Vulnerability Summary for the Week of September 28, 2015
Released
Oct 05, 2015
Document ID
SB15-278
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| apport_project -- apport | kernel_crashdump in Apport before 2.19 allows local users to cause a denial of service (disk consumption) or possibly gain privileges via a (1) symlink or (2) hard link attack on /var/crash/vmcore.log. | 2015-10-01 | 7.2 | CVE-2015-1338 CONFIRM EXPLOIT-DB CONFIRM UBUNTU MISC FULLDISC MISC |
| bisonware -- bisonftp | Directory traversal vulnerability in BisonWare BisonFTP 3.5 allows remote attackers to read arbitrary files via a ../ (dot dot slash) in a RETR command. | 2015-09-29 | 7.8 | CVE-2015-7602 EXPLOIT-DB |
| cisco -- ios | The IPv6 snooping functionality in the first-hop security subsystem in Cisco IOS 12.2, 15.0, 15.1, 15.2, 15.3, 15.4, and 15.5 and IOS XE 3.2SE, 3.3SE, 3.3XO, 3.4SG, 3.5E, and 3.6E before 3.6.3E; 3.7E before 3.7.2E; 3.9S and 3.10S before 3.10.6S; 3.11S before 3.11.4S; 3.12S and 3.13S before 3.13.3S; and 3.14S before 3.14.2S does not properly implement the Control Plane Protection (aka CPPr) feature, which allows remote attackers to cause a denial of service (device reload) via a flood of ND packets, aka Bug ID CSCus19794. | 2015-09-27 | 7.8 | CVE-2015-6278 CONFIRM CISCO |
| cisco -- ios | The IPv6 snooping functionality in the first-hop security subsystem in Cisco IOS 12.2, 15.0, 15.1, 15.2, 15.3, 15.4, and 15.5 and IOS XE 3.2SE, 3.3SE, 3.3XO, 3.4SG, 3.5E, and 3.6E before 3.6.3E; 3.7E before 3.7.2E; 3.9S and 3.10S before 3.10.6S; 3.11S before 3.11.4S; 3.12S and 3.13S before 3.13.3S; and 3.14S before 3.14.2S allows remote attackers to cause a denial of service (device reload) via a malformed ND packet with the Cryptographically Generated Address (CGA) option, aka Bug ID CSCuo04400. | 2015-09-27 | 7.8 | CVE-2015-6279 CONFIRM CISCO |
| cisco -- ios | The SSHv2 functionality in Cisco IOS 15.2, 15.3, 15.4, and 15.5 and IOS XE 3.6E before 3.6.3E, 3.7E before 3.7.1E, 3.10S before 3.10.6S, 3.11S before 3.11.4S, 3.12S before 3.12.3S, 3.13S before 3.13.3S, and 3.14S before 3.14.1S does not properly implement RSA authentication, which allows remote attackers to obtain login access by leveraging knowledge of a username and the associated public key, aka Bug ID CSCus73013. | 2015-09-27 | 9.3 | CVE-2015-6280 CONFIRM CISCO |
| cisco -- ios_xe | Cisco IOS XE 2.x and 3.x before 3.10.6S, 3.11.xS through 3.13.xS before 3.13.3S, and 3.14.xS through 3.15.xS before 3.15.1S allows remote attackers to cause a denial of service (device reload) via IPv4 packets that require NAT and MPLS actions, aka Bug ID CSCut96933. | 2015-09-25 | 7.8 | CVE-2015-6282 CISCO |
| cisco -- anyconnect_secure_mobility_client | Untrusted search path vulnerability in the CMainThread::launchDownloader function in vpndownloader.exe in Cisco AnyConnect Secure Mobility Client 2.0 through 4.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by dbghelp.dll, aka Bug ID CSCuv01279. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-4211. | 2015-09-25 | 7.2 | CVE-2015-6305 MISC CISCO |
| cisco -- anyconnect_secure_mobility_client | Cisco AnyConnect Secure Mobility Client 4.1(8) on OS X and Linux does not verify pathnames before installation actions, which allows local users to obtain root privileges via a crafted installation file, aka Bug ID CSCuv11947. | 2015-09-25 | 7.2 | CVE-2015-6306 CISCO |
| codepeople -- appointment_booking_calendar | SQL injection vulnerability in cpabc_appointments_admin_int_calendar_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to updating the username. | 2015-09-29 | 7.5 | CVE-2015-7319 CONFIRM BUGTRAQ |
| datalex -- airline_booking_software | Datalex airline booking software before 2015-09-03 allows remote attackers to read or write to arbitrary user data via a modified profileId parameter to (1) ValidateFormAction.do or (2) ProfileConfirmEditAddressAction.do. | 2015-10-01 | 7.5 | CVE-2015-2858 CERT-VN |
| easyio -- easyio-30p-sf | EasyIO EasyIO-30P-SF controllers with firmware before 0.5.21 and 2.x before 2.0.5.21, as used in Accutrol, Bar-Tech Automation, Infocon/EasyIO, Honeywell Automation India, Johnson Controls, SyxthSENSE, Transformative Wave Technologies, Tridium Asia Pacific, and Tridium Europe products, have a hardcoded password, which makes it easier for remote attackers to obtain access via unspecified vectors. | 2015-09-27 | 9.0 | CVE-2015-3974 MISC |
| emc -- rsa_certificate_manager | Directory traversal vulnerability in EMC RSA OneStep 6.9 before build 559, as used in RSA Certificate Manager and RSA Registration Manager through 6.9 build 558 and other products, allows remote attackers to read arbitrary files via a crafted KCSOSC_ERROR_PAGE parameter. | 2015-10-01 | 7.8 | CVE-2015-4546 BUGTRAQ |
| endian_firewall -- endian_firewall | Endian Firewall before 3.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) NEW_PASSWORD_1 or (2) NEW_PASSWORD_2 parameter to cgi-bin/chpasswd.cgi. | 2015-09-28 | 10.0 | CVE-2015-5082 EXPLOIT-DB EXPLOIT-DB EXPLOIT-DB MISC |
| google -- android | Integer overflow in SampleTable.cpp in libstagefright in Android before 5.0.0 has unspecified impact and attack vectors, aka internal bug 15328708. | 2015-09-30 | 10.0 | CVE-2014-7915 CONFIRM MISC |
| google -- android | Integer overflow in SampleTable.cpp in libstagefright in Android before 5.0.0 has unspecified impact and attack vectors, aka internal bug 15342751. | 2015-09-30 | 10.0 | CVE-2014-7916 CONFIRM MISC |
| google -- android | Integer overflow in SampleTable.cpp in libstagefright in Android before 5.0.0 has unspecified impact and attack vectors, aka internal bug 15342615. | 2015-09-30 | 10.0 | CVE-2014-7917 CONFIRM MISC |
| google -- android | Integer overflow in the native_handle_create function in libcutils/native_handle.c in Android before 5.1.1 LMY48M allows attackers to obtain a different application's privileges or cause a denial of service (Binder heap memory corruption) via a crafted application, aka internal bug 19334482. | 2015-09-30 | 9.3 | CVE-2015-1528 MLIST CONFIRM CONFIRM |
| google -- android | Integer overflow in the Bitmap_createFromParcel function in core/jni/android/graphics/Bitmap.cpp in Android before 5.1.1 LMY48I allows attackers to cause a denial of service (system_server crash) or obtain sensitive system_server memory-content information via a crafted application that leverages improper unmarshalling of bitmaps, aka internal bug 19666945. | 2015-09-30 | 8.5 | CVE-2015-1536 MLIST CONFIRM |
| google -- android | Integer overflow in the SampleTable::setSampleToChunkParams function in SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I allows remote attackers to execute arbitrary code via crafted atoms in MP4 data that trigger an unchecked multiplication, aka internal bug 20139950, a related issue to CVE-2015-4496. | 2015-09-30 | 10.0 | CVE-2015-1538 MLIST CONFIRM |
| google -- android | Multiple integer underflows in the ESDS::parseESDescriptor function in ESDS.cpp in libstagefright in Android before 5.1.1 LMY48I allow remote attackers to execute arbitrary code via crafted ESDS atoms, aka internal bug 20139950, a related issue to CVE-2015-4493. | 2015-09-30 | 10.0 | CVE-2015-1539 MLIST CONFIRM |
| google -- android | The MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I does not properly restrict size addition, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow and memory corruption) via a crafted MPEG-4 tx3g atom, aka internal bug 20923261. | 2015-09-30 | 10.0 | CVE-2015-3824 MLIST CONFIRM |
| google -- android | The MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I does not validate the relationship between chunk sizes and skip sizes, which allows remote attackers to execute arbitrary code or cause a denial of service (integer underflow and memory corruption) via crafted MPEG-4 covr atoms, aka internal bug 20923261. | 2015-09-30 | 9.3 | CVE-2015-3827 MLIST CONFIRM |
| google -- android | The MPEG4Extractor::parse3GPPMetaData function in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I does not enforce a minimum size for UTF-16 strings containing a Byte Order Mark (BOM), which allows remote attackers to execute arbitrary code or cause a denial of service (integer underflow and memory corruption) via crafted 3GPP metadata, aka internal bug 20923261, a related issue to CVE-2015-3826. | 2015-09-30 | 10.0 | CVE-2015-3828 MLIST CONFIRM |
