ECI Networks

is a leading award winning developer of e-business systems and software that enable companies and organizations to effectively collaborate and communicate with their trading partners, market their products and services online, generate new business opportunities and efficiently transact business globally.

Learn More

ecommerce-hands-globe-300

ECI Global

An American Export Trading and Management Company for manufacturers, producers, service providers wholesalers, foreign & domestic buyers, distributors and agents desiring entry to international markets. We are equipped to help you enter the global marketplace at whatever pace suits your business.

ECI Global

grid splash_measured_rsp

ECI Financial

We have developed an innovative suite of business solutions for financial management based on innovative infrastructure, networks, management resources, and eCommerce payment solutions that allow businesses to better extract profits from cash flows.

Learn More

grid 82319_001-200x200

E3 Technologies

To focus interdisciplinary effort on research in nanotechnology, autonomous systems, software, networks, water management, sustainable energy, information technology, biotechnology, and materials engineering.

Learn More

grid gene

BL-2-OC

BL2OC – (B)usiness (L)everage -2- (O)rganize (C)ommunities. Our purpose is simple and our results are sustainable.

Learn More

pic01_1

ECI Communiversity

Massive Open Online Courses, or MOOCs: Internet-based teaching programs designed to handle thousands of students simultaneously

Learn More

What We Do

Business-Security-Technology
Original release date: April 13, 2015

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
antlabs — inngate The ANTlabs InnGate firmware on IG 3100, IG 3101, InnGate 3.00 E, InnGate 3.01 E, InnGate 3.02 E, InnGate 3.10 E, InnGate 3.01 G, and InnGate 3.10 G devices does not require authentication for rsync sessions, which allows remote attackers to read or write to arbitrary files via TCP traffic on port 873. 2015-04-04 10.0 CVE-2015-0932
CERT-VN
CONFIRM (link is external)
MISC (link is external)
MISC (link is external)
apache — subversion The mod_dav_svn server in Subversion 1.8.0 through 1.8.11 allows remote attackers to cause a denial of service (memory consumption) via a large number of REPORT requests, which trigger the traversal of FSFS repository nodes. 2015-04-08 7.8 CVE-2015-0202
MANDRIVA (link is external)
CONFIRM
apache — cassandra The default configuration in Apache Cassandra 1.2.0 through 1.2.19, 2.0.0 through 2.0.13, and 2.1.0 through 2.1.3 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote attackers to execute arbitrary Java code via an RMI request. 2015-04-03 7.5 CVE-2015-0225
BUGTRAQ (link is external)
MLIST
MISC (link is external)
apple — apple_tv IOHIDFamily in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HID device. 2015-04-10 7.2 CVE-2015-1095
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
APPLE (link is external)
apple — apple_tv The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 does not properly handle TCP headers, which allows man-in-the-middle attackers to cause a denial of service via unspecified vectors. 2015-04-10 7.1 CVE-2015-1102
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
APPLE (link is external)
apple — apple_tv The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 makes routing changes in response to ICMP_REDIRECT messages, which allows remote attackers to cause a denial of service (network outage) or obtain sensitive packet-content information via a crafted ICMP packet. 2015-04-10 7.5 CVE-2015-1103
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
APPLE (link is external)
apple — mac_os_x The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges via unspecified vectors. 2015-04-10 7.2 CVE-2015-1130
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1132, CVE-2015-1133, CVE-2015-1134, and CVE-2015-1135. 2015-04-10 7.2 CVE-2015-1131
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1133, CVE-2015-1134, and CVE-2015-1135. 2015-04-10 10.0 CVE-2015-1132
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1132, CVE-2015-1134, and CVE-2015-1135. 2015-04-10 7.2 CVE-2015-1133
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, and CVE-2015-1135. 2015-04-10 7.2 CVE-2015-1134
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, and CVE-2015-1134. 2015-04-10 7.2 CVE-2015-1135
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x The NVIDIA graphics driver in Apple OS X before 10.10.3 allows local users to gain privileges or cause a denial of service (NULL pointer dereference) via an unspecified IOService userclient type. 2015-04-10 7.2 CVE-2015-1137
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x Buffer overflow in IOHIDFamily in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors. 2015-04-10 7.2 CVE-2015-1140
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x LaunchServices in Apple OS X before 10.10.3 allows local users to gain privileges via a crafted localized string, related to a “type confusion” issue. 2015-04-10 7.2 CVE-2015-1143
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x Buffer overflow in the UniformTypeIdentifiers component in Apple OS X before 10.10.3 allows local users to gain privileges via a crafted Uniform Type Identifier. 2015-04-10 7.2 CVE-2015-1144
CONFIRM (link is external)
APPLE (link is external)
apple — xcode Integer overflow in the simulator in Swift in Apple Xcode before 6.3 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact by triggering an incorrect result of a type conversion. 2015-04-10 7.5 CVE-2015-1149
CONFIRM (link is external)
APPLE (link is external)
arj_software — arj_archiver Buffer overflow in Open-source ARJ archiver 3.10.22 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ARJ archive. 2015-04-08 7.5 CVE-2015-2782
MLIST (link is external)
MLIST (link is external)
DEBIAN
c-board_moyuku_project — c-board_moyuku Unrestricted file upload vulnerability in app/lib/mlf.pl in C-BOARD Moyuku before 1.03b3 allows remote attackers to execute arbitrary code by uploading a file with a \0 character in its name. 2015-04-05 7.5 CVE-2015-0877
CONFIRM (link is external)
JVNDB (link is external)
JVN (link is external)
ca — spectrum CA Spectrum 9.2.x and 9.3.x before 9.3 H02 does not properly validate serialized Java objects, which allows remote authenticated users to obtain administrative privileges via crafted object data. 2015-04-07 9.0 CVE-2015-2828
CONFIRM (link is external)
cisco — unity_connection The Connection Conversation Manager (aka CuCsMgr) process in Cisco Unity Connection 8.5 before 8.5(1)SU6, 8.6 before 8.6(2a)SU4, and 9.x before 9.1(2)SU2, when SIP trunk integration is enabled, allows remote attackers to cause a denial of service (SIP outage) via a crafted UDP packet, aka Bug ID CSCuh25062. 2015-04-03 7.1 CVE-2015-0612
SECTRACK (link is external)
CISCO (link is external)
cisco — unity_connection The Connection Conversation Manager (aka CuCsMgr) process in Cisco Unity Connection 8.5 before 8.5(1)SU7, 8.6 before 8.6(2a)SU4, 9.x before 9.1(2)SU2, and 10.0 before 10.0(1)SU1, when SIP trunk integration is enabled, allows remote attackers to cause a denial of service (core dump and restart) via crafted SIP INVITE messages, aka Bug ID CSCul20444. 2015-04-03 7.1 CVE-2015-0613
SECTRACK (link is external)
CISCO (link is external)
cisco — unity_connection The Connection Conversation Manager (aka CuCsMgr) process in Cisco Unity Connection 8.5 before 8.5(1)SU7, 8.6 before 8.6(2a)SU4, 9.x before 9.1(2)SU2, and 10.0 before 10.0(1)SU1, when SIP trunk integration is enabled, allows remote attackers to cause a denial of service (core dump and restart) via crafted SIP INVITE messages, aka Bug ID CSCul26267. 2015-04-03 7.1 CVE-2015-0614
SECTRACK (link is external)
CISCO (link is external)
cisco — unity_connection The call-handling implementation in Cisco Unity Connection 8.5 before 8.5(1)SU7, 8.6 before 8.6(2a)SU4, 9.x before 9.1(2)SU2, and 10.0 before 10.0(1)SU1, when SIP trunk integration is enabled, allows remote attackers to cause a denial of service (port consumption) by improperly terminating SIP sessions, aka Bug ID CSCul28089. 2015-04-03 7.1 CVE-2015-0615
SECTRACK (link is external)
CISCO (link is external)
cisco — unity_connection The Connection Conversation Manager (aka CuCsMgr) process in Cisco Unity Connection 8.5 before 8.5(1)SU7, 8.6 before 8.6(2a)SU4, and 9.x before 9.1(2)SU2, when SIP trunk integration is enabled, allows remote attackers to cause a denial of service (core dump and restart) by improperly terminating SIP TCP connections, aka Bug ID CSCul69819. 2015-04-03 7.1 CVE-2015-0616
SECTRACK (link is external)
CISCO (link is external)
cisco — prime_data_center_network_manager Directory traversal vulnerability in the fmserver servlet in Cisco Prime Data Center Network Manager (DCNM) before 7.1(1) allows remote attackers to read arbitrary files via a crafted pathname, aka Bug ID CSCus00241. 2015-04-03 7.8 CVE-2015-0666
SECTRACK (link is external)
CISCO (link is external)
cisco — ios_xe Cisco IOS XE 3.10.2S on an ASR 1000 device with an Embedded Services Processor (ESP) module, when NAT is enabled, allows remote attackers to cause a denial of service (module crash) via malformed H.323 packets, aka Bug ID CSCup21070. 2015-04-03 7.1 CVE-2015-0688
SECTRACK (link is external)
CISCO (link is external)
gnu — glibc The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka glibc or libc6) before 2.21 does not properly consider data-type size during memory allocation, which allows context-dependent attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long line containing wide characters that are improperly handled in a wscanf call. 2015-04-08 7.5 CVE-2015-1472
MLIST
CONFIRM
MLIST (link is external)
hidemaru — editor Buffer overflow in Saitoh Kikaku Maruo Editor 8.51 and earlier allows remote attackers to execute arbitrary code via a crafted .hmbook file. 2015-04-03 7.5 CVE-2015-0903
JVNDB (link is external)
JVN (link is external)
CONFIRM (link is external)
ibm — rational_clearcase The MSCAPI/MSCNG interface implementation in GSKit in IBM Rational ClearCase 7.1.2.x before 7.1.2.17, 8.0.0.x before 8.0.0.14, and 8.0.1.x before 8.0.1.7 does not properly generate random numbers, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors. 2015-04-05 9.4 CVE-2014-6221
CONFIRM (link is external)
SECTRACK (link is external)
ibm — domino The LDAP Server in IBM Domino 8.5.x before 8.5.3 FP6 IF6 and 9.x before 9.0.1 FP3 IF1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, aka SPR KLYH9SLRGM. 2015-04-05 10.0 CVE-2015-0117
CONFIRM (link is external)
SECTRACK (link is external)
ibm — tivoli_storage_manager_fastback FastBack Mount in IBM Tivoli Storage Manager FastBack 6.1.x before 6.1.11.1 allows remote attackers to execute arbitrary code by connecting to the Mount port. 2015-04-05 7.5 CVE-2015-0119
CONFIRM (link is external)
ibm — domino Buffer overflow in the SSLv2 implementation in IBM Domino 8.5.x before 8.5.1 FP5 IF3, 8.5.2 before FP4 IF3, 8.5.3 before FP6 IF6, 9.0 before IF7, and 9.0.1 before FP2 IF3 allows remote attackers to execute arbitrary code via unspecified vectors. 2015-04-05 10.0 CVE-2015-0134
CONFIRM (link is external)
SECTRACK (link is external)
ibm — domino Notes System Diagnostic (NSD) in IBM Domino 8.5.x before 8.5.3 FP6 IF6 and 9.x before 9.0.1 FP3 IF1 allows local users to obtain the System privilege via unspecified vectors, aka SPR TCHL9SST8V. 2015-04-05 7.2 CVE-2015-0179
CONFIRM (link is external)
SECTRACK (link is external)
linux — linux_kernel The IPv4 implementation in the Linux kernel before 3.18.8 does not properly consider the length of the Read-Copy Update (RCU) grace period for redirecting lookups in the absence of caching, which allows remote attackers to cause a denial of service (memory consumption or system crash) via a flood of packets. 2015-04-05 7.8 CVE-2015-1465
CONFIRM (link is external)
CONFIRM (link is external)
UBUNTU (link is external)
UBUNTU (link is external)
MLIST (link is external)
CONFIRM
CONFIRM
oxide_project — oxide Use-after-free vulnerability in Oxide before 1.5.6 and 1.6.x before 1.6.1 allows remote attackers to cause a denial of service (crash) or possible execute arbitrary code by deleting all WebContents while a RenderProcessHost instance still exists. 2015-04-08 7.5 CVE-2015-1317
CONFIRM (link is external)
UBUNTU (link is external)
redhat — openstack The puppet manifests in the Red Hat openstack-puppet-modules package before 2014.2.13-2 uses a default password of CHANGEME for the pcsd daemon, which allows remote attackers to execute arbitrary shell commands via unspecified vectors. 2015-04-10 10.0 CVE-2015-1842
CONFIRM (link is external)
REDHAT (link is external)
REDHAT (link is external)
simple_ads_manager_project — simple_ads_manager Multiple SQL injection vulnerabilities in sam-ajax-admin.php in the Simple Ads Manager plugin 2.5.94 and 2.5.96 for WordPress allow remote attackers to execute arbitrary SQL commands via a (1) hits[][] parameter in a sam_hits action; the (2) cstr parameter in a load_posts action; the (3) searchTerm parameter in a load_combo_data action; or the (4) subscriber, (5) contributor, (6) author, (7) editor, (8) admin, or (9) sadmin parameter in a load_users action. 2015-04-06 7.5 CVE-2015-2824
BUGTRAQ (link is external)
BUGTRAQ (link is external)
FULLDISC
FULLDISC
MISC (link is external)

Medium Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
apache — subversion The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 through 1.7.19 and 1.8.0 through 1.8.11 allow remote attackers to cause a denial of service (assertion failure and abort) via crafted parameter combinations related to dynamically evaluated revision numbers. 2015-04-08 5.0 CVE-2015-0248
MANDRIVA (link is external)
CONFIRM
apache — subversion The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via a crafted v1 HTTP protocol request sequences. 2015-04-08 4.0 CVE-2015-0251
MANDRIVA (link is external)
CONFIRM
apache — flex Cross-site scripting (XSS) vulnerability in asdoc/templates/index.html in Apache Flex before 4.14.1 allows remote attackers to inject arbitrary web script or HTML by providing a crafted URI to JavaScript code generated by the asdoc component. 2015-04-07 4.3 CVE-2015-1773
BUGTRAQ
apple — iphone_os CFURL in Apple iOS before 8.3 and Apple OS X before 10.10.3 does not properly validate URLs, which allows remote attackers to execute arbitrary code via a crafted web site. 2015-04-10 6.8 CVE-2015-1088
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
apple — iphone_os CFNetwork in Apple iOS before 8.3 and Apple OS X before 10.10.3 does not properly handle cookies during processing of redirects in HTTP responses, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. 2015-04-10 5.0 CVE-2015-1089
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
apple — iphone_os CFNetwork in Apple iOS before 8.3 does not delete HTTP Strict Transport Security (HSTS) state information in response to a Safari history-clearing action, which allows attackers to obtain sensitive information by reading a history file. 2015-04-10 5.0 CVE-2015-1090
CONFIRM (link is external)
APPLE (link is external)
apple — iphone_os The CFNetwork Session component in Apple iOS before 8.3 and Apple OS X before 10.10.3 does not properly handle request headers during processing of redirects in HTTP responses, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. 2015-04-10 4.3 CVE-2015-1091
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
apple — apple_tv NSXMLParser in Foundation in Apple iOS before 8.3 and Apple TV before 7.2 allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. 2015-04-10 5.0 CVE-2015-1092
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
apple — iphone_os FontParser in Apple iOS before 8.3 and Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font file. 2015-04-10 6.8 CVE-2015-1093
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
apple — iphone_os iWork in Apple iOS before 8.3 and Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted iWork file. 2015-04-10 6.8 CVE-2015-1098
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
apple — apple_tv The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 does not properly determine whether an IPv6 packet had a local origin, which allows remote attackers to bypass an intended network-filtering protection mechanism via a crafted packet. 2015-04-10 5.0 CVE-2015-1104
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
APPLE (link is external)
apple — apple_tv The TCP implementation in the kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 does not properly implement the Urgent (aka out-of-band data) mechanism, which allows remote attackers to cause a denial of service via crafted packets. 2015-04-10 5.0 CVE-2015-1105
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
APPLE (link is external)
apple — apple_tv The Podcasts component in Apple iOS before 8.3 and Apple TV before 7.2 allows remote attackers to discover unique identifiers by reading asset-download request data. 2015-04-10 5.0 CVE-2015-1110
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
apple — iphone_os Safari in Apple iOS before 8.3 does not delete Recently Closed Tabs data in response to a history-clearing action, which allows attackers to obtain sensitive information by reading a history file. 2015-04-10 5.0 CVE-2015-1111
CONFIRM (link is external)
APPLE (link is external)
apple — safari Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, as used on iOS before 8.3 and other platforms, does not properly delete browsing-history data from the history.plist file, which allows attackers to obtain sensitive information by reading this file. 2015-04-10 5.0 CVE-2015-1112
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
apple — apple_tv libnetcore in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows attackers to cause a denial of service (memory corruption and application crash) via a crafted configuration profile. 2015-04-10 5.0 CVE-2015-1118
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
APPLE (link is external)
apple — apple_tv WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-04-08-1, APPLE-SA-2015-04-08-3, and APPLE-SA-2015-04-08-4. 2015-04-10 6.8 CVE-2015-1119
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
APPLE (link is external)
apple — apple_tv WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-04-08-1, APPLE-SA-2015-04-08-3, and APPLE-SA-2015-04-08-4. 2015-04-10 6.8 CVE-2015-1120
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
APPLE (link is external)
apple — apple_tv WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-04-08-1, APPLE-SA-2015-04-08-3, and APPLE-SA-2015-04-08-4. 2015-04-10 6.8 CVE-2015-1121
