CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In July 2017

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2014-7953 362 Exec Code 2017-07-07 2018-10-09
6.9
None Local Medium Not required Complete Complete Complete
Race condition in the bindBackupAgent method in the ActivityManagerService in Android 4.4.4 allows local users with adb shell access to execute arbitrary code or any valid package as system by running "pm install" with the target apk, and simultaneously running a crafted script to process logcat's output looking for a dexopt line, which once found should execute bindBackupAgent with the uid member of the ApplicationInfo parameter set to 1000.
2 CVE-2014-7954 22 Dir. Trav. 2017-07-07 2018-10-09
2.1
None Local Low Not required None Partial None
Directory traversal vulnerability in the doSendObjectInfo method in frameworks/av/media/mtp/MtpServer.cpp in Android 4.4.4 allows physically proximate attackers with a direct connection to the target Android device to upload files outside of the sdcard via a .. (dot dot) in a name parameter of an MTP request.
3 CVE-2015-0249 94 Exec Code 2017-07-17 2017-07-27
6.5
None Remote Low ??? Partial Partial Partial
The weblog page template in Apache Roller 5.1 through 5.1.1 allows remote authenticated users with admin privileges for a weblog to execute arbitrary Java code via crafted Velocity Text Language (aka VTL).
4 CVE-2015-0674 79 XSS 2017-07-25 2017-07-31
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Alert Service of Cisco Cloud Web Security base revision allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
5 CVE-2015-0904 295 +Info 2017-07-25 2017-07-31
4.3
None Remote Medium Not required Partial None None
The Restaurant Karaoke SHIDAX app 1.3.3 and earlier on Android does not verify SSL certificates, which allows remote attackers to obtain sensitive information via a man-in-the-middle attack.
6 CVE-2015-1323 200 +Info 2017-07-21 2017-07-25
4.9
None Local Low Not required Complete None None
The simulate dbus method in aptdaemon before 1.1.1+bzr982-0ubuntu3.1 as packaged in Ubuntu 15.04, before 1.1.1+bzr980-0ubuntu1.1 as packaged in Ubuntu 14.10, before 1.1.1-1ubuntu5.2 as packaged in Ubuntu 14.04 LTS, before 0.43+bzr805-0ubuntu10 as packaged in Ubuntu 12.04 LTS allows local users to obtain sensitive information, or access files with root permissions.
7 CVE-2015-1332 119 DoS Exec Code Overflow 2017-07-25 2017-08-10
6.8
None Remote Medium Not required Partial Partial Partial
The oxide::JavaScriptDialogManager function in oxide-qt before 1.9.1 as packaged in Ubuntu 15.04 and Ubuntu 14.04 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via a crafted website.
8 CVE-2015-1417 400 DoS 2017-07-25 2019-03-20
5.0
None Remote Low Not required None None Partial
The inet module in FreeBSD 10.2x before 10.2-PRERELEASE, 10.2-BETA2-p2, 10.2-RC1-p1, 10.1x before 10.1-RELEASE-p16, 9.x before 9.3-STABLE, 9.3-RELEASE-p21, and 8.x before 8.4-STABLE, 8.4-RELEASE-p35 on systems with VNET enabled and at least 16 VNET instances allows remote attackers to cause a denial of service (mbuf consumption) via multiple concurrent TCP connections.
9 CVE-2015-1438 119 Exec Code Overflow 2017-07-25 2017-07-31
7.2
None Local Low Not required Complete Complete Complete
Heap-based buffer overflow in Panda Security Kernel Memory Access Driver 1.0.0.13 allows attackers to execute arbitrary code with kernel privileges via a crafted size input for allocated kernel paged pool and allocated non-paged pool buffers.
10 CVE-2015-1847 22 Dir. Trav. 2017-07-25 2017-08-04
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the web request/response interface in Appserver before 1.0.3 allows remote attackers to read normally inaccessible files via a .. (dot dot) in a crafted URL.
