CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2015

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
301 CVE-2015-1103 20 DoS +Info 2015-04-10 2019-03-08
7.5
None Remote Low Not required Partial Partial Partial
The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 makes routing changes in response to ICMP_REDIRECT messages, which allows remote attackers to cause a denial of service (network outage) or obtain sensitive packet-content information via a crafted ICMP packet.
302 CVE-2015-1102 20 DoS 2015-04-10 2019-03-08
7.1
None Remote Medium Not required None None Complete
The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 does not properly handle TCP headers, which allows man-in-the-middle attackers to cause a denial of service via unspecified vectors.
303 CVE-2015-1101 DoS Exec Code Mem. Corr. 2015-04-10 2019-03-08
6.9
None Local Medium Not required Complete Complete Complete
The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
304 CVE-2015-1100 119 DoS Overflow +Info 2015-04-10 2019-03-08
5.4
None Local Medium Not required Partial None Complete
The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows attackers to cause a denial of service (out-of-bounds memory access) or obtain sensitive memory-content information via a crafted app.
305 CVE-2015-1099 362 DoS 2015-04-10 2019-03-08
4.0
None Local High Not required None None Complete
Race condition in the setreuid system-call implementation in the kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows attackers to cause a denial of service via a crafted app.
306 CVE-2015-1098 119 DoS Exec Code Overflow Mem. Corr. 2015-04-10 2019-09-27
6.8
None Remote Medium Not required Partial Partial Partial
iWork in Apple iOS before 8.3 and Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted iWork file.
307 CVE-2015-1097 200 +Info 2015-04-10 2019-03-08
1.9
None Local Medium Not required Partial None None
IOMobileFramebuffer in Apple iOS before 8.3 and Apple TV before 7.2 allows attackers to obtain sensitive information about kernel memory via a crafted app.
308 CVE-2015-1096 200 +Info 2015-04-10 2019-03-08
1.9
None Local Medium Not required Partial None None
IOHIDFamily in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows attackers to obtain sensitive information about kernel memory via a crafted app.
309 CVE-2015-1095 DoS Exec Code Mem. Corr. 2015-04-10 2019-03-08
7.2
None Local Low Not required Complete Complete Complete
IOHIDFamily in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HID device.
310 CVE-2015-1094 200 +Info 2015-04-10 2019-03-08
1.9
None Local Medium Not required Partial None None
IOAcceleratorFamily in Apple iOS before 8.3 and Apple TV before 7.2 allows attackers to obtain sensitive information about kernel memory via a crafted app.
311 CVE-2015-1093 DoS Exec Code Mem. Corr. 2015-04-10 2019-01-31
6.8
None Remote Medium Not required Partial Partial Partial
FontParser in Apple iOS before 8.3 and Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font file.
312 CVE-2015-1092 2015-04-10 2019-03-08
5.0
None Remote Low Not required Partial None None
NSXMLParser in Foundation in Apple iOS before 8.3 and Apple TV before 7.2 allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
313 CVE-2015-1091 200 Bypass +Info 2015-04-10 2017-01-03
4.3
None Remote Medium Not required Partial None None
The CFNetwork Session component in Apple iOS before 8.3 and Apple OS X before 10.10.3 does not properly handle request headers during processing of redirects in HTTP responses, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
314 CVE-2015-1090 200 +Info 2015-04-10 2017-01-03
5.0
None Remote Low Not required Partial None None
CFNetwork in Apple iOS before 8.3 does not delete HTTP Strict Transport Security (HSTS) state information in response to a Safari history-clearing action, which allows attackers to obtain sensitive information by reading a history file.
315 CVE-2015-1089 200 Bypass +Info 2015-04-10 2017-01-03
5.0
None Remote Low Not required Partial None None
CFNetwork in Apple iOS before 8.3 and Apple OS X before 10.10.3 does not properly handle cookies during processing of redirects in HTTP responses, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
316 CVE-2015-1088 20 Exec Code 2015-04-10 2017-01-03
6.8
None Remote Medium Not required Partial Partial Partial
CFURL in Apple iOS before 8.3 and Apple OS X before 10.10.3 does not properly validate URLs, which allows remote attackers to execute arbitrary code via a crafted web site.
317 CVE-2015-1087 22 Dir. Trav. 2015-04-10 2017-01-03
2.1
None Local Low Not required Partial None None
Directory traversal vulnerability in Backup in Apple iOS before 8.3 allows attackers to read arbitrary files via a crafted relative path.