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
APPLE (link is external)
apple — apple_tv WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-04-08-1, APPLE-SA-2015-04-08-3, and APPLE-SA-2015-04-08-4. 2015-04-10 6.8 CVE-2015-1122
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
APPLE (link is external)
apple — apple_tv WebKit, as used in Apple iOS before 8.3 and Apple TV before 7.2, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-04-08-3 and APPLE-SA-2015-04-08-4. 2015-04-10 6.8 CVE-2015-1123
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
apple — apple_tv WebKit, as used in Apple iOS before 8.3, Apple TV before 7.2, and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2015-04-08-1, APPLE-SA-2015-04-08-3, and APPLE-SA-2015-04-08-4. 2015-04-10 6.8 CVE-2015-1124
CONFIRM (link is external)
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
APPLE (link is external)
apple — iphone_os The touch-events implementation in WebKit in Apple iOS before 8.3 allows remote attackers to trigger an association between a tap and an unintended web resource via a crafted web site. 2015-04-10 4.3 CVE-2015-1125
CONFIRM (link is external)
APPLE (link is external)
apple — safari WebKit, as used in Apple iOS before 8.3 and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, does not properly handle the userinfo field in FTP URLs, which allows remote attackers to trigger incorrect resource access via unspecified vectors. 2015-04-10 4.3 CVE-2015-1126
CONFIRM (link is external)
CONFIRM (link is external)
APPLE (link is external)
APPLE (link is external)
apple — safari The private-browsing implementation in Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 allows attackers to obtain sensitive browsing-history information via vectors involving push-notification requests. 2015-04-10 5.0 CVE-2015-1128
CONFIRM (link is external)
APPLE (link is external)
apple — safari Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 does not properly select X.509 client certificates, which makes it easier for remote attackers to track users via a crafted web site. 2015-04-10 4.3 CVE-2015-1129
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x Use-after-free vulnerability in CoreAnimation in Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code by leveraging improper use of a mutex. 2015-04-10 6.8 CVE-2015-1136
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x Hypervisor in Apple OS X before 10.10.3 allows local users to cause a denial of service via unspecified vectors. 2015-04-10 4.9 CVE-2015-1138
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x ImageIO in Apple OS X before 10.10.3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted .sgi file. 2015-04-10 6.8 CVE-2015-1139
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x The mach_vm_read functionality in the kernel in Apple OS X before 10.10.3 allows local users to cause a denial of service (system crash) via unspecified vectors. 2015-04-10 4.9 CVE-2015-1141
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x Open Directory Client in Apple OS X before 10.10.3 sends unencrypted password-change requests in certain circumstances involving missing certificates, which allows remote attackers to obtain sensitive information by sniffing the network. 2015-04-10 5.0 CVE-2015-1147
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x Screen Sharing in Apple OS X before 10.10.3 stores the password of a user in a log file, which might allow context-dependent attackers to obtain sensitive information by reading this file. 2015-04-10 5.0 CVE-2015-1148
CONFIRM (link is external)
APPLE (link is external)
arj_software — arj_archiver Open-source ARJ archiver 3.10.22 allows remote attackers to conduct directory traversal attacks via a symlink attack in an ARJ archive. 2015-04-08 5.8 CVE-2015-0556
CONFIRM
MLIST (link is external)
MLIST (link is external)
DEBIAN
arj_software — arj_archiver Open-source ARJ archiver 3.10.22 does not properly remove leading slashes from paths, which allows remote attackers to conduct absolute path traversal attacks and write to arbitrary files via multiple leading slashes in a path in an ARJ archive. 2015-04-08 5.8 CVE-2015-0557
CONFIRM
MLIST (link is external)
MLIST (link is external)
DEBIAN
bblog_project — bblog Cross-site request forgery (CSRF) vulnerability in bBlog allows remote attackers to hijack the authentication of arbitrary users. 2015-04-07 6.8 CVE-2015-0905
MISC (link is external)
JVNDB (link is external)
JVN (link is external)
cisco — unified_communications_domain_manager Cisco Unified Communications Domain Manager 8.1(4) allows remote authenticated users to execute arbitrary code by visiting a “deprecated page,” aka Bug ID CSCup90168. 2015-04-03 6.5 CVE-2015-0682
SECTRACK (link is external)
CISCO (link is external)
cisco — unified_communications_domain_manager Cisco Unified Communications Domain Manager 8.1(4) allows remote authenticated users to obtain sensitive information via a file-inclusion attack, aka Bug ID CSCup94744. 2015-04-03 4.0 CVE-2015-0683
SECTRACK (link is external)
CISCO (link is external)
cisco — unified_communications_domain_manager SQL injection vulnerability in the Image Management component in Cisco Unified Communications Domain Manager 8.1(4) allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCuq52515. 2015-04-03 6.5 CVE-2015-0684
