| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 351 | CVE-2015-0267 | | | | 2015-05-19 | 2016-11-28 | 3.6 | None | Local | Low | Not required | None | Partial | Partial | The Red Hat module-setup.sh script for kexec-tools, as distributed in the kexec-tools before 2.0.7-19 packages in Red Hat Enterprise Linux, allows local users to write to arbitrary files via a symlink attack on a temporary file. |
| 352 | CVE-2015-0257 | 264 | | +Info | 2015-05-01 | 2016-06-28 | 2.1 | None | Local | Low | Not required | Partial | None | None | Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 uses weak permissions on the directories shared by the ovirt-engine-dwhd service and a plugin during service startup, which allows local users to obtain sensitive information by reading files in the directory. |
| 353 | CVE-2015-0237 | 264 | | DoS | 2015-05-01 | 2016-04-11 | 6.8 | None | Remote | Low | ??? | None | None | Complete | Red Hat Enterprise Virtualization (RHEV) Manager before 3.5.1 ignores the permission to deny snapshot creation during live storage migration between domains, which allows remote authenticated users to cause a denial of service (prevent host start) by creating a long snapshot chain. |
| 354 | CVE-2015-0200 | 200 | | +Info | 2015-05-29 | 2019-09-30 | 2.1 | None | Local | Low | Not required | Partial | None | None | IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x before 7.0.0.8 IF2 allows local users to obtain sensitive database information via unspecified vectors. |
| 355 | CVE-2015-0193 | 79 | | XSS | 2015-05-30 | 2015-06-02 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.5.0 and WebSphere Lombardi Edition (WLE) 7.2.x through 7.2.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL that triggers an error condition. |
| 356 | CVE-2015-0189 | 399 | | DoS | 2015-05-20 | 2017-01-03 | 4.0 | None | Remote | Low | ??? | None | None | Partial | The cluster repository manager in IBM WebSphere MQ 7.5 before 7.5.0.5 and 8.0 before 8.0.0.2 allows remote authenticated administrators to cause a denial of service (memory overwrite and daemon outage) by triggering multiple transmit-queue records. |
| 357 | CVE-2015-0180 | 284 | | Bypass | 2015-05-25 | 2015-05-26 | 5.5 | None | Remote | Low | ??? | None | Partial | Partial | The Connector Migration Tool in IBM InfoSphere Information Server 8.1 through 11.3 allows remote authenticated users to bypass intended restrictions on job creation and modification via unspecified vectors. |
| 358 | CVE-2015-0171 | 22 | | Dir. Trav. | 2015-05-25 | 2015-05-26 | 5.5 | None | Remote | Low | ??? | None | Partial | Partial | Directory traversal vulnerability in IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0.4, and 3.1.1 before 3.1.1.2 allows remote authenticated users to write to arbitrary files via unspecified vectors. |
| 359 | CVE-2015-0170 | 200 | | +Info | 2015-05-25 | 2015-05-26 | 2.1 | None | Local | Low | Not required | Partial | None | None | IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0.4, and 3.1.1 before 3.1.1.2 allows local users to obtain sensitive information by reading cached data. |
| 360 | CVE-2015-0169 | 74 | | | 2015-05-25 | 2015-05-26 | 4.0 | None | Remote | Low | ??? | None | Partial | None | IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0.4, and 3.1.1 before 3.1.1.2 allows remote authenticated users to inject arguments via unspecified vectors. |
| 361 | CVE-2015-0168 | 79 | | XSS | 2015-05-25 | 2015-05-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0.4, and 3.1.1 before 3.1.1.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
| 362 | CVE-2015-0161 | 89 | | Exec Code Sql | 2015-05-25 | 2015-05-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SQL injection vulnerability in IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0.4, and 3.1.1 before 3.1.1.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. |
| 363 | CVE-2015-0160 | 264 | | Exec Code | 2015-05-25 | 2015-05-26 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0.4, and 3.1.1 before 3.1.1.2 allows remote authenticated users to execute arbitrary commands with SYSTEM privileges via unspecified vectors. |
| 364 | CVE-2015-0156 | 79 | | XSS | 2015-05-25 | 2015-05-27 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 7.5.1.2, 8.0.x through 8.0.1.3, and 8.5.x through 8.5.6.0 and WebSphere Lombardi Edition (WLE) 7.2.x through 7.2.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. |
| 365 | CVE-2015-0140 | | | Exec Code | 2015-05-25 | 2015-05-26 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | An unspecified ActiveX control in IBM SPSS Statistics 22.0 through FP1 on 32-bit platforms allows remote attackers to execute arbitrary code via a crafted HTML document. |
| 366 | CVE-2015-0121 | | | | 2015-05-30 | 2016-12-03 | 3.7 | None | Local | High | Not required | Partial | Partial | Partial | IBM Rational Requirements Composer 3.0 through 3.0.1.6 and 4.0 through 4.0.7 and Rational DOORS Next Generation (RDNG) 4.0 through 4.0.7 and 5.0 through 5.0.2, when LTPA single sign on is used with WebSphere Application Server, do not terminate a Requirements Management (RM) session upon LTPA token expiration, which allows remote attackers to obtain access by leveraging an unattended workstation. |
| 367 | CVE-2015-0120 | 119 | | Overflow | 2015-05-25 | 2015-05-26 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Buffer overflow in the FastBackMount process in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.11.1 has unspecified impact and remote attack vectors. |
| 368 | CVE-2014-9727 | 78 | 1 | Exec Code | 2015-05-29 | 2018-08-13 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | AVM Fritz!Box allows remote attackers to execute arbitrary commands via shell metacharacters in the var:lang parameter to cgi-bin/webcm. |
| 369 | CVE-2014-9716 | 79 | | XSS | 2015-05-08 | 2019-01-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in WebODF before 0.5.4 allows remote attackers to inject arbitrary web script or HTML via a file name. |
| 370 | CVE-2014-9715 | | | DoS | 2015-05-27 | 2016-12-31 | 4.9 | None | Local | Low | Not required | None | None | Complete | include/net/netfilter/nf_conntrack_extend.h in the netfilter subsystem in the Linux kernel before 3.14.5 uses an insufficiently large data type for certain extension data, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via outbound network traffic that triggers extension loading, as demonstrated by configuring a PPTP tunnel in a NAT environment. |
| 371 | CVE-2014-9710 | 362 | | +Priv Bypass | 2015-05-27 | 2016-12-31 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | The Btrfs implementation in the Linux kernel before 3.19 does not ensure that the visible xattr state is consistent with a requested replacement, which allows local users to bypass intended ACL settings and gain privileges via standard filesystem operations (1) during an xattr-replacement time window, related to a race condition, or (2) after an xattr-replacement attempt that fails because the data does not fit. |
| 372 | CVE-2014-9326 | | | | 2015-05-12 | 2017-01-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The automatic signature update functionality in the (1) Phone Home feature in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, GTM, and Link Controller 11.5.0 through 11.6.0, ASM 10.0.0 through 11.6.0, and PEM 11.3.0 through 11.6.0 and the (2) Call Home feature in ASM 10.0.0 through 11.6.0 and PEM 11.3.0 through 11.6.0 does not properly validate server SSL certificates, which allows remote attackers to conduct man-in-the-middle attacks via a crafted certificate. |
| 373 | CVE-2014-9204 | 119 | | Exec Code Overflow | 2015-05-17 | 2018-04-10 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | Stack-based buffer overflow in OPCTest.exe in Rockwell Automation RSLinx Classic before 3.73.00 allows remote attackers to execute arbitrary code via a crafted CSV file. |
| 374 | CVE-2014-9160 | 119 | | Exec Code Overflow | 2015-05-13 | 2017-01-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Multiple heap-based buffer overflows in Adobe Reader and Acrobat 10.x before 10.1.14 and 11.x before 11.0.11 on Windows and OS X allow attackers to execute arbitrary code via unknown vectors. |
| 375 | CVE-2014-8927 | 399 | | DoS | 2015-05-25 | 2015-05-26 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Common Inventory Technology (CIT) before 2.7.0.2050 in IBM License Metric Tool 7.2.2, 7.5, and 9; Endpoint Manager for Software Use Analysis 9; and Tivoli Asset Discovery for Distributed 7.2.2 and 7.5 allows remote attackers to cause a denial of service (CPU consumption or application crash) via a crafted XML query, a different vulnerability than CVE-2014-8926. |
| 376 | CVE-2014-8926 | 399 | | DoS | 2015-05-25 | 2015-05-26 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Common Inventory Technology (CIT) before 2.7.0.2050 in IBM License Metric Tool 7.2.2, 7.5, and 9; Endpoint Manager for Software Use Analysis 9; and Tivoli Asset Discovery for Distributed 7.2.2 and 7.5 allows remote attackers to cause a denial of service (CPU consumption or application crash) via a crafted XML query, a different vulnerability than CVE-2014-8927. |