11 CVE-2015-2279 78 Exec Code 2017-07-25 2018-10-09
10.0
None Remote Low Not required Complete Complete Complete
cgi_test.cgi in AirLive BU-2015 with firmware 1.03.18, BU-3026 with firmware 1.43, and MD-3025 with firmware 1.81 allows remote attackers to execute arbitrary OS commands via shell metacharacters after an "&" (ampersand) in the write_mac write_pid, write_msn, write_tan, or write_hdv parameter.
12 CVE-2015-2280 78 Exec Code 2017-07-25 2018-10-09
9.0
None Remote Low ??? Complete Complete Complete
snwrite.cgi in AirLink101 SkyIPCam1620W Wireless N MPEG4 3GPP network camera with firmware FW_AIC1620W_1.1.0-12_20120709_r1192.pck allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the mac parameter.
13 CVE-2015-2798 89 Exec Code Sql 2017-07-25 2017-08-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Joomla! Component Contact Form Maker 1.0.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
14 CVE-2015-3149 59 2017-07-25 2017-07-31
2.1
None Local Low Not required None Partial None
The Hotspot component in OpenJDK8 as packaged in Red Hat Enterprise Linux 6 and 7 allows local users to write to arbitrary files via a symlink attack.
15 CVE-2015-3170 254 DoS 2017-07-21 2017-07-26
2.1
None Local Low Not required None None Partial
selinux-policy when sysctl fs.protected_hardlinks are set to 0 allows local users to cause a denial of service (SSH login prevention) by creating a hardlink to /etc/passwd from a directory named .config, and updating selinux-policy.
16 CVE-2015-3171 200 +Info 2017-07-25 2019-12-11
2.1
None Local Low Not required Partial None None
sosreport 3.2 uses weak permissions for generated sosreport archives, which allows local users with access to /var/tmp/ to obtain sensitive information by reading the contents of the archive.
17 CVE-2015-3198 200 +Info 2017-07-21 2017-08-07
5.0
None Remote Low Not required Partial None None
The Undertow module of WildFly 9.x before 9.0.0.CR2 and 10.x before 10.0.0.Alpha1 allows remote attackers to obtain the source code of a JSP page via a "/" at the end of a URL.
18 CVE-2015-3208 611 2017-07-25 2018-10-17
7.5
None Remote Low Not required Partial Partial Partial
XML external entity (XXE) vulnerability in the XPath selector component in Artemis ActiveMQ before commit 48d9951d879e0c8cbb59d4b64ab59d53ef88310d allows remote attackers to have unspecified impact via unknown vectors.
19 CVE-2015-3243 532 +Info 2017-07-25 2017-07-31
2.1
None Local Low Not required Partial None None
rsyslog uses weak permissions for generating log files, which allows local users to obtain sensitive information by reading files in /var/log/cron.
20 CVE-2015-3278 20 2017-07-25 2017-07-31
7.5
None Remote Low Not required Partial Partial Partial
The cipherstring parsing code in nss_compat_ossl while in multi-keyword mode does not match the expected set of ciphers for a given cipher combination, which allows attackers to have unspecified impact via unknown vectors.
21 CVE-2015-3297 22 Dir. Trav. 2017-07-07 2017-07-14
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in node/utils/Minify.js in Etherpad 1.1.1 through 1.5.2 allows remote attackers to read arbitrary files by leveraging replacement of backslashes with slashes in the path parameter of HTTP API requests.
22 CVE-2015-3421 79 XSS 2017-07-21 2017-07-26
4.3
None Remote Medium Not required None Partial None
The eshop_checkout function in checkout.php in the Wordpress Eshop plugin 6.3.11 and earlier does not validate variables in the "eshopcart" HTTP cookie, which allows remote attackers to perform cross-site scripting (XSS) attacks, or a path disclosure attack via crafted variables named after target PHP variables.
23 CVE-2015-3638 94 Exec Code 2017-07-21 2017-07-25
6.5
None Remote Low ??? Partial Partial Partial
phpMyBackupPro before 2.5 does not validate integer input, which allows remote authenticated users to execute arbitrary PHP code by injecting scripts via the path, filename, and period parameters to scheduled.php, and making requests to injected scripts, or by injecting PHP into a PHP configuration variable via a PHP variable variable.
