| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Microsoft Internet Explorer 7 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability." |
| Topline Opportunity Form (aka XLS Opp form) before 2015-02-15 does not properly restrict access to database-connection strings, which allows attackers to read the cleartext version of sensitive credential and e-mail address information via unspecified vectors. |
| The Siemens SPCanywhere application for iOS allows physically proximate attackers to bypass intended access restrictions by leveraging a filesystem architectural error. |
| The stack randomization feature in the Linux kernel before 3.19.1 on 64-bit platforms uses incorrect data types for the results of bitwise left-shift operations, which makes it easier for attackers to bypass the ASLR protection mechanism by predicting the address of the top of the stack, related to the randomize_stack_top function in fs/binfmt_elf.c and the stack_maxrandom_size function in arch/x86/mm/mmap.c. |
| Directory traversal vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.4 allows remote administrators to read arbitrary files via unspecified vectors. |
| The ActiveMQ Broker in Samsung Security Manager (SSM) before 1.31 allows remote attackers to delete arbitrary files, and consequently cause a denial of service, via a DELETE request. |
| Persistent Systems Radia Client Automation does not properly restrict access to certain request, which allows remote attackers to (1) enumerate user accounts via a getUsers request, (2) assign a role to a user account via an addAssigneesToRole request, (3) remove a role from a user account via a removeAssigneesFromRole request, or (4) have other unspecified impact. |
| The management console in Symantec Endpoint Protection Manager (SEPM) 12.1 before 12.1-RU6-MP1 allows remote authenticated users to gain privileges via unspecified vectors. |
| The SOAP web interface in SCADA Engine BACnet OPC Server before 2.1.371.24 allows remote attackers to bypass authentication and read or write to arbitrary database fields via unspecified vectors. |
| X-Cart before 5.1.11 allows remote authenticated users to read or delete address data of arbitrary accounts via a modified (1) update or (2) remove request. |
| The ANTlabs InnGate firmware on IG 3100, IG 3101, InnGate 3.00 E, InnGate 3.01 E, InnGate 3.02 E, InnGate 3.10 E, InnGate 3.01 G, and InnGate 3.10 G devices does not require authentication for rsync sessions, which allows remote attackers to read or write to arbitrary files via TCP traffic on port 873. |
| Multiple array index errors in the Stream Control Transmission Protocol (SCTP) module in FreeBSD 10.1 before p5, 10.0 before p17, 9.3 before p9, and 8.4 before p23 allow local users to (1) gain privileges via the stream id to the setsockopt function, when setting the SCTIP_SS_VALUE option, or (2) read arbitrary kernel memory via the stream id to the getsockopt function, when getting the SCTP_SS_PRIORITY option. |
| AndroidManifest.xml in Android before 5.0.0 does not require the SEND_SMS permission for the SmsReceiver receiver, which allows attackers to send stored SMS messages, and consequently transmit arbitrary new draft SMS messages or trigger additional per-message charges from a network operator for old messages, via a crafted application that broadcasts an intent with the com.android.mms.transaction.MESSAGE_SENT action, aka Bug 17671795. |
| Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 use weak permissions for unspecified directories, which allows local users to obtain root access by replacing a script with a Trojan horse program. |
| The addAccount method in src/com/android/settings/accounts/AddAccountSettings.java in the Settings application in Android before 5.0.0 does not properly create a PendingIntent, which allows attackers to use the SYSTEM uid for broadcasting an intent with arbitrary component, action, or category information via a third-party authenticator in a crafted application, aka Bug 17356824. |
| The XCloner plugin 3.1.1 for WordPress and 3.5.1 for Joomla! stores database backup files with predictable names under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to a backup file in administrators/backups/. |
| Citrix NetScaler Application Delivery Controller and NetScaler Gateway 10.5.50.10 before 10.5-52.11, 10.1.122.17 before 10.1-129.11, and 10.1-120.1316.e before 10.1-129.1105.e, when using unspecified configurations, allows remote authenticated users to access "network resources" of other users via unknown vectors. |
| EMC Data Domain OS 5.4 through 5.7 before 5.7.2.0 allows remote authenticated users to bypass intended password-change restrictions by leveraging access to (1) a different account with the same role as a target account or (2) an account's session at an unattended workstation. |
| EMC Data Domain OS 5.4 through 5.7 before 5.7.2.0 has a default no_root_squash option for NFS exports, which makes it easier for remote attackers to obtain filesystem access by leveraging client root privileges. |
| EMC Data Domain OS 5.5 before 5.5.4.0, 5.6 before 5.6.1.004, and 5.7 before 5.7.2.0 stores session identifiers of GUI users in a world-readable file, which allows local users to hijack arbitrary accounts via unspecified vectors. |
