CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In January 2015 (CVSS score >= 5)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-1424 352 1 CSRF 2015-01-29 2017-09-08
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Gecko CMS 2.2 and 2.3 allows remote attackers to hijack the authentication of administrators for requests that add an administrator user via a newuser request to admin/index.php.
2 CVE-2015-1423 89 1 Exec Code Sql 2015-01-29 2017-09-08
6.5
None Remote Low ??? Partial Partial Partial
Multiple SQL injection vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote administrators to execute arbitrary SQL commands via the (1) jak_delete_log[] or (2) ssp parameter to admin/index.php.
3 CVE-2015-1419 Bypass 2015-01-28 2018-10-30
5.0
None Remote Low Not required None Partial None
Unspecified vulnerability in vsftpd 3.0.2 and earlier allows remote attackers to bypass access restrictions via unknown vectors, related to deny_file parsing.
4 CVE-2015-1375 264 1 2015-01-28 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.
5 CVE-2015-1374 352 Sql XSS CSRF 2015-01-27 2015-01-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to hijack the authentication of administrators for requests that conduct (1) cross-site scripting (XSS), (2) SQL injection, or (3) unrestricted file upload attacks.
6 CVE-2015-1372 89 Exec Code Sql 2015-01-27 2015-01-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in ferretCMS 1.0.4-alpha allows remote attackers to execute arbitrary SQL commands via the p parameter in an update action to admin.php.
7 CVE-2015-1371 20 Exec Code 2015-01-27 2015-01-28
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in ferretCMS 1.0.4-alpha allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in custom/uploads/.
8 CVE-2015-1369 89 Exec Code Sql 2015-01-27 2015-01-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter.
9 CVE-2015-1367 89 Exec Code Sql 2015-01-27 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in CatBot 0.4.2 allows remote attackers to execute arbitrary SQL commands via the lastcatbot parameter.
10 CVE-2015-1365 22 1 Dir. Trav. 2015-01-27 2018-10-09
5.0
None Remote Low Not required None Partial None
Directory traversal vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to write to arbitrary files via a .. (dot dot) in the q parameter.
11 CVE-2015-1364 89 1 Exec Code Sql 2015-01-27 2015-01-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the getProfile function in system/profile.functions.php in Free Reprintables ArticleFR 3.0.5 allows remote attackers to execute arbitrary SQL commands via the username parameter to register/.
12 CVE-2015-1362 119 1 Exec Code Overflow 2015-01-27 2015-01-28
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the Customize 35mm tab in Two Pilots Exif Pilot 4.7.2 allows remote attackers to execute arbitrary code via a long string in the maker element in an XML file.
13 CVE-2015-1361 17 DoS 2015-01-27 2015-02-21
6.8
None Remote Medium Not required Partial Partial Partial
platform/image-decoders/ImageFrame.h in Blink, as used in Google Chrome before 40.0.2214.91, does not initialize a variable that is used in calls to the Skia SkBitmap::setAlphaType function, which might allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted HTML document, a different vulnerability than CVE-2015-1205.
14 CVE-2015-1360 119 DoS Overflow 2015-01-27 2015-02-21
7.5
None Remote Low Not required Partial Partial Partial
Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data that is improperly handled during text drawing, related to gpu/GrBitmapTextContext.cpp and gpu/GrDistanceFieldTextContext.cpp, a different vulnerability than CVE-2015-1205.
15 CVE-2015-1359 189 DoS Overflow 2015-01-27 2015-02-21
6.8
None Remote Medium Not required Partial Partial Partial
Multiple off-by-one errors in fpdfapi/fpdf_font/font_int.h in PDFium, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted PDF document, related to an "intra-object-overflow" issue, a different vulnerability than CVE-2015-1205.
