Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2015-5502

Summary
Assigner-mitre
Assigner Org ID-8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At-18 Aug, 2015 | 17:00
Updated At-06 Aug, 2024 | 06:50
Rejected At-
Credits

The Storage API module 7.x-1.x before 7.x-1.8 for Drupal does not properly restrict access to Storage API fields attached to entities that are not nodes, which allows remote attackers to have unspecified impact via unknown vectors.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mitre
Assigner Org ID:8254265b-2729-46b6-b9e3-3dfca2d5bfca
Published At:18 Aug, 2015 | 17:00
Updated At:06 Aug, 2024 | 06:50
Rejected At:
▼CVE Numbering Authority (CNA)

The Storage API module 7.x-1.x before 7.x-1.8 for Drupal does not properly restrict access to Storage API fields attached to entities that are not nodes, which allows remote attackers to have unspecified impact via unknown vectors.

Affected Products
Vendor
n/a
Product
n/a
Versions
Affected
  • n/a
Problem Types
TypeCWE IDDescription
textN/An/a
Type: text
CWE ID: N/A
Description: n/a
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.securityfocus.com/bid/74867
vdb-entry
x_refsource_BID
https://www.drupal.org/node/2495895
x_refsource_CONFIRM
https://www.drupal.org/node/2495903
x_refsource_MISC
http://www.openwall.com/lists/oss-security/2015/07/04/4
mailing-list
x_refsource_MLIST
Hyperlink: http://www.securityfocus.com/bid/74867
Resource:
vdb-entry
x_refsource_BID
Hyperlink: https://www.drupal.org/node/2495895
Resource:
x_refsource_CONFIRM
Hyperlink: https://www.drupal.org/node/2495903
Resource:
x_refsource_MISC
Hyperlink: http://www.openwall.com/lists/oss-security/2015/07/04/4
Resource:
mailing-list
x_refsource_MLIST
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.securityfocus.com/bid/74867
vdb-entry
x_refsource_BID
x_transferred
https://www.drupal.org/node/2495895
x_refsource_CONFIRM
x_transferred
https://www.drupal.org/node/2495903
x_refsource_MISC
x_transferred
http://www.openwall.com/lists/oss-security/2015/07/04/4
mailing-list
x_refsource_MLIST
x_transferred
Hyperlink: http://www.securityfocus.com/bid/74867
Resource:
vdb-entry
x_refsource_BID
x_transferred
Hyperlink: https://www.drupal.org/node/2495895
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://www.drupal.org/node/2495903
Resource:
x_refsource_MISC
x_transferred
Hyperlink: http://www.openwall.com/lists/oss-security/2015/07/04/4
Resource:
mailing-list
x_refsource_MLIST
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:cve@mitre.org
Published At:18 Aug, 2015 | 18:00
Updated At:12 Apr, 2025 | 10:46

The Storage API module 7.x-1.x before 7.x-1.8 for Drupal does not properly restrict access to Storage API fields attached to entities that are not nodes, which allows remote attackers to have unspecified impact via unknown vectors.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary2.07.5HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
Type: Primary
Version: 2.0
Base score: 7.5
Base severity: HIGH
Vector:
AV:N/AC:L/Au:N/C:P/I:P/A:P
CPE Matches
storage_api_project
storage_api_project
>>storage_api>>7.x-1.0
cpe:2.3:a:storage_api_project:storage_api:7.x-1.0:*:*:*:*:drupal:*:*
storage_api_project
storage_api_project
>>storage_api>>7.x-1.1
cpe:2.3:a:storage_api_project:storage_api:7.x-1.1:*:*:*:*:drupal:*:*
storage_api_project
storage_api_project
>>storage_api>>7.x-1.2
cpe:2.3:a:storage_api_project:storage_api:7.x-1.2:*:*:*:*:drupal:*:*
storage_api_project
storage_api_project
>>storage_api>>7.x-1.3
cpe:2.3:a:storage_api_project:storage_api:7.x-1.3:*:*:*:*:drupal:*:*
storage_api_project
storage_api_project
>>storage_api>>7.x-1.4
cpe:2.3:a:storage_api_project:storage_api:7.x-1.4:*:*:*:*:drupal:*:*
storage_api_project
storage_api_project
>>storage_api>>7.x-1.5
cpe:2.3:a:storage_api_project:storage_api:7.x-1.5:*:*:*:*:drupal:*:*
storage_api_project
storage_api_project
>>storage_api>>7.x-1.6
cpe:2.3:a:storage_api_project:storage_api:7.x-1.6:*:*:*:*:drupal:*:*
storage_api_project
storage_api_project
>>storage_api>>7.x-1.7
cpe:2.3:a:storage_api_project:storage_api:7.x-1.7:*:*:*:*:drupal:*:*
Weaknesses
CWE IDTypeSource
CWE-284Primarynvd@nist.gov
CWE ID: CWE-284
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
http://www.openwall.com/lists/oss-security/2015/07/04/4cve@mitre.org
N/A
http://www.securityfocus.com/bid/74867cve@mitre.org
N/A
https://www.drupal.org/node/2495895cve@mitre.org
Patch
https://www.drupal.org/node/2495903cve@mitre.org
Patch
Vendor Advisory
http://www.openwall.com/lists/oss-security/2015/07/04/4af854a3a-2127-422b-91ae-364da2661108
N/A
http://www.securityfocus.com/bid/74867af854a3a-2127-422b-91ae-364da2661108
N/A
https://www.drupal.org/node/2495895af854a3a-2127-422b-91ae-364da2661108
Patch
https://www.drupal.org/node/2495903af854a3a-2127-422b-91ae-364da2661108
Patch
Vendor Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2015/07/04/4
Source: cve@mitre.org
Resource: N/A
Hyperlink: http://www.securityfocus.com/bid/74867
Source: cve@mitre.org
Resource: N/A
Hyperlink: https://www.drupal.org/node/2495895
Source: cve@mitre.org
Resource:
Patch
Hyperlink: https://www.drupal.org/node/2495903
Source: cve@mitre.org
Resource:
Patch
Vendor Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2015/07/04/4
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: http://www.securityfocus.com/bid/74867
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A
Hyperlink: https://www.drupal.org/node/2495895
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Hyperlink: https://www.drupal.org/node/2495903
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Patch
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

