.3 CVE-2014-6574
oracle — fusion_middleware Unspecified vulnerability in the Oracle Adaptive Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to OAM Integration. 2015-01-21 5.5 CVE-2014-6576
oracle — database_server Unspecified vulnerability in the XML Developer’s Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher’s claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI. 2015-01-21 6.8 CVE-2014-6577
MISC (link is external)
oracle — database_server Unspecified vulnerability in the Workspace Manager component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SDO_TOPO and WMSYS.LT. 2015-01-21 6.5 CVE-2014-6578
oracle — peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect confidentiality via unknown vectors related to Integration Broker. 2015-01-21 4.0 CVE-2014-6579
oracle — fusion_middleware Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.7 and 11.1.2.2 allows remote attackers to affect integrity via unknown vectors. 2015-01-21 4.3 CVE-2014-6580
oracle — e-business_suite Unspecified vulnerability in the Oracle Customer Intelligence component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Extract/Load Programs. 2015-01-21 6.4 CVE-2014-6581
oracle — e-business_suite Unspecified vulnerability in the Oracle HCM Configuration Workbench component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality via unknown vectors related to Rapid Implementation. 2015-01-21 5.0 CVE-2014-6582
oracle — e-business_suite Unspecified vulnerability in the Oracle Marketing component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, and 12.1.3. allows remote attackers to affect confidentiality and integrity via unknown vectors related to Audience. 2015-01-21 6.4 CVE-2014-6583
oracle — integrated_lights_out_manager_firmware Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite ILOM before 3.2.4 allows remote authenticated users to affect confidentiality via unknown vectors related to Backup Restore. 2015-01-21 4.0 CVE-2014-6584
oracle — peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Time and Labor. 2015-01-21 5.5 CVE-2014-6586
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. 2015-01-21 4.3 CVE-2014-6587
oracle — jdk Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. 2015-01-21 4.0 CVE-2014-6593
oracle — ilearning Unspecified vulnerability in the Oracle iLearning component in Oracle iLearning 6.0 and 6.1 allows remote attackers to affect confidentiality via unknown vectors related to Learner Pages. 2015-01-21 4.3 CVE-2014-6594
oracle — siebel_crm Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via unknown vectors related to Portal Framework. 2015-01-21 4.3 CVE-2014-6596
oracle — peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52, 8.53, and 8.54 allows remote authenticated users to affect integrity via vectors related to PIA Core Technology. 2015-01-21 4.0 CVE-2014-6597
oracle — fusion_middleware Unspecified vulnerability in the BI Publisher (formerly XML Publisher) component in Oracle Fusion Middleware 11.1.1.7 allows remote attackers to affect confidentiality via unknown vectors related to BI Publisher Security. 2015-01-21 5.0 CVE-2015-0362
oracle — siebel_crm Unspecified vulnerability in the Siebel Core EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect availability via unknown vectors related to Integration Business Services. 2015-01-21 4.0 CVE-2015-0363
oracle — siebel_crm Unspecified vulnerability in the Siebel Core – Server Infrastructure component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Security. 2015-01-21 4.3 CVE-2015-0365
oracle — siebel_crm Unspecified vulnerability in the Siebel Core – EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Java Integration. 2015-01-21 5.0 CVE-2015-0366
oracle — fusion_middleware Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to affect integrity via vectors related to SSO Engine. 2015-01-21 5.0 CVE-2015-0367
oracle — supply_chain_products_suite Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote attackers to affect availability via unknown vectors related to Security. 2015-01-21 5.0 CVE-2015-0368
oracle — siebel_crm Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via unknown vectors related to AX/HI Web UI. 2015-01-21 4.3 CVE-2015-0369
oracle — database_server Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect integrity and availability via unknown vectors. 2015-01-21 4.9 CVE-2015-0371