SECTRACK (link is external)
CISCO (link is external)
cisco — wireless_lan_controller_software Cross-site scripting (XSS) vulnerability in the HTML help system on Cisco Wireless LAN Controller (WLC) devices before 8.0 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCun95178. 2015-04-06 4.3 CVE-2015-0690
SECTRACK (link is external)
CISCO (link is external)
emc — powerpath_virtual_appliance EMC PowerPath Virtual Appliance (aka vApp) before 2.0 has default passwords for the (1) emcupdate and (2) svcuser accounts, which makes it easier for remote attackers to obtain potentially sensitive information via a login session. 2015-04-04 5.0 CVE-2015-0529
BUGTRAQ
MISC (link is external)
ericsson — drutt_mobile_service_delivery_platform Multiple cross-site scripting (XSS) vulnerabilities in the Report Viewer in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allow remote attackers to inject arbitrary web script or HTML via the (1) portal, (2) fromDate, (3) toDate, (4) fromTime, (5) toTime, (6) kword, (7) uname, (8) pname, (9) sname, (10) atype, or (11) atitle parameter to top-links.jsp; (12) portal or (13) uid parameter to (a) page-summary.jsp or (b) service-summary.jsp; (14) portal, (15) fromDate, (16) toDate, (17) fromTime, (18) toTime, (19) sortDirection, (20) kword, (21) uname, (22) pname, (23) sname, (24) file, (25) atype, or (26) atitle parameter to (a) top-useragent-devices.jsp or (b) top-interest-areas.jsp; (27) fromDate, (28) toDate, (29) fromTime, (30) toTime, (31) sortDirection, (32) kword, (33) uname, (34) pname, (35) sname, (36) file, (37) atype, or (38) atitle parameter to top-message-services.jsp; (39) portal, (40) fromDate, (41) toDate, (42) fromTime, (43) toTime, (44) orderBy, (45) sortDirection, (46) kword, (47) uname, (48) pname, (49) sname, (50) file, (51) atype, or (52) atitle parameter to (a) user-statistics.jsp, (b) top-web-pages.jsp, (c) top-devices.jsp, (d) top-pages.jsp, (e) session-summary.jsp, (f) top-providers.jsp, (g) top-modules.jsp, or (h) top-services.jsp; (53) fromDate, (54) toDate, (55) fromTime, (56) toTime, (57) orderBy, (58) sortDirection, (59) uid, (60) uid2, (61) kword, (62) uname, (63) pname, (64) sname, (65) file, (66) atype, or (67) atitle parameter to message-shortcode-summary.jsp; (68) fromDate, (69) toDate, (70) fromTime, (71) toTime, (72) orderBy, (73) sortDirection, (74) uid, (75) kword, (76) uname, (77) pname, (78) sname, (79) file, (80) atype, or (81) atitle parameter to (a) message-providers-summary.jsp or (b) message-services-summary.jsp; (82) kword, (83) uname, (84) pname, (85) sname, (86) file, (87) atype, or (88) atitle parameter to license-summary.jsp; (89) portal, (90) fromDate, (91) toDate, (92) fromTime, (93) toTime, (94) orderBy, (95) sortDirection, (96) uid, (97) uid2, (98) kword, (99) uname, (100) pname, (101) sname, (102) file, (103) atype, or (104) atitle parameter to useragent-device-summary.jsp; (105) fromDate, (106) toDate, (107) fromTime, (108) toTime, (109) orderBy, (110) sortDirection, (111) kword, (112) uname, (113) pname, (114) sname, (115) file, (116) atype, or (117) atitle parameter to (a) top-message-providers.jsp, (b) top-message-devices.jsp, (c) top-message-assets.jsp, (d) top-message-downloads.jsp, or (e) top-message-shortcode.jsp; (118) fromDate, (119) toDate, (120) fromTime, (121) toTime, (122) kword, (123) uname, (124) pname, (125) sname, (126) file, (127) atype, or (128) atitle parameter to request-summary.jsp; (129) portal parameter to link-summary-select.jsp, (130) provider-summary-select.jsp, or (131) module-summary-select.jsp; (132) portal, (133) uid, (134) kword, (135) uname, (136) pname, (137) sname, (138) file, (139) atype, or (140) atitle parameter to link-summary.jsp; (141) portal, (142) fromDate, (143) toDate, (144) fromTime, (145) toTime, (146) orderBy, (147) sortDirection, (148) uid, (149) kword, (150) uname, (151) pname, (152) sname, (153) file, (154) atype, or (155) atitle parameter to (a) provider-summary.jsp or (b) module-summary.jsp in reports/pages/. 2015-04-06 4.3 CVE-2015-2165
MISC (link is external)
ericsson — drutt_mobile_service_delivery_platform Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the default URI. 2015-04-06 5.0 CVE-2015-2166
MISC (link is external)
ericsson — drutt_mobile_service_delivery_platform Open redirect vulnerability in the 3PI Manager in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to jsp/start-3pi-manager.jsp. 2015-04-06 5.8 CVE-2015-2167
MISC (link is external)
gnu — glibc The ADDW macro in stdio-common/vfscanf.c in the GNU C Library (aka glibc or libc6) before 2.21 does not properly consider data-type size during a risk-management decision for use of the alloca function, which might allow context-dependent attackers to cause a denial of service (segmentation violation) or overwrite memory locations beyond the stack boundary via a long line containing wide characters that are improperly handled in a wscanf call. 2015-04-08 6.4 CVE-2015-1473
CONFIRM
MLIST (link is external)
ibm — websphere_datapower_xc10_appliance_firmware The IBM WebSphere DataPower XC10 appliance 2.1 before 2.1.0.3 allows remote attackers to hijack the sessions of arbitrary users, and consequently obtain sensitive information or modify data, via unspecified vectors. 2015-04-05 6.8 CVE-2015-1893
CONFIRM (link is external)
SECTRACK (link is external)
AIXAPAR (link is external)
mcafee — advanced_threat_defense McAfee Advanced Threat Defense (MATD) before 3.4.4.63 allows remote authenticated users to bypass intended restrictions and change or update configuration settings via crafted parameters. 2015-04-08 5.5 CVE-2015-3028
CONFIRM (link is external)
mcafee — advanced_threat_defense The web interface in McAfee Advanced Threat Defense (MATD) before 3.4.4.63 does not properly restrict access, which allows remote authenticated users to obtain sensitive information via unspecified vectors. 2015-04-08 4.0 CVE-2015-3029
CONFIRM (link is external)
mcafee — advanced_threat_defense The web interface in McAfee Advanced Threat Defense (MATD) before 3.4.4.63 allows remote authenticated users to obtain sensitive configuration information via unspecified vectors. 2015-04-08 4.0 CVE-2015-3030
CONFIRM (link is external)
mozilla — firefox The Reader mode feature in Mozilla Firefox before 37.0.1 on Android, and Desktop Firefox pre-release, does not properly handle privileged URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy. 2015-04-08 5.0 CVE-2015-0798
CONFIRM
CONFIRM
mozilla — firefox The HTTP Alternative Services feature in Mozilla Firefox before 37.0.1 allows man-in-the-middle attackers to bypass an intended X.509 certificate-verification step for an SSL server by specifying that server in the uri-host field of an Alt-Svc HTTP/2 response header. 2015-04-08 4.3 CVE-2015-0799
CONFIRM
CONFIRM
ntp — ntp The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer. 2015-04-08 4.3 CVE-2015-1799
CERT-VN
CONFIRM
CONFIRM
pfsense — pfsense Cross-site request forgery (CSRF) vulnerability in system_firmware_restorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deletefile parameter. 2015-04-10 6.8 CVE-2015-2295
CONFIRM
MISC (link is external)
BUGTRAQ (link is external)
MISC (link is external)
qualiteam — x-cart Cross-site scripting (XSS) vulnerability in admin.php in X-Cart 5.1.6 through 5.1.10 allows remote attackers to inject arbitrary web script or HTML via the substring parameter. 2015-04-04 4.3 CVE-2015-0950
CERT-VN
CONFIRM (link is external)
qualiteam — x-cart X-Cart before 5.1.11 allows remote authenticated users to read or delete address data of arbitrary accounts via a modified (1) update or (2) remove request. 2015-04-04 6.5 CVE-2015-0951
CERT-VN
CONFIRM (link is external)
quassel-irc — quassel Quassel before 0.12-rc1 uses an incorrect data-type size when splitting a message, which allows remote attackers to cause a denial of service (crash) via a long CTCP query containing only multibyte characters. 2015-04-10 5.0 CVE-2015-2778
CONFIRM (link is external)
MLIST (link is external)
MLIST (link is external)
MLIST (link is external)
SUSE
redhat — docker The Red Hat docker package before 1.5.0-28, when using the –add-registry option, falls back to HTTP when the HTTPS connection to the registry fails, which allows man-in-the-middle attackers to conduct downgrade attacks and obtain authentication and image data by leveraging a network position between the client and the registry to block HTTPS traffic. NOTE: this vulnerability exists because of a CVE-2014-5277 regression. 2015-04-06 4.3 CVE-2015-1843
CONFIRM (link is external)
REDHAT (link is external)
saurus — saurus_cms Multiple cross-site scripting (XSS) vulnerabilities in the print_language_selectbox function in classes/adminpage.inc.php in Saurus CMS Community Edition before 4.7 2015-02-04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2015-04-06 4.3 CVE-2015-0876
CONFIRM (link is external)
JVNDB (link is external)
JVN (link is external)
schneider-electric — vampset Multiple buffer overflows in Schneider Electric VAMPSET before 2.2.168 allow local users to gain privileges via malformed disturbance-recording data in a (1) CFG or (2) DAT file. 2015-04-03 4.4 CVE-2014-8390
MISC
CONFIRM (link is external)
BUGTRAQ (link is external)
MISC (link is external)
siemens — simatic_step_7 Siemens SIMATIC STEP 7 (TIA Portal) 12 and 13 before 13 SP1 Upd1 allows man-in-the-middle attackers to obtain sensitive information or modify transmitted data via unspecified vectors. 2015-04-05 6.8 CVE-2015-1601
CONFIRM (link is external)
siemens — wincc Siemens SIMATIC HMI Comfort Panels before WinCC (TIA Portal) 13 SP1 Upd2 and SIMATIC WinCC Runtime Advanced before WinCC (TIA Portal) 13 SP1 Upd2 allow man-in-the-middle attackers to cause a denial of service via crafted packets on TCP port 102. 2015-04-08 4.3 CVE-2015-2822
CONFIRM (link is external)
siemens — wincc Siemens SIMATIC HMI Basic Panels 2nd Generation before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC HMI Comfort Panels before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC WinCC Runtime Advanced before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC WinCC Runtime Professional before WinCC (TIA Portal) 13 SP1 Upd2, SIMATIC HMI Basic Panels 1st Generation (WinCC TIA Portal), SIMATIC HMI Mobile Panel 277 (WinCC TIA Portal), SIMATIC HMI Multi Panels (WinCC TIA Portal), and SIMATIC WinCC 7.x before 7.3 Upd4 allow remote attackers to complete authentication by leveraging knowledge of a password hash without knowledge of the associated password. 2015-04-08 6.8 CVE-2015-2823
CONFIRM (link is external)


