Total
5482 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-3772 | 1 Teampass | 1 Teampass | 2025-04-12 | 7.5 HIGH | N/A |
|
TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via a request to index.php followed by a direct request to a file that calls the session_start function before checking the CPM key, as demonstrated by a request to sources/upload/upload.files.php.
|
|||||
| CVE-2014-3309 | 1 Cisco | 2 Ios, Ios Xe | 2025-04-12 | 5.0 MEDIUM | N/A |
|
The NTP implementation in Cisco IOS and IOS XE does not properly support use of the access-group command for a "deny all" configuration, which allows remote attackers to bypass intended restrictions on time synchronization via a standard query, aka Bug ID CSCuj66318.
|
|||||
| CVE-2016-3187 | 1 Prepopulate Project | 1 Prepopulate | 2025-04-12 | 7.5 HIGH | 7.3 HIGH |
|
The Prepopulate module 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to modify the REQUEST superglobal array, and consequently have unspecified impact, via a base64-encoded pp parameter.
|
|||||
| CVE-2015-5618 | 1 Chiyutw | 2 Bf-630, Bf-630w | 2025-04-12 | 7.5 HIGH | N/A |
|
Chiyu BF-630 and BF-630W fingerprint access-control devices allow remote attackers to bypass authentication and (1) read or (2) modify (a) Voice Time Set configuration settings via a request to voice.htm or (b) UniFinger configuration settings via a request to bf.htm, a different vulnerability than CVE-2015-2871.
|
|||||
| CVE-2014-3499 | 2 Docker, Fedoraproject | 2 Docker, Fedora | 2025-04-12 | 7.2 HIGH | N/A |
|
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.
|
|||||
| CVE-2016-0843 | 1 Google | 1 Android | 2025-04-12 | 7.2 HIGH | 8.4 HIGH |
|
The Qualcomm ARM processor performance-event manager in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application, aka internal bug 25801197.
|
|||||
| CVE-2014-2197 | 1 Cisco | 2 Unified Cdm Application Software, Unified Communications Domain Manager | 2025-04-12 | 9.0 HIGH | N/A |
|
The Administration GUI in the web framework in Cisco Unified Communications Domain Manager (CDM) in Unified CDM Application Software before 8.1.4 does not properly implement access control, which allows remote authenticated users to modify administrative credentials via a crafted URL, aka Bug ID CSCun49862.
|
|||||
| CVE-2016-3876 | 1 Google | 1 Android | 2025-04-12 | 7.2 HIGH | 6.8 MEDIUM |
|
providers/settings/SettingsProvider.java in Android 6.x before 2016-09-01 and 7.0 before 2016-09-01 allows physically proximate attackers to bypass the SAFE_BOOT_DISALLOWED protection mechanism and boot to safe mode via the Android Debug Bridge (adb) tool, aka internal bug 29900345.
|
|||||
| CVE-2014-3124 | 1 Xen | 1 Xen | 2025-04-12 | 6.7 MEDIUM | N/A |
|
The HVMOP_set_mem_type control in Xen 4.1 through 4.4.x allows local guest HVM administrators to cause a denial of service (hypervisor crash) or possibly execute arbitrary code by leveraging a separate qemu-dm vulnerability to trigger invalid page table translations for unspecified memory page types.
|
|||||
| CVE-2015-3029 | 1 Mcafee | 1 Advanced Threat Defense | 2025-04-12 | 4.0 MEDIUM | N/A |
|
The web interface in McAfee Advanced Threat Defense (MATD) before 3.4.4.63 does not properly restrict access, which allows remote authenticated users to obtain sensitive information via unspecified vectors.
|
|||||
| CVE-2016-2456 | 1 Google | 2 Android, Android One | 2025-04-12 | 5.1 MEDIUM | 7.0 HIGH |
|
The MediaTek Wi-Fi driver in Android before 2016-05-01 on Android One devices allows attackers to gain privileges via a crafted application, aka internal bug 27275187.
|
|||||
| CVE-2014-1296 | 1 Apple | 4 Iphone Os, Mac Os X, Mac Os X Server and 1 more | 2025-04-12 | 4.3 MEDIUM | N/A |
|
CFNetwork in Apple iOS before 7.1.1, Apple OS X through 10.9.2, and Apple TV before 6.1.1 does not ensure that a Set-Cookie HTTP header is complete before interpreting the header's value, which allows remote attackers to bypass intended access restrictions by triggering the closing of a TCP connection during transmission of a header, as demonstrated by an HTTPOnly restriction.
|
|||||
| CVE-2016-7142 | 2 Debian, Inspircd | 2 Debian Linux, Inspircd | 2025-04-12 | 4.3 MEDIUM | 5.9 MEDIUM |
|
The m_sasl module in InspIRCd before 2.0.23, when used with a service that supports SASL_EXTERNAL authentication, allows remote attackers to spoof certificate fingerprints and consequently log in as another user via a crafted SASL message.