oracle — fusion_middleware Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect confidentiality via unknown vectors. 2015-01-21 5.0 CVE-2015-0372
oracle — database_server Unspecified vulnerability in the OJVM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. 2015-01-21 6.5 CVE-2015-0373
oracle — fusion_middleware Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 11.1.1.8.0 allows remote attackers to affect integrity via unknown vectors related to Content Server. 2015-01-21 4.3 CVE-2015-0376
oracle — vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, and 4.2.28 allows local users to affect availability via unknown vectors related to Core, a different vulnerability than CVE-2015-0418. 2015-01-21 4.4 CVE-2015-0377
oracle — peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.54 allows remote attackers to affect integrity via vectors related to PIA Core Technology. 2015-01-21 4.3 CVE-2015-0379
oracle — e-business_suite Unspecified vulnerability in the Oracle Telecommunications Billing Integrator component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via unknown vectors related to OA Based UI for Bill Summary. 2015-01-21 4.3 CVE-2015-0380
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0382. 2015-01-21 4.3 CVE-2015-0381
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0381. 2015-01-21 4.3 CVE-2015-0382
oracle — jdk Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows local users to affect integrity and availability via unknown vectors related to Hotspot. 2015-01-21 5.4 CVE-2015-0383
oracle — fusion_middleware Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2013-0338, CVE-2013-2877, and CVE-2014-0191. 2015-01-21 4.3 CVE-2015-0386
oracle — siebel_crm Unspecified vulnerability in the Siebel Core – Server OM Services component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via vectors related to Security – LDAP Security Adapter. 2015-01-21 4.0 CVE-2015-0387
oracle — siebel_crm Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Portal Framework, a different vulnerability than CVE-2015-0417. 2015-01-21 4.0 CVE-2015-0388
oracle — retail_applications_xstore Unspecified vulnerability in the MICROS Retail component in Oracle Retail Applications Xstore: 3.2.1, 3.4.2, 3.5.0, 4.0.1, 4.5.1, 4.8.0, 5.0.3, 5.5.3, 6.0.6, and 6.5.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Xstore Point of Sale. 2015-01-21 6.8 CVE-2015-0390
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL. 2015-01-21 4.0 CVE-2015-0391
oracle — siebel_crm Unspecified vulnerability in the Siebel Core – Server BizLogic Script component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Config – Scripting. 2015-01-21 4.6 CVE-2015-0392
oracle — e-business_suite Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to DB Privileges. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher’s claim that the PUBLIC role is granted the INDEX privilege for the DUAL table during a “seeded install,” which allows remote authenticated users to gain SYSDBA privileges and execute arbitrary code. 2015-01-21 6.0 CVE-2015-0393
oracle — peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect confidentiality via unknown vectors related to Report Distribution. 2015-01-21 4.0 CVE-2015-0394
oracle — siebel_crm Unspecified vulnerability in the Siebel Life Sciences component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Clinical Trip Report. 2015-01-21 4.0 CVE-2015-0398
oracle — fusion_middleware Unspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 10.1.3.4.2 and 11.1.1.7 allows remote authenticated users to affect confidentiality via unknown vectors related to Analytics Web General. 2015-01-21 4.0 CVE-2015-0399
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Libraries. 2015-01-21 5.0 CVE-2015-0400
oracle — fusion_middleware Unspecified vulnerability in the Oracle Directory Server Enterprise Edition component in Oracle Fusion Middleware 7.0 and 11.1.1.7 allows remote authenticated users to affect integrity via unknown vectors related to Admin Console. 2015-01-21 4.0 CVE-2015-0401
oracle — siebel_crm Unspecified vulnerability in the Siebel Core – Server BizLogic Script component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via vectors related to Integration – COM. 2015-01-21 4.3 CVE-2015-0402