| 377 | CVE-2014-8924 | | | | 2015-05-20 | 2017-01-03 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | The server in IBM License Metric Tool 7.2.2 before IF15 and 7.5 before IF24 and Tivoli Asset Discovery for Distributed 7.2.2 before IF15 and 7.5 before IF24 allows remote attackers to read arbitrary files or send TCP requests to intranet servers via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
| 378 | CVE-2014-8619 | 79 | | XSS | 2015-05-12 | 2017-01-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the autolearn configuration page in Fortinet FortiWeb 5.1.2 through 5.3.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 379 | CVE-2014-8618 | 79 | | XSS | 2015-05-12 | 2017-01-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the theme login page in Fortinet FortiADC D models before 4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 380 | CVE-2014-8616 | 79 | | XSS | 2015-05-12 | 2017-01-03 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Fortinet FortiOS 5.2.x before 5.2.3 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to the (1) user group or (2) vpn template menus. |
| 381 | CVE-2014-8384 | | | | 2015-05-18 | 2015-05-19 | 9.4 | None | Remote | Low | Not required | None | Complete | Complete | The InFocus IN3128HD projector with firmware 0.26 does not restrict access to cgi-bin/webctrl.cgi.elf, which allows remote attackers to modify the DHCP server and device IP configuration, reboot the device, change the device name, and have other unspecified impact via a crafted request. |
| 382 | CVE-2014-8383 | | | Bypass | 2015-05-18 | 2015-05-19 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The InFocus IN3128HD projector with firmware 0.26 allows remote attackers to bypass authentication via a direct request to main.html. |
| 383 | CVE-2014-8361 | 20 | | Exec Code | 2015-05-01 | 2021-04-09 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request. |
| 384 | CVE-2014-8162 | | | | 2015-05-14 | 2016-11-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | XML external entity (XXE) in the RPC interface in Spacewalk and Red Hat Network (RHN) Satellite 5.7 and earlier allows remote attackers to read arbitrary files and possibly have other unspecified impact via unknown vectors. |
| 385 | CVE-2014-8147 | 189 | | DoS Exec Code | 2015-05-25 | 2019-04-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 uses an integer data type that is inconsistent with a header file, which allows remote attackers to cause a denial of service (incorrect malloc followed by invalid free) or possibly execute arbitrary code via crafted text. |
| 386 | CVE-2014-8146 | 119 | | DoS Exec Code Overflow | 2015-05-25 | 2019-04-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) before 55.1 does not properly track directionally isolated pieces of text, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly execute arbitrary code via crafted text. |
| 387 | CVE-2014-6628 | | | Exec Code | 2015-05-28 | 2015-05-29 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | Aruba Networks ClearPass Policy Manager (CPPM) before 6.5.0 allows remote administrators to execute arbitrary code via unspecified vectors. |
| 388 | CVE-2014-6211 | 200 | | +Info | 2015-05-20 | 2019-09-30 | 2.1 | None | Local | Low | Not required | Partial | None | None | The command-line scripts in IBM WebSphere Commerce 6.0 through 6.0.0.11, 7.0 through 7.0.0.9, and 7.0 Feature Pack 2 through 8, when debugging is configured, do not properly restrict the logging of personal data, which allows local users to obtain sensitive information by reading a log file. |
| 389 | CVE-2014-6192 | 79 | | XSS | 2015-05-25 | 2015-05-26 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in IBM Curam Social Program Management 6.0 SP2 before EP26, 6.0.4 before 6.0.4.5 iFix10, 6.0.5 before 6.0.5.6, and 6.0.5.5a before 6.0.5.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. |
| 390 | CVE-2014-6190 | 200 | | +Info | 2015-05-25 | 2015-05-26 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The log viewer in IBM Workload Deployer 3.1 before 3.1.0.7 allows remote attackers to obtain sensitive information via a direct request for the URL of a log document. |
| 391 | CVE-2014-4778 | 20 | | | 2015-05-25 | 2015-05-26 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | IBM License Metric Tool 9 before 9.1.0.2 and Endpoint Manager for Software Use Analysis 9 before 9.1.0.2 do not send an X-Frame-Options HTTP header in response to requests for the login page, which allows remote attackers to conduct clickjacking attacks via vectors involving a FRAME element. |