24 CVE-2015-3639 20 Exec Code 2017-07-21 2017-07-25
6.5
None Remote Low ??? Partial Partial Partial
phpMyBackupPro 2.5 and earlier does not properly sanitize input strings, which allows remote authenticated users to execute arbitrary PHP code by storing a crafted string in a user configuration file.
25 CVE-2015-3640 94 2017-07-21 2017-07-25
6.0
None Remote Medium ??? Partial Partial Partial
phpMyBackupPro 2.5 and earlier does not properly escape the "." character in request parameters, which allows remote authenticated users with knowledge of a web-accessible and web-writeable directory on the target system to inject and execute arbitrary PHP scripts by injecting scripts via the path, filename, and dirs parameters to scheduled.php, and making requests to injected scripts.
26 CVE-2015-3886 295 2017-07-21 2017-07-25
7.5
None Remote Low Not required Partial Partial Partial
libinfinity before 0.6.6-1 does not validate expired SSL certificates, which allows remote attackers to have unspecified impact via unknown vectors.
27 CVE-2015-3931 91 2017-07-21 2017-07-26
6.8
None Remote Medium Not required Partial Partial Partial
Microsec e-Szigno before 3.2.7.12 allows remote attackers to perform XML signature wrapping attacks via an e-akta signed document with a ds:Object node with a crafted payload prepended to a valid ds:Object.
28 CVE-2015-3932 91 2017-07-21 2017-07-26
6.8
None Remote Medium Not required Partial Partial Partial
Netlock Mokka before 2.7.8.1204 allows remote attackers to perform XML signature wrapping attacks via an e-akta signed document with a ds:Object node with a crafted payload prepended to a valid ds:Object.
29 CVE-2015-4035 20 Exec Code 2017-07-25 2019-04-22
4.6
None Local Low Not required Partial Partial Partial
scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.
30 CVE-2015-4462 434 2017-07-25 2017-08-10
4.0
None Remote Low ??? Partial None None
Absolute path traversal vulnerability in the file_manager component of eFront CMS before 3.6.15.5 allows remote authenticated users to read arbitrary files via a full pathname in the "Upload file from url" field in the file manager for professor.php.
31 CVE-2015-4463 434 Bypass 2017-07-25 2017-08-10
4.0
None Remote Low ??? None Partial None
The file_manager component in eFront CMS before 3.6.15.5 allows remote authenticated users to bypass intended file-upload restrictions by appending a crafted parameter to the file URL.
32 CVE-2015-4639 352 XSS 2017-07-21 2018-10-18
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, and 3.20.x before 3.20.1 allows remote attackers to inject arbitrary web script or HTML via a crafted list name.
33 CVE-2015-5152 200 +Info 2017-07-17 2017-07-27
4.3
None Remote Medium Not required Partial None None
Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-middle attack.
34 CVE-2015-5187 200 +Info 2017-07-25 2017-07-31
6.4
None Remote Low Not required Partial None Partial
Candlepin allows remote attackers to obtain sensitive information by obtaining Java exception statements as a result of excessive web traffic.
35 CVE-2015-5191 362 2017-07-28 2017-08-08
3.7
None Local High Not required Partial Partial Partial
VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
36 CVE-2015-5194 20 DoS 2017-07-21 2018-05-18
5.0
None Remote Low Not required None None Partial
The log_config_command function in ntp_parser.y in ntpd in NTP before 4.2.7p42 allows remote attackers to cause a denial of service (ntpd crash) via crafted logconfig commands.
37 CVE-2015-5195 20 DoS 2017-07-21 2018-05-18
5.0
None Remote Low Not required None None Partial
ntp_openssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attackers to cause a denial of service (segmentation fault) via a crafted statistics or filegen configuration command that is not enabled during compilation.
38 CVE-2015-5219 704 DoS 2017-07-21 2021-04-19
5.0
None Remote Low Not required None None Partial
The ULOGTOD function in ntp.d in SNTP before 4.2.7p366 does not properly perform type conversions from a precision value to a double, which allows remote attackers to cause a denial of service (infinite loop) via a crafted NTP packet.
39 CVE-2015-5221 416 DoS 2017-07-25 2018-11-22
4.3
None Remote Medium Not required None None Partial
Use-after-free vulnerability in the mif_process_cmpt function in libjasper/mif/mif_cod.c in the JasPer JPEG-2000 library before 1.900.2 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file.