Low Vulnerabilities

Primary
Vendor — Product
Description Published CVSS Score Source & Patch Info
apple — iphone_os AppleKeyStore in Apple iOS before 8.3 does not properly restrict a certain passcode-confirmation interface, which makes it easier for attackers to verify correct passcode guesses via a crafted app. 2015-04-10 1.9 CVE-2015-1085
CONFIRM (link is external)
APPLE (link is external)
apple — iphone_os Directory traversal vulnerability in Backup in Apple iOS before 8.3 allows attackers to read arbitrary files via a crafted relative path. 2015-04-10 2.1 CVE-2015-1087
CONFIRM (link is external)
APPLE (link is external)
apple — iphone_os The QuickType feature in the Keyboards subsystem in Apple iOS before 8.3 allows physically proximate attackers to discover passcodes by reading the lock screen during use of a Bluetooth keyboard. 2015-04-10 2.1 CVE-2015-1106
CONFIRM (link is external)
APPLE (link is external)
apple — iphone_os The Lock Screen component in Apple iOS before 8.3 does not properly implement the erasure feature for incorrect passcode-authentication attempts, which makes it easier for physically proximate attackers to obtain access by making many passcode guesses. 2015-04-10 1.9 CVE-2015-1107
CONFIRM (link is external)
APPLE (link is external)
apple — iphone_os The Lock Screen component in Apple iOS before 8.3 does not properly enforce the limit on incorrect passcode-authentication attempts, which makes it easier for physically proximate attackers to obtain access by making many passcode guesses. 2015-04-10 2.1 CVE-2015-1108
CONFIRM (link is external)
APPLE (link is external)
apple — iphone_os NetworkExtension in Apple iOS before 8.3 stores credentials in VPN configuration logs, which makes it easier for physically proximate attackers to obtain sensitive information by reading a log file. 2015-04-10 2.1 CVE-2015-1109
CONFIRM (link is external)
APPLE (link is external)
apple — iphone_os The UIKit View component in Apple iOS before 8.3 displays unblurred application snapshots in the Task Switcher, which makes it easier for physically proximate attackers to obtain sensitive information by reading the device screen. 2015-04-10 2.1 CVE-2015-1116
CONFIRM (link is external)
APPLE (link is external)
apple — safari The private-browsing implementation in WebKit in Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 places browsing history into an index, which might allow local users to obtain sensitive information by reading index entries. 2015-04-10 2.1 CVE-2015-1127
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x LaunchServices in Apple OS X before 10.10.3 allows local users to cause a denial of service (Finder crash) via crafted localization data. 2015-04-10 2.1 CVE-2015-1142
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x The Code Signing implementation in Apple OS X before 10.10.3 does not properly validate signatures, which allows local users to bypass intended access restrictions via a crafted bundle, a different vulnerability than CVE-2015-1146. 2015-04-10 1.9 CVE-2015-1145
CONFIRM (link is external)
APPLE (link is external)
apple — mac_os_x The Code Signing implementation in Apple OS X before 10.10.3 does not properly validate signatures, which allows local users to bypass intended access restrictions via a crafted bundle, a different vulnerability than CVE-2015-1145. 2015-04-10 1.9 CVE-2015-1146
CONFIRM (link is external)
APPLE (link is external)
ca — spectrum Cross-site scripting (XSS) vulnerability in CA Spectrum 9.2.x and 9.3.x before 9.3 H02 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. 2015-04-07 3.5 CVE-2015-2827
CONFIRM (link is external)
freebsd — freebsd The bsdinstall installer in FreeBSD 10.x before 10.1 p9, when configuring full disk encrypted ZFS, uses world-readable permissions for the GELI keyfile (/boot/encryption.key), which allows local users to obtain sensitive key information by reading the file. 2015-04-10 2.1 CVE-2015-1415
FREEBSD
SECTRACK (link is external)
BUGTRAQ (link is external)
MISC (link is external)
hp — intelligent_provisioning Unspecified vulnerability in HP Intelligent Provisioning 1.40 through 1.60 on Windows Server 2008 R2 and 2012 allows local users to obtain sensitive information via unknown vectors. 2015-04-03 2.1 CVE-2015-2111
HP (link is external)
ibm — general_parallel_file_system /usr/lpp/mmfs/bin/gpfs.snap in IBM General Parallel File System (GPFS) 4.1 before 4.1.0.7 produces an archive potentially containing cleartext keys, and lacks a warning about reviewing this archive to detect included keys, which might allow remote attackers to obtain sensitive information by leveraging access to a technical-support data stream. 2015-04-05 3.5 CVE-2015-1890
CONFIRM (link is external)
ntp — ntp The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC. 2015-04-08 1.8 CVE-2015-1798
CERT-VN
CONFIRM
CONFIRM
siemens — simatic_step_7 Siemens SIMATIC STEP 7 (TIA Portal) 12 and 13 before 13 SP1 Upd1 improperly stores password data within project files, which makes it easier for local users to determine cleartext (1) protection-level passwords or (2) web-server passwords by leveraging the ability to read these files. 2015-04-05 2.1 CVE-2015-1602
CONFIRM (link is external)
xen — xen drivers/xen/usbback/usbback.c in linux-2.6.18-xen-3.4.0 (aka the Xen 3.4.x support patches for the Linux kernel 2.6.18), as used in the Linux kernel 2.6.x and 3.x in SUSE Linux distributions, allows guest OS users to obtain sensitive information from uninitialized locations in host OS kernel memory via unspecified vectors. 2015-04-05 2.1 CVE-2015-0777
CONFIRM (link is external)
SUSE
Business-Security-Technology
Original release date: March 16, 2015

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week.

Read more ...

Business-Security-Technology

Original release date: March 10, 2015

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week.

Read more ...

xl_BenQ monitor - web

IBM today is publicly disclosing a flaw that it found and reported to Dropbox, impacting the security of the popular file sharing and sync service. Since Dropbox functionality is embedded in multiple applications, the risk and potential impact is larger than just the Dropbox app itself.  The flaw, now identified as CVE-2014-8889, was found inside the Dropbox SDK (software development kit) for Android and could have potentially enabled an attacker to insert an arbitrary access token, to give the attacker access to user information.

Full Article – IBM Exposes Critical Dropbox Vulnerability

Business-Security-Technology

Original release date: March 02, 2015

Read more ...

Business-Security-Technology

Original release date: February 23, 2015

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week.

Read more ...

ECI Networks is a solution provider specializing in state of-the-art, high-performance solutions for Web Applications, Network/Systems infrastructure, and Outsourcing. In strategic partnerships with top industry leaders, ECI develops solutions for use on Mid Market and Enterprise platforms. ECI’s professional services offers system design and implementation, software development and network administration.
learn More

As a management consulting firm focused on information security, ECI Networks offers a wide array of protection services to assure that your organization is secure. With our distinct systems of Audit and Compliance, Risk Management. Network Operations and Incident Response we can work with you to migrating your risks, while advancing from your current state to a secure and sustainable state.

learn More

ECI offers a managed network care solution that reduces the cost of IT-related ownership and performance by 35-50%  as outlined in the Gartner report dated March 10th 2008 – Effective Management Can Cut Total Cost of Ownership for Desktop PCs by 42%.  Our grid based and redundant systems provide high availability, performance, and back up security.  When disaster strikes, down time and disaster recovery has been less than one hour for servers, workstations and access to necessary business data.

More Details

Security Outline

Security Profile & Penetration.

Security assessments are the cornerstone of any strong information security program

Read More

Industries.

Each industry has its unique challenges when having to secure their organization

Read More

 

Privacy.

An effective security program does not equate to a solid privacy program.

Read More

Login