Total
11829 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-8730 | 1 Wireshark | 1 Wireshark | 2025-04-12 | 4.3 MEDIUM | 5.5 MEDIUM |
|
epan/dissectors/packet-nbap.c in the NBAP dissector in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the number of items, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted packet.
|
|||||
| CVE-2016-3764 | 1 Google | 1 Android | 2025-04-12 | 5.0 MEDIUM | 4.0 MEDIUM |
|
media/libmediaplayerservice/MetadataRetrieverClient.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-07-01 allows attackers to obtain sensitive pointer information via a crafted application, aka internal bug 28377502.
|
|||||
| CVE-2014-2107 | 1 Cisco | 1 Ios | 2025-04-12 | 7.1 HIGH | N/A |
|
Cisco IOS 12.2 and 15.0 through 15.3, when used with the Kailash FPGA before 2.6 on RSP720-3C-10GE and RSP720-3CXL-10GE devices, allows remote attackers to cause a denial of service (route switch processor outage) via crafted IP packets, aka Bug ID CSCug84789.
|
|||||
| CVE-2014-9751 | 6 Apple, Debian, Linux and 3 more | 8 Macos, Debian Linux, Linux Kernel and 5 more | 2025-04-12 | 6.8 MEDIUM | N/A |
|
The read_network_packet function in ntp_io.c in ntpd in NTP 4.x before 4.2.8p1 on Linux and OS X does not properly determine whether a source IP address is an IPv6 loopback address, which makes it easier for remote attackers to spoof restricted packets, and read or write to the runtime state, by leveraging the ability to reach the ntpd machine's network interface with a packet from the ::1 address.
|
|||||
| CVE-2015-8702 | 2 Debian, Inspircd | 2 Debian Linux, Inspircd | 2025-04-12 | 7.8 HIGH | 8.6 HIGH |
|
The DNS::GetResult function in dns.cpp in InspIRCd before 2.0.19 allows remote DNS servers to cause a denial of service (netsplit) via an invalid character in a PTR response, as demonstrated by a "\032" (whitespace) character in a hostname.
|
|||||
| CVE-2015-5296 | 3 Canonical, Debian, Samba | 3 Ubuntu Linux, Debian Linux, Samba | 2025-04-12 | 4.3 MEDIUM | 5.4 MEDIUM |
|
Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 supports connections that are encrypted but unsigned, which allows man-in-the-middle attackers to conduct encrypted-to-unencrypted downgrade attacks by modifying the client-server data stream, related to clidfs.c, libsmb_server.c, and smbXcli_base.c.
|
|||||
| CVE-2016-2170 | 1 Apache | 1 Ofbiz | 2025-04-12 | 7.5 HIGH | 9.8 CRITICAL |
|
Apache OFBiz 12.04.x before 12.04.06 and 13.07.x before 13.07.03 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.
|
|||||
| CVE-2014-3273 | 1 Cisco | 1 Ios | 2025-04-12 | 6.1 MEDIUM | N/A |
|
The LLDP implementation in Cisco IOS allows remote attackers to cause a denial of service (device reload) via a malformed packet, aka Bug ID CSCum96282.
|
|||||
| CVE-2016-5284 | 1 Mozilla | 1 Firefox | 2025-04-12 | 4.3 MEDIUM | 7.4 HIGH |
|
Mozilla Firefox before 49.0, Firefox ESR 45.x before 45.4, and Thunderbird < 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority.
|
|||||
| CVE-2014-2744 | 2 Lightwitch, Prosody | 2 Metronome, Prosody | 2025-04-12 | 7.8 HIGH | N/A |
|
plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.
|
|||||
| CVE-2016-4782 | 2 Google, Lenovo | 2 Android, Shareit | 2025-04-12 | 9.3 HIGH | 8.8 HIGH |
|
Lenovo SHAREit before 3.5.98_ww on Android before 4.2 allows remote attackers to have unspecified impact via a crafted intent: URL, aka an "intent scheme URL attack."
|
|||||
| CVE-2016-3739 | 1 Haxx | 1 Curl | 2025-04-12 | 2.6 LOW | 5.3 MEDIUM |
|
The (1) mbed_connect_step1 function in lib/vtls/mbedtls.c and (2) polarssl_connect_step1 function in lib/vtls/polarssl.c in cURL and libcurl before 7.49.0, when using SSLv3 or making a TLS connection to a URL that uses a numerical IP address, allow remote attackers to spoof servers via an arbitrary valid certificate.
|
|||||
| CVE-2016-1345 | 1 Cisco | 2 Asa With Firepower Services, Firesight System Software | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
|
Cisco FireSIGHT System Software 5.4.0 through 6.0.1 and ASA with FirePOWER Services 5.4.0 through 6.0.0.1 allow remote attackers to bypass malware protection via crafted fields in HTTP headers, aka Bug ID CSCux22726.
|
|||||
| CVE-2015-5311 | 1 Powerdns | 1 Authoritative | 2025-04-12 | 5.0 MEDIUM | N/A |
|
PowerDNS (aka pdns) Authoritative Server 3.4.4 before 3.4.7 allows remote attackers to cause a denial of service (assertion failure and server crash) via crafted query packets.
|
|||||
| CVE-2015-7789 | 1 Asus | 2 Wl-330nul, Wl-33nul Firmware | 2025-04-12 | 3.3 LOW | 4.3 MEDIUM |
|
ASUS Japan WL-330NUL devices with firmware before 3.0.0.42 allow remote attackers to cause a denial of service via unspecified vectors.
|
|||||
| CVE-2015-8717 | 1 Wireshark | 1 Wireshark | 2025-04-12 | 4.3 MEDIUM | 5.5 MEDIUM |
|
The dissect_sdp function in epan/dissectors/packet-sdp.c in the SDP dissector in Wireshark 1.12.x before 1.12.9 does not prevent use of a negative media count, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
|
|||||
| CVE-2016-4421 | 1 Wireshark | 1 Wireshark | 2025-04-12 | 4.3 MEDIUM | 5.9 MEDIUM |
|
epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (deep recursion, stack consumption, and application crash) via a packet that specifies deeply nested data.
|
|||||
| CVE-2015-3621 | 1 Sap | 1 Enterprise Central Component | 2025-04-12 | 9.3 HIGH | N/A |
|
Untrusted search path vulnerability in SAP Enterprise Central Component (ECC) allows local users to gain privileges via a Trojan horse program.
|
|||||
| CVE-2015-2472 | 1 Microsoft | 9 Windows 10, Windows 7, Windows 8 and 6 more | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Remote Desktop Session Host (RDSH) in Remote Desktop Protocol (RDP) through 8.1 in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly verify certificates, which allows man-in-the-middle attackers to spoof clients via a crafted certificate with valid Issuer and Serial Number fields, aka "Remote Desktop Session Host Spoofing Vulnerability."
|
|||||
| CVE-2011-3603 | 1 Litech | 1 Router Advertisement Daemon | 2025-04-12 | 4.4 MEDIUM | N/A |
|
The router advertisement daemon (radvd) before 1.8.2 does not properly handle errors in the privsep_init function, which causes the radvd daemon to run as root and has an unspecified impact.
|
|||||
| CVE-2013-4427 | 1 Leon Weber | 1 Pyxtrlock | 2025-04-12 | 2.1 LOW | N/A |
|
pyxtrlock before 0.2 does not properly check the return values of the (1) xcb_grab_pointer and (2) xcb_grab_keyboard XCB library functions, which allows physically proximate attackers to gain access to the keyboard or mouse without unlocking the screen via unspecified vectors.
|
|||||
| CVE-2015-8733 | 1 Wireshark | 1 Wireshark | 2025-04-12 | 4.3 MEDIUM | 5.5 MEDIUM |
|
The ngsniffer_process_record function in wiretap/ngsniffer.c in the Sniffer file parser in Wireshark 1.12.x before 1.12.9 and 2.0.x before 2.0.1 does not validate the relationships between record lengths and record header lengths, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted file.
|
|||||
| CVE-2011-4720 | 1 Hillstone Software | 1 Hs Tftp Server | 2025-04-12 | 5.0 MEDIUM | N/A |
|
Hillstone HS TFTP Server 1.3.2 allows remote attackers to cause a denial of service (daemon crash) via a long filename in a (1) RRQ or (2) WRQ operation.
|
|||||
| CVE-2016-1334 | 1 Cisco | 1 Small Business Wireless Access Points Firmware | 2025-04-12 | 5.0 MEDIUM | 5.3 MEDIUM |
|
Cisco Small Business 500 Wireless Access Point devices with firmware 1.0.4.4 allow remote attackers to set the system time via a crafted POST request, aka Bug ID CSCuy01457.
|
|||||
| CVE-2016-5987 | 1 Ibm | 1 Maximo Asset Management | 2025-04-12 | 5.0 MEDIUM | 5.3 MEDIUM |
|
IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5 before 7.5.0.10 IF4, and 7.6 before 7.6.0.5 IF3 allows remote attackers to obtain sensitive information via a crafted HTTP request that triggers construction of a runtime error message.
|
|||||
| CVE-2015-3411 | 2 Php, Redhat | 8 Php, Enterprise Linux, Enterprise Linux Desktop and 5 more | 2025-04-12 | 6.4 MEDIUM | 6.5 MEDIUM |
|
PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that bypasses an intended configuration in which client users may read only .xml files.
|
|||||
| CVE-2014-6369 | 1 Microsoft | 1 Internet Explorer | 2025-04-12 | 9.3 HIGH | N/A |
|
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."
|
|||||
| CVE-2015-7375 | 1 Indusoft | 1 Web Studio | 2025-04-12 | 7.5 HIGH | N/A |
|
Schneider Electric InduSoft Web Studio before 8.0 allows remote attackers to execute arbitrary code or cause a denial of service (unhandled runtime exception and application crash) via a crafted Indusoft Project file.
|
|||||
| CVE-2016-6440 | 1 Cisco | 1 Unified Communications Manager | 2025-04-12 | 4.3 MEDIUM | 6.5 MEDIUM |
|
The Cisco Unified Communications Manager (CUCM) may be vulnerable to data that can be displayed inside an iframe within a web page, which in turn could lead to a clickjacking attack. More Information: CSCuz64683 CSCuz64698. Known Affected Releases: 11.0(1.10000.10), 11.5(1.10000.6), 11.5(0.99838.4). Known Fixed Releases: 11.0(1.22048.1), 11.5(0.98000.1070), 11.5(0.98000.284)11.5(0.98000.346), 11.5(0.98000.768), 11.5(1.10000.3), 11.5(1.10000.6), 11.5(2.10000.2).
|
|||||
| CVE-2016-6148 | 1 Sap | 1 Hana | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
|
SAP HANA DB 1.00.73.00.389160 allows remote attackers to cause a denial of service (process termination) or execute arbitrary code via vectors related to an IMPORT statement, aka SAP Security Note 2233136.
|
|||||
| CVE-2016-9863 | 1 Phpmyadmin | 1 Phpmyadmin | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered in phpMyAdmin. With a very large request to table partitioning function, it is possible to invoke a Denial of Service (DoS) attack. All 4.6.x versions (prior to 4.6.5) are affected.
|
|||||
| CVE-2014-4390 | 1 Apple | 1 Mac Os X | 2025-04-12 | 9.3 HIGH | N/A |
|
Bluetooth in Apple OS X before 10.9.5 does not properly validate API calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application.
|
|||||
| CVE-2014-9598 | 1 Videolan | 1 Vlc Media Player | 2025-04-12 | 6.8 MEDIUM | N/A |
|
The picture_Release function in misc/picture.c in VideoLAN VLC media player 2.1.5 allows remote attackers to execute arbitrary code or cause a denial of service (write access violation) via a crafted M2V file.
|
|||||
| CVE-2012-6153 | 1 Apache | 1 Commons-httpclient | 2025-04-12 | 4.3 MEDIUM | N/A |
|
http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
|
|||||
| CVE-2015-2924 | 1 Networkmanager Project | 1 Networkmanager | 2025-04-12 | 3.3 LOW | N/A |
|
The receive_ra function in rdisc/nm-lndp-rdisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in NetworkManager 1.x allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message, a similar issue to CVE-2015-2922.
|
|||||
| CVE-2012-5619 | 1 Sleuthkit | 1 The Sleuth Kit | 2025-04-12 | 2.1 LOW | N/A |
|
The Sleuth Kit (TSK) 4.0.1 does not properly handle "." (dotfile) file system entries in FAT file systems and other file systems for which . is not a reserved name, which allows local users to hide activities it more difficult to conduct forensics activities, as demonstrated by Flame.
|
|||||
| CVE-2015-5765 | 1 Apple | 2 Iphone Os, Safari | 2025-04-12 | 4.3 MEDIUM | N/A |
|
The user interface in Safari in Apple iOS before 9 allows remote attackers to spoof URLs via unspecified vectors, a different vulnerability than CVE-2015-5764 and CVE-2015-5767.
|
|||||
| CVE-2015-0693 | 1 Cisco | 1 Web Security Appliance | 2025-04-12 | 7.2 HIGH | N/A |
|
Cisco Web Security Appliance (WSA) devices with software 8.5.0-ise-147 do not properly restrict use of the pickle Python module during certain tunnel-status checks, which allows local users to execute arbitrary Python code and gain privileges via a crafted pickle file, aka Bug ID CSCut39259.
|
|||||
| CVE-2016-2571 | 1 Squid-cache | 1 Squid | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
|
http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.
|
|||||
| CVE-2014-7899 | 1 Google | 1 Chrome | 2025-04-12 | 5.0 MEDIUM | N/A |
|
Google Chrome before 38.0.2125.101 allows remote attackers to spoof the address bar by placing a blob: substring at the beginning of the URL, followed by the original URI scheme and a long username string.
|
|||||