Search Results (10733 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2015-3195 9 Apple, Canonical, Debian and 6 more 28 Mac Os X, Ubuntu Linux, Debian Linux and 25 more 2025-04-12 5.3 Medium
The ASN1_TFLG_COMBINE implementation in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zh, 1.0.0 before 1.0.0t, 1.0.1 before 1.0.1q, and 1.0.2 before 1.0.2e mishandles errors caused by malformed X509_ATTRIBUTE data, which allows remote attackers to obtain sensitive information from process memory by triggering a decoding failure in a PKCS#7 or CMS application.
CVE-2015-3197 3 Openssl, Oracle, Redhat 13 Openssl, Exalogic Infrastructure, Oss Support Tools and 10 more 2025-04-12 N/A
ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.
CVE-2015-3201 1 Redhat 2 Rhel Software Collections, Thermostat 2025-04-12 N/A
Thermostat before 2.0.0 uses world-readable permissions for the web.xml configuration file, which allows local users to obtain user credentials by reading the file.
CVE-2015-3231 2 Debian, Drupal 2 Debian Linux, Drupal 2025-04-12 N/A
The Render cache system in Drupal 7.x before 7.38, when used to cache content by user role, allows remote authenticated users to obtain private content viewed by user 1 by reading the cache.
CVE-2015-3236 1 Haxx 2 Curl, Libcurl 2025-04-12 N/A
cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via unspecified vectors.
CVE-2015-3238 3 Linux-pam, Oracle, Redhat 3 Linux-pam, Sparc-opl Service Processor, Enterprise Linux 2025-04-12 N/A
The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pam) before 1.2.1, when unable to directly access passwords, allows local users to enumerate usernames or cause a denial of service (hang) via a large password.
CVE-2015-3244 1 Redhat 1 Jboss Enterprise Portal Platform 2025-04-12 N/A
The Portlet Bridge for JavaServer Faces in Red Hat JBoss Portal 6.2.0, when used in portlets with the default resource serving for GenericPortlet, does not properly restrict access to restricted resources, which allows remote attackers to obtain sensitive information via a URL with a modified resource ID.
CVE-2015-3251 1 Apache 1 Cloudstack 2025-04-12 N/A
Apache CloudStack before 4.5.2 might allow remote authenticated administrators to obtain sensitive password information for root accounts of virtual machines via unspecified vectors related to API calls.
CVE-2015-3269 2 Adobe, Hp 2 Livecycle Data Services, Business Service Management 2025-04-12 N/A
Apache Flex BlazeDS, as used in flex-messaging-core.jar in Adobe LiveCycle Data Services (LCDS) 3.0.x before 3.0.0.354170, 4.5 before 4.5.1.354169, 4.6.2 before 4.6.2.354169, and 4.7 before 4.7.0.354169 and other products, allows remote attackers to read arbitrary files via an AMF message containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CVE-2015-3271 1 Apache 1 Tika 2025-04-12 N/A
Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow remote attackers to read arbitrary files via the HTTP fileUrl header.
CVE-2015-3282 1 Openafs 1 Openafs 2025-04-12 N/A
vos in OpenAFS before 1.6.13, when updating VLDB entries, allows remote attackers to obtain stack data by sniffing the network.
CVE-2015-3284 1 Openafs 1 Openafs 2025-04-12 N/A
pioctls in OpenAFS 1.6.x before 1.6.13 allows local users to read kernel memory via crafted commands.
CVE-2015-3293 1 Fortinet 1 Fortimail 2025-04-12 N/A
FortiMail 5.0.3 through 5.2.3 allows remote administrators to obtain credentials via the "diag debug application httpd" command.
CVE-2015-3319 1 Hotspotexpress 1 Hotex Billing Manager 2025-04-12 N/A
Hotspot Express hotEx Billing Manager 73 does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.
CVE-2015-3320 1 Lenovo 1 Usb Enhanced Performance Keyboard 2025-04-12 N/A
Lenovo USB Enhanced Performance Keyboard software before 2.0.2.2 includes active debugging code in SKHOOKS.DLL, which allows local users to obtain keypress information by accessing debug output.
CVE-2015-3340 5 Debian, Fedoraproject, Opensuse and 2 more 9 Debian Linux, Fedora, Opensuse and 6 more 2025-04-12 N/A
Xen 4.2.x through 4.5.x does not initialize certain fields, which allows certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request.
CVE-2015-3373 1 Amazon Aws Project 1 Amazon Aws 2025-04-12 N/A
The Amazon AWS module before 7.x-1.3 for Drupal uses the base URL and AWS access key to generate the access token, which makes it easier for remote attackers to guess the token value and create backups via a crafted URL.
CVE-2015-3391 1 Path Breadcrumbs Project 1 Path Breadcrumbs 2025-04-12 N/A
The Path Breadcrumbs module before 7.x-3.2 for Drupal allows remote attackers to bypass intended access restrictions and obtain sensitive node titles by reading a 403 Not Found page.
CVE-2015-3404 1 Certify Project 1 Certify 2025-04-12 N/A
The Certify module before 6.x-2.3 for Drupal does not properly perform node access checks, which allows remote authenticated users to bypass intended access restrictions and obtain sensitive PDF certificate information via vectors related to "showing (and creating) the PDF certificates."
CVE-2015-3412 2 Php, Redhat 9 Php, Enterprise Linux, Enterprise Linux Desktop and 6 more 2025-04-12 N/A
PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension.