Vulnerability Summary for the Week of April 13, 2015

Please Note:

• The vulnerabilities are categorized by their level of severity, which is either High, Medium or Low.

• The CVE identity number is the publicly known ID given to that particular vulnerability. You can therefore look up the status of that vulnerability using that ID.

• The CVSS (Common Vulnerability Scoring System) score is a standard scoring system used to determine the severity of the vulnerability.

High Severity Vulnerabilities

Each entry below is laid out as: The Primary Vendor -- Product | Date Published | CVSS Score | The CVE Identity | Sources. The description follows on the next line.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-0346 | CONFIRM
Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0359.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-0347 | CONFIRM
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, and CVE-2015-3043.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-0348 | CONFIRM
Buffer overflow in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-0349 | CONFIRM
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0351, CVE-2015-0358, and CVE-2015-3039.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-0350 | CONFIRM
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0347, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, and CVE-2015-3043.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-0351 | CONFIRM
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0349, CVE-2015-0358, and CVE-2015-3039.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-0352 | CONFIRM
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, and CVE-2015-3043.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-0353 | CONFIRM
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, and CVE-2015-3043.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-0354 | CONFIRM
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, and CVE-2015-3043.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-0355 | CONFIRM
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, and CVE-2015-3043.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-0356 | CONFIRM
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion."

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-0358 | CONFIRM
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0349, CVE-2015-0351, and CVE-2015-3039.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-0359 | CONFIRM
Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0346.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-0360 | CONFIRM
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-3038, CVE-2015-3041, CVE-2015-3042, and CVE-2015-3043.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-3038 | CONFIRM
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3041, CVE-2015-3042, and CVE-2015-3043.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-3039 | CONFIRM
Use-after-free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0349, CVE-2015-0351, and CVE-2015-0358.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-3041 | CONFIRM
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3042, and CVE-2015-3043.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-3042 | CONFIRM
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, and CVE-2015-3043.

adobe -- flash_player | 2015-04-14 | 10.0 | CVE-2015-3043 | CONFIRM
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, as exploited in the wild in April 2015, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, and CVE-2015-3042.

apple -- apple_tv | 2015-04-10 | 7.2 | CVE-2015-1095 | CONFIRM (3), SECTRACK, APPLE (3)
IOHIDFamily in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows physically proximate attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HID device.

apple -- apple_tv | 2015-04-10 | 7.1 | CVE-2015-1102 | CONFIRM (3), SECTRACK, APPLE (3)
The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 does not properly handle TCP headers, which allows man-in-the-middle attackers to cause a denial of service via unspecified vectors.

apple -- apple_tv | 2015-04-10 | 7.5 | CVE-2015-1103 | CONFIRM (3), SECTRACK, APPLE (3)
The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 makes routing changes in response to ICMP_REDIRECT, which allows remote attackers to cause a denial of service (network outage) or obtain sensitive packet-content information via a crafted ICMP packet.

apple -- mac_os_x | 2015-04-10 | 7.2 | CVE-2015-1130 | CONFIRM, SECTRACK, APPLE
The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges via unspecified vectors.

apple -- mac_os_x | 2015-04-10 | 7.2 | CVE-2015-1131 | CONFIRM, SECTRACK, APPLE
fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1132, CVE-2015-1133, CVE-2015-1134, and CVE-2015-1135.

apple -- mac_os_x | 2015-04-10 | 10.0 | CVE-2015-1132 | CONFIRM, SECTRACK, APPLE
fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1133, CVE-2015-1134, and CVE-2015-1135.

apple -- mac_os_x | 2015-04-10 | 7.2 | CVE-2015-1133 | CONFIRM, SECTRACK, APPLE
fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1132, CVE-2015-1134, and CVE-2015-1135.

apple -- mac_os_x | 2015-04-10 | 7.2 | CVE-2015-1134 | CONFIRM, SECTRACK, APPLE
fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, and CVE-2015-1135.

apple -- mac_os_x | 2015-04-10 | 7.2 | CVE-2015-1135 | CONFIRM, SECTRACK, APPLE
fontd in Apple Type Services (ATS) in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1131, CVE-2015-1132, CVE-2015-1133, and CVE-2015-1134.

apple -- mac_os_x | 2015-04-10 | 7.2 | CVE-2015-1137 | CONFIRM, SECTRACK, APPLE
The NVIDIA graphics driver in Apple OS X before 10.10.3 allows local users to gain privileges or cause a denial of service (NULL pointer dereference) via an unspecified IOService userclient type.

apple -- mac_os_x | 2015-04-10 | 7.2 | CVE-2015-1140 | CONFIRM, SECTRACK, APPLE
Buffer overflow in IOHIDFamily in Apple OS X before 10.10.3 allows local users to gain privileges via unspecified vectors.

apple -- mac_os_x | 2015-04-10 | 7.2 | CVE-2015-1143 | CONFIRM, SECTRACK, APPLE
LaunchServices in Apple OS X before 10.10.3 allows local users to gain privileges via a crafted localized string, related to a "type confusion" issue.

apple -- mac_os_x | 2015-04-10 | 7.2 | CVE-2015-1144 | CONFIRM, SECTRACK, APPLE
Buffer overflow in the UniformTypeIdentifiers component in Apple OS X before 10.10.3 allows local users to gain privileges via a crafted Uniform Type Identifier.

apple -- xcode | 2015-04-10 | 7.5 | CVE-2015-1149 | CONFIRM, SECTRACK, APPLE
Integer overflow in the simulator in Swift in Apple Xcode before 6.3 allows context-dependent attackers to cause a denial of service or possibly have unspecified other impact by triggering an incorrect result of a type conversion.

bittorrent -- sync | 2015-04-13 | 9.3 | CVE-2015-2846 | MISC
BitTorrent Sync allows remote attackers to execute arbitrary commands via a crafted btsync: link.

boosted -- boosted_boards | 2015-04-10 | 8.3 | CVE-2015-2247 | MISC (4)
Unspecified vulnerability in Boosted Boards skateboards allows physically proximate attackers to modify skateboard movement, cause human injury, or cause physical damage via vectors related to an "injection attack" that blocks and hijacks a Bluetooth signal.

cisco -- adaptive_security_appliance_software | 2015-04-12 | 8.3 | CVE-2015-0675 | SECTRACK, CISCO
The failover ipsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(6), 9.2 before 9.2(3.3), and 9.3 before 9.3(3) does not properly validate failover communication messages, which allows remote attackers to reconfigure an ASA device, and consequently obtain administrative control, by sending crafted UDP packets over the local network to the failover interface, aka Bug ID CSCur21069.

cisco -- adaptive_security_appliance_software | 2015-04-12 | 7.1 | CVE-2015-0676 | SECTRACK, CISCO
The DNS implementation in Cisco Adaptive Security Appliance (ASA) Software 7.2 before 7.2(5.16), 8.2 before 8.2(5.57), 8.3 before 8.3(2.44), 8.4 before 8.4(7.28), 8.5 before 8.5(1.24), 8.6 before 8.6(1.17), 8.7 before 8.7(1.16), 9.0 before 9.0(4.33), 9.1 before 9.1(6.1), 9.2 before 9.2(3.4), and 9.3 before 9.3(3) allows man-in-the-middle attackers to cause a denial of service (memory consumption or device outage) by triggering outbound DNS queries and then sending crafted responses to these queries, aka Bug ID CSCuq77655.

cisco -- adaptive_security_appliance_software | 2015-04-12 | 7.8 | CVE-2015-0677 | SECTRACK, CISCO
The XML parser in Cisco Adaptive Security Appliance (ASA) Software 8.4 before 8.4(7.28), 8.6 before 8.6(1.17), 9.0 before 9.0(4.33), 9.1 before 9.1(6), 9.2 before 9.2(3.4), and 9.3 before 9.3(3), when Clientless SSL VPN, AnyConnect SSL VPN, or AnyConnect IKEv2 VPN is used, allows remote attackers to cause a denial of service (VPN outage or device reload) via a crafted XML document, aka Bug ID CSCus95290.

cisco -- asa_cx_context-aware_security_software | 2015-04-10 | 7.8 | CVE-2015-0678 | SECTRACK, CISCO
The virtualization layer in Cisco ASA FirePOWER Software before 5.3.1.2 and 5.4.x before 5.4.0.1 and ASA Context-Aware (CX) Software before 9.3.2.1-9 allows remote attackers to cause a denial of service (device reload) by rapidly sending crafted packets to the management interface, aka Bug IDs CSCus11007 and CSCun56954.

cisco -- secure_desktop | 2015-04-16 | 9.3 | CVE-2015-0691 | CISCO
A certain Cisco JAR file, as distributed in Cache Cleaner in Cisco Secure Desktop (CSD), allows remote attackers to execute arbitrary commands via a crafted web site, aka Bug ID CSCup83001.

cisco -- web_security_appliance | 2015-04-10 | 7.2 | CVE-2015-0692 | CISCO
Cisco Web Security Appliance (WSA) devices with software 8.5.0-ise-147 do not properly restrict use of the pickle Python module during certain tunnel-status checks, which allows local users to execute arbitrary Python code and gain privileges via crafted serialized objects, aka Bug ID CSCut39230.

cisco -- web_security_appliance | 2015-04-15 | 7.2 | CVE-2015-0693 | CISCO
Cisco Web Security Appliance (WSA) devices with software 8.5.0-ise-147 do not properly restrict use of the pickle Python module during certain tunnel-status checks, which allows local users to execute arbitrary Python code and gain privileges via a crafted pickle file, aka Bug ID CSCut39259.

cisco -- ios_xr | 2015-04-16 | 7.8 | CVE-2015-0695 | CISCO
Cisco IOS XR 4.3.4 through 5.3.0 on ASR 9000 devices, when uRPF, PBR, QoS, or an ACL is configured, does not properly handle bridge-group virtual interface (BVI) traffic, which allows remote attackers to cause a denial of service (chip and card hangs and reloads) by triggering use of a BVI interface for IPv4 packets, aka Bug ID CSCur62957.

das_watchdog_project -- das_watchdog | 2015-04-14 | 7.2 | CVE-2015-2831 | CONFIRM, MLIST (2), DEBIAN
Buffer overflow in das_watchdog 0.9.0 allows local users to execute arbitrary code with root privileges via a large string in the XAUTHORITY environment variable.

debian -- dbd-firebird | 2015-04-14 | 10.0 | CVE-2015-2788 | CONFIRM (2), MLIST (2), DEBIAN
Multiple stack-based buffer overflows in the ib_fill_isqlda function in dbdimp.c in DBD-Firebird before 1.19 allow remote attackers to have unspecified impact via unknown vectors that trigger an error condition, related to binding octets to columns.

emc -- networker | 2015-04-16 | 7.2 | CVE-2015-0530 | BUGTRAQ
Buffer overflow in an unspecified function in nsr_render_log in EMC NetWorker before 8.0.4.3, 8.1.x before 8.1.2.6, and 8.2.x before 8.2.1.2 allows local users to gain privileges via unknown vectors.

fiyo -- fiyo_cms | 2015-04-14 | 7.5 | CVE-2014-9145 | MISC
Multiple SQL injection vulnerabilities in Fiyo CMS 2.0.1.8 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an edit action to dapur/index.php; (2) cat, (3) user, or (4) level parameter to dapur/apps/app_article/controller/article_list.php; or (5) email parameter in an email action or (6) username parameter in a user action to dapur/apps/app_user/controller/check_user.php.

glpi-project -- glpi | 2015-04-14 | 7.5 | CVE-2014-8360 | CONFIRM, MANDRIVA, CONFIRM, MISC, CONFIRM
Directory traversal vulnerability in inc/autoload.function.php in GLPI before 0.84.8 allows remote attackers to include and execute arbitrary local files via a .._ (dot dot underscore) in an item type to the getItemForItemtype, as demonstrated by the itemtype parameter in ajax/common.tabs.php.

gnu -- less | 2015-04-14 | 10.0 | CVE-2014-9488 | MISC, MANDRIVA, SUSE, CONFIRM
The is_utf8_well_formed function in GNU less before 475 allows remote attackers to have unspecified impact via malformed UTF-8 characters, which triggers an out-of-bounds read.

gnu -- mailman | 2015-04-13 | 7.6 | CVE-2015-2775 | MLIST (3), CONFIRM, UBUNTU, SECTRACK, DEBIAN
Directory traversal vulnerability in GNU Mailman before 2.1.20, when not using a static , allows remote attackers to execute arbitrary files via a .. (dot dot) in a list name.

gnu -- libtasn1 | 2015-04-10 | 10.0 | CVE-2015-2806 | UBUNTU, MLIST (2), MANDRIVA, DEBIAN, CONFIRM
Stack-based buffer overflow in asn1_der_decoding in libtasn1 before 4.4 allows remote attackers to have unspecified impact via unknown vectors.

hp -- easy_tools | 2015-04-14 | 9.0 | CVE-2015-2112 | HP
Unspecified vulnerability in HP Easy Deploy, as distributed standalone and in HP Easy Tools before 3.0.1.1650, on HP Thin Client t5540, t5740, and t5740e devices and HP Flexible Thin Client t510, t520, t610, t620, and t820 devices allows remote authenticated users to execute arbitrary code via unknown vectors.

hp -- easy_tools | 2015-04-14 | 10.0 | CVE-2015-2113 | HP
Unspecified vulnerability in HP Easy Deploy, as distributed standalone and in HP Easy Tools before 3.0.1.1650, on HP Thin Client t5540, t5740, and t5740e devices and HP Flexible Thin Client t510, t520, t610, t620, and t820 devices allows remote attackers to execute arbitrary code via unknown vectors.

ibm -- tivoli_storage_manager_fastback | 2015-04-15 | 7.2 | CVE-2015-1897 | CONFIRM
Stack-based buffer overflow in the FastBackMount process in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.11.1 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1898.

ibm -- tivoli_storage_manager_fastback | 2015-04-15 | 7.2 | CVE-2015-1898 | CONFIRM
Stack-based buffer overflow in the FastBackMount process in IBM Tivoli Storage Manager FastBack 6.1 before 6.1.11.1 allows local users to gain privileges via unspecified vectors, a different vulnerability than CVE-2015-1897.

juniper -- junos | 2015-04-10 | 7.2 | CVE-2015-3003 | CONFIRM, SECTRACK
Juniper Junos 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 before 12.1X47-D20, 12.3 before 12.3R9, 12.3X48 before 12.3X48-D10, 13.2 before 13.2R6, 13.3 before 13.3R5, 14.1 before 14.1R3, and 14.2 before 14.2R1 allows local users to gain privileges via crafted combinations of CLI commands and arguments.

mediawiki -- mediawiki | 2015-04-13 | 7.1 | CVE-2015-2936 | MLIST, CONFIRM, MLIST (2), MANDRIVA
MediaWiki 1.24.x before 1.24.2, when using PBKDF2 for password hashing, allows remote attackers to cause a denial of service (CPU consumption) via a long password.

mediawiki -- mediawiki | 2015-04-13 | 7.1 | CVE-2015-2937 | MLIST, CONFIRM, MLIST (2), MANDRIVA
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM or Zend PHP, allows remote attackers to cause a denial of service ("quadratic blowup" and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, a different vulnerability than CVE-2015-2942.

mediawiki -- mediawiki | 2015-04-13 | 7.1 | CVE-2015-2942 | MLIST, CONFIRM, MLIST (2)
MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an (1) SVG file or (2) XMP metadata in a PDF file, aka a "billion laughs attack," a different vulnerability than CVE-2015-2937.

microsoft -- windows_7 | 2015-04-14 | 7.2 | CVE-2015-0098 | MS
Task Scheduler in 7 SP1 and Windows Server 2008 R2 SP1 allows local users to gain privileges by triggering application execution by an invalid task, aka "Task Scheduler Elevation of Privilege Vulnerability."

microsoft -- windows_7 | 2015-04-14 | 10.0 | CVE-2015-1635 | MS
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."

microsoft -- office | 2015-04-14 | 9.3 | CVE-2015-1641 | MS
Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word for Mac 2011, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1 allow remote attackers to execute arbitrary code via a crafted RTF document, aka "Microsoft Office Memory Corruption Vulnerability."

microsoft -- windows_7 | 2015-04-14 | 7.2 | CVE-2015-1643 | MS
Microsoft Windows Server 2003 R2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly constrain impersonation levels, which allows local users to gain privileges via a crafted application, aka "NtCreateTransactionManager Type Confusion Vulnerability."

microsoft -- windows_7 | 2015-04-14 | 7.2 | CVE-2015-1644 | MS
Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly constrain impersonation levels, which allows local users to gain privileges via a crafted application, aka "Windows MS-DOS Device Name Vulnerability."

microsoft -- windows_7 | 2015-04-14 | 9.3 | CVE-2015-1645 | MS
Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow remote attackers to execute arbitrary code via a crafted Enhanced Metafile (EMF) image, aka "EMF Processing Remote Code Execution Vulnerability."

microsoft -- office | 2015-04-14 | 9.3 | CVE-2015-1649 | MS
Use-after-free vulnerability in Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word Viewer, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2, and Office Web Apps Server 2010 SP2 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Component Use After Free Vulnerability."

microsoft -- office | 2015-04-14 | 9.3 | CVE-2015-1650 | MS
Use-after-free vulnerability in Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word Viewer, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, and Office Web Apps Server 2010 SP2 and 2013 SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Component Use After Free Vulnerability."

microsoft -- office_compatibility_pack | 2015-04-14 | 9.3 | CVE-2015-1651 | MS
Use-after-free vulnerability in Microsoft Word 2007 SP3, Word Viewer, and Office Compatibility Pack SP3 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Component Use After Free Vulnerability."

microsoft -- internet_explorer | 2015-04-14 | 9.3 | CVE-2015-1652 | MS
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-1666.

microsoft -- internet_explorer | 2015-04-14 | 9.3 | CVE-2015-1657 | MS
Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

microsoft -- internet_explorer | 2015-04-14 | 9.3 | CVE-2015-1659 | MS
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-1662 and CVE-2015-1665.

microsoft -- internet_explorer | 2015-04-14 | 9.3 | CVE-2015-1660 | MS
Microsoft Internet Explorer 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

microsoft -- internet_explorer | 2015-04-14 | 9.3 | CVE-2015-1662 | MS
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-1659 and CVE-2015-1665.

microsoft -- internet_explorer | 2015-04-14 | 9.3 | CVE-2015-1665 | MS
Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-1659 and CVE-2015-1662.