| google -- android | Off-by-one error in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow and memory corruption) via crafted MPEG-4 covr atoms with a size equal to SIZE_MAX, aka internal bug 20923261. | 2015-09-30 | 10.0 | CVE-2015-3829 MLIST CONFIRM |
| google -- android | Buffer overflow in the readAt function in BpMediaHTTPConnection in media/libmedia/IMediaHTTPConnection.cpp in the mediaserver service in Android before 5.1.1 LMY48I allows attackers to execute arbitrary code via a crafted application, aka internal bug 19400722. | 2015-09-30 | 9.3 | CVE-2015-3831 MLIST CONFIRM |
| google -- android | Multiple buffer overflows in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I allow remote attackers to execute arbitrary code via invalid size values of NAL units in MP4 data, aka internal bug 19641538. | 2015-09-30 | 10.0 | CVE-2015-3832 MLIST CONFIRM |
| google -- android | Multiple integer overflows in the BnHDCP::onTransact function in media/libmedia/IHDCP.cpp in libstagefright in Android before 5.1.1 LMY48I allow attackers to execute arbitrary code via a crafted application that uses HDCP encryption, leading to a heap-based buffer overflow, aka internal bug 20222489. | 2015-09-30 | 10.0 | CVE-2015-3834 MLIST CONFIRM |
| google -- android | Buffer overflow in the OMXNodeInstance::emptyBuffer function in omx/OMXNodeInstance.cpp in libstagefright in Android before 5.1.1 LMY48I allows attackers to execute arbitrary code via a crafted application, aka internal bug 20634516. | 2015-09-30 | 9.3 | CVE-2015-3835 MLIST CONFIRM CONFIRM |
| google -- android | The Parse_wave function in arm-wt-22k/lib_src/eas_mdls.c in the Sonivox DLS-to-EAS converter in Android before 5.1.1 LMY48I does not reject a negative value for a certain size field, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via crafted XMF data, aka internal bug 21132860. | 2015-09-30 | 10.0 | CVE-2015-3836 MLIST CONFIRM |
| google -- android | The OpenSSLX509Certificate class in org/conscrypt/OpenSSLX509Certificate.java in Android before 5.1.1 LMY48I improperly includes certain context data during serialization and deserialization, which allows attackers to execute arbitrary code via an application that sends a crafted Intent, aka internal bug 21437603. | 2015-09-30 | 9.3 | CVE-2015-3837 MLIST CONFIRM |
| google -- android | Multiple heap-based buffer overflows in libeffects in the Audio Policy Service in mediaserver in Android before 5.1.1 LMY48I allow attackers to execute arbitrary code via a crafted application, aka internal bug 21953516. | 2015-09-30 | 9.3 | CVE-2015-3842 MLIST CONFIRM |
| google -- android | The SIM Toolkit (STK) framework in Android before 5.1.1 LMY48I allows attackers to (1) intercept or (2) emulate unspecified Telephony STK SIM commands via an application that sends a crafted Intent, related to com/android/internal/telephony/cat/AppInterface.java, aka internal bug 21697171. | 2015-09-30 | 9.3 | CVE-2015-3843 MLIST CONFIRM CONFIRM CONFIRM CONFIRM |
| google -- android | The Region_createFromParcel function in core/jni/android/graphics/Region.cpp in Region in Android before 5.1.1 LMY48M does not check the return values of certain read operations, which allows attackers to execute arbitrary code via an application that sends a crafted message to a service, aka internal bug 21585255. | 2015-09-30 | 9.3 | CVE-2015-3849 MLIST CONFIRM CONFIRM |
| google -- android | The checkDestination function in internal/telephony/SMSDispatcher.java in Android before 5.1.1 LMY48M relies on an obsolete permission name for an authorization check, which allows attackers to bypass an intended user-confirmation requirement for SMS short-code messaging via a crafted application, aka internal bug 22314646. | 2015-09-30 | 9.3 | CVE-2015-3858 MLIST CONFIRM |
| google -- android | packages/Keyguard/res/layout/keyguard_password_view.xml in Lockscreen in Android 5.x before 5.1.1 LMY48M does not restrict the number of characters in the passwordEntry input field, which allows physically proximate attackers to bypass intended access restrictions via a long password that triggers a SystemUI crash, aka internal bug 22214934. | 2015-09-30 | 7.2 | CVE-2015-3860 MLIST CONFIRM CONFIRM MISC |