16 CVE-2015-1346 DoS 2015-01-22 2017-09-08
7.5
None Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in Google V8 before 3.30.33.15, as used in Google Chrome before 40.0.2214.91, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
17 CVE-2015-1312 264 +Priv +Info 2015-01-22 2018-12-10
7.5
None Remote Low Not required Partial Partial Partial
The Dealer Portal in SAP ERP does not properly restrict access, which allows remote attackers to obtain sensitive information, gain privileges, and possibly have other unspecified impact via unknown vectors, aka SAP Note 2000401. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
18 CVE-2015-1311 94 2015-01-22 2018-12-10
10.0
None Remote Low Not required Complete Complete Complete
The Extended Application Services (XS) in SAP HANA allows remote attackers to inject arbitrary ABAP code via unspecified vectors, aka SAP Note 2098906. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
19 CVE-2015-1310 89 Exec Code Sql 2015-01-22 2018-12-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SAP Adaptive Server Enterprise (Sybase ASE) allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Note 2113333. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
20 CVE-2015-1309 2015-01-22 2018-12-10
5.0
None Remote Low Not required Partial None None
XML external entity vulnerability in the Extended Computer Aided Test Tool (eCATT) in SAP NetWeaver AS ABAP 7.31 and earlier allows remote attackers to access arbitrary files via a crafted XML request, related to ECATT_DISPLAY_XMLSTRING_REMOTE, aka SAP Note 2016638.
21 CVE-2015-1306 200 +Info 2015-01-22 2015-11-19
5.0
None Remote Low Not required Partial None None
The newsletter posting area in the web interface in Sympa 6.0.x before 6.0.10 and 6.1.x before 6.1.24 allows remote attackers to read arbitrary files via unspecified vectors.
22 CVE-2015-1205 DoS 2015-01-22 2017-01-03
7.5
None Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.91 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
23 CVE-2015-1201 DoS 2015-01-20 2015-01-22
5.0
None Remote Low Not required None None Partial
Privoxy before 3.0.22 allows remote attackers to cause a denial of service (file descriptor consumption) via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
24 CVE-2015-1195 22 Dir. Trav. 2015-01-21 2019-02-04
6.5
None Remote Low ??? Partial Partial Partial
The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493.
25 CVE-2015-1193 22 Dir. Trav. 2015-01-21 2015-01-23
5.0
None Remote Low Not required None Partial None
Multiple directory traversal vulnerabilities in pax 1:20140703 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.
26 CVE-2015-1192 22 Dir. Trav. 2015-01-21 2015-01-23
5.0
None Remote Low Not required None Partial None
Absolute path traversal vulnerability in kgb 1.0b4 allows remote attackers to write to arbitrary files via a full pathname in a crafted archive.
27 CVE-2015-1191 22 Dir. Trav. 2015-01-21 2016-12-03
5.0
None Remote Low Not required None Partial None
Multiple directory traversal vulnerabilities in pigz 2.3.1 allow remote attackers to write to arbitrary files via a (1) full pathname or (2) .. (dot dot) in an archive.
28 CVE-2015-1182 DoS Exec Code 2015-01-27 2018-10-30
7.5
None Remote Low Not required Partial Partial Partial
The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate.
29 CVE-2015-1060 1 2015-01-16 2017-09-08
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in lib/Cake/Controller/Controller.php in AdaptCMS 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header.
30 CVE-2015-1059 94 1 Exec Code 2015-01-16 2017-09-08
6.5
None Remote Low ??? Partial Partial Partial
Unrestricted file upload vulnerability in admin/files/add in AdaptCMS 3.0.3 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in /app/webroot/uploads.
31 CVE-2015-1055 89 Exec Code Sql 2015-01-16 2019-07-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php.
32 CVE-2015-1051 2015-01-15 2016-08-23
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the Context UI module in the Context module 7.x-3.x before 7.x-3.6 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter.
33 CVE-2015-1038 59 2015-01-21 2017-09-08
5.8
None Remote Medium Not required None Partial Partial
p7zip 9.20.1 allows remote attackers to write to arbitrary files via a symlink attack in an archive.
34 CVE-2015-1030 399 DoS 2015-01-20 2015-02-04
5.0
None Remote Low Not required None None Partial
Memory leak in the rfc2553_connect_to function in jbsocket.c in Privoxy before 3.0.22 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests that are rejected because the socket limit is reached.
35 CVE-2015-1029 264 +Priv +Info 2015-01-16 2019-07-11
6.5
None Remote Low ??? Partial Partial Partial
The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlier allows remote authenticated users to gain privileges or obtain sensitive information by prepopulating the fact cache.
36 CVE-2015-0973 119 Exec Code Overflow 2015-01-18 2016-10-20
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.
37 CVE-2015-0925 94 Exec Code 2015-01-22 2015-01-24
9.0
None Remote Low ??? Complete Complete Complete
The client in iPass Open Mobile before 2.4.5 on Windows allows remote authenticated users to execute arbitrary code via a DLL pathname in a crafted Unicode string that is improperly handled by a subprocess reached through a named pipe, as demonstrated by a UNC share pathname.
38 CVE-2015-0924 255 2015-01-17 2017-05-27
7.8
None Remote Low Not required None Complete None
Ceragon FibeAir IP-10 bridges have a default password for the root account, which makes it easier for remote attackers to obtain access via a (1) HTTP, (2) SSH, (3) TELNET, or (4) CLI session.
39 CVE-2015-0922 200 +Info 2015-01-09 2017-09-08
5.0
None Remote Low Not required Partial None None
McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.
40 CVE-2015-0920 352 XSS CSRF 2015-01-08 2017-09-08
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Banner Effect Header plugin 1.2.6 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the banner_effect_email parameter in the BannerEffectOptions page to wp-admin/options-general.php.
41 CVE-2015-0919 89 Exec Code Sql 2015-01-08 2015-01-08
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the administrative backend in Sefrengo before 1.6.1 allow remote administrators to execute arbitrary SQL commands via the (1) idcat or (2) idclient parameter to backend/main.php.
42 CVE-2015-0867 22 Dir. Trav. 2015-01-21 2015-01-23
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in SYNCK GRAPHICA Download Log CGI 3.0 and earlier allows remote attackers to read arbitrary files via a crafted filename.
43 CVE-2015-0591 399 DoS 2015-01-15 2017-09-08
5.0
None Remote Low Not required None None Partial
Cisco Unified Communications Domain Manager (UCDM) 10 allows remote attackers to cause a denial of service (daemon hang and GUI outage) via a flood of malformed TCP packets, aka Bug ID CSCur44177.
44 CVE-2015-0590 200 +Info 2015-01-17 2017-09-08
5.0
None Remote Low Not required Partial None None
Cisco WebEx Meeting Center allows remote attackers to activate disabled meeting attributes, and consequently obtain sensitive information, by providing crafted parameters during a meeting-join action, aka Bug ID CSCuo34165.
45 CVE-2015-0588 352 CSRF 2015-01-15 2017-09-08
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Cisco Unified Communications Domain Manager (UCDM) 10 allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuo77055.
46 CVE-2015-0586 399 DoS 2015-01-28 2017-09-08
7.8
None Remote Low Not required None None Complete
The Network-Based Application Recognition (NBAR) protocol implementation in Cisco IOS 15.3(100)M and earlier on Cisco 2900 Integrated Services Router (aka Cisco Internet Router) devices allows remote attackers to cause a denial of service (NBAR process hang) via IPv4 packets, aka Bug ID CSCuo73682.
47 CVE-2015-0583 200 +Info 2015-01-14 2017-09-08
5.0
None Remote Low Not required Partial None None
Cisco WebEx Meeting Center does not properly restrict the content of URLs, which allows remote attackers to obtain sensitive information via vectors related to file: URIs, aka Bug ID CSCus18281.
48 CVE-2015-0582 20 DoS 2015-01-10 2017-09-08
5.0
None Remote Low Not required None None Partial
The High Availability (HA) subsystem in Cisco NX-OS on MDS 9000 devices allows remote attackers to cause a denial of service via crafted traffic, aka Bug ID CSCuo09129.
49 CVE-2015-0581 DoS 2015-01-28 2015-09-17
7.5
None Remote Low ??? Complete None Partial
The XML parser in Cisco Prime Service Catalog before 10.1 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in conjunction with an entity reference, as demonstrated by reading private keys, related to an XML External Entity (XXE) issue, aka Bug ID CSCup92880.
50 CVE-2015-0579 399 DoS 2015-01-14 2017-01-06
5.0
None Remote Low Not required None None Partial
Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway allow remote attackers to cause a denial of service (memory and CPU consumption, and partial outage) via crafted SIP packets, aka Bug ID CSCur12473.
Total number of vulnerabilities : 435   Page : 1 (This Page)2 3 4 5 6 7 8 9
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.