CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In February 2016

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
301 CVE-2015-7769 78 Exec Code 2016-02-19 2016-03-03
6.5
None Remote Low ??? Partial Partial Partial
baserCMS 3.0.2 through 3.0.8 allows remote authenticated users to execute arbitrary OS commands via unspecified vectors.
302 CVE-2015-7680 200 +Info 2016-02-10 2016-02-18
5.0
None Remote Low Not required Partial None None
Ipswitch MOVEit DMZ before 8.2 provides different error messages for authentication attempts depending on whether the user account exists, which allows remote attackers to enumerate usernames via a series of SOAP requests to machine.aspx.
303 CVE-2015-7679 79 XSS 2016-02-10 2016-02-18
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Ipswitch MOVEit Mobile before 1.2.2 allows remote attackers to inject arbitrary web script or HTML via the query string to mobile/.
304 CVE-2015-7678 352 CSRF 2016-02-10 2016-02-18
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Ipswitch MOVEit Mobile 1.2.0.962 and earlier allow remote attackers to hijack the authentication of unspecified victims via unknown vectors.
305 CVE-2015-7677 200 +Info 2016-02-10 2016-02-12
4.0
None Remote Low ??? Partial None None
The MOVEitISAPI service in Ipswitch MOVEit DMZ before 8.2 provides different error messages depending on whether a FileID exists, which allows remote authenticated users to enumerate FileIDs via the X-siLock-FileID parameter in a download action to MOVEitISAPI/MOVEitISAPI.dll.
306 CVE-2015-7675 200 Bypass +Info 2016-02-10 2016-02-18
4.0
None Remote Low ??? Partial None None
The "Send as attachment" feature in Ipswitch MOVEit DMZ before 8.2 and MOVEit Mobile before 1.2.2 allow remote authenticated users to bypass authorization and read uploaded files via a valid FileID in the (1) serverFileIds parameter to mobile/sendMsg or (2) arg01 parameter to human.aspx.
307 CVE-2015-7581 399 DoS 2016-02-16 2019-08-08
5.0
None Remote Low Not required None None Partial
actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route.
308 CVE-2015-7580 79 XSS 2016-02-16 2019-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.
309 CVE-2015-7579 79 XSS 2016-02-16 2019-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.
310 CVE-2015-7578 79 XSS 2016-02-16 2019-08-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.
311 CVE-2015-7577 284 Bypass 2016-02-16 2019-08-08
5.0
None Remote Low Not required None Partial None
activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.
312 CVE-2015-7576 254 Bypass 2016-02-16 2019-08-08
4.3
None Remote Medium Not required Partial None None
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
313 CVE-2015-7566 DoS 2016-02-08 2018-10-09
4.9
None Local Low Not required None None Complete
The clie_5_attach function in drivers/usb/serial/visor.c in the Linux kernel through 4.4.1 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by inserting a USB device that lacks a bulk-out endpoint.
314 CVE-2015-7550 362 DoS 2016-02-08 2017-11-04
4.9
None Local Low Not required None None Complete
The keyctl_read_key function in security/keys/keyctl.c in the Linux kernel before 4.3.4 does not properly use a semaphore, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted application that leverages a race condition between keyctl_revoke and keyctl_read calls.
315 CVE-2015-7547 119 DoS Exec Code Overflow 2016-02-18 2022-01-25
6.8
None Remote Medium Not required Partial Partial Partial
Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted DNS response that triggers a call to the getaddrinfo function with the AF_UNSPEC or AF_INET6 address family, related to performing "dual A/AAAA DNS queries" and the libnss_dns.so.2 NSS module.
316 CVE-2015-7546 522 Bypass 2016-02-03 2020-06-02
6.0
None Remote Medium ??? Partial Partial Partial
The identity service in OpenStack Identity (Keystone) before 2015.1.3 (Kilo) and 8.0.x before 8.0.2 (Liberty) and keystonemiddleware (formerly python-keystoneclient) before 1.5.4 (Kilo) and Liberty before 2.3.3 does not properly invalidate authorization tokens when using the PKI or PKIZ token providers, which allows remote authenticated users to bypass intended access restrictions and gain access to cloud resources by manipulating byte fields within a revoked token.
317 CVE-2015-7539 345 Exec Code 2016-02-03 2019-12-17
7.6
None Remote High Not required Complete Complete Complete
The Plugins Manager in Jenkins before 1.640 and LTS before 1.625.2 does not verify checksums for plugin files referenced in update site data, which makes it easier for man-in-the-middle attackers to execute arbitrary code via a crafted plugin.