| google -- android | Multiple integer overflows in the Blob class in keystore/keystore.cpp in Keystore in Android before 5.1.1 LMY48M allow attackers to execute arbitrary code and read arbitrary Keystore keys via an application that uses a crafted blob in an insert operation, aka internal bug 22802399. | 2015-09-30 | 9.3 | CVE-2015-3863 MLIST CONFIRM |
| google -- android | Integer underflow in the MPEG4Extractor::parseChunk function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted MPEG-4 data, aka internal bug 23034759. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3824. | 2015-09-30 | 10.0 | CVE-2015-3864 MLIST CONFIRM |
| google -- android | libstagefright in Android through 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted metadata in a (1) MP3 or (2) MP4 file. | 2015-10-01 | 9.3 | CVE-2015-3876 MISC MISC |
| google -- android | SampleTable.cpp in libstagefright in Android before 5.1.1 LMY48I does not properly consider integer promotion, which allows remote attackers to execute arbitrary code or cause a denial of service (integer overflow and memory corruption) via crafted atoms in MP4 data, aka internal bug 20139950, a different vulnerability than CVE-2015-1538. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-7915, CVE-2014-7916, and/or CVE-2014-7917. | 2015-09-30 | 10.0 | CVE-2015-6575 MLIST CONFIRM |
| google -- android | libutils in Android through 5.1.1 LMY48M allows remote attackers to execute arbitrary code via crafted metadata in a (1) MP3 or (2) MP4 file, as demonstrated by an attack against use of libutils by libstagefright in Android 5.x. | 2015-10-01 | 9.3 | CVE-2015-6602 MISC MISC |
| h5ai_project -- h5ai | Unrestricted file upload vulnerability in h5ai before 0.25.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the directory specified by the href parameter. | 2015-09-28 | 7.5 | CVE-2015-3203 EXPLOIT-DB CONFIRM |
| indusoft -- web_studio | The Remote Agent component in Schneider Electric InduSoft Web Studio before 8.0 allows remote attackers to execute arbitrary code via unspecified vectors, aka ZDI-CAN-2649. | 2015-09-25 | 7.5 | CVE-2015-7374 CONFIRM |
| indusoft -- web_studio | Schneider Electric InduSoft Web Studio before 8.0 allows remote attackers to execute arbitrary code or cause a denial of service (unhandled runtime exception and application crash) via a crafted Indusoft Project file. | 2015-09-25 | 7.5 | CVE-2015-7375 CONFIRM |
| konicaminolta -- ftp_utility | Directory traversal vulnerability in Konica Minolta FTP Utility 1.0 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in a RETR command. | 2015-09-29 | 7.8 | CVE-2015-7603 EXPLOIT-DB MISC |
| linuxcontainers -- lxc | lxc-start in lxc before 1.0.8 and 1.1.x before 1.1.4 allows local container administrators to escape AppArmor confinement via a symlink attack on a (1) mount target or (2) bind mount source. | 2015-10-01 | 7.2 | CVE-2015-1335 MLIST CONFIRM CONFIRM UBUNTU MLIST |
| pcman's_ftp_server_project -- pcman's_ftp_server | Directory traversal vulnerability in PCMan's FTP Server 2.0.7 allows remote attackers to read arbitrary files via a ..// (dot dot double slash) in a RETR command. | 2015-09-29 | 7.8 | CVE-2015-7601 EXPLOIT-DB |
| qemu -- qemu | Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets. | 2015-09-28 | 7.2 | CVE-2015-5279 MLIST SECTRACK MLIST CONFIRM |
| refbase -- refbase | install.php in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to execute arbitrary commands via the adminPassword parameter, a different issue than CVE-2015-7381. | 2015-09-27 | 7.5 | CVE-2015-6008 CERT-VN |
| refbase -- refbase | Multiple SQL injection vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary SQL commands via (1) the where parameter to rss.php or (2) the sqlQuery parameter to search.php, a different issue than CVE-2015-7382. | 2015-09-27 | 7.5 | CVE-2015-6009 CERT-VN |
| refbase -- refbase | Multiple PHP remote file inclusion vulnerabilities in install.php in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary PHP code via the (1) pathToMYSQL or (2) databaseStructureFile parameter, a different issue than CVE-2015-6008. | 2015-09-27 | 7.5 | CVE-2015-7381 CERT-VN |
| refbase -- refbase | SQL injection vulnerability in install.php in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to execute arbitrary SQL commands via the defaultCharacterSet parameter, a different issue than CVE-2015-6009. | 2015-09-27 | 7.5 | CVE-2015-7382 CERT-VN |
