ECI Blog @WordPress

Latest news from the ECI Networks Group

SB15-299 Vulnerability Summary for the Week of October 19th 2015

Original release date: October 26, 2015
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week.
The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
accelerite — radia_client_automation Stack-based buffer overflow in the agent in Persistent Accelerite Radia Client Automation (formerly HP Client Automation), possibly before 9.1, allows remote attackers to execute arbitrary code by sending a large amount of data in an environment that lacks relationship-based firewalling. 2015-10-19 10.0 CVE-2015-7860
MISC
accelerite — radia_client_automation Persistent Accelerite Radia Client Automation (formerly HP Client Automation), possibly before 9.1, allows remote attackers to execute arbitrary code by sending unspecified commands in an environment that lacks relationship-based firewalling. 2015-10-19 10.0 CVE-2015-7861
MISC
adobe — air Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7629, CVE-2015-7631, CVE-2015-7636, CVE-2015-7637, CVE-2015-7638, CVE-2015-7639, CVE-2015-7640, CVE-2015-7641, CVE-2015-7642, CVE-2015-7643, and CVE-2015-7644. 2015-10-18 10.0 CVE-2015-7635
CONFIRM
adobe — air Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7629, CVE-2015-7631, CVE-2015-7635, CVE-2015-7637, CVE-2015-7638, CVE-2015-7639, CVE-2015-7640, CVE-2015-7641, CVE-2015-7642, CVE-2015-7643, and CVE-2015-7644. 2015-10-18 10.0 CVE-2015-7636
CONFIRM
adobe — air Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7629, CVE-2015-7631, CVE-2015-7635, CVE-2015-7636, CVE-2015-7638, CVE-2015-7639, CVE-2015-7640, CVE-2015-7641, CVE-2015-7642, CVE-2015-7643, and CVE-2015-7644. 2015-10-18 10.0 CVE-2015-7637
CONFIRM
adobe — air Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7629, CVE-2015-7631, CVE-2015-7635, CVE-2015-7636, CVE-2015-7637, CVE-2015-7639, CVE-2015-7640, CVE-2015-7641, CVE-2015-7642, CVE-2015-7643, and CVE-2015-7644. 2015-10-18 10.0 CVE-2015-7638
CONFIRM
adobe — air Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7629, CVE-2015-7631, CVE-2015-7635, CVE-2015-7636, CVE-2015-7637, CVE-2015-7638, CVE-2015-7640, CVE-2015-7641, CVE-2015-7642, CVE-2015-7643, and CVE-2015-7644. 2015-10-18 10.0 CVE-2015-7639
CONFIRM
adobe — air Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7629, CVE-2015-7631, CVE-2015-7635, CVE-2015-7636, CVE-2015-7637, CVE-2015-7638, CVE-2015-7639, CVE-2015-7641, CVE-2015-7642, CVE-2015-7643, and CVE-2015-7644. 2015-10-18 10.0 CVE-2015-7640
CONFIRM
adobe — air Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7629, CVE-2015-7631, CVE-2015-7635, CVE-2015-7636, CVE-2015-7637, CVE-2015-7638, CVE-2015-7639, CVE-2015-7640, CVE-2015-7642, CVE-2015-7643, and CVE-2015-7644. 2015-10-18 10.0 CVE-2015-7641
CONFIRM
adobe — air Use-after-free vulnerability in Adobe Flash Player before 18.0.0.252 and 19.x before 19.0.0.207 on Windows and OS X and before 11.2.202.535 on Linux, Adobe AIR before 19.0.0.213, Adobe AIR SDK before 19.0.0.213, and Adobe AIR SDK & Compiler before 19.0.0.213 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-7629, CVE-2015-7631, CVE-2015-7635, CVE-2015-7636, CVE-2015-7637, CVE-2015-7638, CVE-2015-7639, CVE-2015-7640, CVE-2015-7641, CVE-2015-7643, and CVE-2015-7644. 2015-10-18 10.0 CVE-2015-7642
CONFIRM
adobe — flash_player Adobe Flash Player before 18.0.0.255 and 19.x before 19.0.0.226 on Windows and OS X and before 11.2.202.540 on Linux allows attackers to execute arbitrary code by leveraging an unspecified “type confusion,” a different vulnerability than CVE-2015-7648. 2015-10-18 10.0 CVE-2015-7647
CONFIRM
adobe — flash_player Adobe Flash Player before 18.0.0.255 and 19.x before 19.0.0.226 on Windows and OS X and before 11.2.202.540 on Linux allows attackers to execute arbitrary code by leveraging an unspecified “type confusion,” a different vulnerability than CVE-2015-7647. 2015-10-18 10.0 CVE-2015-7648
CONFIRM
apple — itunes CoreText in Apple iOS before 9.1, OS X before 10.11.1, and iTunes before 12.3.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font file, a different vulnerability than CVE-2015-6992 and CVE-2015-7017. 2015-10-23 7.5 CVE-2015-6975
APPLE
CONFIRM
CONFIRM
CONFIRM
APPLE
APPLE
apple — iphone_os GasGauge in Apple iOS before 9.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 2015-10-23 9.3 CVE-2015-6979
CONFIRM
APPLE
apple — iphone_os com.apple.driver.AppleVXD393 in the Graphics Driver subsystem in Apple iOS before 9.1 allows attackers to execute arbitrary code via a crafted app that leverages an unspecified “type confusion.” 2015-10-23 9.3 CVE-2015-6986
CONFIRM
APPLE
apple — itunes CoreText in Apple iOS before 9.1, OS X before 10.11.1, and iTunes before 12.3.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font file, a different vulnerability than CVE-2015-6975 and CVE-2015-7017. 2015-10-23 7.5 CVE-2015-6992
APPLE
CONFIRM
CONFIRM
CONFIRM
APPLE
APPLE
apple — iphone_os The kernel in Apple iOS before 9.1 allows attackers to cause a denial of service via a crafted app. 2015-10-23 7.1 CVE-2015-7004
CONFIRM
APPLE
apple — itunes CoreText in Apple iOS before 9.1, OS X before 10.11.1, and iTunes before 12.3.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font file, a different vulnerability than CVE-2015-6975 and CVE-2015-6992. 2015-10-23 7.5 CVE-2015-7017
APPLE
CONFIRM
CONFIRM
CONFIRM
APPLE
APPLE
apple — xcode The Swift implementation in Apple Xcode before 7.1 mishandles type conversion, which has unspecified impact and attack vectors. 2015-10-23 7.5 CVE-2015-7030
CONFIRM
APPLE
apple — mac_os_x Apple Mac EFI before 2015-002, as used in OS X before 10.11.1 and other products, mishandles arguments, which allows attackers to reach “unused” functions via unspecified vectors. 2015-10-23 7.5 CVE-2015-7035
CONFIRM
CONFIRM
APPLE
APPLE
cloudbees — jenkins The API token-issuing service in CloudBees Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to gain privileges via a “forced API token change” involving anonymous users. 2015-10-16 7.5 CVE-2015-1814
CONFIRM
CONFIRM
REDHAT
drupal_7_driver_for_sql_server_and_sql_azure_project — drupal_7_driver_for_sql_server_and_sql_azure The escapeLike function in sqlsrv/database.inc in the Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x before 7.x-1.4 does not properly escape certain characters, which allows remote attackers to execute arbitrary SQL commands vectors involving a module using the db_like function. 2015-10-21 7.5 CVE-2015-7876
MISC
CONFIRM
CONFIRM
CONFIRM
emc — sourceone_email_supervisor EMC SourceOne Email Supervisor before 7.2 does not properly employ random values for session IDs, which makes it easier for remote attackers to obtain access by guessing an ID. 2015-10-18 7.5 CVE-2015-6845
BUGTRAQ
juniper — junos Juniper Junos OS before 11.4R12-S4, 12.1X44 before 12.1X44-D41, 12.1X46 before 12.1X46-D26, 12.1X47 before 12.1X47-D11/D15, 12.2 before 12.2R9, 12.2X50 before 12.2X50-D70, 12.3 before 12.3R8, 12.3X48 before 12.3X48-D10, 12.3X50 before 12.3X50-D42, 13.1 before 13.1R4-S3, 13.1X49 before 13.1X49-D42, 13.1X50 before 13.1X50-D30, 13.2 before 13.2R6, 13.2X51 before 13.2X51-D26, 13.2X52 before 13.2X52-D15, 13.3 before 13.3R3-S3, 14.1 before 14.1R3, 14.2 before 14.2R1, 15.1 before 15.1R1, and 15.1X49 before 15.1X49-D10, when configured for IPv6, allow remote attackers to cause a denial of service (mbuf chain corruption and kernel panic) via crafted IPv6 packets. 2015-10-16 7.8 CVE-2014-6450
CONFIRM
juniper — junos J-Web in Juniper vSRX virtual firewalls with Junos OS before 15.1X49-D20 allows remote attackers to cause a denial of service (system reboot) via unspecified vectors. 2015-10-16 7.8 CVE-2014-6451
CONFIRM
juniper — junos The PFE daemon in Juniper vSRX virtual firewalls with Junos OS before 15.1X49-D20 allows remote attackers to cause a denial of service via an unspecified connection request to the “host-OS.” 2015-10-19 7.8 CVE-2015-7749
CONFIRM
juniper — junos The SSH server in Juniper Junos OS before 12.1X44-D50, 12.1X46 before 12.1X46-D35, 12.1X47 before 12.1X47-D25, 12.3 before 12.3R10, 12.3X48 before 12.3X48-D10, 13.2 before 13.2R8, 13.2X51 before 13.2X51-D35, 13.3 before 13.3R6, 14.1 before 14.1R5, 14.1X53 before 14.1X53-D25, 14.2 before 14.2R3, 15.1 before 15.1R1, and 15.1X49 before 15.1X49-D20 allows remote attackers to cause a denial of service (CPU consumption) via unspecified SSH traffic. 2015-10-19 7.8 CVE-2015-7752
SECTRACK
CONFIRM
linux — linux_kernel The __rds_conn_create function in net/rds/connection.c in the Linux kernel through 4.2.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by using a socket that was not properly bound. 2015-10-19 7.8 CVE-2015-6937
CONFIRM
CONFIRM
MLIST
CONFIRM
microsoft — sharepoint SQL injection vulnerability in Runtime/Runtime/AjaxCall.ashx in K2 blackpearl, smartforms, and K2 for SharePoint 4.6.7 allows remote attackers to execute arbitrary SQL commands via the xml parameter. 2015-10-21 7.5 CVE-2015-7299
BUGTRAQ
MISC
opennms — opennms OpenNMS has a default password of rtc for the rtc account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials. 2015-10-16 10.0 CVE-2015-7856
MISC
CONFIRM
oracle — communications_applications Unspecified vulnerability in (1) the Oracle Communications Diameter Signaling Router (DSR) component in Oracle Communications Applications 4.1.6 and earlier, 5.1.0 and earlier, 6.0.2 and earlier, and 7.1.0 and earlier; (2) the Oracle Communications Performance Intelligence Center Software component in Oracle Communications Applications 9.0.3 and earlier and 10.1.5 and earlier; (3) the Oracle Communications Policy Management component in Oracle Communications Applications 9.9.0 and earlier, 10.5.0 and earlier, 11.5.0 and earlier, and 12.1.0 and earlier; (4) the Oracle Communications Tekelec HLR Router component in Oracle Communications Applications 4.0.0; and (5) the Oracle Communications User Data Repository component in Oracle Communications Applications 10.2.0 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to PMAC. 2015-10-21 10.0 CVE-2015-2608
CONFIRM
oracle — database_server Unspecified vulnerability in the Java VM component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. 2015-10-21 9.0 CVE-2015-4794
CONFIRM
oracle — industry_applications Unspecified vulnerability in the Oracle Utilities Work and Asset Management component in Oracle Industry Applications 1.9.1.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Add-On Applications. 2015-10-21 7.5 CVE-2015-4795
CONFIRM
oracle — database_server Unspecified vulnerability in the Java VM component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2, when running on Windows, allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2015-4888. 2015-10-21 9.0 CVE-2015-4796
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serialization. 2015-10-21 10.0 CVE-2015-4805
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Client programs. 2015-10-21 7.2 CVE-2015-4819
CONFIRM
oracle — oracle_and_sun_systems_product_suite Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Web. 2015-10-21 9.3 CVE-2015-4821
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4881. 2015-10-21 10.0 CVE-2015-4835
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. 2015-10-21 10.0 CVE-2015-4843
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D. 2015-10-21 10.0 CVE-2015-4844
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4883. 2015-10-21 10.0 CVE-2015-4860
CONFIRM
oracle — database_server Unspecified vulnerability in the Portable Clusterware component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. 2015-10-21 10.0 CVE-2015-4863
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 8u60 and Java SE Embedded 8u51 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. 2015-10-21 7.6 CVE-2015-4868
CONFIRM
oracle — database_server Unspecified vulnerability in the Database Scheduler component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Local. 2015-10-21 9.0 CVE-2015-4873
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4835. 2015-10-21 10.0 CVE-2015-4881
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4860. 2015-10-21 10.0 CVE-2015-4883
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 8u60 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX. 2015-10-21 9.3 CVE-2015-4901
CONFIRM
oracle — oracle_and_sun_systems_product_suite Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to System Management. 2015-10-21 10.0 CVE-2015-4915
CONFIRM
owncloud — owncloud Directory traversal vulnerability in the routing component in ownCloud Server before 7.0.6 and 8.0.x before 8.0.4, when running on Windows, allows remote attackers to reinstall the application or execute arbitrary code via unspecified vectors. 2015-10-21 10.0 CVE-2015-4716
CONFIRM
DEBIAN
owncloud — owncloud The filename sanitization component in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 does not properly handle $_GET parameters cast by PHP to an array, which allows remote attackers to cause a denial of service (infinite loop and log file consumption) via crafted endpoint file names. 2015-10-21 7.8 CVE-2015-4717
CONFIRM
BID
DEBIAN
owncloud — owncloud The external SMB storage driver in ownCloud Server before 6.0.8, 7.0.x before 7.0.6, and 8.0.x before 8.0.4 allows remote authenticated users to execute arbitrary SMB commands via a ; (semicolon) character in a file. 2015-10-21 9.0 CVE-2015-4718
CONFIRM
BID
DEBIAN
owncloud — owncloud icewind1991 SMB before 1.0.3 allows remote authenticated users to execute arbitrary SMB commands via shell metacharacters in the user argument in the (1) listShares function in Server.php or the (2) connect or (3) read function in Share.php. 2015-10-21 9.0 CVE-2015-7698
CONFIRM
CONFIRM

Medium Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
3s-software — codesys_runtime_system Runtime Toolkit before 2.4.7.48 in 3S-Smart CODESYS before 2.3.9.48 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted request. 2015-10-18 5.0 CVE-2015-6482
MISC
accelerite — radia_client_automation Persistent Accelerite Radia Client Automation (formerly HP Client Automation) 7.9 through 9.1 before 2015-02-19 improperly implements the Role Based Access Control feature, which might allow remote attackers to modify an account’s role assignments via unspecified vectors. 2015-10-19 5.0 CVE-2015-7862
CONFIRM
accelerite — radia_client_automation The default configuration of Persistent Accelerite Radia Client Automation (formerly HP Client Automation) 7.9 through 9.1 before 2015-02-19 enables a remote Notify capability without the Extended Notify Security features, which might allow remote attackers to bypass intended access restrictions via unspecified vectors. 2015-10-19 5.0 CVE-2015-7863
CONFIRM
airdroid — airdroid The SAND STUDIO AirDroid application 1.1.0 and earlier for Android mishandles implicit intents, which allows attackers to obtain sensitive information via a crafted application. 2015-10-18 4.3 CVE-2015-5661
JVNDB
JVN
apple — iphone_os WebKit, as used in Apple iOS before 9.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-10-21-1. 2015-10-23 6.8 CVE-2015-6981
CONFIRM
APPLE
apple — iphone_os WebKit, as used in Apple iOS before 9.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-10-21-1. 2015-10-23 6.8 CVE-2015-6982
CONFIRM
APPLE
apple — iphone_os The X.509 certificate-trust implementation in Apple iOS before 9.1 does not recognize that the kSecRevocationRequirePositiveResponse flag implies a revocation-checking requirement, which makes it easier for man-in-the-middle attackers to spoof endpoints by leveraging access to a revoked certificate. 2015-10-23 4.3 CVE-2015-6997
CONFIRM
APPLE
apple — iphone_os The OCSP client in Apple iOS before 9.1 does not check for certificate expiry, which allows remote attackers to spoof a valid certificate by leveraging access to a revoked certificate. 2015-10-23 5.0 CVE-2015-6999
CONFIRM
APPLE
apple — iphone_os WebKit, as used in Apple iOS before 9.1, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-10-21-1. 2015-10-23 6.8 CVE-2015-7005
CONFIRM
APPLE
apple — iphone_os The Telephony subsystem in Apple iOS before 9.1 allows attackers to obtain sensitive call-status information via a crafted app. 2015-10-23 4.3 CVE-2015-7022
CONFIRM
APPLE
apple — mac_os_x_server The Web Service component in Apple OS X Server before 5.0.15 omits an unspecified HTTP header configuration, which allows remote attackers to bypass intended access restrictions via unknown vectors. 2015-10-23 5.0 CVE-2015-7031
CONFIRM
APPLE
apple — iwork The Apple iWork application before 2.6 for iOS, Apple Keynote before 6.6, Apple Pages before 5.6, and Apple Numbers before 3.6 allow remote attackers to obtain sensitive information via a crafted document. 2015-10-18 4.3 CVE-2015-7032
CONFIRM
APPLE
apple — iwork The Apple iWork application before 2.6 for iOS, Apple Keynote before 6.6, Apple Pages before 5.6, and Apple Numbers before 3.6 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted document. 2015-10-18 6.8 CVE-2015-7033
CONFIRM
APPLE
apple — iwork The Apple iWork application before 2.6 for iOS and Apple Pages before 5.6 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted Pages document. 2015-10-18 6.8 CVE-2015-7034
CONFIRM
APPLE
avast — avast_antivirus Directory traversal vulnerability in Avast before 150918-0 allows remote attackers to delete or write to arbitrary files via a crafted entry in a ZIP archive. 2015-10-18 6.4 CVE-2015-5662
JVNDB
JVN
cloudbees — jenkins The combination filter Groovy script in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with job configuration permission to gain privileges and execute arbitrary code on the master via unspecified vectors. 2015-10-16 6.5 CVE-2015-1806
CONFIRM
CONFIRM
REDHAT
cloudbees — jenkins The HudsonPrivateSecurityRealm class in CloudBees Jenkins before 1.600 and LTS before 1.596.1 does not restrict access to reserved names when using the “Jenkins’ own user database” setting, which allows remote attackers to gain privileges by creating a reserved name. 2015-10-16 4.6 CVE-2015-1810
CONFIRM
CONFIRM
REDHAT
cloudbees — jenkins Cross-site scripting (XSS) vulnerability in CloudBees Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1813. 2015-10-16 4.3 CVE-2015-1812
CONFIRM
CONFIRM
REDHAT
cloudbees — jenkins Cross-site scripting (XSS) vulnerability in CloudBees Jenkins before 1.606 and LTS before 1.596.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2015-1812. 2015-10-16 4.3 CVE-2015-1813
CONFIRM
CONFIRM
REDHAT
emc — sourceone_email_supervisor Reviewer in EMC SourceOne Email Supervisor before 7.2 does not properly limit attempts to authenticate, which makes it easier for remote attackers to obtain access via a brute-force approach. 2015-10-18 5.0 CVE-2015-6843
BUGTRAQ
emc — sourceone_email_supervisor Cross-site scripting (XSS) vulnerability in Reviewer in EMC SourceOne Email Supervisor before 7.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2015-10-18 4.3 CVE-2015-6844
BUGTRAQ
emc — sourceone_email_supervisor EMC SourceOne Email Supervisor before 7.2 uses hardcoded encryption keys, which makes it easier for attackers to obtain access by examining how a program’s code conducts cryptographic operations. 2015-10-18 6.8 CVE-2015-6846
BUGTRAQ
font_project — font Absolute path traversal vulnerability in Font.php in the Font plugin before 7.5.1 for WordPress allows remote administrators to read arbitrary files via a full pathname in the url parameter to AjaxProxy.php. 2015-10-16 4.0 CVE-2015-7683
CONFIRM
MISC
BUGTRAQ
MISC
genetechsolutions — pie_register Cross-site scripting (XSS) vulnerability in pie-register/pie-register.php in the Pie Register plugin before 2.0.19 for WordPress allows remote attackers to inject arbitrary web script or HTML via the invitaion_code parameter in a pie-register page to the default URI. 2015-10-16 4.3 CVE-2015-7377
MISC
CONFIRM
BUGTRAQ
MISC
genetechsolutions — pie_register Multiple SQL injection vulnerabilities in pie-register/pie-register.php in the Pie Register plugin before 2.0.19 for WordPress allow remote administrators to execute arbitrary SQL commands via the (1) select_invitaion_code_bulk_option or (2) invi_del_id parameter in the pie-invitation-codes page to wp-admin/admin.php. 2015-10-16 6.5 CVE-2015-7682
MISC
CONFIRM
BUGTRAQ
MISC
hp — smart_profile_server_data_analytics_layer Multiple cross-site scripting (XSS) vulnerabilities in HP Smart Profile Server Data Analytics Layer (SPS DAL) 2.3 before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2015-10-18 4.3 CVE-2015-5444
HP
juniper — junos Juniper Junos OS before 12.1X44-D50, 12.1X46 before 12.1X46-D35, 12.1X47 before 12.1X47-D25, 12.3 before 12.3R10, 12.3X48 before 12.3X48-D15, 13.2 before 13.2R8, 13.3 before 13.3R7, 14.1 before 14.1R5, and 14.2 before 14.2R1 do not properly handle TCP packet reassembly, which allows remote attackers to cause a denial of service (buffer consumption) via a crafted sequence of packets “destined to the device.” 2015-10-16 5.0 CVE-2014-6449
CONFIRM
juniper — junos Juniper chassis with Trio (Trinity) chipset line cards and Junos OS 13.3 before 13.3R8, 14.1 before 14.1R6, 14.2 before 14.2R5, and 15.1 before 15.1R2 allow remote attackers to cause a denial of service (MPC line card crash) via a crafted uBFD packet. 2015-10-19 5.0 CVE-2015-7748
CONFIRM
juniper — screenos The L2TP packet processing functionality in Juniper Netscreen and ScreenOS Firewall products with ScreenOS before 6.3.0r13-dnd1, 6.3.0r14 through 6.3.0r18 before 6.3.0r18-dnc1, and 6.3.0r19 allows remote attackers to cause a denial of service via a crafted L2TP packet. 2015-10-19 5.0 CVE-2015-7750
CONFIRM
juniper — junos Juniper Junos OS before 12.1X44-D50, 12.1X46 before 12.1X46-D35, 12.1X47 before 12.1X47-D25, 12.3 before 12.3R9, 12.3X48 before 12.3X48-D15, 13.2 before 13.2R7, 13.2X51 before 13.2X51-D35, 13.3 before 13.3R6, 14.1 before 14.1R5, 14.1X50 before 14.1X50-D105, 14.1X51 before 14.1X51-D70, 14.1X53 before 14.1X53-D25, 14.1X55 before 14.1X55-D20, 14.2 before 14.2R1, 15.1 before 15.1F2 or 15.1R1, and 15.1X49 before 15.1X49-D10 does not require a password for the root user when pam.conf is “corrupted,” which allows local users to gain root privileges by modifying the file. 2015-10-19 6.9 CVE-2015-7751
SECTRACK
CONFIRM
kentico — kentico_cms Multiple cross-site scripting (XSS) vulnerabilities in Kentico CMS 8.2 allow remote attackers to inject arbitrary web script or HTML via a (1) parameter name to CMSModules/AdminControls/Pages/UIPage.aspx or the (2) CMSBodyClass cookie variable to the default URI. 2015-10-21 5.0 CVE-2015-7822
MISC
kentico — kentico_cms Open redirect vulnerability in CMSPages/GetDocLink.ashx in Kentico CMS 8.2 through 8.2.41 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the link parameter. 2015-10-21 5.8 CVE-2015-7823
MISC
linux — linux_kernel The ext4_zero_range function in fs/ext4/extents.c in the Linux kernel before 4.1 allows local users to cause a denial of service (BUG) via a crafted fallocate zero-range request. 2015-10-19 4.9 CVE-2015-0275
CONFIRM
CONFIRM
MLIST
MLIST
CONFIRM
linux — linux_kernel The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel before 4.2 attempts to support a FRAGLIST feature without proper memory allocation, which allows guest OS users to cause a denial of service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets. 2015-10-19 6.1 CVE-2015-5156
CONFIRM
CONFIRM
CONFIRM
linux — linux_kernel The sctp_init function in net/sctp/protocol.c in the Linux kernel before 4.2.3 has an incorrect sequence of protocol-initialization steps, which allows local users to cause a denial of service (panic or memory corruption) by creating SCTP sockets before all of the steps have finished. 2015-10-19 4.7 CVE-2015-5283
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
linux — linux_kernel Integer overflow in the sg_start_req function in drivers/scsi/sg.c in the Linux kernel 2.6.x through 4.x before 4.1 allows local users to cause a denial of service or possibly have unspecified other impact via a large iov_count value in a write request. 2015-10-19 4.6 CVE-2015-5707
CONFIRM
CONFIRM
CONFIRM
MLIST
CONFIRM
CONFIRM