microsoft -- internet_explorer | 2015-04-14 | 9.3 | CVE-2015-1666 | MS
Microsoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-1652.

microsoft -- internet_explorer | 2015-04-14 | 9.3 | CVE-2015-1667 | MS
Microsoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

microsoft -- internet_explorer | 2015-04-14 | 9.3 | CVE-2015-1668 | MS
Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."

oracle -- solaris | 2015-04-16 | 7.2 | CVE-2015-0448 | CONFIRM
Unspecified vulnerability in Oracle Sun Solaris 11.2 allows local users to affect confidentiality, integrity, and availability via vectors related to ZFS File system.

oracle -- database_server | 2015-04-16 | 9.0 | CVE-2015-0457 | CONFIRM
Unspecified vulnerability in the Java VM component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.

oracle -- jdk | 2015-04-16 | 7.6 | CVE-2015-0458 | CONFIRM
Unspecified vulnerability in Oracle Java SE 6u91, 7u76, and 8u40 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

oracle -- javafx | 2015-04-16 | 10.0 | CVE-2015-0459 | CONFIRM
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and JavaFX 2.2.76, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2015-0491.

oracle -- jdk | 2015-04-16 | 9.3 | CVE-2015-0460 | CONFIRM
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Hotspot.

oracle -- fusion_middleware | 2015-04-16 | 7.0 | CVE-2015-0461 | CONFIRM
Unspecified vulnerability in the Oracle Access Manager component in Oracle Fusion Middleware 11.1.1.5 and 11.1.1.7 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Authentication Engine.

oracle -- jdk | 2015-04-16 | 10.0 | CVE-2015-0469 | CONFIRM
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

oracle -- javafx | 2015-04-16 | 10.0 | CVE-2015-0491 | CONFIRM
Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and Java FX 2.2.76, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D, a different vulnerability than CVE-2015-0459.

oracle -- javafx | 2015-04-16 | 9.3 | CVE-2015-0492 | CONFIRM
Unspecified vulnerability in Oracle Java SE 7u76 and 8u40, and JavaFX 2.2.76, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2015-0484.

oracle -- solaris | 2015-04-16 | 7.2 | CVE-2015-2577 | CONFIRM
Unspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Accounting commands.

oracle -- solaris | 2015-04-16 | 7.1 | CVE-2015-2578 | CONFIRM
Unspecified vulnerability in Oracle Sun Solaris 11.2 allows remote attackers to affect availability via vectors related to Kernel IDMap.

Medium Severity Vulnerabilities

Each entry below is laid out as: The Primary Vendor -- Product | Date Published | CVSS Score | The CVE Identity | Sources. The description follows on the next line.

adobe -- coldfusion | 2015-04-15 | 4.3 | CVE-2015-0345 | CONFIRM
Cross-site scripting (XSS) vulnerability in Adobe ColdFusion 10 before Update 16 and 11 before Update 5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

adobe -- flash_player | 2015-04-14 | 5.0 | CVE-2015-0357 | CONFIRM
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors, a different vulnerability than CVE-2015-3040.

adobe -- flash_player | 2015-04-14 | 5.0 | CVE-2015-3040 | CONFIRM
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux does not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors, a different vulnerability than CVE-2015-0357.

adobe -- flash_player | 2015-04-14 | 5.0 | CVE-2015-3044 | CONFIRM
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors.

apple -- apple_tv | 2015-04-10 | 6.9 | CVE-2015-1086 | CONFIRM (2), SECTRACK, APPLE (2)
The Audio Drivers subsystem in Apple iOS before 8.3 and Apple TV before 7.2 does not properly validate IOKit object metadata, which allows attackers to execute arbitrary code in a privileged context via a crafted app.

apple -- iphone_os | 2015-04-10 | 6.8 | CVE-2015-1088 | CONFIRM (2), SECTRACK, APPLE (2)
CFURL in Apple iOS before 8.3 and Apple OS X before 10.10.3 does not properly validate URLs, which allows remote attackers to execute arbitrary code via a crafted web site.

apple -- iphone_os | 2015-04-10 | 5.0 | CVE-2015-1089 | CONFIRM (2), SECTRACK, APPLE (2)
CFNetwork in Apple iOS before 8.3 and Apple OS X before 10.10.3 does not properly handle cookies during processing of redirects in HTTP responses, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.

apple -- iphone_os | 2015-04-10 | 5.0 | CVE-2015-1090 | CONFIRM, SECTRACK, APPLE
CFNetwork in Apple iOS before 8.3 does not delete HTTP Strict Transport Security (HSTS) state information in response to a history-clearing action, which allows attackers to obtain sensitive information by reading a history file.
external) apple -- iphone_os The CFNetwork Session component in Apple iOS 2015-04-10 4.3 CVE-2015-1091 CONFIRM (link before 8.3 and Apple OS X before 10.10.3 does not is external) properly handle request headers during processing CONFIRM (link of redirects in HTTP responses, which allows remote is external) SECTRACK attackers to bypass the Same Origin Policy via a (link is external) crafted web site. APPLE (link is external) APPLE (link is external) apple -- apple_tv NSXMLParser in Foundation in Apple iOS before 8.3 2015-04-10 5.0 CVE-2015-1092 CONFIRM (link and Apple TV before 7.2 allows remote attackers to is external) read arbitrary files via an external entity declaration CONFIRM (link in conjunction with an entity reference, related to is external) SECTRACK an XML External Entity (XXE) issue. (link is external) APPLE (link is external) APPLE (link is external) apple -- iphone_os FontParser in Apple iOS before 8.3 and Apple OS X 2015-04-10 6.8 CVE-2015-1093 before 10.10.3 allows remote attackers to execute CONFIRM (link is external) arbitrary code or cause a denial of service (memory CONFIRM (link corruption) via a crafted font file. is external) SECTRACK (link is external) APPLE (link is external) APPLE (link is external) apple -- iphone_os iWork in Apple iOS before 8.3 and Apple OS X 2015-04-10 6.8 CVE-2015-1098 CONFIRM (link before 10.10.3 allows remote attackers to execute is external) arbitrary code or cause a denial of service (memory CONFIRM (link corruption) via a crafted iWork file. is external) SECTRACK (link is external) APPLE (link is external) APPLE (link is external) apple -- apple_tv Race condition in the setreuid system-call 2015-04-10 4.0 CVE-2015-1099 CONFIRM (link implementation in the kernel in Apple iOS before is external) 8.3, Apple OS X before 10.10.3, and Apple TV before CONFIRM (link 7.2 allows attackers to cause a denial of service via a is external) CONFIRM (link crafted app. 
is external) SECTRACK (link is external) APPLE (link is external) APPLE (link is external) APPLE (link is external) apple -- apple_tv The kernel in Apple iOS before 8.3, Apple OS X 2015-04-10 5.4 CVE-2015-1100 CONFIRM (link before 10.10.3, and Apple TV before 7.2 allows is external) attackers to cause a denial of service (out-of- CONFIRM (link bounds memory access) or obtain sensitive is external) CONFIRM (link memory-content information via a crafted app. is external) SECTRACK (link is external) APPLE (link is external) APPLE (link is external) APPLE (link is external) apple -- apple_tv The kernel in Apple iOS before 8.3, Apple OS X 2015-04-10 6.9 CVE-2015-1101 CONFIRM (link before 10.10.3, and Apple TV before 7.2 allows is external) attackers to execute arbitrary code in a privileged CONFIRM (link context or cause a denial of service (memory is external) CONFIRM (link corruption) via a crafted app. is external) SECTRACK (link is external) APPLE (link is external) APPLE (link is external) APPLE (link is external) apple -- apple_tv The kernel in Apple iOS before 8.3, Apple OS X 2015-04-10 5.0 CVE-2015-1104 CONFIRM (link before 10.10.3, and Apple TV before 7.2 does not is external) properly determine whether an IPv6 packet had a CONFIRM (link local origin, which allows remote attackers to is external) CONFIRM (link bypass an intended network-filtering protection is external) mechanism via a crafted packet. SECTRACK (link is external) APPLE (link is external) APPLE (link is external) APPLE (link is external) apple -- apple_tv The TCP implementation in the kernel in Apple iOS 2015-04-10 5.0 CVE-2015-1105 CONFIRM (link before 8.3, Apple OS X before 10.10.3, and Apple TV is external) before 7.2 does not properly implement the Urgent CONFIRM (link (aka out-of-band data) mechanism, which allows is external) CONFIRM (link remote attackers to cause a denial of service via is external) crafted packets. 
SECTRACK (link is external) APPLE (link is external) APPLE (link is external) APPLE (link is external) apple -- apple_tv The component in Apple iOS before 8.3 2015-04-10 5.0 CVE-2015-1110 CONFIRM (link and Apple TV before 7.2 allows remote attackers to is external) discover unique identifiers by reading asset- CONFIRM (link download request data. is external) SECTRACK (link is external) APPLE (link is external) APPLE (link is external) apple -- iphone_os Safari in Apple iOS before 8.3 does not delete 2015-04-10 5.0 CVE-2015-1111 CONFIRM (link Recently Closed Tabs data in response to a history- is external) clearing action, which allows attackers to obtain SECTRACK sensitive information by reading a history file. (link is external) APPLE (link is external) apple -- safari Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x 2015-04-10 5.0 CVE-2015-1112 CONFIRM (link before 8.0.5, as used on iOS before 8.3 and other is external) platforms, does not properly delete browsing- CONFIRM (link history data from the history.plist file, which allows is external) SECTRACK attackers to obtain sensitive information by reading (link is external) this file. APPLE (link is external) APPLE (link is external) apple -- iphone_os The Telephony component in Apple iOS before 8.3 2015-04-10 4.4 CVE-2015-1115 CONFIRM (link allows attackers to bypass a sandbox protection is external) mechanism and access unintended telephone SECTRACK capabilities via a crafted app. (link is external) APPLE (link is external) apple -- apple_tv The (1) setreuid and (2) setregid system-call 2015-04-10 6.9 CVE-2015-1117 CONFIRM (link implementations in the kernel in Apple iOS before is external) 8.3, Apple OS X before 10.10.3, and Apple TV before CONFIRM (link 7.2 do not properly perform privilege drops, which is external) CONFIRM (link makes it easier for attackers to execute code with is external) unintended user or group privileges via a crafted SECTRACK app. 
(link is external) APPLE (link is external) APPLE (link is external) APPLE (link is external) apple -- apple_tv libnetcore in Apple iOS before 8.3, Apple OS X 2015-04-10 5.0 CVE-2015-1118 CONFIRM (link before 10.10.3, and Apple TV before 7.2 allows is external) attackers to cause a denial of service (memory CONFIRM (link corruption and application crash) via a crafted is external) configuration profile. CONFIRM (link is external) SECTRACK (link is external) APPLE (link is external) APPLE (link is external) APPLE (link is external) apple -- apple_tv WebKit, as used in Apple iOS before 8.3, Apple TV 2015-04-10 6.8 CVE-2015-1119 CONFIRM (link before 7.2, and Apple Safari before 6.2.5, 7.x before is external) 7.1.5, and 8.x before 8.0.5, allows remote attackers CONFIRM (link to execute arbitrary code or cause a denial of is external) CONFIRM (link service (memory corruption and application crash) is external) via a crafted web site, a different vulnerability than SECTRACK other WebKit CVEs listed in APPLE-SA-2015-04-08-1, (link is external) APPLE-SA-2015-04-08-3, and APPLE-SA-2015-04- APPLE (link is external) 08-4. APPLE (link is external) APPLE (link is external) apple -- apple_tv WebKit, as used in Apple iOS before 8.3, Apple TV 2015-04-10 6.8 CVE-2015-1120 CONFIRM (link before 7.2, and Apple Safari before 6.2.5, 7.x before is external) 7.1.5, and 8.x before 8.0.5, allows remote attackers CONFIRM (link to execute arbitrary code or cause a denial of is external) CONFIRM (link service (memory corruption and application crash) is external) via a crafted web site, a different vulnerability than SECTRACK other WebKit CVEs listed in APPLE-SA-2015-04-08-1, (link is external) APPLE-SA-2015-04-08-3, and APPLE-SA-2015-04- APPLE (link is external) 08-4. 
APPLE (link is external) APPLE (link is external) apple -- apple_tv WebKit, as used in Apple iOS before 8.3, Apple TV 2015-04-10 6.8 CVE-2015-1121 CONFIRM (link before 7.2, and Apple Safari before 6.2.5, 7.x before is external) 7.1.5, and 8.x before 8.0.5, allows remote attackers CONFIRM (link to execute arbitrary code or cause a denial of is external) CONFIRM (link service (memory corruption and application crash) is external) via a crafted web site, a different vulnerability than SECTRACK other WebKit CVEs listed in APPLE-SA-2015-04-08-1, (link is external) APPLE-SA-2015-04-08-3, and APPLE-SA-2015-04- APPLE (link is external) 08-4. APPLE (link is external) APPLE (link is external) apple -- apple_tv WebKit, as used in Apple iOS before 8.3, Apple TV 2015-04-10 6.8 CVE-2015-1122 CONFIRM (link before 7.2, and Apple Safari before 6.2.5, 7.x before is external) 7.1.5, and 8.x before 8.0.5, allows remote attackers CONFIRM (link to execute arbitrary code or cause a denial of is external) CONFIRM (link service (memory corruption and application crash) is external) via a crafted web site, a different vulnerability than SECTRACK other WebKit CVEs listed in APPLE-SA-2015-04-08-1, (link is external) APPLE-SA-2015-04-08-3, and APPLE-SA-2015-04- APPLE (link is external) 08-4. APPLE (link is external) APPLE (link is external) apple -- apple_tv WebKit, as used in Apple iOS before 8.3 and Apple 2015-04-10 6.8 CVE-2015-1123 CONFIRM (link TV before 7.2, allows remote attackers to execute is external) arbitrary code or cause a denial of service (memory CONFIRM (link corruption and application crash) via a crafted web is external) SECTRACK site, a different vulnerability than other WebKit (link is external) CVEs listed in APPLE-SA-2015-04-08-3 and APPLE- APPLE (link is SA-2015-04-08-4. 
external) APPLE (link is external) apple -- apple_tv WebKit, as used in Apple iOS before 8.3, Apple TV 2015-04-10 6.8 CVE-2015-1124 CONFIRM (link before 7.2, and Apple Safari before 6.2.5, 7.x before is external) 7.1.5, and 8.x before 8.0.5, allows remote attackers CONFIRM (link to execute arbitrary code or cause a denial of is external) CONFIRM (link service (memory corruption and application crash) is external) via a crafted web site, a different vulnerability than SECTRACK other WebKit CVEs listed in APPLE-SA-2015-04-08-1, (link is external) APPLE-SA-2015-04-08-3, and APPLE-SA-2015-04- APPLE (link is external) 08-4. APPLE (link is external) APPLE (link is external) apple -- iphone_os The touch-events implementation in WebKit in 2015-04-10 4.3 CVE-2015-1125 CONFIRM (link Apple iOS before 8.3 allows remote attackers to is external) trigger an association between a tap and an SECTRACK unintended web resource via a crafted web site. (link is external) APPLE (link is external) apple -- safari WebKit, as used in Apple iOS before 8.3 and Apple 2015-04-10 4.3 CVE-2015-1126 CONFIRM (link Safari before 6.2.5, 7.x before 7.1.5, and 8.x before is external) 8.0.5, does not properly handle the userinfo field in CONFIRM (link FTP URLs, which allows remote attackers to trigger is external) SECTRACK incorrect resource access via unspecified vectors. (link is external) APPLE (link is external) APPLE (link is external) apple -- safari The private-browsing implementation in Apple 2015-04-10 5.0 CVE-2015-1128 CONFIRM (link Safari before 6.2.5, 7.x before 7.1.5, and 8.x before is external) 8.0.5 allows attackers to obtain sensitive browsing- SECTRACK history information via vectors involving push- (link is external) APPLE (link is notification requests. 
external) apple -- safari Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x 2015-04-10 4.3 CVE-2015-1129 CONFIRM (link before 8.0.5 does not properly select X.509 client is external) certificates, which makes it easier for remote SECTRACK attackers to track users via a crafted web site. (link is external) APPLE (link is external) apple -- mac_os_x Use-after-free vulnerability in CoreAnimation in 2015-04-10 6.8 CVE-2015-1136 CONFIRM (link Apple OS X before 10.10.3 allows remote attackers is external) to execute arbitrary code by leveraging improper SECTRACK use of a mutex. (link is external) APPLE (link is external) apple -- mac_os_x Hypervisor in Apple OS X before 10.10.3 allows local 2015-04-10 4.9 CVE-2015-1138 CONFIRM (link users to cause a denial of service via unspecified is external) vectors. SECTRACK (link is external) APPLE (link is external) apple -- mac_os_x ImageIO in Apple OS X before 10.10.3 allows remote 2015-04-10 6.8 CVE-2015-1139 CONFIRM (link attackers to execute arbitrary code or cause a denial is external) of service (memory corruption) via a crafted .sgi file. SECTRACK (link is external) APPLE (link is external) apple -- mac_os_x The mach_vm_read functionality in the kernel in 2015-04-10 4.9 CVE-2015-1141 Apple OS X before 10.10.3 allows local users to CONFIRM (link is external) cause a denial of service (system crash) via SECTRACK unspecified vectors. (link is external) APPLE (link is external) apple -- mac_os_x Open Directory Client in Apple OS X before 10.10.3 2015-04-10 5.0 CVE-2015-1147 CONFIRM (link sends unencrypted password-change requests in is external) certain circumstances involving missing certificates, SECTRACK which allows remote attackers to obtain sensitive (link is external) APPLE (link is information by sniffing the network. 
external) apple -- mac_os_x in Apple OS X before 10.10.3 stores 2015-04-10 5.0 CVE-2015-1148 CONFIRM (link the password of a user in a log file, which might is external) allow context-dependent attackers to obtain SECTRACK sensitive information by reading this file. (link is external) APPLE (link is external) apple -- xcode Clang in LLVM, as used in Apple Xcode before 6.3, 2015-04-10 5.0 CVE-2015-3027 CONFIRM (link performs incorrect register allocation in a way that is external) triggers stack storage for stack cookie pointers, SECTRACK which might allow context-dependent attackers to (link is external) APPLE (link is bypass a stack-guard protection mechanism via external) crafted input to an affected C program. blue_coat -- Cross-site scripting (XSS) vulnerability in search.php 2015-04-16 4.3 CVE-2015-0937 CERT-VN malware_analysis_a on the Blue Coat Malware Analysis appliance with ppliance software before 4.2.4.20150312-RELEASE allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. blue_coat -- search.php on the Blue Coat Malware Analysis 2015-04-16 5.0 CVE-2015-0938 CERT-VN malware_analysis_a appliance with software before 4.2.4.20150312- ppliance RELEASE allows remote attackers to bypass intended access restrictions, and list or read arbitrary documents, by providing matching keywords in conjunction with a crafted parameter. cisco -- asr_9001 Cisco ASR 9000 devices with software 5.3.0.BASE do 2015-04-10 5.0 CVE-2015-0694 SECTRACK not recognize that certain ACL entries have a single- (link is external) host constraint, which allows remote attackers to CISCO (link is bypass intended network-resource access external) restrictions by using an address that was not supposed to have been allowed, aka Bug ID CSCur28806. 
cisco -- Cross-site scripting (XSS) vulnerability in the login 2015-04-15 4.3 CVE-2015-0696 CISCO (link is telepresence_tc_sof page in Cisco TC Software before 7.1.0 on Cisco external) tware TelePresence Collaboration Desk and Room Endpoints devices allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCuq94977. cisco -- Open redirect vulnerability in the login page in 2015-04-15 5.8 CVE-2015-0697 CISCO (link is telepresence_tc_sof Cisco TC Software before 6.3-26 and 7.x before 7.3.0 external) tware on Cisco TelePresence Collaboration Desk and Room Endpoints devices allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors, aka Bug ID CSCuq94980. cisco -- Multiple cross-site scripting (XSS) vulnerabilities in 2015-04-15 4.3 CVE-2015-0698 CISCO (link is web_security_appli filter search forms in admin web pages on Cisco external) ance Web Security Appliance (WSA) devices with software 8.5.0-497 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCut39213. cisco -- SQL injection vulnerability in the Interactive Voice 2015-04-15 5.0 CVE-2015-0699 CISCO (link is unified_communica Response (IVR) component in Cisco Unified external) tions_domain_man Communications Manager (UCM) 10.5(1.98991.13) ager allows remote attackers to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCut21563. cisco -- Cross-site request forgery (CSRF) vulnerability in the 2015-04-16 6.8 CVE-2015-0700 CISCO (link is secure_access_cont Dashboard page in the monitoring-and-report external) rol_server section in Cisco Secure Access Control Server Solution Engine before 5.5(0.46.5) allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuj62924. 
debian -- dpkg The dpkg-source command in Debian dpkg before 2015-04-13 4.3 CVE-2015-0840 UBUNTU (link 1.16.16 and 1.17.x before 1.17.25 allows remote is external) attackers to bypass signature verification via a DEBIAN crafted Debian source control file (.dsc). digium -- asterisk Asterisk Open Source 1.8 before 1.8.32.3, 11.x 2015-04-10 4.3 CVE-2015-3008 SECTRACK before 11.17.1, 12.x before 12.8.2, and 13.x before 13.3.2 and Certified Asterisk 1.8.28 before 1.8.28- (link is external) BUGTRAQ cert5, 11.6 before 11.6-cert11, and 13.1 before 13.1- (link is external) cert2, when registering a SIP TLS device, does not FULLDISC properly handle a null byte in a domain name in the MISC (link is external) subject's Common Name (CN) field of an X.509 CONFIRM certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. facebook -- Cross-site scripting (XSS) vulnerability in the 2015-04-13 4.3 CVE-2014-9714 CONFIRM hiphop_virtual_mac WddxPacket::recursiveAddVar function in HHVM MLIST hine (aka the HipHop Virtual Machine) before 3.5.0 CONFIRM (link allows remote attackers to inject arbitrary web is external) CONFIRM (link script or HTML via a crafted string to the is external) wddx_serialize_value function. MLIST (link is external) MLIST (link is external) fiyo -- fiyo_cms Multiple cross-site scripting (XSS) vulnerabilities in 2015-04-14 4.3 CVE-2014-9146 MISC (link is Fiyo CMS 2.0.1.8 allow remote attackers to inject external) arbitrary web script or HTML via the (1) view, (2) id, (3) page, or (4) app parameter to the default URI or the (5) act parameter to dapur/index.php. fortinet -- fortimail FortiMail 5.0.3 through 5.2.3 allows remote 2015-04-14 4.0 CVE-2015-3293 CONFIRM (link administrators to obtain credentials via the "diag is external) debug application httpd" command. 
glpi-project -- glpi GLPI before 0.84.7 does not properly restrict access 2015-04-14 5.0 CVE-2014-5032 CONFIRM (link to cost information, which allows remote attackers is external) to obtain sensitive information via the cost criteria MANDRIVA in the search bar. (link is external) CONFIRM CONFIRM hotspot_express -- Cross-site scripting (XSS) vulnerability in cgi- 2015-04-14 4.3 CVE-2015-2781 BUGTRAQ hotex_billing_mana bin/hotspotlogin.cgi in Hotspot Express hotEx (link is external) ger Billing Manager 73 allows remote attackers to inject FULLDISC arbitrary web script or HTML via the reply MISC (link is external) parameter. hotspotexpress -- Hotspot Express hotEx Billing Manager 73 does not 2015-04-16 5.0 CVE-2015-3319 BUGTRAQ hotex_billing_mana include the HTTPOnly flag in a Set-Cookie header, (link is external) ger which makes it easier for remote attackers to obtain FULLDISC MISC (link is potentially sensitive information via script access to external) this cookie. hp -- HP Support Solution Framework before 11.51.0049 2015-04-14 6.8 CVE-2015-2114 HP (link is support_solution_fr allows remote attackers to download an arbitrary external) amework program onto a client machine and execute this program via unspecified vectors. juniper -- junos Juniper Junos 12.1X44 before 12.1X44-D45, 12.1X46 2015-04-10 6.9 CVE-2015-3002 CONFIRM (link before 12.1X46-D30, 12.1X47 before 12.1X47-D15, is external) and 12.3X48 before 12.3X48-D10 on SRX series SECTRACK devices does not properly enforce the log-out-on- (link is external) disconnect feature when configured in the [system port console] stanza, which allows physically proximate attackers to reconnect to the console port and gain administrative access by leveraging access to the device. 
juniper -- junos J-Web in Juniper Junos 11.4 before 11.4R12, 2015-04-10 4.3 CVE-2015-3004 CONFIRM (link 12.1X44 before 12.1X44-D35, 12.1X46 before is external) 12.1X46-D25, 12.1X47 before 12.1X47-D10, 12.3X48 SECTRACK before 12.3X48-D10, 12.2 before 12.2R9, 12.3 (link is external) before 12.3R7, 13.2 before 13.2R6, 13.2X51 before 13.2X51-D20, 13.3 before 13.3R5, 14.1 before 14.1R3, 14.1X53 before 14.1X53-D10, and 14.2 before 14.2R1 allows remote attackers to conduct clickjacking attacks via an X-Frame-Options header. juniper -- junos Cross-site scripting (XSS) vulnerability in the 2015-04-10 4.3 CVE-2015-3005 CONFIRM (link Dynamic VPN in Juniper Junos 12.1X44 before is external) 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 SECTRACK before 12.1X47-D20, and 12.3X48 before 12.3X48- (link is external) D10 on SRX series devices allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. kanaka -- novnc noVNC before 0.5 does not set the secure flag for a 2015-04-10 4.3 CVE-2013-7436 CONFIRM (link cookie in an https session, which makes it easier for is external) remote attackers to capture this cookie by CONFIRM (link intercepting its transmission within an http session. is external) MLIST (link is external) MLIST (link is external) REDHAT (link is external) lhaplus -- lhaplus Directory traversal vulnerability in Lhaplus before 2015-04-15 5.8 CVE-2015-0906 CONFIRM (link 1.70 allows remote attackers to write to arbitrary is external) files via a crafted archive. JVNDB (link is external) JVN (link is external) CONFIRM (link is external) lhaplus -- lhaplus Buffer overflow in Lhaplus before 1.70 allows 2015-04-15 6.8 CVE-2015-0907 CONFIRM (link remote attackers to execute arbitrary code via a is external) crafted archive. 
JVNDB (link is external) JVN (link is external) CONFIRM (link is external) mediawiki -- Incomplete blacklist vulnerability in 2015-04-13 4.3 CVE-2015-2931 MLIST mediawiki includes/upload/UploadBase.php in MediaWiki CONFIRM before 1.19.24, 1.2x before 1.23.9, and 1.24.x before MLIST (link is 1.24.2 allows remote attackers to inject arbitrary external) MLIST (link is web script or HTML via an application/ MIME external) type for a nested SVG with a data: URI. MANDRIVA (link is external) mediawiki -- Incomplete blacklist vulnerability in MediaWiki 2015-04-13 4.3 CVE-2015-2932 MLIST mediawiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before CONFIRM 1.24.2 allows remote attackers to inject arbitrary MLIST (link is web script or HTML via an animated href XLink external) MLIST (link is element. external) MANDRIVA (link is external) mediawiki -- Cross-site scripting (XSS) vulnerability in the Html 2015-04-13 4.3 CVE-2015-2933 CONFIRM mediawiki class in MediaWiki before 1.19.24, 1.2x before MLIST 1.23.9, and 1.24.x before 1.24.2 allows remote MLIST (link is attackers to inject arbitrary web script or HTML via a external) MLIST (link is LanguageConverter substitution string when using external) a language variant. MANDRIVA (link is external) mediawiki -- MediaWiki before 1.19.24, 1.2x before 1.23.9, and 2015-04-13 4.3 CVE-2015-2934 mediawiki 1.24.x before 1.24.2 does not properly handle when MLIST CONFIRM the Zend interpreter xml_parse function does not MLIST (link is expand entities, which allows remote attackers to external) inject arbitrary web script or HTML via a crafted SVG MLIST (link is external) file. 
MANDRIVA (link is external) mediawiki -- MediaWiki before 1.19.24, 1.2x before 1.23.9, and 2015-04-13 5.0 CVE-2015-2935 MLIST mediawiki 1.24.x before 1.24.2 allows remote attackers to CONFIRM bypass the SVG filtering and obtain sensitive user MLIST (link is information via a mixed case @import in a style external) MLIST (link is element in an SVG file, as demonstrated by external) "@imporT." MANDRIVA (link is external) mediawiki -- Cross-site scripting (XSS) vulnerability in MediaWiki 2015-04-13 4.3 CVE-2015-2938 MLIST mediawiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before CONFIRM 1.24.2 allows remote attackers to inject arbitrary MLIST (link is web script or HTML via a custom JavaScript file, external) MLIST (link is which is not properly handled when previewing the external) file. MANDRIVA (link is external) mediawiki -- Cross-site scripting (XSS) vulnerability in the 2015-04-13 4.3 CVE-2015-2939 MLIST scribunto Scribunto extension for MediaWiki allows remote CONFIRM attackers to inject arbitrary web script or HTML via a MLIST (link is function name, which is not properly handled in a external) MLIST (link is Lua error backtrace. external) MANDRIVA (link is external) mediawiki -- Cross-site request forgery (CSRF) vulnerability in the 2015-04-13 6.8 CVE-2015-2940 MLIST checkuser CheckUser extension for MediaWiki allows remote CONFIRM attackers to hijack the authentication of certain MLIST (link is users for requests that retrieve sensitive user external) MLIST (link is information via unspecified vectors. 
external) MANDRIVA (link is external)

Primary Vendor -- Product | Description | Date Published | CVSS Score | CVE Identity | Source
mediawiki -- mediawiki | Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to inject arbitrary web script or HTML via an invalid parameter in a wddx format request to api.php, which is not properly handled in an error message, related to unsafe calls to wddx_serialize_value. | 2015-04-13 | 4.3 | CVE-2015-2941 | MLIST, CONFIRM, MLIST, MLIST
microsoft -- windows_server_2012 | Microsoft Active Directory Federation Services (AD FS) 3.0 on Windows Server 2012 R2 does not properly handle logoff actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation, aka "Active Directory Federation Services Information Disclosure Vulnerability." | 2015-04-14 | 5.8 | CVE-2015-1638 | MS
microsoft -- office | Cross-site scripting (XSS) vulnerability in Microsoft Office for Mac 2011 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Microsoft Outlook App for Mac XSS Vulnerability." | 2015-04-14 | 4.3 | CVE-2015-1639 | MS
microsoft -- project_server | Cross-site scripting (XSS) vulnerability in Microsoft Project Server 2010 SP2 and 2013 SP1 allows remote attackers to inject arbitrary web script or HTML via a crafted request, aka "Microsoft SharePoint XSS Vulnerability." | 2015-04-14 | 4.3 | CVE-2015-1640 | MS
microsoft -- xml_core_services | Microsoft XML (aka MSXML) 3.0 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted DTD, aka "MSXML3 Same Origin Policy SFB Vulnerability." | 2015-04-14 | 4.3 | CVE-2015-1646 | MS
microsoft -- sharepoint_foundation | Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Foundation 2013 SP1 and SharePoint Server 2013 SP1 allows remote attackers to inject arbitrary web script or HTML via a crafted request, aka "Microsoft SharePoint XSS Vulnerability." | 2015-04-14 | 4.3 | CVE-2015-1653 | MS
microsoft -- internet_explorer | Microsoft Internet Explorer 6 through 11 allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka "Internet Explorer ASLR Bypass Vulnerability." | 2015-04-14 | 4.3 | CVE-2015-1661 | MS
mysql -- mysql | Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J. | 2015-04-16 | 4.9 | CVE-2015-2575 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via unknown vectors related to XA. | 2015-04-16 | 4.0 | CVE-2015-0405 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via unknown vectors related to Optimizer. | 2015-04-16 | 4.0 | CVE-2015-0423 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote authenticated users to affect availability via vectors related to InnoDB : DML. | 2015-04-16 | 4.0 | CVE-2015-0433 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition. | 2015-04-16 | 4.0 | CVE-2015-0438 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB. | 2015-04-16 | 4.0 | CVE-2015-0439 | CONFIRM
oracle -- right_now_service_cloud | Unspecified vulnerability in the Oracle Knowledge component in Oracle Right Now Service Cloud 8.2.3.10.1 and 8.4.7.2 allows remote attackers to affect integrity via unknown vectors related to Information Manager Console. | 2015-04-16 | 5.0 | CVE-2015-0440 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Encryption. | 2015-04-16 | 4.0 | CVE-2015-0441 | CONFIRM
oracle -- e-business_suite | Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, and 12.2.4 allows remote attackers to affect confidentiality via vectors related to Configurator DMZ rules. | 2015-04-16 | 4.3 | CVE-2015-0447 | CONFIRM
oracle -- fusion_middleware | Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.1.0, and 12.1.2.0 allows remote attackers to affect integrity via unknown vectors related to Console. | 2015-04-16 | 5.0 | CVE-2015-0449 | CONFIRM
oracle -- fusion_middleware | Unspecified vulnerability in the Oracle WebCenter Portal component in Oracle Fusion Middleware 11.1.1.8.0 allows remote attackers to affect integrity via unknown vectors related to WebCenter Application. | 2015-04-16 | 4.3 | CVE-2015-0450 | CONFIRM
oracle -- vm_server | Unspecified vulnerability in the Oracle VM Server for SPARC component in Oracle Sun Systems Products Suite 3.1 and 3.2 allows remote attackers to affect confidentiality via unknown vectors related to Ldom Manager. | 2015-04-16 | 4.3 | CVE-2015-0452 | CONFIRM
oracle -- database_server | Unspecified vulnerability in the XDB - XML Database component in Oracle Database Server 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors. | 2015-04-16 | 6.8 | CVE-2015-0455 | CONFIRM
oracle -- fusion_middleware | Unspecified vulnerability in the Oracle WebCenter Portal component in Oracle Fusion Middleware 11.1.1.8.0 allows remote attackers to affect integrity via unknown vectors related to Portlet Services. | 2015-04-16 | 4.3 | CVE-2015-0456 | CONFIRM
oracle -- supply_chain_products_suite | Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, and 6.3.6 allows remote authenticated users to affect confidentiality via unknown vectors related to Security. | 2015-04-16 | 4.0 | CVE-2015-0462 | CONFIRM
oracle -- supply_chain_products_suite | Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, and 6.3.6 allows remote authenticated users to affect confidentiality via unknown vectors related to Security. | 2015-04-16 | 4.0 | CVE-2015-0463 | CONFIRM
oracle -- supply_chain_products_suite | Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, and 6.3.6 allows remote attackers to affect confidentiality via unknown vectors related to Security. | 2015-04-16 | 5.0 | CVE-2015-0464 | CONFIRM
oracle -- supply_chain_products_suite | Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, and 6.3.6 allows remote authenticated users to affect confidentiality via unknown vectors related to UI Infrastructure. | 2015-04-16 | 4.0 | CVE-2015-0465 | CONFIRM
oracle -- retail_applications | Unspecified vulnerability in the Oracle Retail Back Office component in Oracle Retail Applications 12.0, 12.0IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, and 14.1 allows remote attackers to affect integrity via unknown vectors. | 2015-04-16 | 4.3 | CVE-2015-0466 | CONFIRM
oracle -- jdk | Unspecified vulnerability in Oracle Java SE 8u40 allows remote attackers to affect integrity via unknown vectors related to Hotspot. | 2015-04-16 | 4.3 | CVE-2015-0470 | CONFIRM
oracle -- solaris | Unspecified vulnerability in Oracle Sun Solaris 10 and 11.2 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to libelfsign. | 2015-04-16 | 4.4 | CVE-2015-0471 | CONFIRM
oracle -- enterprise_manager_grid_control | Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control MOS 12.1.0.5 and 12.1.0.6 allows remote attackers to affect integrity via unknown vectors related to My Oracle Support Plugin. | 2015-04-16 | 4.3 | CVE-2015-0473 | CONFIRM
oracle -- jd_edwards_products | Unspecified vulnerability in the JD Edwards EnterpriseOne Technology component in Oracle JD Edwards Products 9.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Web Runtime Security. | 2015-04-16 | 4.0 | CVE-2015-0475 | CONFIRM
oracle -- sql_trace_analyzer | Unspecified vulnerability in the SQL Trace Analyzer component in Oracle Support Tools before 12.1.11 allows remote authenticated users to affect confidentiality and integrity via unknown vectors. | 2015-04-16 | 5.5 | CVE-2015-0476 | CONFIRM
oracle -- jdk | Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity via unknown vectors related to Beans. | 2015-04-16 | 4.3 | CVE-2015-0477 | CONFIRM
oracle -- jdk | Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and JRockit R28.3.5, allows remote attackers to affect confidentiality via vectors related to JCE. | 2015-04-16 | 4.3 | CVE-2015-0478 | CONFIRM
oracle -- database_server | Unspecified vulnerability in the XDK and XDB - XML Database component in Oracle Database Server 11.2.0.3, 11.2.0.4, and 12.1.0.1 allows remote authenticated users to affect availability via unknown vectors. | 2015-04-16 | 4.0 | CVE-2015-0479 | CONFIRM
oracle -- jdk | Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40 allows remote attackers to affect integrity and availability via unknown vectors related to Tools. | 2015-04-16 | 5.8 | CVE-2015-0480 | CONFIRM
oracle -- fusion_middleware | Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 12.1.2.0 and 12.1.3.0 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to WLS-WebServices. | 2015-04-16 | 6.0 | CVE-2015-0482 | CONFIRM
oracle -- database_server | Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect integrity via unknown vectors. | 2015-04-16 | 4.0 | CVE-2015-0483 | CONFIRM
oracle -- javafx | Unspecified vulnerability in Oracle Java SE 7u76 and 8u40, and Java FX 2.2.76, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2015-0492. | 2015-04-16 | 6.8 | CVE-2015-0484 | CONFIRM
oracle -- jdk | Unspecified vulnerability in Oracle Java SE 8u40 allows remote attackers to affect confidentiality via unknown vectors related to Deployment. | 2015-04-16 | 5.0 | CVE-2015-0486 | CONFIRM
oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 and 8.54 allows remote authenticated users to affect integrity via vectors related to PIA Core Technology, a different vulnerability than CVE-2015-0472. | 2015-04-16 | 4.0 | CVE-2015-0487 | CONFIRM
oracle -- jdk | Unspecified vulnerability in Oracle Java SE 5.0u81, 6u91, 7u76, and 8u40, and JRockit R28.3.5, allows remote attackers to affect availability via vectors related to JSSE. | 2015-04-16 | 5.0 | CVE-2015-0488 | CONFIRM
oracle -- supply_chain_products_suite | Unspecified vulnerability in the Oracle Agile Engineering Data Management component in Oracle Supply Chain Products Suite 6.1.3.0 allows remote authenticated users to affect confidentiality and integrity via vectors related to BAS - Base Component. | 2015-04-16 | 4.9 | CVE-2015-0490 | CONFIRM
oracle -- retail_applications | Unspecified vulnerability in the Oracle Retail Central Office component in Oracle Retail Applications 13.1, 13.2, 13.3, 13.4, 14.0, and 14.1 allows remote attackers to affect integrity via unknown vectors. | 2015-04-16 | 4.3 | CVE-2015-0494 | CONFIRM
oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 and 8.54 allows remote authenticated users to affect confidentiality via vectors related to PIA Search Functionality. | 2015-04-16 | 4.0 | CVE-2015-0496 | CONFIRM
oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise Portal Interaction Hub component in Oracle PeopleSoft Products 9.1.00 allows remote attackers to affect integrity via unknown vectors related to Enterprise Portal. | 2015-04-16 | 4.3 | CVE-2015-0497 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors. | 2015-04-16 | 4.0 | CVE-2015-0500 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Compiling. | 2015-04-16 | 5.7 | CVE-2015-0501 | CONFIRM
oracle -- siebel_crm | Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1 and 8.2 allows remote attackers to affect integrity via unknown vectors related to Portal Framework. | 2015-04-16 | 4.3 | CVE-2015-0502 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Partition. | 2015-04-16 | 4.0 | CVE-2015-0503 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : InnoDB, a different vulnerability than CVE-2015-0506. | 2015-04-16 | 4.0 | CVE-2015-0508 | CONFIRM
oracle -- hyperion | Unspecified vulnerability in the Oracle Hyperion BI+ component in Oracle Hyperion 11.1.2.2 and 11.1.2.3 allows remote attackers to affect integrity via unknown vectors related to Reporting and Analysis. | 2015-04-16 | 4.3 | CVE-2015-0509 | CONFIRM
oracle -- commerce_platform | Unspecified vulnerability in the Oracle Commerce Platform component in Oracle Commerce Platform 9.4, 10.0, and 10.2 allows remote attackers to affect integrity via vectors related to Dynamo Application Framework - HTML Admin User Interface. | 2015-04-16 | 4.3 | CVE-2015-0510 | CONFIRM
oracle -- e-business_suite | Unspecified vulnerability in the Oracle Installed Base component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Create Item Instance. | 2015-04-16 | 4.3 | CVE-2015-2565 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote attackers to affect availability via unknown vectors related to Server : Security : Privileges. | 2015-04-16 | 5.0 | CVE-2015-2568 | CONFIRM
oracle -- supply_chain_products_suite | Unspecified vulnerability in the Oracle Demand Planning component in Oracle Supply Chain Products Suite 11.5.10, 12.0, 12.1, and 12.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Security. | 2015-04-16 | 6.5 | CVE-2015-2570 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Optimizer. | 2015-04-16 | 4.0 | CVE-2015-2571 | CONFIRM
oracle -- hyperion_smart_view_for_office | Unspecified vulnerability in the Oracle Hyperion Smart View for Office component in Oracle Hyperion 11.1.2.x, when running on Windows, allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Core. | 2015-04-16 | 4.6 | CVE-2015-2572 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.41 and earlier, and 5.6.22 and earlier, allows remote authenticated users to affect availability via vectors related to DDL. | 2015-04-16 | 4.0 | CVE-2015-2573 | CONFIRM
palo_alto_networks -- traps | Multiple cross-site scripting (XSS) vulnerabilities in Palo Alto Networks Traps (formerly Cyvera Endpoint Protection) 3.1.2.1546 allow remote attackers to inject arbitrary web script or HTML via the (1) Arguments, (2) FileName, or (3) URL parameter in a SOAP request. | 2015-04-14 | 4.3 | CVE-2015-2223 | MISC
quassel-irc -- quassel | Stack consumption vulnerability in the message splitting functionality in Quassel before 0.12-rc1 allows remote attackers to cause a denial of service (uncontrolled recursion) via a crafted message. | 2015-04-10 | 5.0 | CVE-2015-2779 | CONFIRM, MLIST, MLIST, MLIST, SUSE
tuxfamily -- chrony | Heap-based buffer overflow in chrony before 1.31.1 allows remote authenticated users to cause a denial of service (chronyd crash) or possibly execute arbitrary code by configuring the (1) NTP or (2) cmdmon access with a subnet size that is indivisible by four and an address with a nonzero bit in the subnet remainder. | 2015-04-16 | 6.5 | CVE-2015-1821 | MLIST, DEBIAN
tuxfamily -- chrony | chrony before 1.31.1 does not initialize the last "next" pointer when saving unacknowledged replies to command requests, which allows remote authenticated users to cause a denial of service (uninitialized pointer dereference and daemon crash) or possibly execute arbitrary code via a large number of command requests. | 2015-04-16 | 6.5 | CVE-2015-1822 | MLIST, DEBIAN
wesnoth -- battle_for_wesnoth | The WML/Lua API in Battle for Wesnoth 1.7.x through 1.11.x and 1.12.x before 1.12.2 allows remote attackers to read arbitrary files via a crafted (1) campaign or (2) map file. | 2015-04-14 | 5.0 | CVE-2015-0844 | DEBIAN, CONFIRM, CONFIRM
zoneo-soft -- phptraffica | Cross-site scripting (XSS) vulnerability in Php/stats/statsRecent.inc.php in phpTrafficA 2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the HTTP User-Agent header to index.php. | 2015-04-14 | 4.3 | CVE-2015-2926 | BUGTRAQ, MISC

Low Severity Vulnerabilities

Primary Vendor -- Product | Description | Date Published | CVSS Score | CVE Identity | Source
apple -- iphone_os | AppleKeyStore in Apple iOS before 8.3 does not properly restrict a certain passcode-confirmation interface, which makes it easier for attackers to verify correct passcode guesses via a crafted app. | 2015-04-10 | 1.9 | CVE-2015-1085 | CONFIRM, SECTRACK, APPLE
apple -- iphone_os | Directory traversal vulnerability in Backup in Apple iOS before 8.3 allows attackers to read arbitrary files via a crafted relative path. | 2015-04-10 | 2.1 | CVE-2015-1087 | CONFIRM, SECTRACK, APPLE
apple -- apple_tv | IOAcceleratorFamily in Apple iOS before 8.3 and Apple TV before 7.2 allows attackers to obtain sensitive information about kernel memory via a crafted app. | 2015-04-10 | 1.9 | CVE-2015-1094 | CONFIRM, CONFIRM, SECTRACK, APPLE, APPLE
apple -- apple_tv | IOHIDFamily in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows attackers to obtain sensitive information about kernel memory via a crafted app. | 2015-04-10 | 1.9 | CVE-2015-1096 | CONFIRM, CONFIRM, CONFIRM, SECTRACK, APPLE, APPLE, APPLE
apple -- apple_tv | IOMobileFramebuffer in Apple iOS before 8.3 and Apple TV before 7.2 allows attackers to obtain sensitive information about kernel memory via a crafted app. | 2015-04-10 | 1.9 | CVE-2015-1097 | CONFIRM, CONFIRM, SECTRACK, APPLE, APPLE
apple -- iphone_os | The QuickType feature in the Keyboards subsystem in Apple iOS before 8.3 allows physically proximate attackers to discover passcodes by reading the lock screen during use of a Bluetooth keyboard. | 2015-04-10 | 2.1 | CVE-2015-1106 | CONFIRM, SECTRACK, APPLE
apple -- iphone_os | The Lock Screen component in Apple iOS before 8.3 does not properly implement the erasure feature for incorrect passcode-authentication attempts, which makes it easier for physically proximate attackers to obtain access by making many passcode guesses. | 2015-04-10 | 1.9 | CVE-2015-1107 | CONFIRM, SECTRACK, APPLE
apple -- iphone_os | The Lock Screen component in Apple iOS before 8.3 does not properly enforce the limit on incorrect passcode-authentication attempts, which makes it easier for physically proximate attackers to obtain access by making many passcode guesses. | 2015-04-10 | 2.1 | CVE-2015-1108 | CONFIRM, SECTRACK, APPLE
apple -- iphone_os | NetworkExtension in Apple iOS before 8.3 stores credentials in VPN configuration logs, which makes it easier for physically proximate attackers to obtain sensitive information by reading a log file. | 2015-04-10 | 2.1 | CVE-2015-1109 | CONFIRM, SECTRACK, APPLE
apple -- iphone_os | The Sandbox Profiles component in Apple iOS before 8.3 allows attackers to read the (1) telephone number or (2) e-mail address of a recent contact via a crafted app. | 2015-04-10 | 1.9 | CVE-2015-1113 | CONFIRM, SECTRACK, APPLE
apple -- apple_tv | The Sandbox Profiles component in Apple iOS before 8.3 and Apple TV before 7.2 allows attackers to discover hardware identifiers via a crafted app. | 2015-04-10 | 1.9 | CVE-2015-1114 | CONFIRM, CONFIRM, SECTRACK, APPLE, APPLE
apple -- iphone_os | The UIKit View component in Apple iOS before 8.3 displays unblurred application snapshots in the Task Switcher, which makes it easier for physically proximate attackers to obtain sensitive information by reading the device screen. | 2015-04-10 | 2.1 | CVE-2015-1116 | CONFIRM, SECTRACK, APPLE
apple -- safari | The private-browsing implementation in WebKit in Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 places browsing history into an index, which might allow local users to obtain sensitive information by reading index entries. | 2015-04-10 | 2.1 | CVE-2015-1127 | CONFIRM, SECTRACK, APPLE
apple -- mac_os_x | LaunchServices in Apple OS X before 10.10.3 allows local users to cause a denial of service ( crash) via crafted localization data. | 2015-04-10 | 2.1 | CVE-2015-1142 | CONFIRM, SECTRACK, APPLE
apple -- mac_os_x | The Code Signing implementation in Apple OS X before 10.10.3 does not properly validate signatures, which allows local users to bypass intended access restrictions via a crafted , a different vulnerability than CVE-2015-1146. | 2015-04-10 | 1.9 | CVE-2015-1145 | CONFIRM, SECTRACK, APPLE
apple -- mac_os_x | The Code Signing implementation in Apple OS X before 10.10.3 does not properly validate signatures, which allows local users to bypass intended access restrictions via a crafted bundle, a different vulnerability than CVE-2015-1145. | 2015-04-10 | 1.9 | CVE-2015-1146 | CONFIRM, SECTRACK, APPLE
lixil -- my_satis_genius_toilet | The LIXIL Corporation My SATIS Genius Toilet application for Android has a hardcoded Bluetooth PIN, which allows physically proximate attackers to trigger physical resource consumption (water or heat) or user discomfort. | 2015-04-16 | 3.3 | CVE-2013-4866 | MISC, MISC, MISC, FULLDISC, MISC, MISC
microsoft -- windows_8.1 | Virtual Machine Manager (VMM) in Hyper-V in Microsoft Windows 8.1 and Windows Server 2012 R2 allows guest OS users to cause a denial of service (VMM functionality loss) via a crafted application, aka "Windows Hyper-V DoS Vulnerability." | 2015-04-14 | 2.1 | CVE-2015-1647 | MS
microsoft -- .net_framework | ASP.NET in Microsoft .NET Framework 1.1 SP1, 2.0 SP2, 3.5, 3.5.1, 4, 4.5, 4.5.1, and 4.5.2, when the customErrors configuration is disabled, allows remote attackers to obtain sensitive configuration-file information via a crafted request, aka "ASP.NET Information Disclosure Vulnerability." | 2015-04-14 | 2.6 | CVE-2015-1648 | MS
oracle -- fusion_middleware | Unspecified vulnerability in the Oracle OpenSSO component in Oracle Fusion Middleware 3.0-04 allows remote authenticated users to affect confidentiality via vectors related to OpenSSO Web Agents. | 2015-04-16 | 3.5 | CVE-2015-0451 | CONFIRM
oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 and 8.54 allows remote attackers to affect confidentiality via vectors related to PORTAL. | 2015-04-16 | 3.3 | CVE-2015-0453 | CONFIRM
oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 and 8.54 allows remote authenticated users to affect integrity via vectors related to PIA Core Technology, a different vulnerability than CVE-2015-0487. | 2015-04-16 | 3.5 | CVE-2015-0472 | CONFIRM
oracle -- fusion_middleware | Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.4.1, 8.5.0, and 8.5.1 allows local users to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2015-0493. | 2015-04-16 | 1.5 | CVE-2015-0474 | CONFIRM
oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise SCM Strategic Sourcing component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Security. | 2015-04-16 | 3.5 | CVE-2015-0485 | CONFIRM
oracle -- e-business_suite_amp | Unspecified vulnerability in the Application Management Pack for Oracle E-Business Suite component in Oracle E-Business Suite AMP 121030 and 121020 allows local users to affect confidentiality via vectors related to EBS Plugin. | 2015-04-16 | 1.2 | CVE-2015-0489 | CONFIRM
oracle -- fusion_middleware | Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.4.1, 8.5.0, and 8.5.1 allows local users to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2015-0474. | 2015-04-16 | 1.5 | CVE-2015-0493 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Replication. | 2015-04-16 | 1.7 | CVE-2015-0498 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server : Federated. | 2015-04-16 | 3.5 | CVE-2015-0499 | CONFIRM
oracle -- e-business_suite | Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6 and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Error Messages. | 2015-04-16 | 2.6 | CVE-2015-0504 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.5.42 and earlier, and 5.6.23 and earlier, allows remote authenticated users to affect availability via vectors related to DDL. | 2015-04-16 | 3.5 | CVE-2015-0505 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to InnoDB, a different vulnerability than CVE-2015-0508. | 2015-04-16 | 3.5 | CVE-2015-0506 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Memcached. | 2015-04-16 | 3.5 | CVE-2015-0507 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : SP. | 2015-04-16 | 2.8 | CVE-2015-0511 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.22 and earlier allows remote authenticated users to affect availability via vectors related to DML. | 2015-04-16 | 2.8 | CVE-2015-2566 | CONFIRM
oracle -- mysql | Unspecified vulnerability in Oracle MySQL Server 5.6.23 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server : Security : Privileges. | 2015-04-16 | 3.5 | CVE-2015-2567 | CONFIRM
oracle -- solaris | Unspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect confidentiality via unknown vectors related to Text Utilities. | 2015-04-16 | 2.1 | CVE-2015-2574 | CONFIRM
oracle -- mysql | Unspecified vulnerability in the MySQL Utilities component in Oracle MySQL 1.5.1 and earlier, when running on Windows, allows local users to affect integrity via unknown vectors related to Installation. | 2015-04-16 | 2.1 | CVE-2015-2576 | CONFIRM
oracle -- health_sciences_applications | Unspecified vulnerability in the Oracle Health Sciences Argus Safety component in Oracle Health Sciences Applications 8.0 allows local users to affect confidentiality via vectors related to BIP Installer. | 2015-04-16 | 2.1 | CVE-2015-2579 | CONFIRM
shareaholic -- shareaholic | Cross-site scripting (XSS) vulnerability in admin.php in the Shareaholic plugin before 7.6.1.0 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the location[id] parameter in a shareaholic_add_location action to wp-admin/admin-ajax.php. | 2015-04-14 | 3.5 | CVE-2014-9311 | CONFIRM, MISC, MISC
usaa -- mobile_banking | The USAA Mobile Banking application before 7.10.1 for Android displays the most recently-used screen before prompting the user for login, which might allow physically proximate users to obtain banking account numbers and balances. | 2015-04-16 | 2.1 | CVE-2015-1314 | FULLDISC, MISC, MISC

• Sources: http://nvd.nist.gov (for more information, visit the National Vulnerability Database (NVD), which contains a database of every vulnerability that has ever been published).

Uganda Communications Commission – UGCERT
Email: [email protected]
Tel: +256 414 302 100/150
Toll Free: 0800 133 911
Website: www.ug-cert.ug
Facebook / Twitter: UGCERT