| roaring_penguin -- remind | Buffer overflow in the DumpSysVar function in var.c in Remind before 3.1.15 allows attackers to have unspecified impact via a long name. | 2015-09-28 | 10.0 | CVE-2015-5957 MLIST MLIST MLIST SUSE |
| x2engine -- x2crm | Incomplete blacklist vulnerability in the FileUploadsFilter class in protected/components/filters/FileUploadsFilter.php in X2Engine X2CRM before 5.0.9 allows remote authenticated users to execute arbitrary PHP code by uploading a file with a .pht extension. | 2015-09-29 | 7.5 | CVE-2015-5074 MISC CONFIRM FULLDISC |
| zohocorp -- manageengine_eventlog_analyzer | ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." | 2015-09-28 | 7.5 | CVE-2015-7387 EXPLOIT-DB FULLDISC MISC |
Medium Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adnovum -- nevisauth | The SAML 2.0 implementation in AdNovum nevisAuth 4.13.0.0 before 4.18.3.1, when using SAML POST-Binding, does not match all attributes of the X.509 certificate embedded in the assertion against the certificate from the identity provider (IdP), which allows remote attackers to inject arbitrary SAML assertions via a crafted certificate. | 2015-09-28 | 5.0 | CVE-2015-5372 BUGTRAQ MISC MISC MISC |
| advantech -- webaccess | Multiple stack-based buffer overflows in an unspecified DLL file in Advantech WebAccess before 8.0_20150816 allow remote attackers to execute arbitrary code via a crafted file that triggers long string arguments to functions. | 2015-09-27 | 6.9 | CVE-2014-9202 MISC |
| cisco -- wireless_lan_controller_software | The RADIUS functionality on Cisco Wireless LAN Controller (WLC) devices with software 7.0(250.0) and 7.0(252.0) allows remote attackers to disconnect arbitrary sessions via crafted Disconnect-Request UDP packets, aka Bug ID CSCuw29419. | 2015-09-25 | 5.0 | CVE-2015-6302 CISCO |
| cisco -- firepower | Cisco FirePOWER (formerly Sourcefire) 7000 and 8000 devices with software 5.4.0.1 allow remote attackers to cause a denial of service (inspection-engine outage) via crafted packets, aka Bug ID CSCuu10871. | 2015-09-27 | 6.1 | CVE-2015-6307 CISCO |
| codepeople -- appointment_booking_calendar | Multiple cross-site scripting (XSS) vulnerabilities in cpabc_appointments_admin_int_bookings_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2015-09-29 | 4.3 | CVE-2015-7320 CONFIRM BUGTRAQ BUGTRAQ |
| codewrights -- hart_comm_dtm | CodeWrights HART Comm DTM components, as used with Endress+Hauser FieldCare, allow remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via a longtag XML schema containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | 2015-09-27 | 5.8 | CVE-2015-6463 MISC |
| cubecart -- cubecart | classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate parameter and the administrator email in the email parameter. | 2015-09-28 | 6.8 | CVE-2015-6928 CONFIRM FULLDISC MISC |
| emc -- rsa_identity_management_and_governance | Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Identity Management & Governance (IMG) before 7.0.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2015-09-25 | 4.3 | CVE-2015-4539 BUGTRAQ |
| emc -- rsa_archer_grc | EMC RSA Archer GRC 5.x before 5.5.3 allows remote authenticated users to bypass intended access restrictions, and read or modify Discussion Forum Fields messages, via unspecified vectors. | 2015-09-25 | 6.5 | CVE-2015-4542 BUGTRAQ |
| emc -- rsa_archer_grc | EMC RSA Archer GRC 5.x before 5.5.3 uses cleartext for stored passwords in unspecified circumstances, which allows remote authenticated users to obtain sensitive information by reading database fields. | 2015-09-25 | 4.0 | CVE-2015-4543 BUGTRAQ |
| everest -- peakhmi | Everest PeakHMI before 8.7.0.2, when the video server is used, allows remote attackers to cause a denial of service (incorrect pointer dereference and daemon crash) via a crafted packet. | 2015-09-25 | 5.0 | CVE-2015-6454 MISC |
| freeimage_project -- freeimage | Multiple integer underflows in PluginPCX.cpp in FreeImage 3.17.0 and earlier allow remote attackers to cause a denial of service (heap memory corruption) via vectors related to the height and width of a window. | 2015-09-29 | 5.0 | CVE-2015-0852 CONFIRM MLIST FEDORA |