linux — linux_kernel Race condition in the IPC object implementation in the Linux kernel through 4.2.3 allows local users to gain privileges by triggering an ipc_addid call that leads to uid and gid comparisons against uninitialized data, related to msg.c, shm.c, and util.c. 2015-10-19 6.9 CVE-2015-7613
CONFIRM
CONFIRM
MLIST
CONFIRM
linux — linux_kernel The slhc_init function in drivers/net/slip/slhc.c in the Linux kernel through 4.2.3 does not ensure that certain slot numbers are valid, which allows local users to cause a denial of service (NULL pointer dereference and system crash) via a crafted PPPIOCSMAXCID ioctl call. 2015-10-19 4.9 CVE-2015-7799
MISC
CONFIRM
MLIST
mozilla — firefox The fetch API implementation in Mozilla Firefox before 41.0.2 does not restrict access to the HTTP response body in certain situations where user credentials are supplied but the CORS cross-origin request algorithm is improperly followed, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. 2015-10-18 6.8 CVE-2015-7184
CONFIRM
CONFIRM
CONFIRM
nordex — nordex_control_2_scada Multiple cross-site scripting (XSS) vulnerabilities in the Wind Farm Portal application in Nordex Control 2 (NC2) SCADA 16 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2015-10-18 4.3 CVE-2015-6477
MISC
oracle — fusion_middleware Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 10.1.3.5, 11.1.1.7, 11.1.1.9, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect availability via unknown vectors related to Web Listener. 2015-10-21 5.0 CVE-2015-1829
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Gzip. 2015-10-21 4.4 CVE-2015-2642
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.6.20 and earlier allows remote authenticated users to affect availability via unknown vectors related to Types. 2015-10-21 4.0 CVE-2015-4730
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS. 2015-10-21 5.0 CVE-2015-4734
CONFIRM
oracle — e-business_suite Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 12.2.3 and 12.2.4 allows remote authenticated users to affect confidentiality via unknown vectors related to Online patching. 2015-10-21 4.0 CVE-2015-4762
CONFIRM
oracle — communications_applications Unspecified vulnerability in the Oracle Communications Convergence component in Oracle Communications Applications 2.0 and 3.0.1 allows remote attackers to affect confidentiality via unknown vectors related to Mail Proxy. 2015-10-21 4.3 CVE-2015-4793
CONFIRM
oracle — e-business_suite Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2 allows remote authenticated users to affect availability via unknown vectors related to DB Listener, a different vulnerability than CVE-2015-4839. 2015-10-21 4.0 CVE-2015-4798
CONFIRM
oracle — fusion_middleware Unspecified vulnerability in the Oracle WebCenter Sites component in Oracle Fusion Middleware 7.6.2, 11.1.1.6.1, and 11.1.1.8.0 allows remote attackers to affect integrity via unknown vectors related to Security. 2015-10-21 4.3 CVE-2015-4799
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Optimizer. 2015-10-21 4.0 CVE-2015-4800
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition, a different vulnerability than CVE-2015-4792. 2015-10-21 4.0 CVE-2015-4802
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4893 and CVE-2015-4911. 2015-10-21 5.0 CVE-2015-4803
CONFIRM
oracle — peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise HCM Talent Acquistion Managment component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Security. 2015-10-21 4.0 CVE-2015-4804
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries. 2015-10-21 6.4 CVE-2015-4806
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 7u85 and 8u60 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. 2015-10-21 6.9 CVE-2015-4810
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to Server : DDL. 2015-10-21 4.0 CVE-2015-4815
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB. 2015-10-21 4.0 CVE-2015-4816
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local users to affect confidentiality, integrity, and availability via vectors related to Kernel Zones virtualized NIC driver. 2015-10-21 6.2 CVE-2015-4817
CONFIRM
oracle — peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.54 allows remote authenticated users to affect confidentiality and integrity via vectors related to PIA Core Technology. 2015-10-21 5.5 CVE-2015-4818
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Solaris Kernel Zones, a different vulnerability than CVE-2015-4907. 2015-10-21 6.2 CVE-2015-4820
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Types. 2015-10-21 4.0 CVE-2015-4826
CONFIRM
oracle — retail_applications Unspecified vulnerability in the Oracle Retail Open Commerce Platform component in Oracle Retail Applications 3.0 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Framework. 2015-10-21 6.4 CVE-2015-4827
CONFIRM
oracle — peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise FSCM component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality via vectors related to FIN Resource Management (Security). 2015-10-21 4.0 CVE-2015-4828
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server : Security : Privileges. 2015-10-21 4.0 CVE-2015-4830
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local users to affect availability via unknown vectors related to Solaris Kernel Zones, a different vulnerability than CVE-2015-4822. 2015-10-21 4.9 CVE-2015-4831
CONFIRM
oracle — fusion_middleware Unspecified vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.7, 11.1.2.2, and 11.1.2.3 allows remote attackers to affect integrity via vectors related to OIM Legacy UI. 2015-10-21 4.3 CVE-2015-4832
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition. 2015-10-21 4.0 CVE-2015-4833
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Utility/Security. 2015-10-21 6.6 CVE-2015-4837
CONFIRM
oracle — fusion_middleware Unspecified vulnerability in the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.4.0, 12.1.2.0.0, and 12.1.3.0.0 allows remote authenticated users to affect confidentiality via vectors related to ADF Faces. 2015-10-21 4.0 CVE-2015-4838
CONFIRM
