SB15-026: Vulnerability Summary for the Week of January 19, 2015

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


(追記) (追記ここまで)

Title: SB15-026: Vulnerability Summary for the Week of January 19, 2015

NCCIC / US-CERT

National Cyber Awareness System:

01/26/2015 06:12 AM EST

Original release date: January 26, 2015

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor -- Product		DescriptionPublishedCVSS ScoreSource & Patch Info
adb -- p.dga4001n_firmware The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service (device restart) as demonstrated by a direct request to (1) wlsecurity.html or (2) resetrouter.html. 2015年01月21日 9.4 CVE-2015-0554
EXPLOIT-DB
MISC
advantech -- adamview Multiple stack-based buffer overflows in Advantech AdamView 4.3 and earlier allow remote attackers to execute arbitrary code via a crafted (1) display properties or (2) conditional bitmap parameter in a GNI file. 2015年01月20日 7.5 CVE-2014-8386
EXPLOIT-DB
MISC
FULLDISC
arbiter_systems -- 1094b_gps_substation_clock Arbiter 1094B GPS Substation Clock allows remote attackers to cause a denial of service (disruption) via crafted radio transmissions that spoof GPS satellite broadcasts. 2015年01月16日 7.8 CVE-2014-9194
ceragon_fiberair_ip-10 -- - Ceragon FiberAir IP-10 bridges have a default password for the root account, which makes it easier for remote attackers to obtain access via a (1) HTTP, (2) SSH, (3) TELNET, or (4) CLI session. 2015年01月17日 7.8 CVE-2015-0924
ffmpeg -- ffmpeg Use-after-free vulnerability in the matroska_read_seek function in libavformat/matroskadec.c in FFmpeg before 2.5.1, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Matroska file that triggers improper maintenance of tracks data. 2015年01月22日 7.5 CVE-2014-7933
CONFIRM
CONFIRM
ffmpeg -- ffmpeg Multiple off-by-one errors in libavcodec/vorbisdec.c in FFmpeg before 2.4.2, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Vorbis I data. 2015年01月22日 7.5 CVE-2014-7937
ffmpeg -- ffmpeg libavcodec/xface.h in FFmpeg before 2.5.2 establishes certain digits and words array dimensions that do not satisfy a required mathematical relationship, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted X-Face image data. 2015年01月16日 7.5 CVE-2014-9602
CONFIRM
ffmpeg -- ffmpeg The vmd_decode function in libavcodec/vmdvideo.c in FFmpeg before 2.5.2 does not validate the relationship between a certain length value and the frame width, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Sierra VMD video data. 2015年01月16日 7.5 CVE-2014-9603
CONFIRM
ffmpeg -- ffmpeg libavcodec/utvideodec.c in FFmpeg before 2.5.2 does not check for a zero value of a slice height, which allows remote attackers to cause a denial of service (out-of-bounds array access) or possibly have unspecified other impact via crafted Ut Video data, related to the (1) restore_median and (2) restore_median_il functions. 2015年01月16日 7.5 CVE-2014-9604
CONFIRM
ge -- multilink_ml1200 GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier allow remote attackers to cause a denial of service (resource consumption or reboot) via crafted packets. 2015年01月16日 7.8 CVE-2014-5418
gentoo -- libsndfile The sd2_parse_rsrc_fork function in sd2.c in libsndfile allows attackers to have unspecified impact via vectors related to a (1) map offset or (2) rsrc marker, which triggers an out-of-bounds read. 2015年01月16日 10.0 CVE-2014-9496
CONFIRM
CONFIRM
MLIST
SECUNIA
SUSE
gnu -- coreutils The parse_datetime function in GNU coreutils allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted date string, as demonstrated by the "--date=TZ="123"345" @1" string to the touch or date command. 2015年01月16日 7.5 CVE-2014-9471
CONFIRM
MLIST
MLIST
MLIST
SECUNIA
CONFIRM
google -- chrome The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind _expression_, a different vulnerability than CVE-2014-7926. 2015年01月22日 7.5 CVE-2014-7923
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
google -- chrome Use-after-free vulnerability in the WebAudio implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an audio-rendering thread in which AudioNode data is improperly maintained. 2015年01月22日 7.5 CVE-2014-7925
CONFIRM
CONFIRM
CONFIRM
CONFIRM
google -- chrome The Regular Expressions package in International Components for Unicode (ICU) 52 before SVN revision 292944, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via vectors related to a (1) zero-length quantifier or (2) look-behind _expression_, a different vulnerability than CVE-2014-7923. 2015年01月22日 7.5 CVE-2014-7926
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
google -- chrome The SimplifiedLowering::DoLoadBuffer function in compiler/simplified-lowering.cc in Google V8, as used in Google Chrome before 40.0.2214.91, does not properly choose an integer data type, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted _javascript_ code. 2015年01月22日 7.5 CVE-2014-7927
CONFIRM
CONFIRM
google -- chrome hydrogen.cc in Google V8, as used Google Chrome before 40.0.2214.91, does not properly handle arrays with holes, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted _javascript_ code that triggers an array copy. 2015年01月22日 7.5 CVE-2014-7928
CONFIRM
CONFIRM
google -- chrome Use-after-free vulnerability in the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving movement of a SCRIPT element across documents. 2015年01月22日 7.5 CVE-2014-7929
CONFIRM
CONFIRM
google -- chrome Use-after-free vulnerability in core/events/TreeScopeEventContext.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted _javascript_ code that triggers improper maintenance of TreeScope data. 2015年01月22日 7.5 CVE-2014-7930
CONFIRM
CONFIRM
google -- chrome factory.cc in Google V8, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted _javascript_ code that triggers improper maintenance of backing-store pointers. 2015年01月22日 7.5 CVE-2014-7931
CONFIRM
CONFIRM
google -- chrome Use-after-free vulnerability in the Element::detach function in core/dom/Element.cpp in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving pending updates of detached elements. 2015年01月22日 7.5 CVE-2014-7932
CONFIRM
CONFIRM
google -- chrome Use-after-free vulnerability in the DOM implementation in Blink, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to unexpected absence of document data structures. 2015年01月22日 7.5 CVE-2014-7934
CONFIRM
CONFIRM
CONFIRM
google -- chrome Use-after-free vulnerability in browser/speech/tts_message_filter.cc in the Speech implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving utterances from a closed tab. 2015年01月22日 7.5 CVE-2014-7935
CONFIRM
CONFIRM
google -- chrome The Fonts implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. 2015年01月22日 7.5 CVE-2014-7938
google -- chrome The collator implementation in i18n/ucol.cpp in International Components for Unicode (ICU) 52 through SVN revision 293126, as used in Google Chrome before 40.0.2214.91, does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted character sequence. 2015年01月22日 7.5 CVE-2014-7940
google -- chrome The Fonts implementation in Google Chrome before 40.0.2214.91 does not initialize memory for a data structure, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. 2015年01月22日 7.5 CVE-2014-7942