| gnu -- glibc | Buffer overflow in the gethostbyname_r and other unspecified NSS functions in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via a crafted DNS response, which triggers a call with a misaligned buffer. | 2015-09-28 | 6.8 | CVE-2015-1781 MLIST CONFIRM CONFIRM REDHAT BID SUSE |
| gnu -- gnu_screen | The MScrollV function in ansi.c in GNU screen 4.3.1 and earlier does not properly limit recursion, which allows remote attackers to cause a denial of service (stack consumption) via an escape sequence with a large repeat count value. | 2015-09-28 | 5.0 | CVE-2015-6806 CONFIRM MLIST MLIST MLIST DEBIAN CONFIRM |
| google -- android | The AppWidgetServiceImpl implementation in com/android/server/appwidget/AppWidgetServiceImpl.java in the Settings application in Android before 5.1.1 LMY48I allows attackers to obtain a URI permission via an application that sends an Intent with a (1) FLAG_GRANT_READ_URI_PERMISSION or (2) FLAG_GRANT_WRITE_URI_PERMISSION flag, as demonstrated by bypassing intended restrictions on reading contacts, aka internal bug 19618745. | 2015-09-30 | 4.3 | CVE-2015-1541 MLIST CONFIRM |
| google -- android | The MPEG4Extractor::parse3GPPMetaData function in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I does not enforce a minimum size for UTF-16 strings containing a Byte Order Mark (BOM), which allows remote attackers to cause a denial of service (integer underflow, buffer over-read, and mediaserver process crash) via crafted 3GPP metadata, aka internal bug 20923261, a related issue to CVE-2015-3828. | 2015-09-30 | 5.0 | CVE-2015-3826 MLIST CONFIRM |
| google -- android | The getRunningAppProcesses function in services/core/java/com/android/server/am/ActivityManagerService.java in Android before 5.1.1 LMY48I allows attackers to bypass intended getRecentTasks restrictions and discover the name of the foreground application via a crafted application, aka internal bug 20034603. | 2015-09-30 | 4.3 | CVE-2015-3833 MLIST CONFIRM MISC |
| google -- android | The getProcessRecordLocked method in services/core/java/com/android/server/am/ActivityManagerService.java in ActivityManager in Android before 5.1.1 LMY48I allows attackers to trigger incorrect process loading via a crafted application, as demonstrated by interfering with use of the Settings application, aka internal bug 21669445. | 2015-09-30 | 6.8 | CVE-2015-3844 MLIST CONFIRM |
| google -- android | The Parcel::appendFrom function in libs/binder/Parcel.cpp in Binder in Android before 5.1.1 LMY48M does not consider parcel boundaries during identification of binder objects in an append operation, which allows attackers to obtain a different application's privileges via a crafted application, aka internal bug 17312693. | 2015-09-30 | 6.8 | CVE-2015-3845 MLIST CONFIRM |
| google -- android | Multiple integer overflows in the addVorbisCodecInfo function in matroska/MatroskaExtractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allow remote attackers to cause a denial of service (device inoperability) via crafted Matroska data, aka internal bug 21296336. | 2015-09-30 | 5.0 | CVE-2015-3861 MLIST CONFIRM |
| hp -- integrated_lights-out_3_firmware | Unspecified vulnerability in HP Integrated Lights-Out (iLO) firmware 3 before 1.85 and 4 before 2.22 allows remote authenticated users to cause a denial of service via unknown vectors. | 2015-09-29 | 4.0 | CVE-2015-5435 HP |
| hp -- software_update | Unspecified vulnerability in HP Software Update before 5.005.002.002 allows local users to gain privileges via unknown vectors. | 2015-09-29 | 4.6 | CVE-2015-5442 HP |
| ibc_solar -- danfoss_tlx_pro+ | The interpreter in IBC Solar ServeMaster TLP+ and Danfoss TLX Pro+ allows remote attackers to discover script source code via unspecified vectors. | 2015-09-25 | 5.0 | CVE-2015-6469 MISC |
| ibc_solar -- danfoss_tlx_pro+ | IBC Solar ServeMaster TLP+ and Danfoss TLX Pro+ allow remote attackers to discover cleartext passwords by reading HTML source code. | 2015-09-25 | 5.0 | CVE-2015-6474 MISC |
| ibc_solar -- danfoss_tlx_pro+ | Multiple cross-site scripting (XSS) vulnerabilities in IBC Solar ServeMaster TLP+ and Danfoss TLX Pro+ allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2015-09-25 | 4.3 | CVE-2015-6475 MISC |