| 392 | CVE-2014-4776 | 200 | | +Info | 2015-05-20 | 2017-01-03 | 2.1 | None | Local | Low | Not required | Partial | None | None | IBM License Metric Tool 9 before 9.1.0.2 does not have an off autocomplete attribute for authentication fields, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. |
| 393 | CVE-2014-4774 | 352 | | CSRF | 2015-05-25 | 2015-05-26 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the login page in IBM License Metric Tool 9 before 9.1.0.2 and Endpoint Manager for Software Use Analysis 9 before 9.1.0.2 allows remote attackers to hijack the authentication of arbitrary users via vectors involving a FRAME element. |
| 394 | CVE-2014-3598 | 399 | | DoS | 2015-05-01 | 2018-10-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The Jpeg2KImagePlugin plugin in Pillow before 2.5.3 allows remote attackers to cause a denial of service via a crafted image. |
| 395 | CVE-2014-2174 | 284 | | | 2015-05-25 | 2015-05-26 | 8.3 | None | Local Network | Low | Not required | Complete | Complete | Complete | Cisco TelePresence T, TelePresence TE, and TelePresence TC before 7.1 do not properly implement access control, which allows remote attackers to obtain root privileges by sending packets on the local network and allows physically proximate attackers to obtain root privileges via unspecified vectors, aka Bug ID CSCub67651. |
| 396 | CVE-2014-1902 | 79 | | XSS | 2015-05-14 | 2015-05-15 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Y-Cam camera models SD range YCB003, YCK003, and YCW003; S range YCB004, YCK004, YCW004; EyeBall YCEB03; Bullet VGA YCBL03 and YCBLB3; Bullet HD 720 YCBLHD5; Y-cam Classic Range YCB002, YCK002, and YCW003; and Y-cam Original Range YCB001, YCW001, running firmware 4.30 and earlier, allow remote authenticated users to inject arbitrary web script or HTML via the (1) SYSCONTACT parameter to form/identityApply, as triggered using en/identity.asp; (2) PASSWD parameter to form/accAdd, as triggered using en/account/accedit.asp; (3) NTPSERVER parameter to form/clockApply, as triggered using en/clock.asp; (4) SERVER parameter to form/smtpclientApply, as triggered using en/smtpclient.asp; (5) SERVER parameter to form/ftpApply, as triggered using en/ftp.asp; or (6) SERVER parameter to form/httpEventApply, as triggered using en/httpevent.asp. |
| 397 | CVE-2014-1901 | 20 | | DoS | 2015-05-14 | 2015-05-15 | 6.8 | None | Remote | Low | ??? | None | None | Complete | Y-Cam camera models SD range YCB003, YCK003, and YCW003; S range YCB004, YCK004, YCW004; EyeBall YCEB03; Bullet VGA YCBL03 and YCBLB3; Bullet HD 720 YCBLHD5; Y-cam Classic Range YCB002, YCK002, and YCW003; and Y-cam Original Range YCB001, YCW001, running firmware 4.30 and earlier, allow remote authenticated users to cause a denial of service (reboot) via a malformed (1) path parameter to en/store_main.asp, (2) item parameter to en/account/accedit.asp, or (3) emailid parameter to en/smtpclient.asp. NOTE: this issue can be exploited without authentication by leveraging CVE-2014-1900. |
| 398 | CVE-2014-1900 | 200 | | Bypass +Info | 2015-05-14 | 2015-05-15 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Y-Cam camera models SD range YCB003, YCK003, and YCW003; S range YCB004, YCK004, YCW004; EyeBall YCEB03; Bullet VGA YCBL03 and YCBLB3; Bullet HD 720 YCBLHD5; Y-cam Classic Range YCB002, YCK002, and YCW003; and Y-cam Original Range YCB001, YCW001, running firmware 4.30 and earlier, allow remote attackers to bypass authentication and obtain sensitive information via a leading "/./" in a request to en/account/accedit.asp. |
| 399 | CVE-2014-0919 | 200 | | +Info | 2015-05-08 | 2016-11-28 | 4.0 | None | Remote | Low | ??? | Partial | None | None | IBM DB2 9.5 through 10.5 on Linux, UNIX, and Windows stores passwords during the processing of certain SQL statements by the monitoring and audit facilities, which allows remote authenticated users to obtain sensitive information via commands associated with these facilities. |
| 400 | CVE-2013-7441 | 399 | | DoS | 2015-05-29 | 2016-12-31 | 7.8 | None | Remote | Low | Not required | None | None | Complete | The modern style negotiation in Network Block Device (nbd-server) 2.9.22 through 3.3 allows remote attackers to cause a denial of service (root process termination) by (1) closing the connection during negotiation or (2) specifying a name for a non-existent export. |