318 CVE-2015-1086 20 Exec Code 2015-04-10 2019-03-08
6.9
None Local Medium Not required Complete Complete Complete
The Audio Drivers subsystem in Apple iOS before 8.3 and Apple TV before 7.2 does not properly validate IOKit object metadata, which allows attackers to execute arbitrary code in a privileged context via a crafted app.
319 CVE-2015-1085 264 2015-04-10 2017-01-03
1.9
None Local Medium Not required Partial None None
AppleKeyStore in Apple iOS before 8.3 does not properly restrict a certain passcode-confirmation interface, which makes it easier for attackers to verify correct passcode guesses via a crafted app.
320 CVE-2015-0995 255 2015-04-03 2015-04-03
5.0
None Remote Low Not required Partial None None
Inductive Automation Ignition 7.7.2 uses MD5 password hashes, which makes it easier for context-dependent attackers to obtain access via a brute-force attack.
321 CVE-2015-0994 254 Bypass 2015-04-03 2015-04-03
4.0
None Remote Low ??? None Partial None
Inductive Automation Ignition 7.7.2 allows remote authenticated users to bypass a brute-force protection mechanism by using different session ID values in a series of HTTP requests.
322 CVE-2015-0993 254 Bypass 2015-04-03 2015-04-03
6.4
None Remote Low Not required Partial Partial None
Inductive Automation Ignition 7.7.2 does not terminate a session upon a logout action, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation.
323 CVE-2015-0992 200 +Info 2015-04-03 2015-04-03
2.1
None Local Low Not required Partial None None
Inductive Automation Ignition 7.7.2 stores cleartext OPC Server credentials, which allows local users to obtain sensitive information via unspecified vectors.
324 CVE-2015-0991 200 +Info 2015-04-03 2015-04-03
5.0
None Remote Low Not required Partial None None
Inductive Automation Ignition 7.7.2 allows remote attackers to obtain sensitive information by reading an error message about an unhandled exception, as demonstrated by pathname information.
325 CVE-2015-0990 +Priv 2015-04-03 2015-04-03
4.4
None Local Medium Not required Partial Partial Partial
Untrusted search path vulnerability in Ecava IntegraXor SCADA Server before 4.2.4488 allows local users to gain privileges via a renamed DLL in the default install directory.
326 CVE-2015-0976 79 XSS 2015-04-03 2015-04-03
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Inductive Automation Ignition 7.7.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
327 CVE-2015-0970 352 CSRF 2015-04-18 2019-09-27
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in SearchBlox before 8.2 allows remote attackers to hijack the authentication of arbitrary users.
328 CVE-2015-0969 200 +Info 2015-04-18 2015-04-20
5.0
None Remote Low Not required Partial None None
SearchBlox before 8.2 allows remote attackers to obtain sensitive information via a pretty=true action to the _cluster/health URI.
329 CVE-2015-0968 Exec Code 2015-04-18 2015-04-20
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in admin/uploadImage.html in SearchBlox before 8.2 allows remote attackers to execute arbitrary code by uploading a file with an executable extension and the image/jpeg content type, a different vulnerability than CVE-2013-3590.
330 CVE-2015-0967 79 XSS 2015-04-18 2015-04-20
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in SearchBlox before 8.2 allow remote attackers to inject arbitrary web script or HTML via (1) the search field in plugin/index.html or (2) the title field in the Create Featured Result form in admin/main.jsp.
331 CVE-2015-0951 264 2015-04-05 2015-04-06
6.5
None Remote Low ??? Partial Partial Partial
X-Cart before 5.1.11 allows remote authenticated users to read or delete address data of arbitrary accounts via a modified (1) update or (2) remove request.
332 CVE-2015-0950 79 XSS 2015-04-05 2015-04-06
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in admin.php in X-Cart 5.1.6 through 5.1.10 allows remote attackers to inject arbitrary web script or HTML via the substring parameter.
333 CVE-2015-0938 200 Bypass +Info 2015-04-17 2016-12-08
5.0
None Remote Low Not required Partial None None
search.php on the Blue Coat Malware Analysis appliance with software before 4.2.4.20150312-RELEASE allows remote attackers to bypass intended access restrictions, and list or read arbitrary documents, by providing matching keywords in conjunction with a crafted parameter.
