Total
5482 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-9749 | 2 Opensuse, Squid-cache | 2 Opensuse, Squid | 2025-04-12 | 4.0 MEDIUM | N/A |
|
Squid 3.4.4 through 3.4.11 and 3.5.0.1 through 3.5.1, when Digest authentication is used, allow remote authenticated users to retain access by leveraging a stale nonce, aka "Nonce replay vulnerability."
|
|||||
| CVE-2015-2363 | 1 Microsoft | 8 Windows 2003 Server, Windows 7, Windows 8 and 5 more | 2025-04-12 | 7.2 HIGH | N/A |
|
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012, and Windows RT allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."
|
|||||
| CVE-2015-1029 | 1 Puppet | 2 Puppet Enterprise, Stdlib | 2025-04-12 | 6.5 MEDIUM | N/A |
|
The puppetlabs-stdlib module 2.1 through 3.0 and 4.1.0 through 4.5.x before 4.5.1 for Puppet 2.8.8 and earlier allows remote authenticated users to gain privileges or obtain sensitive information by prepopulating the fact cache.
|
|||||
| CVE-2014-1383 | 1 Apple | 1 Tvos | 2025-04-12 | 5.5 MEDIUM | N/A |
|
Apple TV before 6.1.2 allows remote authenticated users to bypass an intended password requirement for iTunes Store purchase transactions via unspecified vectors.
|
|||||
| CVE-2016-7384 | 2 Microsoft, Nvidia | 2 Windows, Gpu Driver | 2025-04-12 | 7.2 HIGH | 7.8 HIGH |
|
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 375.63 contains a vulnerability in the kernel mode layer (nvlddmkm.sys) where unchecked input/output lengths in UVMLiteController Device IO Control handling may lead to denial of service or potential escalation of privileges.
|
|||||
| CVE-2016-3169 | 2 Debian, Drupal | 2 Debian Linux, Drupal | 2025-04-12 | 6.8 MEDIUM | 8.1 HIGH |
|
The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array.
|
|||||
| CVE-2012-5487 | 1 Plone | 1 Plone | 2025-04-12 | 8.5 HIGH | N/A |
|
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing.
|
|||||
| CVE-2015-3335 | 2 Google, Opensuse | 2 Chrome, Opensuse | 2025-04-12 | 7.5 HIGH | N/A |
|
The NaClSandbox::InitializeLayerTwoSandbox function in components/nacl/loader/sandbox_linux/nacl_sandbox_linux.cc in Google Chrome before 42.0.2311.90 does not have RLIMIT_AS and RLIMIT_DATA limits for Native Client (aka NaCl) processes, which might make it easier for remote attackers to conduct row-hammer attacks or have unspecified other impact by leveraging the ability to run a crafted program in the NaCl sandbox.
|
|||||
| CVE-2015-8267 | 1 Dovestones | 1 Ad Self Password Reset | 2025-04-12 | 7.5 HIGH | 10.0 CRITICAL |
|
The PasswordReset.Controllers.ResetController.ChangePasswordIndex method in PasswordReset.dll in Dovestones AD Self Password Reset before 3.0.4.0 allows remote attackers to reset arbitrary passwords via a crafted request with a valid username.
|
|||||
| CVE-2014-9885 | 1 Google | 1 Android | 2025-04-12 | 6.8 MEDIUM | 7.8 HIGH |
|
Format string vulnerability in drivers/thermal/qpnp-adc-tm.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 devices allows attackers to gain privileges via a crafted application that provides format string specifiers in a name, aka Android internal bug 28769959 and Qualcomm internal bug CR562261.
|
|||||
| CVE-2014-4463 | 1 Apple | 1 Iphone Os | 2025-04-12 | 2.1 LOW | N/A |
|
Apple iOS before 8.1.1 allows physically proximate attackers to bypass the lock-screen protection mechanism, and view or transmit a Photo Library photo, via the FaceTime "Leave a Message" feature.
|
|||||
| CVE-2013-4577 | 1 Gnu | 1 Grub | 2025-04-12 | 2.1 LOW | N/A |
|
A certain Debian patch for GNU GRUB uses world-readable permissions for grub.cfg, which allows local users to obtain password hashes, as demonstrated by reading the password_pbkdf2 directive in the file.
|
|||||
| CVE-2016-6325 | 2 Apache, Redhat | 11 Tomcat, Enterprise Linux, Enterprise Linux Desktop and 8 more | 2025-04-12 | 7.2 HIGH | 7.8 HIGH |
|
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
|
|||||
| CVE-2015-0054 | 1 Microsoft | 1 Internet Explorer | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Microsoft Internet Explorer 7 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability."
|
|||||
| CVE-2016-6420 | 1 Cisco | 1 Firesight System Software | 2025-04-12 | 6.8 MEDIUM | 6.5 MEDIUM |
|
Cisco FireSIGHT System Software 4.10.3 through 5.4.0 in Firepower Management Center allows remote authenticated users to bypass authorization checks and gain privileges via a crafted HTTP request, aka Bug ID CSCur25467.
|
|||||
| CVE-2013-3066 | 1 Linksys | 2 Ea6500, Ea6500 Firmware | 2025-04-12 | 7.1 HIGH | N/A |
|
Linksys EA6500 with firmware 1.1.28.147876 does not properly restrict access, which allows remote attackers to obtain sensitive information (clients and router configuration) via a request to /JNAP/.
|
|||||
| CVE-2014-1264 | 1 Apple | 1 Mac Os X | 2025-04-12 | 3.3 LOW | N/A |
|
Finder in Apple OS X before 10.9.2 does not ensure ACL integrity after the viewing of file ACL information, which allows local users to bypass intended access restrictions in opportunistic circumstances via standard filesystem operations on a file with a damaged ACL.
|
|||||
| CVE-2014-2862 | 1 Paperthin | 1 Commonspot Content Server | 2025-04-12 | 6.5 MEDIUM | N/A |
|
PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 does not check authorization in unspecified situations, which allows remote authenticated users to perform actions via unknown vectors.
|
|||||
| CVE-2016-3341 | 1 Microsoft | 4 Windows 10, Windows 8.1, Windows Rt 8.1 and 1 more | 2025-04-12 | 9.3 HIGH | 7.8 HIGH |
|
The kernel-mode drivers in Transaction Manager in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allow local users to gain privileges via a crafted application, aka "Windows Transaction Manager Elevation of Privilege Vulnerability."
|
|||||
| CVE-2015-8004 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 4.0 MEDIUM | N/A |
|
MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not properly restrict access to revisions, which allows remote authenticated users with the viewsuppressed user right to remove revision suppressions via a crafted revisiondelete action, which returns a valid a change form.
|
|||||
| CVE-2016-9638 | 1 Bmc | 1 Patrol | 2025-04-12 | 7.2 HIGH | 7.8 HIGH |
|
In BMC Patrol before 9.13.10.02, the binary "listguests64" is configured with the setuid bit. However, when executing it, it will look for a binary named "virsh" using the PATH environment variable. The "listguests64" program will then run "virsh" using root privileges. This allows local users to elevate their privileges to root.
|
|||||
| CVE-2016-6717 | 1 Google | 1 Android | 2025-04-12 | 7.6 HIGH | 7.0 HIGH |
|
An elevation of privilege vulnerability in Mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-11-01, and 7.0 before 2016-11-01 could enable a local malicious application to execute arbitrary code within the context of a privileged process. This issue is rated as Moderate because it first requires exploitation of a separate vulnerability. Android ID: A-31350239.
|
|||||
| CVE-2014-0116 | 1 Apache | 1 Struts | 2025-04-12 | 5.8 MEDIUM | N/A |
|
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
|
|||||
| CVE-2014-2321 | 1 Zte | 2 F460, F660 | 2025-04-12 | 10.0 HIGH | N/A |
|
web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd requests, as demonstrated by using "set TelnetCfg" commands to enable a TELNET service with specified credentials.
|
|||||
| CVE-2012-4230 | 1 Tinymce | 1 Tinymce | 2025-04-12 | 4.3 MEDIUM | N/A |
|
The bbcode plugin in TinyMCE 3.5.8 does not properly enforce the TinyMCE security policy for the (1) encoding directive and (2) valid_elements attribute, which allows attackers to conduct cross-site scripting (XSS) attacks via application-specific vectors, as demonstrated using a textarea element.
|
|||||
| CVE-2014-9476 | 1 Mediawiki | 1 Mediawiki | 2025-04-12 | 5.0 MEDIUM | N/A |
|
MediaWiki 1.2x before 1.22.15, 1.23.x before 1.23.8, and 1.24.x before 1.24.1 allows remote attackers to bypass CORS restrictions in $wgCrossSiteAJAXdomains via a domain that has a partial match to an allowed origin, as demonstrated by "http://en.wikipedia.org.evilsite.example/."
|
|||||
| CVE-2015-6034 | 1 Epson | 1 Network Utility | 2025-04-12 | 6.9 MEDIUM | N/A |
|
EPSON Network Utility 4.10 uses weak permissions (Everyone: Full Control) for eEBSVC.exe, which allows local users to gain privileges via a Trojan horse file.
|
|||||
| CVE-2014-3160 | 2 Debian, Google | 2 Debian Linux, Chrome | 2025-04-12 | 6.8 MEDIUM | N/A |
|
The ResourceFetcher::canRequest function in core/fetch/ResourceFetcher.cpp in Blink, as used in Google Chrome before 36.0.1985.125, does not properly restrict subresource requests associated with SVG files, which allows remote attackers to bypass the Same Origin Policy via a crafted file.