gtk -- gtk+ GTK+ 3.10.9 and earlier, as used in cinnamon-screensaver, gnome-screensaver, and other applications, allows physically proximate attackers to bypass the lock screen by pressing the menu button. 2015年01月16日 7.2 CVE-2014-1949
CONFIRM
CONFIRM
CONFIRM
UBUNTU
MLIST
MLIST
ibm -- sas_connectivity_module_firmware IBM BladeCenter SAS Connectivity Module (aka NSSM) and SAS RAID Module (aka RSSM) before 1.3.3.006 allow remote attackers to cause a denial of service (reboot) via a flood of IP packets. 2015年01月17日 7.8 CVE-2014-3018
XF
ipass -- ipass_open_mobile The client in iPass Open Mobile before 2.4.5 on Windows allows remote authenticated users to execute arbitrary code via a DLL pathname in a crafted Unicode string that is improperly handled by a subprocess reached through a named pipe, as demonstrated by a UNC share pathname. 2015年01月22日 9.0 CVE-2015-0925
juniper -- junos The Juniper MX Series routers with Junos 13.3R3 through 13.3Rx before 13.3R6, 14.1 before 14.1R4, 14.1X50 before 14.1X50-D70, and 14.2 before 14.2R2, when configured as a broadband edge (BBE) router, allows remote attackers to cause a denial of service (jpppd crash and restart) by sending a crafted PAP Authenticate-Request after the PPPoE Discovery and LCP phase are complete. 2015年01月16日 7.1 CVE-2014-6382
BID
juniper -- junos Juniper Junos 11.4 before 11.4R8, 12.1X44 before 12.1X44-D35, 12.1X45 before 12.1X45-D25, 12.1X46 before 12.1X46-D20, 12.1X47 before 12.1X47-D10, 12.2 before 12.2R9, 12.3R2 before 12.3R2-S3, 12.3 before 12.3R3, 13.1 before 13.1R4, and 13.2 before 13.2R1 allows remote attackers to cause a denial of service (assertion failure and rpd restart) via a crafted BGP FlowSpec prefix. 2015年01月16日 7.8 CVE-2014-6386
SECTRACK
BID
libpng -- libpng Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495. 2015年01月18日 7.5 CVE-2015-0973
MLIST
MLIST
MISC
MLIST
macroplant -- iexplorer Untrusted search path vulnerability in Macroplant iExplorer 3.6.3.0 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse itunesmobiledevice.dll. 2015年01月16日 7.2 CVE-2014-9600
XF
MISC
oracle -- oracle_and_sun_systems_product_suite Unspecified vulnerability in the Solaris Cluster component in Oracle Sun Systems Products Suite 3.3 and 4.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to System management. 2015年01月21日 9.0 CVE-2014-4259
oracle -- jdk Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. 2015年01月21日 10.0 CVE-2014-6549
oracle -- jd_edwards_products Unspecified vulnerability in the JD Edwards EnterpriseOne Tools component in Oracle JD Edwards Products 9.1.5 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Portal SEC. 2015年01月21日 7.5 CVE-2014-6565
oracle -- database_server Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher's claim that this is a stack-based buffer overflow in DBMS_AW.EXECUTE, which allows code execution via a long Current Directory Alias (CDA) command. 2015年01月21日 9.0 CVE-2014-6567
MISC
oracle -- jdk Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. 2015年01月21日 10.0 CVE-2014-6601
oracle -- jdk Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. 2015年01月21日 9.3 CVE-2015-0395
oracle -- fusion_middleware Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 3.0.1 and 3.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Admin Console. 2015年01月21日 7.5 CVE-2015-0396
oracle -- jdk Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. 2015年01月21日 10.0 CVE-2015-0408
CONFIRM
oracle -- mysql Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption. 2015年01月21日 7.5 CVE-2015-0411
oracle -- jdk Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS. 2015年01月21日 7.2 CVE-2015-0412
oracle -- integrated_lights_out_manager_firmware Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite ILOM prior to 3.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to IPMI. 2015年01月21日 7.5 CVE-2015-0424
oracle -- jdk Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot. 2015年01月21日 9.3 CVE-2015-0437
pheonixcontact-software -- multiprog Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic. 2015年01月16日 7.5 CVE-2014-9195
redhat -- cloudforms_3.1_management_engine The customization template in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 uses a default password for the root account when a password is not specified for a new image, which allows remote attackers to gain privileges. 2015年01月16日 10.0 CVE-2014-3692
SECUNIA
samba -- samba Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before 4.2rc4, when an Active Directory Domain Controller (AD DC) is configured, allows remote authenticated users to set the LDB userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by leveraging delegation of authority for user-account or computer-account creation. 2015年01月16日 8.5 CVE-2014-8143
sap -- hana_extend_application_services The Extended Application Services (XS) in SAP HANA allows remote attackers to inject arbitrary ABAP code via unspecified vectors, aka SAP Note 2098906. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 2015年01月22日 10.0 CVE-2015-1311
MISC
sap -- enterprise_resource_planning The Dealer Portal in SAP ERP does not properly restrict access, which allows remote attackers to obtain sensitive information, gain privileges, and possibly have other unspecified impact via unknown vectors, aka SAP Note 2000401. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 2015年01月22日 7.5 CVE-2015-1312
MISC
siemens -- scalance_x-300_series_firmware The web server on Siemens SCALANCE X-300 switches with firmware before 4.0 and SCALANCE X 408 switches with firmware before 4.0 allows remote attackers to cause a denial of service (reboot) via malformed HTTP requests. 2015年01月21日 7.8 CVE-2014-8478
sun -- sunos Unspecified vulnerability in Oracle Solaris 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Power Management Utility. 2015年01月21日 7.2 CVE-2014-6510
sun -- sunos Unspecified vulnerability in Oracle Solaris 10 allows local users to affect confidentiality, integrity, and availability via vectors related to CDE - Power Management Utility. 2015年01月21日 7.2 CVE-2014-6521
sun -- sunos Unspecified vulnerability in Oracle Solaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Kernel. 2015年01月21日 7.2 CVE-2014-6524
sybase -- adaptive_server_enterprise SQL injection vulnerability in SAP Adaptive Server Enterprise (Sybase ASE) allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Note 2113333. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 2015年01月22日 7.5 CVE-2015-1310
MISC
symantec -- critical_system_protection The Agent Control Interface in the management server in Symantec Critical System Protection (SCSP) 5.2.9 before MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x before 6.0 MP1 allows remote authenticated users to execute arbitrary commands by leveraging client-system access to upload a log file. 2015年01月21日 9.0 CVE-2014-3440
BID
symantec -- critical_system_protection The management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows local users to bypass intended Protection Policies via unspecified vectors. 2015年01月21日 7.2 CVE-2014-9226
BID
web-dorado -- photo_gallery SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php. 2015年01月16日 7.5 CVE-2015-1055
BID
FULLDISC
Back to top

Medium Vulnerabilities

Primary
Vendor -- Product		DescriptionPublishedCVSS ScoreSource & Patch Info
7-zip -- p7zip p7zip 9.20.1 allows remote attackers to write to arbitrary files via a symlink attack in an archive. 2015年01月21日 5.8 CVE-2015-1038
MISC
MISC
XF
BID
MLIST
apache -- xml_security Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document. 2015年01月21日 5.0 CVE-2014-8152
XF
SECTRACK
BID
MLIST
b2evolution -- b2evolution Cross-site scripting (XSS) vulnerability in the filemanager in b2evolution before 5.2.1 allows remote attackers to inject arbitrary web script or HTML via the fm_filter parameter to blogs/admin.php. 2015年01月16日 4.3 CVE-2014-9599
CONFIRM
XF
BID
MISC
MISC
FULLDISC
MISC
brother -- mfc-j4410dw Cross-site scripting (XSS) vulnerability in Brother MFC-J4410DW printer with firmware before L allows remote attackers to inject arbitrary web script or HTML via the url parameter to general/status.html and possibly other pages. 2015年01月16日 4.3 CVE-2015-1056
XF
BID
BUGTRAQ
MISC
cagintranetworks -- getsimple_cms XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter. 2015年01月20日 5.0 CVE-2014-8790
CONFIRM
FULLDISC
MISC
MISC
CONFIRM
cisco -- unified_communications_manager Absolute path traversal vulnerability in the Real-Time Monitoring Tool (RTMT) API in Cisco Unified Communications Manager (CUCM) allows remote authenticated users to read arbitrary files via a full pathname in an API command, aka Bug ID CSCur49414. 2015年01月22日 6.8 CVE-2014-8008
cisco -- webex_meeting_center Cisco WebEx Meeting Center allows remote attackers to activate disabled meeting attributes, and consequently obtain sensitive information, by providing crafted parameters during a meeting-join action, aka Bug ID CSCuo34165. 2015年01月17日 5.0 CVE-2015-0590
clorius_controls_a/s -- java_web_client The Clorius Controls Java web client before 01.00.0009g allows remote attackers to discover credentials by sniffing the network for cleartext-equivalent traffic. 2015年01月16日 5.0 CVE-2014-9199
croogo -- croogo Cross-site scripting (XSS) vulnerability in the administrative backend in Croogo before 2.2.1 allows remote attackers to inject arbitrary web script or HTML via the path parameter to admin/file_manager/file_manager/editfile. 2015年01月16日 4.3 CVE-2015-1053
CONFIRM
XF
BID
MISC
MISC
FULLDISC
MISC
debian -- dpkg Multiple format string vulnerabilities in the parse_error_msg function in parsehelp.c in dpkg before 1.17.22 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the (1) package or (2) architecture name. 2015年01月20日 6.8 CVE-2014-8625
CONFIRM
CONFIRM
XF
MLIST
MLIST
MLIST
djangoproject -- django Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 allows remote attackers to spoof WSGI headers by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X-Auth_User header. 2015年01月16日 5.0 CVE-2015-0219
SECUNIA
SECUNIA
djangoproject -- django The django.util.http.is_safe_url function in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 does not properly handle leading whitespaces, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL, related to redirect URLs, as demonstrated by a "\njavascript:" URL. 2015年01月16日 4.3 CVE-2015-0220
UBUNTU
SECUNIA
SECUNIA
djangoproject -- django The django.views.static.serve view in Django before 1.4.18, 1.6.x before 1.6.10, and 1.7.x before 1.7.3 reads files an entire line at a time, which allows remote attackers to cause a denial of service (memory consumption) via a long line in a file. 2015年01月16日 5.0 CVE-2015-0221
SECUNIA
SECUNIA
djangoproject -- django ModelMultipleChoiceField in Django 1.6.x before 1.6.10 and 1.7.x before 1.7.3, when show_hidden_initial is set to True, allows remote attackers to cause a denial of service by submitting duplicate values, which triggers a large number of SQL queries. 2015年01月16日 5.0 CVE-2015-0222
SECUNIA
SECUNIA
e107 -- e107 Cross-site scripting (XSS) vulnerability in usersettings.php in e107 2.0.0 allows remote attackers to inject arbitrary web script or HTML via the "Real Name" value. 2015年01月16日 4.3 CVE-2015-1057
XF
EXPLOIT-DB
OSVDB
emc -- vipr_srm EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 might allow remote attackers to obtain cleartext data-center discovery credentials by leveraging certain SRM access to conduct a decryption attack. 2015年01月21日 5.0 CVE-2015-0514
BUGTRAQ
emc -- vipr_srm Unrestricted file upload vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to execute arbitrary code by uploading and then accessing an executable file. 2015年01月21日 6.5 CVE-2015-0515
BUGTRAQ
emc -- vipr_srm Directory traversal vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to read arbitrary files via a crafted URL. 2015年01月21日 4.0 CVE-2015-0516
BUGTRAQ
file_project -- file The ELF parser in file 5.08 through 5.21 allows remote attackers to cause a denial of service via a large number of notes. 2015年01月21日 5.0 CVE-2014-9620
CONFIRM
MLIST
DEBIAN
MLIST
file_project -- file The ELF parser in file 5.16 through 5.21 allows remote attackers to cause a denial of service via a long string. 2015年01月21日 5.0 CVE-2014-9621
CONFIRM
MLIST
MLIST
ge -- intelligent_platforms_proficy_hmi/scada_cimplicity The (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIMPLICITY 8.2 and earlier allow remote attackers to gain privileges via a crafted CIMPLICITY screen (aka .CIM) file. 2015年01月16日 6.9 CVE-2014-2355
ge -- multilink_ml1200 GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier use the same RSA private key across different customers' installations, which makes it easier for remote attackers to obtain the cleartext content of network traffic by reading this key from a firmware image and then sniffing the network. 2015年01月16日 5.0 CVE-2014-5419
gentoo -- xdg-utils Eval injection vulnerability in xdg-utils 1.1.0 RC1, when no supported desktop environment is identified, allows context-dependent attackers to execute arbitrary code via the URL argument to xdg-open. 2015年01月21日 6.8 CVE-2014-9622
CONFIRM
CONFIRM
MLIST
DEBIAN
SECUNIA
FULLDISC
getsentry -- raven-ruby The numtok function in lib/raven/okjson.rb in the raven-ruby gem before 0.12.2 for Ruby allows remote attackers to cause a denial of service via a large exponent value in a scientific number. 2015年01月20日 5.0 CVE-2014-9490
CONFIRM
CONFIRM
XF
MLIST
getusedtoit -- wp_slimstat Cross-site scripting (XSS) vulnerability in the Save Filters functionality in the WP Slimstat plugin before 3.9.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via the fs[resource] parameter in the wp-slim-view-2 page to wp-admin/admin.php. 2015年01月21日 4.3 CVE-2015-1204
MISC
CONFIRM
SECUNIA
gnu -- patch GNU patch 2.7.1 allows remote attackers to write to arbitrary files via a symlink attack in a patch file. 2015年01月21日 4.3 CVE-2015-1196
CONFIRM
CONFIRM
XF
BID
MLIST
CONFIRM
google -- chrome Use-after-free vulnerability in the IndexedDB implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact by triggering duplicate BLOB references, related to content/browser/indexed_db/indexed_db_callbacks.cc and content/browser/indexed_db/indexed_db_dispatcher_host.cc. 2015年01月22日 5.0 CVE-2014-7924
CONFIRM
CONFIRM
google -- chrome Use-after-free vulnerability in the ZoomBubbleView::Close function in browser/ui/views/location_bar/zoom_bubble_view.cc in the Views implementation in Google Chrome before 40.0.2214.91 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted document that triggers improper maintenance of a zoom bubble. 2015年01月22日 6.8 CVE-2014-7936
CONFIRM
CONFIRM