334 CVE-2015-0937 79 XSS 2015-04-17 2016-12-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in search.php on the Blue Coat Malware Analysis appliance with software before 4.2.4.20150312-RELEASE allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
335 CVE-2015-0932 264 2015-04-05 2015-04-15
10.0
None Remote Low Not required Complete Complete Complete
The ANTlabs InnGate firmware on IG 3100, IG 3101, InnGate 3.00 E, InnGate 3.01 E, InnGate 3.02 E, InnGate 3.10 E, InnGate 3.01 G, and InnGate 3.10 G devices does not require authentication for rsync sessions, which allows remote attackers to read or write to arbitrary files via TCP traffic on port 873.
336 CVE-2015-0911 22 Dir. Trav. 2015-04-24 2015-04-24
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in TAGAWA Takao TransmitMail 1.0.11 through 1.5.8 allows remote attackers to read arbitrary files via vectors related to attachment handling.
337 CVE-2015-0910 79 XSS 2015-04-24 2015-04-24
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in TAGAWA Takao TransmitMail 1.0.11 through 1.5.8 allows remote attackers to inject arbitrary web script or HTML via a crafted filename.
338 CVE-2015-0907 119 Exec Code Overflow 2015-04-15 2015-04-15
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in Lhaplus before 1.70 allows remote attackers to execute arbitrary code via a crafted archive.
339 CVE-2015-0906 22 Dir. Trav. 2015-04-15 2015-04-15
5.8
None Remote Medium Not required None Partial Partial
Directory traversal vulnerability in Lhaplus before 1.70 allows remote attackers to write to arbitrary files via a crafted archive.
340 CVE-2015-0905 352 CSRF 2015-04-08 2015-11-24
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in bBlog allows remote attackers to hijack the authentication of arbitrary users.
341 CVE-2015-0903 119 Exec Code Overflow 2015-04-03 2015-04-06
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in Saitoh Kikaku Maruo Editor 8.51 and earlier allows remote attackers to execute arbitrary code via a crafted .hmbook file.
342 CVE-2015-0902 200 +Info 2015-04-03 2015-04-03
5.0
None Remote Low Not required Partial None None
The Semper Fi All in One SEO Pack plugin before 2.2.6 for WordPress does not consider the presence of password protection during generation of the Meta Description field, which allows remote attackers to obtain sensitive information by reading HTML source code.
343 CVE-2015-0877 Exec Code 2015-04-06 2015-04-06
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in app/lib/mlf.pl in C-BOARD Moyuku before 1.03b3 allows remote attackers to execute arbitrary code by uploading a file with a \0 character in its name.
344 CVE-2015-0876 79 XSS 2015-04-07 2015-04-07
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the print_language_selectbox function in classes/adminpage.inc.php in Saurus CMS Community Edition before 4.7 2015-02-04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
345 CVE-2015-0846 200 +Info 2015-04-24 2015-04-27
5.0
None Remote Low Not required Partial None None
django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXT_FILTER_SETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors.
346 CVE-2015-0845 94 Exec Code 2015-04-17 2015-10-09
7.5
None Remote Low Not required Partial Partial Partial
Format string vulnerability in Movable Type Pro, Open Source, and Advanced before 5.2.13 and Pro and Advanced 6.0.x before 6.0.8 allows remote attackers to execute arbitrary code via vectors related to localization of templates.
347 CVE-2015-0844 200 +Info 2015-04-14 2016-06-28
5.0
None Remote Low Not required Partial None None
The WML/Lua API in Battle for Wesnoth 1.7.x through 1.11.x and 1.12.x before 1.12.2 allows remote attackers to read arbitrary files via a crafted (1) campaign or (2) map file.
348 CVE-2015-0840 284 Bypass 2015-04-13 2017-01-03
4.3
None Remote Medium Not required None Partial None
The dpkg-source command in Debian dpkg before 1.16.16 and 1.17.x before 1.17.25 allows remote attackers to bypass signature verification via a crafted Debian source control file (.dsc).
349 CVE-2015-0816 264 Exec Code Bypass 2015-04-01 2017-09-17
5.0
None Remote Low Not required None Partial None
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js.
350 CVE-2015-0815 DoS Exec Code Mem. Corr. 2015-04-01 2017-01-03
7.5
None Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Total number of vulnerabilities : 538   Page : 1 2 3 4 5 6 7 (This Page)8 9 10 11
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.