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. 2015-01-21 6.9 CVE-2015-0403
oracle — e-business_suite Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via unknown vectors related to Error Messages. 2015-01-21 4.3 CVE-2015-0404
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality and availability via unknown vectors related to Deployment. 2015-01-21 5.8 CVE-2015-0406
oracle — jdk Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Swing. 2015-01-21 5.0 CVE-2015-0407
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. 2015-01-21 4.0 CVE-2015-0409
oracle — jdk Unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows remote attackers to affect availability via unknown vectors related to Security. 2015-01-21 5.0 CVE-2015-0410
oracle — e-business_suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3 allows remote authenticated users to affect integrity via unknown vectors related to Session Management. 2015-01-21 4.0 CVE-2015-0415
oracle — siebel_crm Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Portal Framework, a different vulnerability than CVE-2015-0388. 2015-01-21 4.0 CVE-2015-0417
oracle — siebel_crm Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Portal Framework. 2015-01-21 4.3 CVE-2015-0419
oracle — fusion_middleware Unspecified vulnerability in the Oracle Forms component in Oracle Fusion Middleware 11.1.1.7 and 11.1.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Forms Services. 2015-01-21 4.3 CVE-2015-0420
oracle — jdk Unspecified vulnerability in Oracle Java SE 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the installation process. 2015-01-21 6.9 CVE-2015-0421
oracle — supply_chain_products_suite Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote authenticated users to affect confidentiality via unknown vectors related to UI Infrastructure. 2015-01-21 4.0 CVE-2015-0422
oracle — siebel_crm Unspecified vulnerability in the Oracle Enterprise Asset Management component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Siebel Core – Unix/Windows. 2015-01-21 4.3 CVE-2015-0425
oracle — enterprise_manager_grid_control Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control 12.1.0.3 and 12.1.0.4 allows remote attackers to affect confidentiality via unknown vectors related to UI Framework. 2015-01-21 5.0 CVE-2015-0426
oracle — supply_chain_products_suite Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0 6.3.1, 6.3.2, 6.3.4, and 6.3.5 allows remote attackers to affect integrity via unknown vectors related to UI Infrastructure. 2015-01-21 4.3 CVE-2015-0431
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DDL : Foreign Key. 2015-01-21 4.0 CVE-2015-0432
oracle — fusion_middleware Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to affect confidentiality via vectors related to Integration with OAM. 2015-01-21 4.3 CVE-2015-0434
oracle — supply_chain_products_suite Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote authenticated users to affect confidentiality via unknown vectors related to Security. 2015-01-21 6.8 CVE-2015-0435
oracle — ilearning Unspecified vulnerability in the Oracle iLearning component in Oracle iLearning 6.0 and 6.1 allows remote attackers to affect confidentiality via unknown vectors related to Login. 2015-01-21 4.3 CVE-2015-0436
pax_project — pax Multiple directory traversal vulnerabilities in pax 1:20140703 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive. 2015-01-21 5.0 CVE-2015-1193
MISC
MLIST (link is external)
pax_project — pax pax 1:20140703 allows remote attackers to write to arbitrary files via a symlink attack in an archive. 2015-01-21 4.3 CVE-2015-1194
MISC
MLIST (link is external)
pivotal_software — rabbitmq RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header. 2015-01-20 5.0 CVE-2014-9494
CONFIRM (link is external)
XF (link is external)
MLIST
privoxy — privoxy Memory leak in the rfc2553_connect_to function in jbsocket.c in Privoxy before 3.0.22 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests that are rejected because the socket limit is reached. 2015-01-20 5.0 CVE-2015-1030
MLIST (link is external)
SECUNIA (link is external)
privoxy — privoxy Privoxy before 3.0.22 allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 2015-01-20 5.0 CVE-2015-1201
SECUNIA (link is external)
puppetlabs — stdlib The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlier allows remote authenticated users to gain privileges or obtain sensitive information by prepopulating the fact cache. 2015-01-16 6.5 CVE-2015-1029
SECUNIA (link is external)
python — pillow Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed. 2015-01-16 5.0 CVE-2014-9601
CONFIRM (link is external)
CONFIRM (link is external)
redhat — cloudforms_3.1_management_engine SQL injection vulnerability in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 allows remote authenticated users to execute arbitrary SQL commands via a crafted REST API request to an SQL filter. 2015-01-16 6.5 CVE-2014-7814
SECUNIA (link is external)
sap — netweaver_abap XML external entity vulnerability in the Extended Computer Aided Test Tool (eCATT) in SAP NetWeaver AS ABAP 7.31 and earlier allows remote attackers to access arbitrary files via a crafted XML request, related to ECATT_DISPLAY_XMLSTRING_REMOTE, aka SAP Note 2016638. 2015-01-22 5.0 CVE-2015-1309
SECUNIA (link is external)
MISC (link is external)
MISC (link is external)
serve-static_project — serve-static Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI. 2015-01-21 4.3 CVE-2015-1164
CONFIRM (link is external)
CONFIRM (link is external)
XF (link is external)
BID (link is external)
CONFIRM (link is external)
siemens — scalance_x-300_series_firmware The FTP server on Siemens SCALANCE X-300 switches with firmware before 4.0 and SCALANCE X 408 switches with firmware before 4.0 allows remote authenticated users to cause a denial of service (reboot) via crafted FTP packets. 2015-01-21 6.8 CVE-2014-8479
siemens — simatic_s7_1200_cpu_firmware Open redirect vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices with firmware before 4.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. 2015-01-21 4.3 CVE-2015-1048
sun — sunos Unspecified vulnerability in Oracle Solaris 10 and 11 allows remote attackers to affect confidentiality via vectors related to KSSL. 2015-01-21 4.3 CVE-2014-6481
sun — sunos Unspecified vulnerability in Oracle Solaris 10 allows local users to affect availability via unknown vectors related to Kernel. 2015-01-21 4.9 CVE-2014-6509
sun — sunos Unspecified vulnerability in Oracle Solaris 10 and 11 allows local users to affect integrity and availability via vectors related to Unix File System (UFS). 2015-01-21 6.6 CVE-2014-6518
sun — sunos Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to File System, a different vulnerability than CVE-2014-6600 and CVE-2015-0397. 2015-01-21 4.9 CVE-2014-6570
sun — sunos Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remote attackers to affect availability via unknown vectors related to Network, a different vulnerability than CVE-2004-0230. 2015-01-21 5.0 CVE-2014-6575
sun — sunos Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to File System, a different vulnerability than CVE-2014-6570 and CVE-2015-0397. 2015-01-21 4.9 CVE-2014-6600
sun — sunos Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remote attackers to affect confidentiality via unknown vectors related to Network. 2015-01-21 5.0 CVE-2015-0375
sun — sunos Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect availability via unknown vectors related to Resource Control. 2015-01-21 4.9 CVE-2015-0428
symantec — critical_system_protection SQL injection vulnerability in the management server in Symantec Critical System Protection (SCSP) 5.2.9 before MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x before 6.0 MP1 allows remote authenticated users to execute arbitrary SQL commands via a crafted HTTP request. 2015-01-21 6.5 CVE-2014-7289
BID (link is external)
symantec — critical_system_protection The ajaxswing webui in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to obtain sensitive server information via unspecified vectors. 2015-01-21 4.0 CVE-2014-9225
BID (link is external)
sympa — sympa The newsletter posting area in the web interface in Sympa 6.0.x before 6.0.10 and 6.1.x before 6.1.24 allows remote attackers to read arbitrary files via unspecified vectors. 2015-01-22 5.0 CVE-2015-1306
MLIST (link is external)
DEBIAN
SECUNIA (link is external)
SECUNIA (link is external)
synck_graphica — download_log_cgi Directory traversal vulnerability in SYNCK GRAPHICA Download Log CGI 3.0 and earlier allows remote attackers to read arbitrary files via a crafted filename. 2015-01-21 5.0 CVE-2015-0867