oracle — e-business_suite Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2 allows remote authenticated users to affect availability via unknown vectors related to DB Listener, a different vulnerability than CVE-2015-4798. 2015-10-21 4.0 CVE-2015-4839
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via unknown vectors related to 2D. 2015-10-21 5.0 CVE-2015-4840
CONFIRM
oracle — siebel_crm Unspecified vulnerability in the Siebel Core – Server Framework component in Oracle Siebel CRM IP2014 PS10 and IP2015 PS5 allows remote attackers to affect confidentiality via unknown vectors related to Services. 2015-10-21 4.3 CVE-2015-4841
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JAXP. 2015-10-21 5.0 CVE-2015-4842
CONFIRM
oracle — e-business_suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality via vectors related to Java APIs – AOL/J. 2015-10-21 4.3 CVE-2015-4845
CONFIRM
oracle — supply_chain_products_suite Unspecified vulnerability in the Oracle Configurator component in Oracle Supply Chain Products Suite 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via vectors related to OCI. 2015-10-21 4.3 CVE-2015-4847
CONFIRM
oracle — supply_chain_products_suite Unspecified vulnerability in the Oracle Configurator component in Oracle Supply Chain Products Suite 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality via unknown vectors related to Integration with Peoplesoft. 2015-10-21 5.0 CVE-2015-4848
CONFIRM
oracle — e-business_suite Unspecified vulnerability in the Oracle Payments component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Punch-in. 2015-10-21 6.8 CVE-2015-4849
CONFIRM
oracle — peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Talent Acquisition Management. 2015-10-21 5.5 CVE-2015-4850
CONFIRM
oracle — e-business_suite Unspecified vulnerability in the Oracle iSupplier Portal component in Oracle E-Business Suite 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to XML input. 2015-10-21 6.8 CVE-2015-4851
CONFIRM
oracle — e-business_suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via unknown vectors related to Single Signon. 2015-10-21 4.3 CVE-2015-4854
CONFIRM
oracle — vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.0.30, 4.1.38, 4.2.30, 4.3.26, and 5.0.0 allows local users to affect availability via unknown vectors related to Core. 2015-10-21 4.9 CVE-2015-4856
CONFIRM
oracle — database_server Unspecified vulnerability in the RDBMS component in Oracle Database Server 12.1.0.1 and 12.1.0.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. 2015-10-21 5.5 CVE-2015-4857
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via vectors related to DML, a different vulnerability than CVE-2015-4913. 2015-10-21 4.0 CVE-2015-4858
CONFIRM
oracle — enterprise_manager_grid_control Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control 12.1.0.4 and 12.1.0.5 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Agent Next Gen. 2015-10-21 5.8 CVE-2015-4859
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to DML. 2015-10-21 4.0 CVE-2015-4862
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB. 2015-10-21 4.0 CVE-2015-4866
CONFIRM
oracle — fusion_middleware Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 10.1.3.5.1 allows remote attackers to affect integrity via unknown vectors related to Content Server, a different vulnerability than CVE-2015-4880. 2015-10-21 4.3 CVE-2015-4867
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows local users to affect availability via unknown vectors related to Kernel. 2015-10-21 4.9 CVE-2015-4869
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Parser. 2015-10-21 4.0 CVE-2015-4870
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 7u85 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Libraries. 2015-10-21 5.8 CVE-2015-4871
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect integrity via unknown vectors related to Security. 2015-10-21 5.0 CVE-2015-4872
CONFIRM
oracle — enterprise_manager_grid_control Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control 12.1.0.4 and 12.1.0.5 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Agent Next Gen. 2015-10-21 4.1 CVE-2015-4874
CONFIRM
oracle — enterprise_manager_grid_control Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control 12.1.0.4 and 12.1.0.5 allows remote attackers to affect availability via unknown vectors related to Agent Next Gen. 2015-10-21 5.0 CVE-2015-4875
CONFIRM
oracle — peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 and 8.54 allows remote authenticated users to affect integrity via unknown vectors related to Pivot Grid. 2015-10-21 4.0 CVE-2015-4876
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.44 and earlier, and 5.6.25 and earlier, allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to DML. 2015-10-21 4.6 CVE-2015-4879
CONFIRM
oracle — fusion_middleware Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 10.1.3.5.1 allows remote attackers to affect integrity via unknown vectors related to Content Server, a different vulnerability than CVE-2015-4867. 2015-10-21 4.3 CVE-2015-4880
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect availability via vectors related to CORBA. 2015-10-21 5.0 CVE-2015-4882
CONFIRM
oracle — e-business_suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality via unknown vectors related to Single Signon. 2015-10-21 5.0 CVE-2015-4884
CONFIRM
oracle — e-business_suite Unspecified vulnerability in the Oracle Report Manager component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Reports Security. 2015-10-21 6.4 CVE-2015-4886
CONFIRM
oracle — peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to ePerformance. 2015-10-21 6.0 CVE-2015-4887
CONFIRM
oracle — database_server Unspecified vulnerability in the Java VM component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2015-4796. 2015-10-21 6.5 CVE-2015-4888
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local users to affect confidentiality, integrity, and availability via vectors related to NSCD. 2015-10-21 4.6 CVE-2015-4891
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4911. 2015-10-21 5.0 CVE-2015-4893
CONFIRM
oracle — database_mobile/lite_server Unspecified vulnerability in the Mobile Server component in Oracle Database Mobile/Lite Server 10.3.0.3, 11.3.0.2, and 12.1.0.0 allows remote authenticated users to affect integrity and availability via unknown vectors. 2015-10-21 4.9 CVE-2015-4894
CONFIRM
oracle — vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.0.34, 4.1.42, 4.2.34, 4.3.32, and 5.0.8 allows remote attackers to affect availability via unknown vectors related to Core. 2015-10-21 5.0 CVE-2015-4896
CONFIRM
oracle — e-business_suite Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote authenticated users to affect integrity via vectors related to Diagnostics and DMZ. 2015-10-21 4.0 CVE-2015-4898
CONFIRM
oracle — fusion_middleware Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 3.0.1 and 3.1.2 allows remote attackers to affect confidentiality via unknown vectors related to Security. 2015-10-21 4.3 CVE-2015-4899
CONFIRM
oracle — database_server Unspecified vulnerability in the XDB – XML Database component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. 2015-10-21 6.5 CVE-2015-4900
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60 allows remote attackers to affect integrity via unknown vectors related to Deployment. 2015-10-21 5.0 CVE-2015-4902
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to RMI. 2015-10-21 5.0 CVE-2015-4903
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to libmysqld. 2015-10-21 4.0 CVE-2015-4904
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via vectors related to Server : DML. 2015-10-21 4.0 CVE-2015-4905
CONFIRM
oracle — javafx Unspecified vulnerability in Oracle Java SE 8u60 and JavaFX 2.2.85 allows remote attackers to affect confidentiality via unknown vectors related to JavaFX, a different vulnerability than CVE-2015-4908 and CVE-2015-4916. 2015-10-21 5.0 CVE-2015-4906
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Solaris Kernel Zones, a different vulnerability than CVE-2015-4820. 2015-10-21 4.6 CVE-2015-4907
CONFIRM
oracle — javafx Unspecified vulnerability in Oracle Java SE 8u60 and JavaFX 2.2.85 allows remote attackers to affect confidentiality via unknown vectors, a different vulnerability than CVE-2015-4906 and CVE-2015-4916. 2015-10-21 5.0 CVE-2015-4908
CONFIRM
oracle — fusion_middleware Unspecified vulnerability in the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.2.4.0, 12.1.2.0.0, and 12.1.3.0.0 allows remote attackers to affect integrity via vectors related to ADF Faces. 2015-10-21 5.0 CVE-2015-4909
CONFIRM
oracle — jdk Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60; Java SE Embedded 8u51; and JRockit R28.3.7 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2015-4803 and CVE-2015-4893. 2015-10-21 5.0 CVE-2015-4911
CONFIRM
oracle — fusion_middleware Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.2.2 and 11.1.2.3 allows remote attackers to affect confidentiality via vectors related to SSO Engine. 2015-10-21 4.3 CVE-2015-4912
CONFIRM
oracle — javafx Unspecified vulnerability in Oracle Java SE 8u60 and JavaFX 2.2.85 allows remote attackers to affect confidentiality via unknown vectors, a different vulnerability than CVE-2015-4906 and CVE-2015-4908. 2015-10-21 5.0 CVE-2015-4916
CONFIRM
owncloud — owncloud The virtual filesystem in ownCloud Server before 6.0.9, 7.0.x before 7.0.7, and 8.0.x before 8.0.5 does not consider that NULL is a valid getPath return value, which allows remote authenticated users to bypass intended access restrictions and gain access to users files via a sharing link to a file with a deleted parent folder. 2015-10-21 4.0 CVE-2015-5954
CONFIRM
DEBIAN
redhat — enterprise_linux The usbvision driver in the Linux kernel package 3.10.0-123.20.1.el7 through 3.10.0-229.14.1.el7 in Red Hat Enterprise Linux (RHEL) 7.1 allows physically proximate attackers to cause a denial of service (panic) via a nonzero bInterfaceNumber value in a USB device descriptor. 2015-10-19 4.9 CVE-2015-7833
MISC
BUGTRAQ
MISC

Low Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
apple — iphone_os Notification Center in Apple iOS before 9.1 mishandles changes to “Show on Lock Screen” settings, which allows physically proximate attackers to obtain sensitive information by looking for a (1) Phone or (2) Messages notification on the lock screen soon after a setting was disabled. 2015-10-23 2.1 CVE-2015-7000
CONFIRM
APPLE
cloudbees — jenkins Directory traversal vulnerability in CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users with certain permissions to read arbitrary files via a symlink, related to building artifacts. 2015-10-16 3.5 CVE-2015-1807
CONFIRM
CONFIRM
REDHAT
cloudbees — jenkins CloudBees Jenkins before 1.600 and LTS before 1.596.1 allows remote authenticated users to cause a denial of service (improper plug-in and tool installation) via crafted update center data. 2015-10-16 3.5 CVE-2015-1808
CONFIRM
CONFIRM
REDHAT
linux — linux_kernel The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel before 4.1.5 allows local users to cause a denial of service (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers permanent file-descriptor allocation. 2015-10-19 2.1 CVE-2015-6252
CONFIRM
CONFIRM
MLIST
CONFIRM
CONFIRM
oracle — enterprise_manager_grid_control Unspecified vulnerability in the Enterprise Manager Ops Center component in Oracle Enterprise Manager Grid Control 12.1.0.1 and 12.2.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Ops Center. 2015-10-21 3.6 CVE-2015-2633
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows local users to affect availability via unknown vectors related to Server : Security : Firewall. 2015-10-21 1.9 CVE-2015-4766
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Privileges. 2015-10-21 3.5 CVE-2015-4791
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition, a different vulnerability than CVE-2015-4802. 2015-10-21 1.7 CVE-2015-4792
CONFIRM
oracle — supply_chain_products_suite Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect integrity via unknown vectors related to Security. 2015-10-21 3.5 CVE-2015-4797