|
|||||
| CVE-2015-1856 | 2 Canonical, Openstack | 2 Ubuntu Linux, Swift | 2025-04-12 | 5.5 MEDIUM | N/A |
|
OpenStack Object Storage (Swift) before 2.3.0, when allow_version is configured, allows remote authenticated users to delete the latest version of an object by leveraging listing access to the x-versions-location container.
|
|||||
| CVE-2016-3917 | 1 Google | 1 Android | 2025-04-12 | 7.2 HIGH | 7.8 HIGH |
|
The fingerprint login feature in Android 6.0.1 before 2016-10-01 and 7.0 before 2016-10-01 does not track the user account during the authentication process, which allows physically proximate attackers to authenticate as an arbitrary user by leveraging lockscreen access, aka internal bug 30744668.
|
|||||
| CVE-2015-5251 | 1 Openstack | 1 Image Registry And Delivery Service \(glance\) | 2025-04-12 | 5.5 MEDIUM | N/A |
|
OpenStack Image Service (Glance) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) allow remote authenticated users to change the status of their images and bypass access restrictions via the HTTP x-image-meta-status header to images/*.
|
|||||
| CVE-2016-2491 | 1 Google | 1 Android | 2025-04-12 | 9.3 HIGH | 7.8 HIGH |
|
The NVIDIA camera driver in Android before 2016-06-01 on Nexus 9 devices allows attackers to gain privileges via a crafted application, aka internal bug 27556408.
|
|||||
| CVE-2014-4626 | 1 Emc | 1 Documentum Content Server | 2025-04-12 | 9.0 HIGH | N/A |
|
EMC Documentum Content Server before 6.7 SP1 P29, 6.7 SP2 before P18, 7.0 before P16, and 7.1 before P09 allows remote authenticated users to gain privileges by (1) placing a command in a dm_job object and setting this object's owner to a privileged user or placing a rename action in a dm_job_request object and waiting for a (2) dm_UserRename or (3) dm_GroupRename service task, aka ESA-2014-105. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2515.
|
|||||
| CVE-2014-2829 | 1 Erlang-solutions | 1 Mongooseim | 2025-04-12 | 7.8 HIGH | N/A |
|
Erlang Solutions MongooseIM through 1.3.1 rev. 2 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.
|
|||||
| CVE-2014-9675 | 6 Canonical, Debian, Fedoraproject and 3 more | 11 Ubuntu Linux, Debian Linux, Fedora and 8 more | 2025-04-12 | 5.0 MEDIUM | N/A |
|
bdf/bdflib.c in FreeType before 2.5.4 identifies property names by only verifying that an initial substring is present, which allows remote attackers to discover heap pointer values and bypass the ASLR protection mechanism via a crafted BDF font.
|
|||||
| CVE-2016-2445 | 1 Google | 2 Android, Nexus 9 | 2025-04-12 | 7.6 HIGH | 7.0 HIGH |
|
The NVIDIA media driver in Android before 2016-05-01 on Nexus 9 devices allows attackers to gain privileges via a crafted application, aka internal bug 27253079.
|
|||||
| CVE-2014-9226 | 2 Broadcom, Symantec | 2 Symantec Critical System Protection, Data Center Security | 2025-04-12 | 7.2 HIGH | N/A |
|
The management server in Symantec Critical System Protection (SCSP) 5.2.9 through MP6 and Symantec Data Center Security: Server Advanced (SDCS:SA) 6.0.x through 6.0 MP1 allows local users to bypass intended Protection Policies via unspecified vectors.
|
|||||
| CVE-2016-2809 | 2 Microsoft, Mozilla | 2 Windows, Firefox | 2025-04-12 | 5.8 MEDIUM | 5.5 MEDIUM |
|
The Mozilla Maintenance Service updater in Mozilla Firefox before 46.0 on Windows allows user-assisted remote attackers to delete arbitrary files by leveraging certain local file execution.
|
|||||
| CVE-2016-6730 | 1 Google | 1 Android | 2025-04-12 | 9.3 HIGH | 7.3 HIGH |
|
An elevation of privilege vulnerability in the NVIDIA GPU driver in Android before 2016-11-05 could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Android ID: A-30904789. References: NVIDIA N-CVE-2016-6730.
|
|||||
| CVE-2015-0069 | 1 Microsoft | 1 Internet Explorer | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Microsoft Internet Explorer 10 and 11 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability."
|
|||||
| CVE-2016-3846 | 1 Google | 1 Android | 2025-04-12 | 7.6 HIGH | 7.0 HIGH |
|
The Serial Peripheral Interface driver in Android before 2016-08-05 on Nexus 5X and 6P devices allows attackers to gain privileges via a crafted application, aka internal bug 28817378.
|
|||||
| CVE-2013-5356 | 1 Sharetronix | 1 Sharetronix | 2025-04-12 | 7.5 HIGH | N/A |
|
Sharetronix 3.1.1.3, 3.1.1, and earlier does not properly restrict access to unspecified AJAX functionality, which allows remote attackers to bypass authentication via unknown vectors.