videolan — vlc_media_player The picture_pool_Delete function in misc/picture_pool.c in VideoLAN VLC media player 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service (DEP violation and application crash) via a crafted FLV file. 2015-01-21 6.8 CVE-2014-9597
MISC
MISC
MISC (link is external)
FULLDISC
videolan — vlc_media_player The picture_Release function in misc/picture.c in VideoLAN VLC media player 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service (write access violation) via a crafted M2V file. 2015-01-21 6.8 CVE-2014-9598
MISC
MISC
MISC (link is external)
FULLDISC
websitebaker — websitebaker Cross-site scripting (XSS) vulnerability in admin/pages/modify.php in WebsiteBaker 2.8.3 SP3 allows remote attackers to inject arbitrary web script or HTML via the page_id parameter. 2015-01-21 4.3 CVE-2015-0553
MISC (link is external)
BID (link is external)
MISC (link is external)
MISC (link is external)
FULLDISC
MISC (link is external)
zlib — pigz Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive. 2015-01-21 5.0 CVE-2015-1191
CONFIRM (link is external)
CONFIRM
MLIST (link is external)

Low Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
crea8social — crea8social Cross-site scripting (XSS) vulnerability in the Games feature in Crea8Social 2.0 allows remote authenticated users to inject arbitrary web script or HTML via the Game Content field in Add Game. 2015-01-16 3.5 CVE-2015-1054
XF (link is external)
EXPLOIT-DB (link is external)
MISC (link is external)
OSVDB
CONFIRM (link is external)
CONFIRM (link is external)
emc — vipr_srm Multiple cross-site scripting (XSS) vulnerabilities in the administrative user interface in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allow remote authenticated users to inject arbitrary web script or HTML by leveraging privileged access to set crafted values of unspecified fields. 2015-01-21 3.5 CVE-2015-0513
BUGTRAQ (link is external)
ibm — tivoli_netcool/omnibus Cross-site scripting (XSS) vulnerability in the Web GUI in IBM Tivoli Netcool/OMNIbus 7.3.0 before 7.3.0.6, 7.3.1 before 7.3.1.7, and 7.4.0 before 7.4.0.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. 2015-01-17 3.5 CVE-2014-3032
XF (link is external)
ibm — serverguide IBM ServerGuide before 9.63, UpdateXpress System Packs Installer (UXSPI) before 9.63, and ToolsCenter Suite before 9.63 place credentials in logs, which allows local users to obtain sensitive information by reading a file. 2015-01-17 2.1 CVE-2014-4835
XF (link is external)
ibm — business_process_manager Cross-site scripting (XSS) vulnerability in the Process Portal in IBM Business Process Manager 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-8914. 2015-01-21 3.5 CVE-2014-8913
XF (link is external)
ibm — business_process_manager Cross-site scripting (XSS) vulnerability in the Process Portal in IBM Business Process Manager 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-8913. 2015-01-21 3.5 CVE-2014-8914
XF (link is external)
mediawiki — mediawiki Cross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to true, allows remote attackers to inject arbitrary web script or HTML via the wpInput parameter to the Special:ExpandTemplates page. 2015-01-16 2.6 CVE-2014-9478
CONFIRM
MLIST (link is external)
MLIST (link is external)
oracle — peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 allows remote authenticated users to affect integrity via vectors related to PIA Core Technology. 2015-01-21 3.5 CVE-2014-4279
oracle — e-business_suite Unspecified vulnerability in the Oracle Web Applications Desktop Integrator component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect integrity via unknown vectors related to Templates. 2015-01-21 3.5 CVE-2014-6525
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DML. 2015-01-21 3.5 CVE-2014-6568
oracle — jdk Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors reelated to 2D, a different vulnerability than CVE-2014-6591. 2015-01-21 2.6 CVE-2014-6585
oracle — vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6589, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427. 2015-01-21 3.2 CVE-2014-6588
oracle — vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427. 2015-01-21 3.2 CVE-2014-6589
oracle — vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6595, and CVE-2015-0427. 2015-01-21 3.2 CVE-2014-6590
oracle — jdk Unspecified vulnerability in the Java SE component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6585. 2015-01-21 2.6 CVE-2014-6591
oracle — fusion_middleware Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect integrity via vectors related to SAML, a different vulnerability than CVE-2015-0389. 2015-01-21 3.5 CVE-2014-6592
oracle — vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, and CVE-2015-0427. 2015-01-21 3.2 CVE-2014-6595
oracle — siebel_crm Unspecified vulnerability in the Siebel Core – Common Components component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Email. 2015-01-21 3.5 CVE-2014-6599
oracle — siebel_crm Unspecified vulnerability in the Siebel Core – EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect availability via unknown vectors related to Integration Business Services. 2015-01-21 3.5 CVE-2015-0364
oracle — database_server Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect integrity via unknown vectors. 2015-01-21 3.5 CVE-2015-0370
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Security : Privileges : Foreign Key. 2015-01-21 3.5 CVE-2015-0374
oracle — siebel_crm Unspecified vulnerability in the Siebel Public Sector component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect integrity via unknown vectors related to Public Sector Portal. 2015-01-21 3.5 CVE-2015-0384
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Pluggable Auth. 2015-01-21 3.5 CVE-2015-0385
oracle — fusion_middleware Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect integrity via vectors related to SAML, a different vulnerability than CVE-2014-6592. 2015-01-21 3.5 CVE-2015-0389
oracle — jdk Unspecified vulnerability in Oracle Java SE 7u72 and 8u25 allows local users to affect integrity via unknown vectors related to Serviceability. 2015-01-21 1.9 CVE-2015-0413
oracle — fusion_middleware Unspecified vulnerability in the Oracle SOA Suite component in Oracle Fusion Middleware 11.1.1.7 and 12.1.3.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Fabric Layer. 2015-01-21 3.5 CVE-2015-0414
oracle — supply_chain_products_suite Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect integrity via unknown vectors related to Roles & Privileges. 2015-01-21 3.5 CVE-2015-0416
oracle — vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, and 4.2.28 allows local users to affect availability via unknown vectors related to Core, a different vulnerability than CVE-2015-0377. 2015-01-21 2.1 CVE-2015-0418
oracle — vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, and CVE-2014-6595. 2015-01-21 3.2 CVE-2015-0427
pivotal_software — rabbitmq_management Multiple cross-site scripting (XSS) vulnerabilities in the management web UI in the RabbitMQ management plugin before 3.4.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) message details when a message is unqueued, such as headers or arguments; (2) policy names, which are not properly handled when viewing policies; (3) details for AMQP network clients, such as the version; allow remote authenticated administrators to inject arbitrary web script or HTML via (4) user names, (5) the cluster name; or allow RabbitMQ cluster administrators to (6) modify unspecified content. 2015-01-18 3.5 CVE-2015-0862
sun — sunos Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to Libc. 2015-01-21 2.1 CVE-2015-0378
sun — sunos Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to File System, a different vulnerability than CVE-2014-6570 and CVE-2014-6600. 2015-01-21 2.1 CVE-2015-0397
sun — sunos Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect integrity and availability via vectors related to RPC Utility. 2015-01-21 3.3 CVE-2015-0429
sun — sunos Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect confidentiality via vectors related to RPC Utility. 2015-01-21 1.9 CVE-2015-0430
symantec — critical_system_protection Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. 2015-01-21 3.5 CVE-2014-9224
BID (link is external)
websvn — websvn WebSVN 2.3.3 allows remote authenticated users to read arbitrary files via a symlink attack in a commit. 2015-01-21 3.5 CVE-2013-6892
MISC
SECUNIA (link is external)

(SB15-026) Vulnerability Summary for the Week of January 19, 2015 was originally published on Blogg'n @ ECI

February 14, 2015 - Posted by | NewsUpdate | , , , , , , , , , , , ,

Sorry, the comment form is closed at this time.