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local users to affect confidentiality via unknown vectors related to Solaris Kernel Zones. 2015-10-21 2.1 CVE-2015-4801
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier, when running on Windows, allows remote authenticated users to affect availability via unknown vectors related to Server : Query Cache. 2015-10-21 3.5 CVE-2015-4807
CONFIRM
oracle — fusion_middleware Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows local users to affect availability via vectors related to Outside In PDF Export SDK, a different vulnerability than CVE-2015-4811. 2015-10-21 1.5 CVE-2015-4809
CONFIRM
oracle — fusion_middleware Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows local users to affect availability via vectors related to Outside In PDF Export SDKutside In PDF Export SDK, a different vulnerability than CVE-2015-4809. 2015-10-21 1.5 CVE-2015-4811
CONFIRM
oracle — fusion_middleware Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.9 allows remote attackers to affect confidentiality via vectors related to OSSL Module. 2015-10-21 2.6 CVE-2015-4812
CONFIRM
oracle — vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 4.0.34, 4.1.42, 4.2.34, 4.3.32, and 5.0.8, when using a Windows guest, allows local users to affect availability via unknown vectors related to Core. 2015-10-21 2.1 CVE-2015-4813
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local users to affect availability via unknown vectors related to Solaris Kernel Zones, a different vulnerability than CVE-2015-4831. 2015-10-21 1.2 CVE-2015-4822
CONFIRM
oracle — hyperion Unspecified vulnerability in the Hyperion Installation Technology component in Oracle Hyperion 11.1.2.3 allows local users to affect confidentiality via unknown vectors related to Essbase Rapid Deploy. 2015-10-21 1.2 CVE-2015-4823
CONFIRM
oracle — supply_chain_products_suite Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 allows remote authenticated users to affect confidentiality via unknown vectors related to Security. 2015-10-21 2.1 CVE-2015-4824
CONFIRM
oracle — peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise FIN Expenses component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Expense Report General. 2015-10-21 3.5 CVE-2015-4825
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Utility/Zones. 2015-10-21 3.7 CVE-2015-4834
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : SP. 2015-10-21 2.8 CVE-2015-4836
CONFIRM
oracle — e-business_suite Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality and integrity via vectors related to SQL Extensions. 2015-10-21 3.6 CVE-2015-4846
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier, and 5.6.26 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB. 2015-10-21 3.5 CVE-2015-4861
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.43 and earlier and 5.6.24 and earlier allows remote authenticated users to affect integrity via unknown vectors related to Server : Security : Privileges. 2015-10-21 3.5 CVE-2015-4864
CONFIRM
oracle — e-business_suite Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 12.1.3, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality via vectors related to Business Objects – BC4J. 2015-10-21 2.1 CVE-2015-4865
CONFIRM
oracle — fusion_middleware Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows local users to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2015-4878. 2015-10-21 1.5 CVE-2015-4877
CONFIRM
oracle — fusion_middleware Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows local users to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2015-4877. 2015-10-21 1.5 CVE-2015-4878
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Replication. 2015-10-21 3.5 CVE-2015-4890
CONFIRM
oracle — supply_chain_products_suite Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 allows remote authenticated users to affect integrity via unknown vectors related to Security, a different vulnerability than CVE-2015-4917. 2015-10-21 3.5 CVE-2015-4892
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.6.25 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB. 2015-10-21 3.5 CVE-2015-4895
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Memcached. 2015-10-21 2.1 CVE-2015-4910
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL Server 5.5.45 and earlier and 5.6.26 and earlier allows remote authenticated users to affect availability via vectors related to Server : DML, a different vulnerability than CVE-2015-4858. 2015-10-21 3.5 CVE-2015-4913
CONFIRM
oracle — fusion_middleware Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 10.1.3.5, 11.1.1.7, 11.1.1.9, 12.1.2.0, and 12.1.3.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Web Listener. 2015-10-21 3.5 CVE-2015-4914
CONFIRM
oracle — supply_chain_products_suite Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 allows remote authenticated users to affect integrity via unknown vectors related to Security, a different vulnerability than CVE-2015-4892. 2015-10-21 3.5 CVE-2015-4917
CONFIRM
owncloud — owncloud Cross-site scripting (XSS) vulnerability in the activity application in ownCloud Server before 7.0.5 and 8.0.x before 8.0.4 allows remote authenticated users to inject arbitrary web script or HTML via a ” (double quote) character in a filename in a shared folder. 2015-10-21 3.5 CVE-2015-5953
CONFIRM
veeam — backup_and_replication VeeamVixProxy in Veeam Backup & Replication (B&R) before 8.0 update 3 stores local administrator credentials in log files with world-readable permissions, which allows local users to obtain sensitive information by reading the files. 2015-10-16 2.1 CVE-2015-5742
CONFIRM
MISC
BUGTRAQ
FULLDISC
MISC

#post-1403 .CPlase_panel {display:none;}

SB15-299 Vulnerability Summary for the Week of October 19th 2015 was originally published on Blogg'n @ ECI

October 27, 2015 - Posted by | ANSI, IT Security, NewsUpdate, NIST, Security Alerts, Security Issues, US-CERT | , , , , , , , , , , , , , , , , , , , , , , , , ,

Sorry, the comment form is closed at this time.