CVSS: 5.0EPSS: 0%CPEs: 3EXPL: 0CVE-2015-0798
https://notcve.org/view.php?id=CVE-2015-0798
The Reader mode feature in Mozilla Firefox before 37.0.1 on Android, and Desktop Firefox pre-release, does not properly handle privileged URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy. La característica Reader mode en Mozilla Firefox anterior a 37.0.1 en Android, y el prelanzamiento de Desktop Firefox, no maneja correctamente las URLs privilegiadas, lo que facilita a atacantes remotos ejecutar código JavaScript arbitrario con privilegios chrome mediante el aprovechamiento de la habilidad de evadir Same Origin Policy. • http://www.mozilla.org/security/announce/2015/mfsa2015-43.html http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securitytracker.com/id/1032029 https://bugzilla.mozilla.org/show_bug.cgi?id=1147597 https://security.gentoo.org/glsa/201512-10 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 5.0EPSS: 2%CPEs: 64EXPL: 0CVE-2015-0248 – subversion: (mod_dav_svn) remote denial of service with certain requests with dynamically evaluated revision numbers
https://notcve.org/view.php?id=CVE-2015-0248
The (1) mod_dav_svn and (2) svnserve servers in Subversion 1.6.0 through 1.7.19 and 1.8.0 through 1.8.11 allow remote attackers to cause a denial of service (assertion failure and abort) via crafted parameter combinations related to dynamically evaluated revision numbers. Los servidores (1) mod_dav_svn yd (2) svnserve en Subversion 1.6.0 hasta 1.7.19 y 1.8.0 hasta 1.8.11 permiten a atacantes remotos causar una denegación de servicio (fallo de aserción y abortar) a través de combinaciones de parámetros relacionadas con números de revisión evaluados dinámicamente. An assertion failure flaw was found in the way the SVN server processed certain requests with dynamically evaluated revision numbers. A remote attacker could use this flaw to cause the SVN server (both svnserve and httpd with the mod_dav_svn module) to crash. • http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html http://lists.opensuse.org/opensuse-updates/2015-04/msg00008.html http://rhn.redhat.com/errata/RHSA-2015-1633.html http://rhn.redhat.com/errata/RHSA-2015-1742.html http://subversion.apache.org/security/CVE-2015-0248-advisory.txt http://www.debian.org/security/2015/dsa-3231 http://www.mandriva.com/security/advisories?name=MDVSA-2015:192 http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html • CWE-399: Resource Management Errors CWE-617: Reachable Assertion •
CVSS: 4.0EPSS: 0%CPEs: 73EXPL: 0CVE-2015-0251 – subversion: (mod_dav_svn) spoofing svn:author property values for new revisions
https://notcve.org/view.php?id=CVE-2015-0251
The mod_dav_svn server in Subversion 1.5.0 through 1.7.19 and 1.8.0 through 1.8.11 allows remote authenticated users to spoof the svn:author property via a crafted v1 HTTP protocol request sequences. El servidor mod_dav_svn en Subversion 1.5.0 hasta 1.7.19 y 1.8.0 hasta 1.8.11 permite a usuarios remotos autenticados falsificar la propiedad svn:author a través de secuencias manipuladas de solicitudes del protocolo v1 HTTP. It was found that the mod_dav_svn module did not properly validate the svn:author property of certain requests. An attacker able to create new revisions could use this flaw to spoof the svn:author property. • http://lists.apple.com/archives/security-announce/2015/Sep/msg00002.html http://lists.opensuse.org/opensuse-updates/2015-04/msg00008.html http://rhn.redhat.com/errata/RHSA-2015-1633.html http://rhn.redhat.com/errata/RHSA-2015-1742.html http://seclists.org/fulldisclosure/2015/Jun/32 http://subversion.apache.org/security/CVE-2015-0251-advisory.txt http://www.debian.org/security/2015/dsa-3231 http://www.mandriva.com/security/advisories?name=MDVSA-2015:192 http://www.oracle.com& • CWE-345: Insufficient Verification of Data Authenticity CWE-348: Use of Less Trusted Source •
CVSS: 5.0EPSS: 1%CPEs: 36EXPL: 0CVE-2015-2316
https://notcve.org/view.php?id=CVE-2015-2316
The utils.html.strip_tags function in Django 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1, when using certain versions of Python, allows remote attackers to cause a denial of service (infinite loop) by increasing the length of the input string. La función utils.html.strip_tags en Django 1.6.x anterior a 1.6.11, 1.7.x anterior a 1.7.7, y 1.8.x anterior a 1.8c1, cuando utiliza ciertos versiones de Python, permite a atacantes remotos causar una denegación de servicio (bucle infinito) mediante el incremento de la longitud de la cadena de entradas. • http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.html http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html http://www.securityfocus.com/bid/73322 http://www.ubuntu.com/usn/USN-2539-1 https://www.djangoproject.com/weblog/2015/mar/18/security-releases • CWE-399: Resource Management Errors •
CVSS: 4.3EPSS: 0%CPEs: 53EXPL: 0CVE-2015-2317
https://notcve.org/view.php?id=CVE-2015-2317
The utils.http.is_safe_url function in Django before 1.4.20, 1.5.x, 1.6.x before 1.6.11, 1.7.x before 1.7.7, and 1.8.x before 1.8c1 does not properly validate URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a control character in a URL, as demonstrated by a \x08javascript: URL. La función utils.http.is_safe_url en Django anterior a 1.4.20, 1.5.x, 1.6.x anterior a 1.6.11, 1.7.x anterior a 1.7.7, y 1.8.x anterior a 1.8c1 no valida correctamente las URLs, lo que permite a atacantes remotos realizar ataques de XSS a través de un caracter de control en una URL, tal y como fue demostrado por una URL \x08javascript. • http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155421.html http://lists.fedoraproject.org/pipermail/package-announce/2015-June/160263.html http://lists.opensuse.org/opensuse-updates/2015-04/msg00001.html http://lists.opensuse.org/opensuse-updates/2015-09/msg00035.html http://ubuntu.com/usn/usn-2539-1 http://www.debian.org/security/2015/dsa-3204 http://www.mandriva.com/security/advisories?name=MDVSA-2015:195 http://www.oracle.com/technetwork/topics/security/bulletinapr2015& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •