Vulnerabilities (CVE)

Filtered by CWE-254
Total 409 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2015-7187 1 Mozilla 1 Firefox 2024-11-21 4.3 MEDIUM N/A
The Add-on SDK in Mozilla Firefox before 42.0 misinterprets a "script: false" panel setting, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via inline JavaScript code that is executed within a third-party extension.
CVE-2015-7185 2 Google, Mozilla 2 Android, Firefox 2024-11-21 4.3 MEDIUM N/A
Mozilla Firefox before 42.0 on Android does not ensure that the address bar is restored upon fullscreen-mode exit, which allows remote attackers to spoof the address bar via crafted JavaScript code.
CVE-2015-7044 1 Apple 1 Mac OS X 2024-11-21 7.6 HIGH N/A
The System Integrity Protection feature in Apple OS X before 10.11.2 mishandles union mounts, which allows attackers to execute arbitrary code in a privileged context via a crafted app with root privileges.
CVE-2015-6999 1 Apple 1 iPhone OS 2024-11-21 5.0 MEDIUM N/A
The OCSP client in Apple iOS before 9.1 does not check for certificate expiry, which allows remote attackers to spoof a valid certificate by leveraging access to a revoked certificate.
CVE-2015-6997 1 Apple 2 iPhone OS, watchOS 2024-11-21 4.3 MEDIUM N/A
The X.509 certificate-trust implementation in Apple iOS before 9.1 does not recognize that the kSecRevocationRequirePositiveResponse flag implies a revocation-checking requirement, which makes it easier for man-in-the-middle attackers to spoof endpoints by leveraging access to a revoked certificate.
CVE-2015-6762 1 Google 1 Chrome 2024-11-21 7.5 HIGH N/A
The CSSFontFaceSrcValue::fetch function in core/css/CSSFontFaceSrcValue.cpp in the Cascading Style Sheets (CSS) implementation in Blink, as used in Google Chrome before 46.0.2490.71, does not use the CORS cross-origin request algorithm when a font's URL appears to be a same-origin URL, which allows remote web servers to bypass the Same Origin Policy via a redirect.
CVE-2015-6618 1 Google 1 Android 2024-11-21 4.3 MEDIUM N/A
Bluetooth in Android 4.4 and 5.x before 5.1.1 LMY48Z allows user-assisted remote attackers to execute arbitrary code by leveraging access to the local physical environment, aka internal bug 24595992.
CVE-2015-6592 1 Huawei 2 Uap2105, Uap2105 Firmware 2024-11-21 7.2 HIGH 6.8 MEDIUM
Huawei UAP2105 before V300R012C00SPC160(BootRom) does not require authentication to the serial port or the VxWorks shell.
CVE-2015-6583 1 Google 1 Chrome 2024-11-21 4.3 MEDIUM N/A
Google Chrome before 45.0.2454.85 does not display a location bar for a hosted app's window after navigation away from the installation site, which might make it easier for remote attackers to spoof content via a crafted app, related to browser.cc and hosted_app_browser_controller.cc.
CVE-2015-6582 1 Google 1 Chrome 2024-11-21 6.8 MEDIUM N/A
The decompose function in platform/transforms/TransformationMatrix.cpp in Blink, as used in Google Chrome before 45.0.2454.85, does not verify that a matrix inversion succeeded, which allows remote attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted web site.
CVE-2015-6498 1 Alcatel-Lucent 1 Home Device Manager 2024-11-21 5.0 MEDIUM 7.5 HIGH
Alcatel-Lucent Home Device Manager before 4.1.10, 4.2.x before 4.2.2 allows remote attackers to spoof and make calls as target devices.
CVE-2015-6473 1 Wago 4 750-849, 750-849 Firmware, 758-870 and 1 more 2024-11-21 10.0 HIGH 9.8 CRITICAL
WAGO IO 750-849 01.01.27 and WAGO IO 750-881 01.02.05 do not contain privilege separation.
CVE-2015-6427 1 Cisco 1 FireSIGHT System Software 2024-11-21 5.0 MEDIUM N/A
Cisco FireSIGHT Management Center allows remote attackers to bypass the HTTP attack detection feature and avoid triggering Snort IDS rules via an SSL session that is mishandled after decryption, aka Bug ID CSCux53437.
CVE-2015-6113 1 Microsoft 9 Windows 10, Windows 7, Windows 8 and 6 more 2024-11-21 2.1 LOW N/A
The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 allows local users to bypass intended filesystem permissions by leveraging Low Integrity access, aka "Windows Kernel Security Feature Bypass Vulnerability."
CVE-2015-6029 1 HP 1 ArcSight Logger 2024-11-21 5.0 MEDIUM N/A
HP ArcSight Logger before 6.0 P2 does not limit attempts to authenticate to the SOAP interface, which makes it easier for remote attackers to obtain access via a brute-force approach.
CVE-2015-5943 1 Apple 1 Mac OS X 2024-11-21 4.3 MEDIUM N/A
SecurityAgent in Apple OS X before 10.11.1 does not prevent synthetic clicks from reaching keychain windows, which allows attackers to bypass intended access restrictions via a crafted app.
CVE-2015-5905 1 Apple 1 iPhone OS 2024-11-21 5.0 MEDIUM N/A
Safari in Apple iOS before 9 allows remote attackers to spoof the relationship between URLs and web content via a crafted window opener on a web site.
CVE-2015-5904 1 Apple 1 iPhone OS 2024-11-21 4.3 MEDIUM N/A
Safari in Apple iOS before 9 allows remote attackers to spoof the relationship between URLs and web content via a crafted web site.
CVE-2015-5900 1 Apple 1 Mac OS X 2024-11-21 7.1 HIGH N/A
The protected range register in the EFI component in Apple OS X before 10.11 has an incorrect value, which allows attackers to cause a denial of service (boot failure) via a crafted app that writes to an unintended address.
CVE-2015-5857 1 Apple 1 iPhone OS 2024-11-21 5.0 MEDIUM N/A
Mail in Apple iOS before 9 allows remote attackers to use an address-book contact as a spoofed e-mail sender address via unspecified vectors.