40 CVE-2015-5300 361 DoS 2017-07-21 2018-10-30
5.0
None Remote Low Not required None None Partial
The panic_gate check in NTP before 4.2.8p5 is only re-enabled after the first change to the system clock that was greater than 128 milliseconds by default, which allows remote attackers to set NTP to an arbitrary time when started with the -g option, or to alter the time by up to 900 seconds otherwise by responding to an unspecified number of requests from trusted sources, and leveraging a resulting denial of service (abort and restart).
41 CVE-2015-5594 79 XSS 2017-07-25 2017-07-31
4.3
None Remote Medium Not required None Partial None
The sanitize_string function in ZenPhoto before 1.4.9 utilized the html_entity_decode function after input sanitation, which might allow remote attackers to perform a cross-site scripting (XSS) via a crafted string.
42 CVE-2015-6585 119 Exec Code Overflow 2017-07-25 2017-08-10
6.8
None Remote Medium Not required Partial Partial Partial
hwpapp.dll in Hangul Word Processor allows remote attackers to execute arbitrary code via a crafted heap spray, and by leveraging a "type confusion" via an HWPX file containing a crafted para text tag.
43 CVE-2015-7543 362 2017-07-25 2017-07-31
4.4
None Local Medium Not required Partial Partial Partial
aRts 1.5.10 and kdelibs3 3.5.10 and earlier do not properly create temporary directories, which allows local users to hijack the IPC by pre-creating the temporary directory.
44 CVE-2015-7703 20 2017-07-24 2020-06-18
4.3
None Remote Medium Not required None Partial None
The "pidfile" or "driftfile" directives in NTP ntpd 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77, when ntpd is configured to allow remote configuration, allows remote attackers with an IP address that is allowed to send configuration requests, and with knowledge of the remote configuration password to write to arbitrary files via the :config command.
45 CVE-2015-8009 255 2017-07-25 2017-09-15
5.0
None Remote Low Not required Partial None None
The MWOAuthDataStore::lookup_token function in Extension:OAuth for MediaWiki 1.25.x before 1.25.3, 1.24.x before 1.24.4, and before 1.23.11 does not properly validate the signature when checking the authorization signature, which allows remote registered Consumers to use another Consumer's credentials by leveraging knowledge of the credentials.
46 CVE-2015-8013 310 Bypass 2017-07-25 2017-08-10
5.0
None Remote Low Not required Partial None None
s2k.js in OpenPGP.js will decrypt arbitrary messages regardless of passphrase for crafted PGP keys which allows remote attackers to bypass authentication if message decryption is used as an authentication mechanism via a crafted symmetrically encrypted PGP message.
47 CVE-2016-0238 200 +Info 2017-07-05 2017-07-11
4.3
None Remote Medium Not required Partial None None
IBM Security Guardium 9.0, 9.1, 9.5, 10.0, and 10.1 transmits sensitive data in cleartext in the query of the request. This could allow an attacker to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 110409
48 CVE-2016-0736 310 2017-07-27 2021-06-06
5.0
None Remote Low Not required Partial None None
In Apache HTTP Server versions 2.4.0 to 2.4.23, mod_session_crypto was encrypting its data/cookie using the configured ciphers with possibly either CBC or ECB modes of operation (AES256-CBC by default), hence no selectable or builtin authenticated encryption. This made it vulnerable to padding oracle attacks, particularly with CBC.
49 CVE-2016-0764 362 +Info 2017-07-17 2020-07-01
2.1
None Local Low Not required Partial None None
Race condition in Network Manager before 1.0.12 as packaged in Red Hat Enterprise Linux Desktop 7, Red Hat Enterprise Linux HPC Node 7, Red Hat Enterprise Linux Server 7, and Red Hat Enterprise Linux Workstation 7 allows local users to obtain sensitive connection information by reading temporary files during ifcfg and keyfile changes.
50 CVE-2016-2161 20 2017-07-27 2021-06-06
5.0
None Remote Low Not required None None Partial
In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests.
Total number of vulnerabilities : 1280   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.