164Records found
CVE-2015-1253
Matching Score-4
Assigner-Chrome
ShareView Details
Matching Score-4
Assigner-Chrome
CVSS Score-7.5||HIGH
EPSS-1.13% / 77.45%
||
7 Day CHG~0.00%
Published-20 May, 2015 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

core/html/parser/HTMLConstructionSite.cpp in the DOM implementation in Blink, as used in Google Chrome before 43.0.2357.65, allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code that appends a child to a SCRIPT element, related to the insert and executeReparentTask functions.

Action-Not Available
Vendor-n/aGoogle LLCDebian GNU/Linux
Product-debian_linuxchromen/a
CWE ID-CWE-284
Improper Access Control
CVE-2015-1173
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.39% / 59.25%
||
7 Day CHG~0.00%
Published-16 Sep, 2015 | 18:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 does not properly restrict access to the (1) Design Mode and (2) Debug Logger mode modules, which allows remote attackers to gain privileges via crafted "received parameters."

Action-Not Available
Vendor-unit4n/a
Product-teta_webn/a
CWE ID-CWE-284
Improper Access Control
CVE-2015-0150
Matching Score-4
Assigner-IBM Corporation
ShareView Details
Matching Score-4
Assigner-IBM Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.61% / 68.88%
||
7 Day CHG~0.00%
Published-12 Apr, 2018 | 21:00
Updated-06 Aug, 2024 | 04:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The remote administration UI in D-Link DIR-815 devices with firmware before 2.07.B01 allows remote attackers to bypass intended access restrictions via unspecified vectors.

Action-Not Available
Vendor-n/aD-Link Corporation
Product-dir-815_firmwaredir-815n/a
CWE ID-CWE-284
Improper Access Control
CVE-2014-9513
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-6.55% / 90.75%
||
7 Day CHG~0.00%
Published-28 Aug, 2017 | 15:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Insecure use of temporary files in xbindkeys-config 0.1.3-2 allows remote attackers to execute arbitrary code.

Action-Not Available
Vendor-n/aDebian GNU/Linux
Product-xbindkeys-confign/a
CWE ID-CWE-284
Improper Access Control
CVE-2014-9148
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-24.23% / 95.87%
||
7 Day CHG~0.00%
Published-16 Oct, 2017 | 15:00
Updated-20 Apr, 2025 | 01:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Fiyo CMS 2.0.1.8 allows remote attackers to bypass intended access restrictions and execute the (1) "Install and Update" or (2) Backup super administrator function via the view parameter in a direct request to fiyo/dapur.

Action-Not Available
Vendor-fiyon/a
Product-fiyo_cmsn/a
CWE ID-CWE-284
Improper Access Control
CVE-2014-9572
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.92% / 75.08%
||
7 Day CHG~0.00%
Published-26 Jan, 2015 | 15:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

MantisBT before 1.2.19 and 1.3.x before 1.3.0-beta.2 does not properly restrict access to /*/install.php, which allows remote attackers to obtain database credentials via the install parameter with the value 4.