|
|||||
| CVE-2011-2514 | 1 Redhat | 2 Icedtea-web, Icedtea6 | 2025-04-12 | 6.8 MEDIUM | N/A |
|
The Java Network Launching Protocol (JNLP) implementation in IcedTea6 1.9.x before 1.9.9 and before 1.8.9, and IcedTea-Web 1.1.x before 1.1.1 and before 1.0.4, allows remote attackers to trick victims into granting access to local files by modifying the content of the Java Web Start Security Warning dialog box to represent a different filename than the file for which access will be granted.
|
|||||
| CVE-2014-8115 | 1 Redhat | 1 Kie Workbench | 2025-04-12 | 6.5 MEDIUM | N/A |
|
The default authorization constrains in KIE Workbench 6.0.x allows remote authenticated users to read or write to arbitrary files, bypass intended access restrictions, and possibly have other unspecified impact via unknown vectors.
|
|||||
| CVE-2016-8807 | 2 Microsoft, Nvidia | 2 Windows, Gpu Driver | 2025-04-12 | 7.2 HIGH | 7.8 HIGH |
|
For the NVIDIA Quadro, NVS, and GeForce products, NVIDIA Windows GPU Display Driver R340 before 342.00 and R375 before 375.63 contains a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape ID 0x10000e9 where a value is passed from an user to the driver is used without validation as the size input to memcpy() causing a stack buffer overflow, leading to denial of service or potential escalation of privileges.
|
|||||
| CVE-2015-4542 | 1 Emc | 1 Rsa Archer Grc | 2025-04-12 | 6.5 MEDIUM | N/A |
|
EMC RSA Archer GRC 5.x before 5.5.3 allows remote authenticated users to bypass intended access restrictions, and read or modify Discussion Forum Fields messages, via unspecified vectors.
|
|||||
| CVE-2015-7489 | 1 Ibm | 1 Spss Statistics | 2025-04-12 | 7.2 HIGH | 7.8 HIGH |
|
IBM SPSS Statistics 22.0.0.2 before IF10 and 23.0.0.2 before IF7 uses weak permissions (Everyone: Write) for Python scripts, which allows local users to gain privileges by modifying a script.
|
|||||
| CVE-2014-6350 | 1 Microsoft | 1 Internet Explorer | 2025-04-12 | 4.3 MEDIUM | N/A |
|
Microsoft Internet Explorer 10 and 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability," a different vulnerability than CVE-2014-6349.
|
|||||
| CVE-2014-9141 | 1 Thomsonreuters | 1 Fixed Assets Cs | 2025-04-12 | 7.2 HIGH | N/A |
|
The installer in Thomson Reuters Fixed Assets CS 13.1.4 and earlier uses weak permissions for connectbgdl.exe, which allows local users to execute arbitrary code by modifying this program.
|
|||||
| CVE-2014-2520 | 1 Emc | 1 Documentum Content Server | 2025-04-12 | 6.3 MEDIUM | N/A |
|
EMC Documentum Content Server before 6.7 SP2 P16 and 7.x before 7.1 P07, when Oracle Database is used, does not properly restrict DQL hints, which allows remote authenticated users to conduct DQL injection attacks and read sensitive database content via a crafted request.
|
|||||
| CVE-2016-3843 | 1 Google | 1 Android | 2025-04-12 | 9.3 HIGH | 7.8 HIGH |
|
Android before 2016-08-05 does not properly restrict code execution in a kernel context, which allows attackers to gain privileges via a crafted application, as demonstrated by the kernel performance subsystem and the Qualcomm performance component, aka Android internal bugs 28086229 and 29119870 and Qualcomm internal bug CR1011071.
|
|||||
| CVE-2015-6643 | 1 Google | 1 Android | 2025-04-12 | 7.2 HIGH | 6.6 MEDIUM |
|
Setup Wizard in Android 5.x before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows physically proximate attackers to modify settings or bypass a reset protection mechanism via unspecified vectors, aka internal bug 25290269.
|
|||||
| CVE-2016-3931 | 1 Google | 1 Android | 2025-04-12 | 9.3 HIGH | 7.8 HIGH |
|
drivers/misc/qseecom.c in the Qualcomm QSEE Communicator driver in Android before 2016-10-05 on Nexus 5X, Nexus 6, Nexus 6P, and Android One devices allows attackers to gain privileges via a crafted application, aka Android internal bug 29157595 and Qualcomm internal bug CR 1036418.
|
|||||
| CVE-2015-2524 | 1 Microsoft | 6 Windows 10, Windows 8, Windows 8.1 and 3 more | 2025-04-12 | 7.2 HIGH | N/A |
|
Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 do not properly constrain impersonation levels, which allows local users to gain privileges via a crafted application, aka "Windows Task Management Elevation of Privilege Vulnerability," a different vulnerability than CVE-2015-2528.
|
|||||