318 CVE-2015-7538 Bypass CSRF 2016-02-03 2019-12-17
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins before 1.640 and LTS before 1.625.2 allow remote attackers to bypass the CSRF protection mechanism via unspecified vectors.
319 CVE-2015-7537 352 CSRF 2016-02-03 2019-12-17
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote attackers to hijack the authentication of administrators for requests that have unspecified impact via vectors related to the HTTP GET method.
320 CVE-2015-7536 79 XSS 2016-02-03 2016-06-14
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Jenkins before 1.640 and LTS before 1.625.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors related to workspaces and archived artifacts.
321 CVE-2015-7513 369 DoS 2016-02-08 2021-12-10
4.9
None Local Low Not required None None Complete
arch/x86/kvm/x86.c in the Linux kernel before 4.4 does not reset the PIT counter values during state restoration, which allows guest OS users to cause a denial of service (divide-by-zero error and host OS crash) via a zero value, related to the kvm_vm_ioctl_set_pit and kvm_vm_ioctl_set_pit2 functions.
322 CVE-2015-7492 79 XSS 2016-02-15 2016-03-10
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Reference Data Management (RDM) in IBM InfoSphere Master Data Management 10.1, 11.0 before FP5, 11.3, 11.4, and 11.5 before FP1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
323 CVE-2015-7491 79 XSS 2016-02-29 2016-03-02
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.x before 8.0.0.1 CF20 and 8.5.x before 8.5.0.0 CF09 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
324 CVE-2015-7472 2016-02-15 2016-12-03
6.4
None Remote Low Not required Partial Partial None
IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF29, 8.0.0 before 8.0.0.1 CF20, and 8.5.0 before CF10 allows remote attackers to conduct LDAP injection attacks, and consequently read or write to repository data, via unspecified vectors.
325 CVE-2015-7457 79 XSS 2016-02-29 2016-03-02
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.x before 8.0.0.1 CF20 and 8.5.x before 8.5.0.0 CF09 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.
326 CVE-2015-7455 264 2016-02-29 2016-03-02
4.0
None Remote Low ??? None Partial None
IBM WebSphere Portal 7.x through 7.0.0.2 CF29, 8.0.x before 8.0.0.1 CF20, and 8.5.x before 8.5.0.0 CF09 uses weak permissions for content items, which allows remote authenticated users to make modifications via the authoring UI.
327 CVE-2015-7444 200 +Info 2016-02-15 2016-03-02
5.0
None Remote Low Not required Partial None None
The Update Installer in IBM WebSphere Commerce Enterprise 7.0.0.8 and 7.0.0.9 does not properly replicate the search index, which allows attackers to obtain sensitive information via unspecified vectors.
328 CVE-2015-7428 2016-02-29 2016-03-02
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in IBM WebSphere Portal 8.0.x before 8.0.0.1 CF20 and 8.5.x before 8.5.0.0 CF09 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted URL.
329 CVE-2015-7425 264 2016-02-21 2016-11-28
10.0
None Remote Low Not required Complete Complete Complete
The Data Protection component in the VMware vSphere GUI in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (aka Spectrum Protect for Virtual Environments) 6.3 before 6.3.2.5, 6.4 before 6.4.3.1, and 7.1 before 7.1.4 and Tivoli Storage FlashCopy Manager for VMware (aka Spectrum Protect Snapshot) 3.1 before 3.1.1.3, 3.2 before 3.2.0.6, and 4.1 before 4.1.4 allows remote attackers to obtain administrative privileges via a crafted URL that triggers back-end function execution.
330 CVE-2015-7408 264 2016-02-15 2016-03-10
2.6
None Remote High Not required Partial None None
The server in IBM Spectrum Protect (aka Tivoli Storage Manager) 5.5 and 6.x before 6.3.5.1 and 7.x before 7.1.4 does not properly restrict use of the ASNODENAME option, which allows remote attackers to read or write to backup data by leveraging proxy authority.
331 CVE-2015-7398 79 XSS 2016-02-15 2016-02-26
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Emptoris Contract Management 9.5.0.x before 9.5.0.6 iFix15, 10.0.0.x and 10.0.1.x before 10.0.1.5 iFix5, 10.0.2.x before 10.0.2.7 iFix4, and 10.0.4.x before 10.0.4.0 iFix3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
332 CVE-2015-7262 18 +Priv 2016-02-27 2016-03-11
8.5
None Remote Medium ??? Complete Complete Complete
QNAP iArtist Lite before 1.4.54, as distributed with QNAP Signage Station before 2.0.1, allows remote authenticated users to gain privileges by registering an executable file, and then waiting for this file to be run in a privileged context after a reboot.
333 CVE-2015-7261 255 2016-02-27 2016-03-11
7.5
None Remote Low Not required Partial Partial Partial
The FTP service in QNAP iArtist Lite before 1.4.54, as distributed with QNAP Signage Station before 2.0.1, has hardcoded credentials, which makes it easier for remote attackers to obtain access via a session on TCP port 21.
334 CVE-2015-6398 399 DoS 2016-02-07 2016-12-06
7.8
None Remote Low Not required None None Complete
Cisco Nexus 9000 Application Centric Infrastructure (ACI) Mode switches with software before 11.0(1c) allow remote attackers to cause a denial of service (device reload) via an IPv4 ICMP packet with the IP Record Route option, aka Bug ID CSCuq57512.
335 CVE-2015-6036 Bypass 2016-02-27 2016-03-02
5.0
None Remote Low Not required None Partial None
QNAP Signage Station before 2.0.1 allows remote attackers to bypass authentication, and consequently upload files, via a spoofed HTTP request.
336 CVE-2015-6022 Exec Code 2016-02-27 2016-03-08
9.0
None Remote Low ??? Complete Complete Complete
Unrestricted file upload vulnerability in QNAP Signage Station before 2.0.1 allows remote authenticated users to execute arbitrary code by uploading an executable file, and then accessing this file via an unspecified URL.
337 CVE-2015-5970 94 2016-02-18 2016-03-10
5.0
None Remote Low Not required Partial None None
The ChangePassword RPC method in Novell ZENworks Configuration Management (ZCM) 11.3 and 11.4 allows remote attackers to conduct XPath injection attacks, and read arbitrary text files, via a malformed query involving a system entity reference.
338 CVE-2015-5351 352 Bypass CSRF 2016-02-25 2018-07-19
6.8
None Remote Medium Not required Partial Partial Partial
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
339 CVE-2015-5346 2016-02-25 2018-07-19
6.8
None Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
340 CVE-2015-5345 22 Dir. Trav. 2016-02-25 2019-04-15
5.0
None Remote Low Not required Partial None None
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.
341 CVE-2015-5344 19 Exec Code 2016-02-03 2019-05-24
7.5
None Remote Low Not required Partial Partial Partial
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
342 CVE-2015-5342 264 Bypass 2016-02-22 2020-12-01
4.0
None Remote Low ??? None Partial None
The choice module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote authenticated users to bypass intended access restrictions by visiting a URL to add or delete responses in the closed state.
343 CVE-2015-5341 264 Bypass 2016-02-22 2020-12-01
4.0
None Remote Low ??? Partial None None
mod_scorm in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 mishandles availability dates, which allows remote authenticated users to bypass intended access restrictions and read SCORM contents via unspecified vectors.
344 CVE-2015-5340 264 +Info 2016-02-22 2020-12-01
4.0
None Remote Low ??? Partial None None
Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not consider the moodle/badges:viewbadges capability, which allows remote authenticated users to obtain sensitive badge information via a request involving (1) badges/overview.php or (2) badges/view.php.
345 CVE-2015-5339 264 +Info 2016-02-22 2020-12-01
4.0
None Remote Low ??? Partial None None
The core_enrol_get_enrolled_users web service in enrol/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly implement group-based access restrictions, which allows remote authenticated users to obtain sensitive course-participant information via a web-service request.
346 CVE-2015-5338 352 CSRF 2016-02-22 2020-12-01
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1) mod/lesson/mediafile.php or (2) mod/lesson/view.php.
347 CVE-2015-5337 79 XSS 2016-02-22 2020-12-01
4.3
None Remote Medium Not required None Partial None
Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not properly restrict the availability of Flowplayer, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted .swf file.
348 CVE-2015-5336 79 XSS 2016-02-22 2020-12-01
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the survey module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote authenticated users to inject arbitrary web script or HTML by leveraging the student role and entering a crafted survey answer.
349 CVE-2015-5335 352 CSRF 2016-02-22 2020-12-01
4.3
None Remote Medium Not required Partial None None
Cross-site request forgery (CSRF) vulnerability in admin/registration/register.php in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allows remote attackers to hijack the authentication of administrators for requests that send statistics to an arbitrary hub URL.
350 CVE-2015-5332 399 DoS 2016-02-22 2020-12-01
7.1
None Remote Medium Not required None None Complete
Atto in Moodle 2.8.x before 2.8.9 and 2.9.x before 2.9.3 allows remote attackers to cause a denial of service (disk consumption) by leveraging the guest role and entering drafts with the editor-autosave feature.
Total number of vulnerabilities : 380   Page : 1 2 3 4 5 6 7 (This Page)8
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.