Action-Not Available
Vendor-n/aMantis Bug Tracker (MantisBT)
Product-mantisbtn/a
CWE ID-CWE-284
Improper Access Control
CVE-2025-1165
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-0.07% / 22.26%
||
7 Day CHG~0.00%
Published-11 Feb, 2025 | 00:31
Updated-18 Feb, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Lumsoft ERP FileUploadApi.ashx DoWebUpload unrestricted upload

A vulnerability, which was classified as critical, was found in Lumsoft ERP 8. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument file leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Lumsoft
Product-ERP
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2021-27444
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-9.8||CRITICAL
EPSS-0.30% / 52.66%
||
7 Day CHG~0.00%
Published-16 May, 2022 | 17:15
Updated-16 Apr, 2025 | 16:21
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weintek EasyWeb cMT Improper Access Control

The Weintek cMT product line is vulnerable to various improper access controls, which may allow an unauthenticated attacker to remotely access and download sensitive information and perform administrative actions on behalf of a legitimate administrator.

Action-Not Available
Vendor-weintekWeintek
Product-cmt-ctrl01cmt3072cmt3103_firmwarecmt-g01cmt3090_firmwarecmt-g02_firmwarecmt-svr-100cmt3090cmt-ctrl01_firmwarecmt-fhd_firmwarecmt3071_firmwarecmt-svr-102cmt-hdmcmt3151_firmwarecmt-g04_firmwarecmt3072_firmwarecmt3151cmt3103cmt-svr-202_firmwarecmt3071cmt-hdm_firmwarecmt-svr-200_firmwarecmt-g03_firmwarecmt-g03cmt-fhdcmt-svr-100_firmwarecmt-svr-200cmt-g02cmt-g04cmt-svr-102_firmwarecmt-svr-202cmt-g01_firmwarecMT-G03/G04cMT-HDMcMT-FHDcMT-SVR-1xx/2xxcMT-CTRL01cMT3071/cMT3072/cMT3090/cMT3103/cMT3151cMT-G01/G02
CWE ID-CWE-284
Improper Access Control
CVE-2016-9835
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-3.91% / 87.82%
||
7 Day CHG~0.00%
Published-05 Dec, 2016 | 08:09
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Directory traversal vulnerability in file "jcss.php" in Zikula 1.3.x before 1.3.11 and 1.4.x before 1.4.4 on Windows allows a remote attacker to launch a PHP object injection by uploading a serialized file.

Action-Not Available
Vendor-zikulan/a
Product-zikula_application_frameworkn/a
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2017-11365
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.36% / 57.12%
||
7 Day CHG~0.00%
Published-23 May, 2019 | 17:20
Updated-05 Aug, 2024 | 18:05
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Certain Symfony products are affected by: Incorrect Access Control. This affects Symfony 2.7.30 and Symfony 2.8.23 and Symfony 3.2.10 and Symfony 3.3.3. The type of exploitation is: remote. The component is: Password validator.

Action-Not Available
Vendor-sensiolabsn/a
Product-symfonyn/a
CWE ID-CWE-284
Improper Access Control
CVE-2016-9157
Matching Score-4
Assigner-Siemens
ShareView Details
Matching Score-4
Assigner-Siemens
CVSS Score-9.8||CRITICAL
EPSS-1.46% / 80.03%
||
7 Day CHG~0.00%
Published-05 Dec, 2016 | 08:09
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A vulnerability in Siemens SICAM PAS (all versions before V8.09) could allow a remote attacker to cause a Denial of Service condition and potentially lead to unauthenticated remote code execution by sending specially crafted packets to port 19234/TCP.

Action-Not Available
Vendor-n/aSiemens AG
Product-sicam_pas\/pqsSiemens SICAM PAS through V8.08
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-284
Improper Access Control
CVE-2017-5212
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-0.59% / 68.17%
||
7 Day CHG~0.00%
Published-23 May, 2019 | 14:26
Updated-05 Aug, 2024 | 14:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Open-Xchange GmbH OX App Suite 7.8.3 is affected by: Incorrect Access Control.

Action-Not Available
Vendor-n/aOpen-Xchange AG
Product-open-xchange_appsuiten/a
CWE ID-CWE-284
Improper Access Control
CVE-2016-4694
Matching Score-4
Assigner-Apple Inc.
ShareView Details
Matching Score-4
Assigner-Apple Inc.
CVSS Score-9.1||CRITICAL
EPSS-0.96% / 75.57%
||
7 Day CHG~0.00%
Published-25 Sep, 2016 | 10:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Apache HTTP Server in Apple OS X before 10.12 and OS X Server before 5.2 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted CGI client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue, a related issue to CVE-2016-5387.

Action-Not Available
Vendor-n/aApple Inc.
Product-os_x_servermac_os_xn/a
CWE ID-CWE-284
Improper Access Control
CVE-2015-7367
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.66% / 70.08%
||
7 Day CHG~0.00%
Published-14 Oct, 2015 | 19:00
Updated-12 Apr, 2025 | 10:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Revive Adserver before 3.2.2 allows remote attackers to perform unspecified actions by leveraging an unexpired session after the user has been (1) deleted or (2) unlinked.

Action-Not Available
Vendor-revive-adservern/a
Product-revive_adservern/a
CWE ID-CWE-284
Improper Access Control
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found