CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In January 2015 (CVSS score >= 6)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-1424 352 1 CSRF 2015-01-29 2017-09-08
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Gecko CMS 2.2 and 2.3 allows remote attackers to hijack the authentication of administrators for requests that add an administrator user via a newuser request to admin/index.php.
2 CVE-2015-1423 89 1 Exec Code Sql 2015-01-29 2017-09-08
6.5
None Remote Low ??? Partial Partial Partial
Multiple SQL injection vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote administrators to execute arbitrary SQL commands via the (1) jak_delete_log[] or (2) ssp parameter to admin/index.php.
3 CVE-2015-1375 264 1 2015-01-28 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.
4 CVE-2015-1374 352 Sql XSS CSRF 2015-01-27 2015-01-28
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in ferretCMS 1.0.4-alpha allow remote attackers to hijack the authentication of administrators for requests that conduct (1) cross-site scripting (XSS), (2) SQL injection, or (3) unrestricted file upload attacks.
5 CVE-2015-1372 89 Exec Code Sql 2015-01-27 2015-01-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in ferretCMS 1.0.4-alpha allows remote attackers to execute arbitrary SQL commands via the p parameter in an update action to admin.php.
6 CVE-2015-1371 20 Exec Code 2015-01-27 2015-01-28
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in ferretCMS 1.0.4-alpha allows remote administrators to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in custom/uploads/.
7 CVE-2015-1369 89 Exec Code Sql 2015-01-27 2015-01-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Sequelize before 2.0.0-rc7 for Node.js allows remote attackers to execute arbitrary SQL commands via the order parameter.
8 CVE-2015-1367 89 Exec Code Sql 2015-01-27 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in CatBot 0.4.2 allows remote attackers to execute arbitrary SQL commands via the lastcatbot parameter.
9 CVE-2015-1364 89 1 Exec Code Sql 2015-01-27 2015-01-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the getProfile function in system/profile.functions.php in Free Reprintables ArticleFR 3.0.5 allows remote attackers to execute arbitrary SQL commands via the username parameter to register/.
10 CVE-2015-1362 119 1 Exec Code Overflow 2015-01-27 2015-01-28
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the Customize 35mm tab in Two Pilots Exif Pilot 4.7.2 allows remote attackers to execute arbitrary code via a long string in the maker element in an XML file.
11 CVE-2015-1361 17 DoS 2015-01-27 2015-02-21
6.8
None Remote Medium Not required Partial Partial Partial
platform/image-decoders/ImageFrame.h in Blink, as used in Google Chrome before 40.0.2214.91, does not initialize a variable that is used in calls to the Skia SkBitmap::setAlphaType function, which might allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted HTML document, a different vulnerability than CVE-2015-1205.
12 CVE-2015-1360 119 DoS Overflow 2015-01-27 2015-02-21
7.5
None Remote Low Not required Partial Partial Partial
Skia, as used in Google Chrome before 40.0.2214.91, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data that is improperly handled during text drawing, related to gpu/GrBitmapTextContext.cpp and gpu/GrDistanceFieldTextContext.cpp, a different vulnerability than CVE-2015-1205.
13 CVE-2015-1359 189 DoS Overflow 2015-01-27 2015-02-21
6.8
None Remote Medium Not required Partial Partial Partial
Multiple off-by-one errors in fpdfapi/fpdf_font/font_int.h in PDFium, as used in Google Chrome before 40.0.2214.91, allow remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted PDF document, related to an "intra-object-overflow" issue, a different vulnerability than CVE-2015-1205.
14 CVE-2015-1346 DoS 2015-01-22 2017-09-08
7.5
None Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in Google V8 before 3.30.33.15, as used in Google Chrome before 40.0.2214.91, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
15 CVE-2015-1312 264 +Priv +Info 2015-01-22 2018-12-10
7.5
None Remote Low Not required Partial Partial Partial
The Dealer Portal in SAP ERP does not properly restrict access, which allows remote attackers to obtain sensitive information, gain privileges, and possibly have other unspecified impact via unknown vectors, aka SAP Note 2000401. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
16 CVE-2015-1311 94 2015-01-22 2018-12-10
10.0
None Remote Low Not required Complete Complete Complete
The Extended Application Services (XS) in SAP HANA allows remote attackers to inject arbitrary ABAP code via unspecified vectors, aka SAP Note 2098906. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
17 CVE-2015-1310 89 Exec Code Sql 2015-01-22 2018-12-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in SAP Adaptive Server Enterprise (Sybase ASE) allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Note 2113333. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
18 CVE-2015-1205 DoS 2015-01-22 2017-01-03
7.5
None Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in Google Chrome before 40.0.2214.91 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.
19 CVE-2015-1195 22 Dir. Trav. 2015-01-21 2019-02-04
6.5
None Remote Low ??? Partial Partial Partial
The V2 API in OpenStack Image Registry and Delivery Service (Glance) before 2014.1.4 and 2014.2.x before 2014.2.2 allows remote authenticated users to read or delete arbitrary files via a full pathname in a filesystem: URL in the image location property. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-9493.
20 CVE-2015-1182 DoS Exec Code 2015-01-27 2018-10-30
7.5
None Remote Low Not required Partial Partial Partial
The asn1_get_sequence_of function in library/asn1parse.c in PolarSSL 1.0 through 1.2.12 and 1.3.x through 1.3.9 does not properly initialize a pointer in the asn1_sequence linked list, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ASN.1 sequence in a certificate.
21 CVE-2015-1059 94 1 Exec Code 2015-01-16 2017-09-08
6.5
None Remote Low ??? Partial Partial Partial
Unrestricted file upload vulnerability in admin/files/add in AdaptCMS 3.0.3 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in /app/webroot/uploads.
22 CVE-2015-1055 89 Exec Code Sql 2015-01-16 2019-07-08
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Photo Gallery plugin 1.2.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the order_by parameter in a GalleryBox action to wp-admin/admin-ajax.php.
23 CVE-2015-1029 264 +Priv +Info 2015-01-16 2019-07-11
6.5
None Remote Low ??? Partial Partial Partial
The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlier allows remote authenticated users to gain privileges or obtain sensitive information by prepopulating the fact cache.
24 CVE-2015-0973 119 Exec Code Overflow 2015-01-18 2016-10-20
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the png_read_IDAT_data function in pngrutil.c in libpng before 1.5.21 and 1.6.x before 1.6.16 allows context-dependent attackers to execute arbitrary code via IDAT data with a large width, a different vulnerability than CVE-2014-9495.
25 CVE-2015-0925 94 Exec Code 2015-01-22 2015-01-24
9.0
None Remote Low ??? Complete Complete Complete
The client in iPass Open Mobile before 2.4.5 on Windows allows remote authenticated users to execute arbitrary code via a DLL pathname in a crafted Unicode string that is improperly handled by a subprocess reached through a named pipe, as demonstrated by a UNC share pathname.
26 CVE-2015-0924 255 2015-01-17 2017-05-27
7.8
None Remote Low Not required None Complete None
Ceragon FibeAir IP-10 bridges have a default password for the root account, which makes it easier for remote attackers to obtain access via a (1) HTTP, (2) SSH, (3) TELNET, or (4) CLI session.
27 CVE-2015-0920 352 XSS CSRF 2015-01-08 2017-09-08
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Banner Effect Header plugin 1.2.6 for WordPress allows remote attackers to hijack the authentication of administrators for requests that conduct cross-site scripting (XSS) attacks via the banner_effect_email parameter in the BannerEffectOptions page to wp-admin/options-general.php.
28 CVE-2015-0919 89 Exec Code Sql 2015-01-08 2015-01-08
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the administrative backend in Sefrengo before 1.6.1 allow remote administrators to execute arbitrary SQL commands via the (1) idcat or (2) idclient parameter to backend/main.php.
29 CVE-2015-0588 352 CSRF 2015-01-15 2017-09-08
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Cisco Unified Communications Domain Manager (UCDM) 10 allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuo77055.
30 CVE-2015-0586 399 DoS 2015-01-28 2017-09-08
7.8
None Remote Low Not required None None Complete
The Network-Based Application Recognition (NBAR) protocol implementation in Cisco IOS 15.3(100)M and earlier on Cisco 2900 Integrated Services Router (aka Cisco Internet Router) devices allows remote attackers to cause a denial of service (NBAR process hang) via IPv4 packets, aka Bug ID CSCuo73682.