| ipython -- notebook | The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types. | 2015-09-29 | 6.8 | CVE-2015-7337 CONFIRM CONFIRM CONFIRM MLIST MLIST FEDORA |
| mcafee -- vulnerability_manager | Multiple cross-site request forgery (CSRF) vulnerabilities in the Organizations page in Enterprise Manager in McAfee Vulnerability Manager (MVM) 7.5.9 and earlier allow remote attackers to hijack the authentication of administrators for requests that have unspecified impact via unknown vectors. | 2015-10-01 | 6.8 | CVE-2015-7612 CONFIRM SECTRACK |
| nvidia -- display_driver | The NVIDIA display driver R352 before 353.82 and R340 before 341.81 on Windows; R304 before 304.128, R340 before 340.93, and R352 before 352.41 on Linux; and R352 before 352.46 on GRID vGPU and vSGA allows local users to write to an arbitrary kernel memory location and consequently gain privileges via a crafted ioctl call. | 2015-09-29 | 6.9 | CVE-2015-5950 HP CONFIRM |
| open-xchange -- open-xchange_appsuite | Cross-site scripting (XSS) vulnerability in unspecified dialogs for printing content in the Front End in Open-Xchange Server 6 and OX App Suite before 6.22.8-rev8, 6.22.9 before 6.22.9-rev15m, 7.x before 7.6.1-rev25, and 7.6.2 before 7.6.2-rev20 allows remote attackers to inject arbitrary web script or HTML via unknown vectors related to object properties. | 2015-09-28 | 4.3 | CVE-2015-5375 BUGTRAQ CONFIRM |
| open-xchange_ox_guard -- open-xchange_ox_guard | SQL injection vulnerability in the public key discovery API call in Open-Xchange OX Guard before 2.0.0-rev8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | 2015-09-28 | 6.5 | CVE-2015-5703 BUGTRAQ CONFIRM |
| open_source_point_of_sale_project -- open_source_point_of_sale | Multiple cross-site scripting (XSS) vulnerabilities in Open Source Point of Sale 2.3.1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2015-09-29 | 4.0 | CVE-2015-0299 MISC |
| refbase -- refbase | Cross-site request forgery (CSRF) vulnerability in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to hijack the authentication of arbitrary users. | 2015-09-27 | 6.8 | CVE-2015-6007 CERT-VN |
| refbase -- refbase | Multiple cross-site scripting (XSS) vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge before 2015-01-08 allow remote attackers to inject arbitrary web script or HTML via the (1) errorNo or (2) errorMsg parameter to error.php; the (3) viewType parameter to duplicate_manager.php; the (4) queryAction, (5) displayType, (6) citeOrder, (7) sqlQuery, (8) showQuery, (9) showLinks, (10) showRows, or (11) queryID parameter to query_manager.php; the (12) sourceText or (13) sourceIDs parameter to import.php; or the (14) typeName or (15) fileName parameter to modify.php. | 2015-09-27 | 4.3 | CVE-2015-6010 CERT-VN |
| refbase -- refbase | Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge before 2015-01-08 allows remote attackers to conduct XML injection attacks via (1) the id parameter to unapi.php or (2) the stylesheet parameter to sru.php. | 2015-09-27 | 5.0 | CVE-2015-6011 CERT-VN |
| refbase -- refbase | Multiple open redirect vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge before 2015-01-08 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the referrer parameter. | 2015-09-27 | 5.8 | CVE-2015-6012 CERT-VN |
| refbase -- refbase | Multiple cross-site scripting (XSS) vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge through 2015-04-28 allow remote attackers to inject arbitrary web script or HTML via the (1) adminUserName, (2) pathToMYSQL, (3) databaseStructureFile, or (4) pathToBibutils parameter to install.php or the (5) adminUserName parameter to update.php. | 2015-09-27 | 4.3 | CVE-2015-7383 CERT-VN |
| resource_data_management_data_manager -- data_manager | Cross-site request forgery (CSRF) vulnerability in Resource Data Management Data Manager before 2.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 2015-09-25 | 6.8 | CVE-2015-6468 MISC |
| resource_data_management_data_manager -- data_manager | Resource Data Management Data Manager before 2.2 allows remote authenticated users to modify arbitrary passwords via unspecified vectors. | 2015-09-25 | 5.5 | CVE-2015-6470 MISC |