google -- chrome Google Chrome before 40.0.2214.91, when the Harmony proxy in Google V8 is enabled, allows remote attackers to bypass the Same Origin Policy via crafted _javascript_ code with Proxy.create and console.log calls, related to HTTP responses that lack an "X-Content-Type-Options: nosniff" header. 2015年01月22日 4.3 CVE-2014-7939
google -- chrome The SelectionOwner::ProcessTarget function in ui/base/x/selection_owner.cc in the UI implementation in Google Chrome before 40.0.2214.91 uses an incorrect data type for a certain length value, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted X11 data. 2015年01月22日 5.0 CVE-2014-7941
google -- chrome Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. 2015年01月22日 5.0 CVE-2014-7943
CONFIRM
google -- chrome The sycc422_to_rgb function in fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 40.0.2214.91, does not properly handle odd values of image width, which allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document. 2015年01月22日 5.0 CVE-2014-7944
google -- chrome OpenJPEG before r2908, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, and t2.c. 2015年01月22日 5.0 CVE-2014-7945
google -- chrome The RenderTable::simplifiedNormalFlowLayout function in core/rendering/RenderTable.cpp in Blink, as used in Google Chrome before 40.0.2214.91, skips captions during table layout in certain situations, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors related to the Fonts implementation. 2015年01月22日 5.0 CVE-2014-7946
CONFIRM
google -- chrome OpenJPEG before r2944, as used in PDFium in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PDF document, related to j2k.c, jp2.c, pi.c, t1.c, t2.c, and tcd.c. 2015年01月22日 5.0 CVE-2014-7947
google -- chrome The AppCacheUpdateJob::URLFetcher::OnResponseStarted function in content/browser/appcache/appcache_update_job.cc in Google Chrome before 40.0.2214.91 proceeds with AppCache caching for SSL sessions even if there is an X.509 certificate error, which allows man-in-the-middle attackers to spoof HTML5 application content via a crafted certificate. 2015年01月22日 4.3 CVE-2014-7948
ibm -- sas_connectivity_module_firmware IBM BladeCenter SAS Connectivity Module (aka NSSM) and SAS RAID Module (aka RSSM) before 1.3.3.006 allow remote attackers to obtain blade and storage-pool access via a TELNET session. 2015年01月17日 5.0 CVE-2014-3019
XF
ibm -- api_management IBM API Management 3.0 before 3.0.4.0 IF1 allows remote attackers to obtain sensitive analytics information in an encrypted form via unspecified vectors. 2015年01月21日 5.0 CVE-2014-6172
XF
AIXAPAR
ibm -- security_network_protection_xgs_firmware IBM Security Network Protection 5.1.x and 5.2.x before 5.2.0.0 FP5 and 5.3.x before 5.3.0.0 FP1 allows remote attackers to conduct clickjacking attacks via unspecified vectors. 2015年01月17日 4.3 CVE-2014-6197
XF
illumos -- illumos The devzvol_readdir function in illumos does not check the return value of a strchr call, which allows remote attackers to cause a denial of service (NULL pointer dereference and panic) via unspecified vectors. 2015年01月20日 5.0 CVE-2014-9491
CONFIRM
CONFIRM
XF
MLIST
insanevisions -- adaptcms Multiple cross-site scripting (XSS) vulnerabilities in AdaptCMS 3.0.3 allow remote attackers to inject arbitrary web script or HTML via the (1) data[Category][title] parameter to admin/categories/add, (2) data[Field][title] parameter to admin/fields/ajax_fields/, (3) name property in a basicInfo JSON object to admin/tools/create_theme, (4) data[Link][link_title] parameter to admin/links/links/add, or (5) data[ForumTopic][subject] parameter to forums/off-topic/new. 2015年01月16日 4.3 CVE-2015-1058
XF
MISC
EXPLOIT-DB
MISC
OSVDB
OSVDB
OSVDB
OSVDB
OSVDB
insanevisions -- adaptcms Unrestricted file upload vulnerability in admin/files/add in AdaptCMS 3.0.3 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in /app/webroot/uploads. 2015年01月16日 6.5 CVE-2015-1059
MISC
XF
EXPLOIT-DB
MISC
OSVDB
insanevisions -- adaptcms Open redirect vulnerability in lib/Cake/Controller/Controller.php in AdaptCMS 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header. 2015年01月16日 5.8 CVE-2015-1060
XF
MISC
EXPLOIT-DB
MISC
OSVDB
juniper -- junos The stateless firewall in Juniper Junos 13.3R3, 14.1R1, and 14.1R2, when using Trio-based PFE modules, does not properly match ports, which might allow remote attackers to bypass firewall rule. 2015年01月16日 5.0 CVE-2014-6383
SECTRACK
BID
juniper -- junos Juniper Junos 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D25, 12.1X47 before 12.1X47-D15, 12.3 before 12.3R9, 13.1 before 13.1R4-S3, 13.2 before 13.2R6, 13.3 before 13.3R5, 14.1 before 14.1R3, and 14.2 before 14.2R1 does not properly handle double quotes in authorization attributes in the TACACS+ configuration, which allows local users to bypass the security policy and execute commands via unspecified vectors. 2015年01月16日 6.9 CVE-2014-6384
SECTRACK
BID
juniper -- junos Juniper Junos 11.4 before 11.4R13, 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 before 12.1X47-D15, 12.2 before 12.2R9, 12.3R7 before 12.3R7-S1, 12.3 before 12.3R8, 13.1 before 13.1R5, 13.2 before 13.2R6, 13.3 before 13.3R4, 14.1 before 14.1R2, and 14.2 before 14.2R1 allows remote attackers to cause a denial of service (kernel crash and restart) via a crafted fragmented OSPFv3 packet with an IPsec Authentication Header (AH). 2015年01月16日 6.1 CVE-2014-6385
BID
kde -- kde_applications kwalletd in KWallet before KDE Applications 14.12.0 uses Blowfish with ECB mode instead of CBC mode when encrypting the password store, which makes it easier for attackers to guess passwords via a codebook attack. 2015年01月18日 5.0 CVE-2013-7252
CONFIRM
BID
MLIST
MLIST
MISC
kgb_project -- kgb Absolute path traversal vulnerability in kgb 1.0b4 allows remote attackers to write to arbitrary files via a full pathname in a crafted archive. 2015年01月21日 5.0 CVE-2015-1192
MISC
BID
MLIST
SECUNIA
kiwix -- kiwix Cross-site scripting (XSS) vulnerability in Kiwix before 0.9.1, when using kiwix-serve, allows remote attackers to inject arbitrary web script or HTML via the pattern parameter to /search. 2015年01月21日 4.3 CVE-2015-1032
BUGTRAQ
CONFIRM
MISC
MISC
libtiff -- libtiff Integer overflow in tif_packbits.c in bmp2tif in libtiff 4.0.3 allows remote attackers to cause a denial of service (crash) via crafted BMP image, related to dimensions, which triggers an out-of-bounds read. 2015年01月20日 5.0 CVE-2014-9330
SECTRACK
FULLDISC
CONFIRM
mediawiki -- mediawiki MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/." 2015年01月16日 5.0 CVE-2014-9476
CONFIRM
MLIST
MLIST
mediawiki -- mediawiki Multiple cross-site scripting (XSS) vulnerabilities in the Listings extension for MediaWiki allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) url parameter. 2015年01月16日 4.3 CVE-2014-9477
CONFIRM
MLIST
MLIST
mediawiki -- mediawiki Cross-site scripting (XSS) vulnerability in the preview in the TemplateSandbox extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via the text parameter to Special:TemplateSandbox. 2015年01月16日 4.3 CVE-2014-9479
CONFIRM
MLIST
MLIST
mediawiki -- mediawiki Cross-site scripting (XSS) vulnerability in the Hovercards extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors related to text extracts. 2015年01月16日 4.3 CVE-2014-9480
CONFIRM
MLIST
MLIST
openstack -- image_registry_and_delivery_service_(glance) The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014年1月4日 and 2014.2.x before 2014年2月2日 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493. 2015年01月21日 6.5 CVE-2015-1195
CONFIRM
MLIST
MLIST
SECUNIA
MLIST
oracle -- fusion_middleware Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2013-0338, CVE-2013-2877, and CVE-2015-0386. 2015年01月21日 4.3 CVE-2014-0191
oracle -- oracle_and_sun_systems_product_suite Unspecified vulnerability in the Solaris Cluster component in Oracle Sun Systems Products Suite 3.3 and 4.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to System management. 2015年01月21日 6.5 CVE-2014-6480
oracle -- database_server Unspecified vulnerability in the PL/SQL component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality via unknown vectors. 2015年01月21日 4.0 CVE-2014-6514
oracle -- fusion_middleware Unspecified vulnerability in the Oracle Directory Server Enterprise Edition component in Oracle Fusion Middleware 7.0 allows remote attackers to affect integrity via unknown vectors related to Admin Console. 2015年01月21日 4.3 CVE-2014-6526
oracle -- siebel_crm Unspecified vulnerability in the Siebel Core - System Management component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Server Infrastructure. 2015年01月21日 4.0 CVE-2014-6528
oracle -- database_server Unspecified vulnerability in the Recovery component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2, when running on Windows, allows remote authenticated users to affect confidentiality via vectors related to DBMS_IR. 2015年01月21日 6.3 CVE-2014-6541
oracle -- fusion_middleware Unspecified vulnerability in the Oracle SOA Suite component in Oracle Fusion Middleware 11.1.1.7 allows local users to affect confidentiality, integrity, and availability via vectors related to B2B Engine. 2015年01月21日 4.6 CVE-2014-6548
oracle -- e-business_suite Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to AD_DDL. 2015年01月21日 4.6 CVE-2014-6556
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 allows remote authenticated users to affect integrity via unknown vectors related to Portal. 2015年01月21日 4.0 CVE-2014-6566
oracle -- fusion_middleware Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.0.2.0, 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect confidentiality via vectors related to CIE Related Components. 2015年01月21日 5.0 CVE-2014-6569
oracle -- fusion_middleware Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2011-1944. 2015年01月21日 6.8 CVE-2014-6571
oracle -- e-business_suite Unspecified vulnerability in the Oracle Customer Interaction History component in Oracle E-Business Suite 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and integrity via unknown vectors related to List of Values. 2015年01月21日 6.4 CVE-2014-6572
oracle -- enterprise_manager_grid_control Unspecified vulnerability in the Enterprise Manager Ops Center component in Oracle Enterprise Manager Grid Control 11.1.3 and 12.1.4 allows remote attackers to affect integrity via unknown vectors related to User Interface Framework. 2015年01月21日 4.3 CVE-2014-6573
oracle -- supply_chain_products_suite Unspecified vulnerability in the Oracle Agile PLM for Process component in Oracle Supply Chain Products Suite 6.1.0.3 allows remote attackers to affect integrity via unknown vectors related to Testing Protocol Library. 2015年01月21日 4.3 CVE-2014-6574
oracle -- fusion_middleware Unspecified vulnerability in the Oracle Adaptive Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to OAM Integration. 2015年01月21日 5.5 CVE-2014-6576
oracle -- database_server Unspecified vulnerability in the XML Developer's Kit for C component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the original researcher's claim that this is an XML external entity (XXE) vulnerability in the XML parser, which allows attackers to conduct internal port scanning, perform SSRF attacks, or cause a denial of service via a crafted (1) http: or (2) ftp: URI. 2015年01月21日 6.8 CVE-2014-6577
MISC
oracle -- database_server Unspecified vulnerability in the Workspace Manager component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to SDO_TOPO and WMSYS.LT. 2015年01月21日 6.5 CVE-2014-6578
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect confidentiality via unknown vectors related to Integration Broker. 2015年01月21日 4.0 CVE-2014-6579
oracle -- fusion_middleware Unspecified vulnerability in the Oracle Reports Developer component in Oracle Fusion Middleware 11.1.1.7 and 11.1.2.2 allows remote attackers to affect integrity via unknown vectors. 2015年01月21日 4.3 CVE-2014-6580
oracle -- e-business_suite Unspecified vulnerability in the Oracle Customer Intelligence component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Extract/Load Programs. 2015年01月21日 6.4 CVE-2014-6581
oracle -- e-business_suite Unspecified vulnerability in the Oracle HCM Configuration Workbench component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality via unknown vectors related to Rapid Implementation. 2015年01月21日 5.0 CVE-2014-6582
oracle -- e-business_suite Unspecified vulnerability in the Oracle Marketing component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, and 12.1.3. allows remote attackers to affect confidentiality and integrity via unknown vectors related to Audience. 2015年01月21日 6.4 CVE-2014-6583
oracle -- integrated_lights_out_manager_firmware Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite ILOM before 3.2.4 allows remote authenticated users to affect confidentiality via unknown vectors related to Backup Restore. 2015年01月21日 4.0 CVE-2014-6584
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Time and Labor. 2015年01月21日 5.5 CVE-2014-6586
oracle -- jdk Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Libraries. 2015年01月21日 4.3 CVE-2014-6587
oracle -- jdk Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE. 2015年01月21日 4.0 CVE-2014-6593
oracle -- ilearning Unspecified vulnerability in the Oracle iLearning component in Oracle iLearning 6.0 and 6.1 allows remote attackers to affect confidentiality via unknown vectors related to Learner Pages. 2015年01月21日 4.3 CVE-2014-6594
oracle -- siebel_crm Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via unknown vectors related to Portal Framework. 2015年01月21日 4.3 CVE-2014-6596
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52, 8.53, and 8.54 allows remote authenticated users to affect integrity via vectors related to PIA Core Technology. 2015年01月21日 4.0 CVE-2014-6597
oracle -- fusion_middleware Unspecified vulnerability in the BI Publisher (formerly XML Publisher) component in Oracle Fusion Middleware 11.1.1.7 allows remote attackers to affect confidentiality via unknown vectors related to BI Publisher Security. 2015年01月21日 5.0 CVE-2015-0362
oracle -- siebel_crm Unspecified vulnerability in the Siebel Core EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect availability via unknown vectors related to Integration Business Services. 2015年01月21日 4.0 CVE-2015-0363
oracle -- siebel_crm Unspecified vulnerability in the Siebel Core - Server Infrastructure component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Security. 2015年01月21日 4.3 CVE-2015-0365
oracle -- siebel_crm Unspecified vulnerability in the Siebel Core - EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Java Integration. 2015年01月21日 5.0 CVE-2015-0366
oracle -- fusion_middleware Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to affect integrity via vectors related to SSO Engine. 2015年01月21日 5.0 CVE-2015-0367
oracle -- supply_chain_products_suite Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote attackers to affect availability via unknown vectors related to Security. 2015年01月21日 5.0 CVE-2015-0368
oracle -- siebel_crm Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via unknown vectors related to AX/HI Web UI. 2015年01月21日 4.3 CVE-2015-0369
oracle -- database_server Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect integrity and availability via unknown vectors. 2015年01月21日 4.9 CVE-2015-0371
oracle -- fusion_middleware Unspecified vulnerability in the Oracle Containers for J2EE component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect confidentiality via unknown vectors. 2015年01月21日 5.0 CVE-2015-0372
oracle -- database_server Unspecified vulnerability in the OJVM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. 2015年01月21日 6.5 CVE-2015-0373
oracle -- fusion_middleware Unspecified vulnerability in the Oracle WebCenter Content component in Oracle Fusion Middleware 11.1.1.8.0 allows remote attackers to affect integrity via unknown vectors related to Content Server. 2015年01月21日 4.3 CVE-2015-0376
oracle -- vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, and 4.2.28 allows local users to affect availability via unknown vectors related to Core, a different vulnerability than CVE-2015-0418. 2015年01月21日 4.4 CVE-2015-0377
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.54 allows remote attackers to affect integrity via vectors related to PIA Core Technology. 2015年01月21日 4.3 CVE-2015-0379
oracle -- e-business_suite Unspecified vulnerability in the Oracle Telecommunications Billing Integrator component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via unknown vectors related to OA Based UI for Bill Summary. 2015年01月21日 4.3 CVE-2015-0380
oracle -- mysql Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0382. 2015年01月21日 4.3 CVE-2015-0381
oracle -- mysql Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote attackers to affect availability via unknown vectors related to Server : Replication, a different vulnerability than CVE-2015-0381. 2015年01月21日 4.3 CVE-2015-0382
oracle -- jdk Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows local users to affect integrity and availability via unknown vectors related to Hotspot. 2015年01月21日 5.4 CVE-2015-0383
oracle -- fusion_middleware Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.7.0, 12.1.2.0, and 12.1.3.0 allows remote attackers to affect availability via unknown vectors related to Web Listener, a different vulnerability than CVE-2013-0338, CVE-2013-2877, and CVE-2014-0191. 2015年01月21日 4.3 CVE-2015-0386
oracle -- siebel_crm Unspecified vulnerability in the Siebel Core - Server OM Services component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via vectors related to Security - LDAP Security Adapter. 2015年01月21日 4.0 CVE-2015-0387
oracle -- siebel_crm Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Portal Framework, a different vulnerability than CVE-2015-0417. 2015年01月21日 4.0 CVE-2015-0388
oracle -- retail_applications_xstore Unspecified vulnerability in the MICROS Retail component in Oracle Retail Applications Xstore: 3.2.1, 3.4.2, 3.5.0, 4.0.1, 4.5.1, 4.8.0, 5.0.3, 5.5.3, 6.0.6, and 6.5.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Xstore Point of Sale. 2015年01月21日 6.8 CVE-2015-0390
oracle -- mysql Unspecified vulnerability in Oracle MySQL Server 5.5.38 and earlier, and 5.6.19 and earlier, allows remote authenticated users to affect availability via vectors related to DDL. 2015年01月21日 4.0 CVE-2015-0391
oracle -- siebel_crm Unspecified vulnerability in the Siebel Core - Server BizLogic Script component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Config - Scripting. 2015年01月21日 4.6 CVE-2015-0392
oracle -- e-business_suite Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to DB Privileges. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher's claim that the PUBLIC role is granted the INDEX privilege for the DUAL table during a "seeded install," which allows remote authenticated users to gain SYSDBA privileges and execute arbitrary code. 2015年01月21日 6.0 CVE-2015-0393
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52 and 8.53 allows remote authenticated users to affect confidentiality via unknown vectors related to Report Distribution. 2015年01月21日 4.0 CVE-2015-0394
oracle -- siebel_crm Unspecified vulnerability in the Siebel Life Sciences component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Clinical Trip Report. 2015年01月21日 4.0 CVE-2015-0398
oracle -- fusion_middleware Unspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 10.1.3.4.2 and 11.1.1.7 allows remote authenticated users to affect confidentiality via unknown vectors related to Analytics Web General. 2015年01月21日 4.0 CVE-2015-0399
oracle -- jdk Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Libraries. 2015年01月21日 5.0 CVE-2015-0400
oracle -- fusion_middleware Unspecified vulnerability in the Oracle Directory Server Enterprise Edition component in Oracle Fusion Middleware 7.0 and 11.1.1.7 allows remote authenticated users to affect integrity via unknown vectors related to Admin Console. 2015年01月21日 4.0 CVE-2015-0401
oracle -- siebel_crm Unspecified vulnerability in the Siebel Core - Server BizLogic Script component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect integrity via vectors related to Integration - COM. 2015年01月21日 4.3 CVE-2015-0402
oracle -- jdk Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment. 2015年01月21日 6.9 CVE-2015-0403
oracle -- e-business_suite Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote attackers to affect integrity via unknown vectors related to Error Messages. 2015年01月21日 4.3 CVE-2015-0404
oracle -- jdk Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality and availability via unknown vectors related to Deployment. 2015年01月21日 5.8 CVE-2015-0406
oracle -- jdk Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to Swing. 2015年01月21日 5.0 CVE-2015-0407
oracle -- mysql Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. 2015年01月21日 4.0 CVE-2015-0409
oracle -- jdk Unspecified vulnerability in the Java SE, Java SE Embedded, JRockit component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit R27.8.4 and R28.3.4 allows remote attackers to affect availability via unknown vectors related to Security. 2015年01月21日 5.0 CVE-2015-0410
oracle -- e-business_suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3 allows remote authenticated users to affect integrity via unknown vectors related to Session Management. 2015年01月21日 4.0 CVE-2015-0415
oracle -- siebel_crm Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Portal Framework, a different vulnerability than CVE-2015-0388. 2015年01月21日 4.0 CVE-2015-0417
oracle -- siebel_crm Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Portal Framework. 2015年01月21日 4.3 CVE-2015-0419
oracle -- fusion_middleware Unspecified vulnerability in the Oracle Forms component in Oracle Fusion Middleware 11.1.1.7 and 11.1.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Forms Services. 2015年01月21日 4.3 CVE-2015-0420
oracle -- jdk Unspecified vulnerability in Oracle Java SE 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the installation process. 2015年01月21日 6.9 CVE-2015-0421
oracle -- supply_chain_products_suite Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote authenticated users to affect confidentiality via unknown vectors related to UI Infrastructure. 2015年01月21日 4.0 CVE-2015-0422
oracle -- siebel_crm Unspecified vulnerability in the Oracle Enterprise Asset Management component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote attackers to affect confidentiality via unknown vectors related to Siebel Core - Unix/Windows. 2015年01月21日 4.3 CVE-2015-0425