31 CVE-2015-0581 DoS 2015-01-28 2015-09-17
7.5
None Remote Low ??? Complete None Partial
The XML parser in Cisco Prime Service Catalog before 10.1 allows remote authenticated users to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in conjunction with an entity reference, as demonstrated by reading private keys, related to an XML External Entity (XXE) issue, aka Bug ID CSCup92880.
32 CVE-2015-0554 264 1 DoS +Info 2015-01-21 2015-01-23
9.4
None Remote Low Not required Complete None Complete
The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service (device restart) as demonstrated by a direct request to (1) wlsecurity.html or (2) resetrouter.html.
33 CVE-2015-0552 22 Dir. Trav. 2015-01-15 2018-10-30
6.4
None Remote Low Not required None Partial Partial
Directory traversal vulnerability in the gcab_folder_extract function in libgcab/gcab-folder.c in gcab 0.4 allows remote attackers to write to arbitrary files via crafted path in a CAB file, as demonstrated by "\tmp\moo."
34 CVE-2015-0515 Exec Code 2015-01-21 2017-01-03
6.5
None Remote Low ??? Partial Partial Partial
Unrestricted file upload vulnerability in EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 allows remote authenticated users to execute arbitrary code by uploading and then accessing an executable file.
35 CVE-2015-0437 2015-01-21 2022-05-13
9.3
None Remote Medium Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
36 CVE-2015-0435 2015-01-21 2017-09-08
6.8
None Remote Low ??? Complete None None
Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, and 6.3.5 allows remote authenticated users to affect confidentiality via unknown vectors related to Security.
37 CVE-2015-0424 2015-01-21 2017-09-08
7.5
None Remote Medium ??? Partial Partial Complete
Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite ILOM prior to 3.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to IPMI.
38 CVE-2015-0421 2015-01-21 2022-05-13
6.9
None Local Medium Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the installation process.
39 CVE-2015-0412 2015-01-21 2022-05-13
7.2
None Local Low Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAX-WS.
40 CVE-2015-0411 2015-01-21 2019-02-01
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in Oracle MySQL Server 5.5.40 and earlier, and 5.6.21 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Server : Security : Encryption.
41 CVE-2015-0408 2015-01-21 2022-05-13
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI.
42 CVE-2015-0403 2015-01-21 2022-05-13
6.9
None Local Medium Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 6u85, 7u72, and 8u25 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
43 CVE-2015-0396 2015-01-21 2017-09-08
7.5
None Remote Low Not required Partial Partial Partial
Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 3.0.1 and 3.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Admin Console.
44 CVE-2015-0395 2015-01-21 2022-05-13
9.3
None Remote Medium Not required Complete Complete Complete
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.
45 CVE-2015-0393 Exec Code +Priv 2015-01-21 2017-09-08
6.0
None Remote Medium ??? Partial Partial Partial
Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to DB Privileges. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher's claim that the PUBLIC role is granted the INDEX privilege for the DUAL table during a "seeded install," which allows remote authenticated users to gain SYSDBA privileges and execute arbitrary code.
46 CVE-2015-0390 2015-01-21 2017-09-08
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the MICROS Retail component in Oracle Retail Applications Xstore: 3.2.1, 3.4.2, 3.5.0, 4.0.1, 4.5.1, 4.8.0, 5.0.3, 5.5.3, 6.0.6, and 6.5.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Xstore Point of Sale.
47 CVE-2015-0373 2015-01-21 2017-09-08
6.5
None Remote Low ??? Partial Partial Partial
Unspecified vulnerability in the OJVM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
48 CVE-2015-0361 DoS 2015-01-07 2018-10-30
7.8
None Remote Low Not required None None Complete
Use-after-free vulnerability in Xen 4.2.x, 4.3.x, and 4.4.x allows remote domains to cause a denial of service (system crash) via a crafted hypercall during HVM guest teardown.
49 CVE-2015-0312 415 Exec Code 2015-01-28 2021-09-08
9.3
None Remote Medium Not required Complete Complete Complete
Double free vulnerability in Adobe Flash Player before 13.0.0.264 and 14.x through 16.x before 16.0.0.296 on Windows and OS X and before 11.2.202.440 on Linux allows attackers to execute arbitrary code via unspecified vectors.
50 CVE-2015-0311 Exec Code 2015-01-23 2015-02-14
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in January 2015.
Total number of vulnerabilities : 306   Page : 1 (This Page)2 3 4 5 6 7
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.