|
|||||
| CVE-2013-2027 | 2 Jython Project, Opensuse | 2 Jython, Opensuse | 2025-04-12 | 4.6 MEDIUM | N/A |
|
Jython 2.2.1 uses the current umask to set the privileges of the class cache files, which allows local users to bypass intended access restrictions via unspecified vectors.
|
|||||
| CVE-2015-7788 | 1 Asus | 2 Wl-330nul, Wl-330nul Firmware | 2025-04-12 | 5.8 MEDIUM | 7.3 HIGH |
|
ASUS Japan WL-330NUL devices with firmware before 3.0.0.42 allow remote attackers to execute arbitrary commands via unspecified vectors.
|
|||||
| CVE-2014-1501 | 4 Google, Mozilla, Oracle and 1 more | 6 Android, Firefox, Solaris and 3 more | 2025-04-12 | 5.8 MEDIUM | N/A |
|
Mozilla Firefox before 28.0 on Android allows remote attackers to bypass the Same Origin Policy and access arbitrary file: URLs via vectors involving the "Open Link in New Tab" menu selection.
|
|||||
| CVE-2014-0592 | 2 Crowbar, Novell | 2 Barclamp, Suse Cloud | 2025-04-12 | 7.5 HIGH | N/A |
|
Barclamp (aka barclamp-network) 1.7 for the Crowbar Framework, as used in SUSE Cloud 3, does not enable netfilter on bridges when creating new instances, which allows remote attackers to bypass security group restrictions via unspecified vectors, related to floating IPs.
|
|||||
| CVE-2016-7391 | 2 Microsoft, Nvidia | 2 Windows, Gpu Driver | 2025-04-12 | 7.2 HIGH | 7.8 HIGH |
|
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 375.63 contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape ID 0x100010b where a missing array bounds check can allow a user to write to kernel memory, leading to denial of service or potential escalation of privileges.
|
|||||
| CVE-2014-0519 | 4 Adobe, Apple, Linux and 1 more | 5 Adobe Air, Flash Player, Mac Os X and 2 more | 2025-04-12 | 7.5 HIGH | N/A |
|
Adobe Flash Player before 13.0.0.214 on Windows and OS X and before 11.2.202.359 on Linux, Adobe AIR SDK before 13.0.0.111, and Adobe AIR SDK & Compiler before 13.0.0.111 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0517, CVE-2014-0518, and CVE-2014-0520.
|
|||||
| CVE-2016-2363 | 1 Fonality | 1 Fonality | 2025-04-12 | 7.2 HIGH | 7.8 HIGH |
|
Fonality (previously trixbox Pro) 12.6 through 14.1i before 2016-06-01 uses weak permissions for the /var/www/rpc/surun script, which allows local users to obtain root access for unspecified command execution by leveraging access to the nobody account.
|
|||||
| CVE-2016-1949 | 1 Mozilla | 1 Firefox | 2025-04-12 | 6.8 MEDIUM | 8.8 HIGH |
|
Mozilla Firefox before 44.0.2 does not properly restrict the interaction between Service Workers and plugins, which allows remote attackers to bypass the Same Origin Policy via a crafted web site that triggers spoofed responses to requests that use NPAPI, as demonstrated by a request for a crossdomain.xml file.
|
|||||
| CVE-2015-2465 | 1 Microsoft | 9 Windows 10, Windows 7, Windows 8 and 6 more | 2025-04-12 | 2.1 LOW | N/A |
|
The Windows shell in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 does not properly constrain impersonation levels, which allows local users to gain privileges via a crafted application, aka "Windows Shell Security Feature Bypass Vulnerability."
|
|||||
| CVE-2014-7832 | 1 Moodle | 1 Moodle | 2025-04-12 | 4.0 MEDIUM | N/A |
|
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by viewing an activity instance.
|
|||||
| CVE-2015-1984 | 1 Ibm | 1 Infosphere Master Data Management | 2025-04-12 | 4.0 MEDIUM | N/A |
|
IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, 11.0, 11.3, and 11.4 before FP03 allows remote authenticated users to bypass intended access restrictions and read arbitrary profiles via unspecified vectors, as demonstrated by discovering usernames for use in brute-force attacks.
|
|||||
| CVE-2015-1489 | 1 Symantec | 1 Endpoint Protection Manager | 2025-04-12 | 8.5 HIGH | N/A |
|
The management console in Symantec Endpoint Protection Manager (SEPM) 12.1 before 12.1-RU6-MP1 allows remote authenticated users to gain privileges via unspecified vectors.
|
|||||
| CVE-2014-2746 | 1 Tigase | 1 Tigase | 2025-04-12 | 7.8 HIGH | N/A |
|
net/IOService.java in Tigase before 5.2.1 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream, aka an "xmppbomb" attack.
|
|||||