oracle -- enterprise_manager_grid_control Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control 12.1.0.3 and 12.1.0.4 allows remote attackers to affect confidentiality via unknown vectors related to UI Framework. 2015年01月21日 5.0 CVE-2015-0426
oracle -- supply_chain_products_suite Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0 6.3.1, 6.3.2, 6.3.4, and 6.3.5 allows remote attackers to affect integrity via unknown vectors related to UI Infrastructure. 2015年01月21日 4.3 CVE-2015-0431
oracle -- mysql Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DDL : Foreign Key. 2015年01月21日 4.0 CVE-2015-0432
oracle -- fusion_middleware Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to affect confidentiality via vectors related to Integration with OAM. 2015年01月21日 4.3 CVE-2015-0434
oracle -- supply_chain_products_suite Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote authenticated users to affect confidentiality via unknown vectors related to Security. 2015年01月21日 6.8 CVE-2015-0435
oracle -- ilearning Unspecified vulnerability in the Oracle iLearning component in Oracle iLearning 6.0 and 6.1 allows remote attackers to affect confidentiality via unknown vectors related to Login. 2015年01月21日 4.3 CVE-2015-0436
pax_project -- pax Multiple directory traversal vulnerabilities in pax 1:20140703 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive. 2015年01月21日 5.0 CVE-2015-1193
MISC
MLIST
pax_project -- pax pax 1:20140703 allows remote attackers to write to arbitrary files via a symlink attack in an archive. 2015年01月21日 4.3 CVE-2015-1194
MISC
MLIST
pivotal_software -- rabbitmq RabbitMQ before 3.4.0 allows remote attackers to bypass the loopback_users restriction via a crafted X-Forwareded-For header. 2015年01月20日 5.0 CVE-2014-9494
CONFIRM
XF
MLIST
privoxy -- privoxy Memory leak in the rfc2553_connect_to function in jbsocket.c in Privoxy before 3.0.22 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests that are rejected because the socket limit is reached. 2015年01月20日 5.0 CVE-2015-1030
MLIST
SECUNIA
privoxy -- privoxy Privoxy before 3.0.22 allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. 2015年01月20日 5.0 CVE-2015-1201
SECUNIA
puppetlabs -- stdlib The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlier allows remote authenticated users to gain privileges or obtain sensitive information by prepopulating the fact cache. 2015年01月16日 6.5 CVE-2015-1029
SECUNIA
python -- pillow Pillow before 2.7.0 allows remote attackers to cause a denial of service via a compressed text chunk in a PNG image that has a large size when it is decompressed. 2015年01月16日 5.0 CVE-2014-9601
CONFIRM
CONFIRM
redhat -- cloudforms_3.1_management_engine SQL injection vulnerability in Red Hat CloudForms 3.1 Management Engine (CFME) 5.3 allows remote authenticated users to execute arbitrary SQL commands via a crafted REST API request to an SQL filter. 2015年01月16日 6.5 CVE-2014-7814
SECUNIA
sap -- netweaver_abap XML external entity vulnerability in the Extended Computer Aided Test Tool (eCATT) in SAP NetWeaver AS ABAP 7.31 and earlier allows remote attackers to access arbitrary files via a crafted XML request, related to ECATT_DISPLAY_XMLSTRING_REMOTE, aka SAP Note 2016638. 2015年01月22日 5.0 CVE-2015-1309
SECUNIA
MISC
MISC
serve-static_project -- serve-static Open redirect vulnerability in the serve-static plugin before 1.7.2 for Node.js, when mounted at the root, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a // (slash slash) followed by a domain in the PATH_INFO to the default URI. 2015年01月21日 4.3 CVE-2015-1164
CONFIRM
CONFIRM
XF
BID
CONFIRM
siemens -- scalance_x-300_series_firmware The FTP server on Siemens SCALANCE X-300 switches with firmware before 4.0 and SCALANCE X 408 switches with firmware before 4.0 allows remote authenticated users to cause a denial of service (reboot) via crafted FTP packets. 2015年01月21日 6.8 CVE-2014-8479
siemens -- simatic_s7_1200_cpu_firmware Open redirect vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices with firmware before 4.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. 2015年01月21日 4.3 CVE-2015-1048
sun -- sunos Unspecified vulnerability in Oracle Solaris 10 and 11 allows remote attackers to affect confidentiality via vectors related to KSSL. 2015年01月21日 4.3 CVE-2014-6481
sun -- sunos Unspecified vulnerability in Oracle Solaris 10 allows local users to affect availability via unknown vectors related to Kernel. 2015年01月21日 4.9 CVE-2014-6509
sun -- sunos Unspecified vulnerability in Oracle Solaris 10 and 11 allows local users to affect integrity and availability via vectors related to Unix File System (UFS). 2015年01月21日 6.6 CVE-2014-6518
sun -- sunos Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to File System, a different vulnerability than CVE-2014-6600 and CVE-2015-0397. 2015年01月21日 4.9 CVE-2014-6570
sun -- sunos Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remote attackers to affect availability via unknown vectors related to Network, a different vulnerability than CVE-2004-0230. 2015年01月21日 5.0 CVE-2014-6575
sun -- sunos Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to File System, a different vulnerability than CVE-2014-6570 and CVE-2015-0397. 2015年01月21日 4.9 CVE-2014-6600
sun -- sunos Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows remote attackers to affect confidentiality via unknown vectors related to Network. 2015年01月21日 5.0 CVE-2015-0375
sun -- sunos Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect availability via unknown vectors related to Resource Control. 2015年01月21日 4.9 CVE-2015-0428
symantec -- critical_system_protection SQL injection vulnerability in the management server in Symantec Critical System Protection (SCSP) 5.2.9 before MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x before 6.0 MP1 allows remote authenticated users to execute arbitrary SQL commands via a crafted HTTP request. 2015年01月21日 6.5 CVE-2014-7289
BID
symantec -- critical_system_protection The ajaxswing webui in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to obtain sensitive server information via unspecified vectors. 2015年01月21日 4.0 CVE-2014-9225
BID
sympa -- sympa The newsletter posting area in the web interface in Sympa 6.0.x before 6.0.10 and 6.1.x before 6.1.24 allows remote attackers to read arbitrary files via unspecified vectors. 2015年01月22日 5.0 CVE-2015-1306
MLIST
DEBIAN
SECUNIA
SECUNIA
synck_graphica -- download_log_cgi Directory traversal vulnerability in SYNCK GRAPHICA Download Log CGI 3.0 and earlier allows remote attackers to read arbitrary files via a crafted filename. 2015年01月21日 5.0 CVE-2015-0867
videolan -- vlc_media_player The picture_pool_Delete function in misc/picture_pool.c in VideoLAN VLC media player 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service (DEP violation and application crash) via a crafted FLV file. 2015年01月21日 6.8 CVE-2014-9597
MISC
MISC
MISC
FULLDISC
videolan -- vlc_media_player The picture_Release function in misc/picture.c in VideoLAN VLC media player 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service (write access violation) via a crafted M2V file. 2015年01月21日 6.8 CVE-2014-9598
MISC
MISC
MISC
FULLDISC
websitebaker -- websitebaker Cross-site scripting (XSS) vulnerability in admin/pages/modify.php in WebsiteBaker 2.8.3 SP3 allows remote attackers to inject arbitrary web script or HTML via the page_id parameter. 2015年01月21日 4.3 CVE-2015-0553
MISC
BID
MISC
MISC
FULLDISC
MISC
zlib -- pigz Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive. 2015年01月21日 5.0 CVE-2015-1191
CONFIRM
CONFIRM
MLIST
Back to top

Low Vulnerabilities

Primary
Vendor -- Product		DescriptionPublishedCVSS ScoreSource & Patch Info
crea8social -- crea8social Cross-site scripting (XSS) vulnerability in the Games feature in Crea8Social 2.0 allows remote authenticated users to inject arbitrary web script or HTML via the Game Content field in Add Game. 2015年01月16日 3.5 CVE-2015-1054
XF
EXPLOIT-DB
MISC
OSVDB
CONFIRM
CONFIRM
emc -- vipr_srm Multiple cross-site scripting (XSS) vulnerabilities in the administrative user interface in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allow remote authenticated users to inject arbitrary web script or HTML by leveraging privileged access to set crafted values of unspecified fields. 2015年01月21日 3.5 CVE-2015-0513
BUGTRAQ
ibm -- tivoli_netcool/omnibus Cross-site scripting (XSS) vulnerability in the Web GUI in IBM Tivoli Netcool/OMNIbus 7.3.0 before 7.3.0.6, 7.3.1 before 7.3.1.7, and 7.4.0 before 7.4.0.3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. 2015年01月17日 3.5 CVE-2014-3032
XF
ibm -- serverguide IBM ServerGuide before 9.63, UpdateXpress System Packs Installer (UXSPI) before 9.63, and ToolsCenter Suite before 9.63 place credentials in logs, which allows local users to obtain sensitive information by reading a file. 2015年01月17日 2.1 CVE-2014-4835
XF
ibm -- business_process_manager Cross-site scripting (XSS) vulnerability in the Process Portal in IBM Business Process Manager 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-8914. 2015年01月21日 3.5 CVE-2014-8913
XF
ibm -- business_process_manager Cross-site scripting (XSS) vulnerability in the Process Portal in IBM Business Process Manager 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.1, and 8.5.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2014-8913. 2015年01月21日 3.5 CVE-2014-8914
XF
mediawiki -- mediawiki Cross-site scripting (XSS) vulnerability in the preview in the ExpandTemplates extension for MediaWiki, when $wgRawHTML is set to true, allows remote attackers to inject arbitrary web script or HTML via the wpInput parameter to the Special:ExpandTemplates page. 2015年01月16日 2.6 CVE-2014-9478
CONFIRM
MLIST
MLIST
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 allows remote authenticated users to affect integrity via vectors related to PIA Core Technology. 2015年01月21日 3.5 CVE-2014-4279
oracle -- e-business_suite Unspecified vulnerability in the Oracle Web Applications Desktop Integrator component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect integrity via unknown vectors related to Templates. 2015年01月21日 3.5 CVE-2014-6525
oracle -- mysql Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote authenticated users to affect availability via vectors related to Server : InnoDB : DML. 2015年01月21日 3.5 CVE-2014-6568
oracle -- jdk Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors reelated to 2D, a different vulnerability than CVE-2014-6591. 2015年01月21日 2.6 CVE-2014-6585
oracle -- vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6589, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427. 2015年01月21日 3.2 CVE-2014-6588
oracle -- vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6590, CVE-2014-6595, and CVE-2015-0427. 2015年01月21日 3.2 CVE-2014-6589
oracle -- vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6595, and CVE-2015-0427. 2015年01月21日 3.2 CVE-2014-6590
oracle -- jdk Unspecified vulnerability in the Java SE component in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality via unknown vectors related to 2D, a different vulnerability than CVE-2014-6585. 2015年01月21日 2.6 CVE-2014-6591
oracle -- fusion_middleware Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect integrity via vectors related to SAML, a different vulnerability than CVE-2015-0389. 2015年01月21日 3.5 CVE-2014-6592
oracle -- vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, and CVE-2015-0427. 2015年01月21日 3.2 CVE-2014-6595
oracle -- siebel_crm Unspecified vulnerability in the Siebel Core - Common Components component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Email. 2015年01月21日 3.5 CVE-2014-6599
oracle -- siebel_crm Unspecified vulnerability in the Siebel Core - EAI component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect availability via unknown vectors related to Integration Business Services. 2015年01月21日 3.5 CVE-2015-0364
oracle -- database_server Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect integrity via unknown vectors. 2015年01月21日 3.5 CVE-2015-0370
oracle -- mysql Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier and 5.6.21 and earlier allows remote authenticated users to affect confidentiality via unknown vectors related to Server : Security : Privileges : Foreign Key. 2015年01月21日 3.5 CVE-2015-0374
oracle -- siebel_crm Unspecified vulnerability in the Siebel Public Sector component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect integrity via unknown vectors related to Public Sector Portal. 2015年01月21日 3.5 CVE-2015-0384
oracle -- mysql Unspecified vulnerability in Oracle MySQL Server 5.6.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Pluggable Auth. 2015年01月21日 3.5 CVE-2015-0385
oracle -- fusion_middleware Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 8.0 Update 2 Patch 5 allows remote authenticated users to affect integrity via vectors related to SAML, a different vulnerability than CVE-2014-6592. 2015年01月21日 3.5 CVE-2015-0389
oracle -- jdk Unspecified vulnerability in Oracle Java SE 7u72 and 8u25 allows local users to affect integrity via unknown vectors related to Serviceability. 2015年01月21日 1.9 CVE-2015-0413
oracle -- fusion_middleware Unspecified vulnerability in the Oracle SOA Suite component in Oracle Fusion Middleware 11.1.1.7 and 12.1.3.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Fabric Layer. 2015年01月21日 3.5 CVE-2015-0414
oracle -- supply_chain_products_suite Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.3 allows remote authenticated users to affect integrity via unknown vectors related to Roles & Privileges. 2015年01月21日 3.5 CVE-2015-0416
oracle -- vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 3.2.26, 4.0.28, 4.1.36, and 4.2.28 allows local users to affect availability via unknown vectors related to Core, a different vulnerability than CVE-2015-0377. 2015年01月21日 2.1 CVE-2015-0418
oracle -- vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox prior to 4.3.20 allows local users to affect integrity and availability via vectors related to VMSVGA virtual graphics device, a different vulnerability than CVE-2014-6588, CVE-2014-6589, CVE-2014-6590, and CVE-2014-6595. 2015年01月21日 3.2 CVE-2015-0427
pivotal_software -- rabbitmq_management Multiple cross-site scripting (XSS) vulnerabilities in the management web UI in the RabbitMQ management plugin before 3.4.3 allow remote authenticated users to inject arbitrary web script or HTML via (1) message details when a message is unqueued, such as headers or arguments; (2) policy names, which are not properly handled when viewing policies; (3) details for AMQP network clients, such as the version; allow remote authenticated administrators to inject arbitrary web script or HTML via (4) user names, (5) the cluster name; or allow RabbitMQ cluster administrators to (6) modify unspecified content. 2015年01月18日 3.5 CVE-2015-0862
sun -- sunos Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to Libc. 2015年01月21日 2.1 CVE-2015-0378
sun -- sunos Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to File System, a different vulnerability than CVE-2014-6570 and CVE-2014-6600. 2015年01月21日 2.1 CVE-2015-0397
sun -- sunos Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect integrity and availability via vectors related to RPC Utility. 2015年01月21日 3.3 CVE-2015-0429
sun -- sunos Unspecified vulnerability in Oracle Sun Solaris 10 and 11 allows local users to affect confidentiality via vectors related to RPC Utility. 2015年01月21日 1.9 CVE-2015-0430
symantec -- critical_system_protection Cross-site scripting (XSS) vulnerability in the ajaxswing webui in the Management Console server in the management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. 2015年01月21日 3.5 CVE-2014-9224
BID
websvn -- websvn WebSVN 2.3.3 allows remote authenticated users to read arbitrary files via a symlink attack in a commit. 2015年01月21日 3.5 CVE-2013-6892
MISC
SECUNIA
Back to top

This product is provided subject to this Notification and this Privacy & Use policy.

This email was sent to linux-security@xxxxxxxxxxx using GovDelivery, on behalf of: United States Computer Emergency Readiness Team (US-CERT) · 245 Murray Lane SW Bldg 410 · Washington, DC 20598 · (703) 235-5110 Powered by GovDelivery
[Index of Archives] [Fedora Announce] [Linux Crypto] [Kernel] [Netfilter] [Bugtraq] [USB] [Fedora Security]

(追記) (追記ここまで)
Powered by Linux

AltStyle によって変換されたページ (->オリジナル) /