| rpcbind_project -- rpcbind | Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code. | 2015-10-01 | 5.0 | CVE-2015-7236 FREEBSD UBUNTU MLIST MLIST MLIST DEBIAN |
| splunk -- splunk | Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.2.x before 6.2.6 and Splunk Light 6.2.x before 6.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2015-09-29 | 4.3 | CVE-2015-7604 CONFIRM SECTRACK |
| squid-cache -- squid | Squid before 3.5.6 does not properly handle CONNECT method peer responses when configured with cache_peer, which allows remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request. | 2015-09-28 | 6.8 | CVE-2015-5400 CONFIRM CONFIRM CONFIRM CONFIRM MLIST MLIST MLIST MLIST DEBIAN |
| standards_based_linux_instrumentation -- sblim-sfcb | The lookupProviders function in providerMgr.c in sblim-sfcb 1.3.4 and 1.3.18 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty className in a packet. | 2015-09-28 | 5.0 | CVE-2015-5185 MLIST SUSE |
| tibco -- managed_file_transfer_command_center | TIBCO Managed File Transfer Internet Server before 7.2.5, Managed File Transfer Command Center before 7.2.5, Slingshot before 1.9.4, and Vault before 2.0.1 allow remote authenticated users to obtain sensitive information via a crafted HTTP request. | 2015-09-29 | 4.0 | CVE-2015-5711 CONFIRM CONFIRM |
| x2engine -- x2crm | Cross-site request forgery (CSRF) vulnerability in X2Engine X2CRM before 5.2 allows remote attackers to hijack the authentication of administrators for requests that create an administrative account via a crafted request to index.php/users/create. | 2015-09-29 | 6.8 | CVE-2015-5075 MISC FULLDISC |
| x2engine -- x2crm | Multiple cross-site scripting (XSS) vulnerabilities in X2Engine X2CRM before 5.0.9 allow remote attackers to inject arbitrary web script or HTML via the (1) version parameter in protected/views/admin/formEditor.php; the (2) importId parameter in protected/views/admin/rollbackImport.php; the (3) bc, (4) fg, (5) bgc, or (6) font parameter in protected/views/site/listener.php; the (7) Services[*] parameter in protected/components/views/webForm.php; the (8) file parameter in protected/components/TranslationManager.php; the (9) x2_key parameter in protected/tests/webscripts/x2WebTrackingTestPages/customWebLeadCaptureScriptTest.php; the (10) id parameter in protected/modules/contacts/controllers/ContactsController.php; or the (11) lastEventId parameter to index.php/profile/getEvents. | 2015-09-29 | 4.3 | CVE-2015-5076 MISC CONFIRM FULLDISC |
Low Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| emc -- rsa_identity_management_and_governance | Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Identity Management & Governance (IMG) before 6.8.1 P18 and 6.9.x before 6.9.1 P6 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2015-09-25 | 3.5 | CVE-2015-4540 BUGTRAQ |
| emc -- rsa_archer_grc | Multiple cross-site scripting (XSS) vulnerabilities in EMC RSA Archer GRC 5.x before 5.5.3 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2015-09-25 | 3.5 | CVE-2015-4541 BUGTRAQ |
| ghozylab -- gallery_-_photo_albums_-_portfolio | Multiple cross-site scripting (XSS) vulnerabilities in includes/metaboxes.php in the Gallery - Photo Albums - Portfolio plugin 1.3.47 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) Media Title or (2) Media Subtitle fields. | 2015-09-28 | 3.5 | CVE-2015-7386 MISC MISC |
| openvz -- vzctl | vzctl before 4.9.4 determines the virtual environment (VE) layout based on the presence of root.hdd/DiskDescriptor.xml in the VE private directory, which allows local simfs container (CT) root users to change the root password for arbitrary ploop containers, as demonstrated by a symlink attack on the ploop container root.hdd file and then access a control panel. | 2015-09-28 | 3.6 | CVE-2015-6927 CONFIRM CONFIRM DEBIAN |
| xen -- xen | libxl in Xen 4.1.x through 4.6.x does not properly handle the readonly flag on disks when using the qemu-xen device model, which allows local guest users to write to a read-only disk image. | 2015-10-01 | 3.6 | CVE-2015-7311 CONFIRM CONFIRM SECTRACK FEDORA FEDORA FEDORA |
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.