CVE-2015-2952
CVE-2015-2952 is a medium-severity vulnerability in Igreks Milkystep Light with a CVSS 2.0 base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-284.
Key facts
- Severity: Medium (CVSS 2.0 base score 6.5)
- EPSS exploit prediction: 1% (64th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-284
- Affected product: Igreks Milkystep Light
- Published:
- Last modified:
Description
The user-information management functionality in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote authenticated users to bypass intended access restrictions and modify administrative credentials via unspecified vectors, a different vulnerability than CVE-2015-2953 and CVE-2015-2958.
Frequently asked questions
- What is CVE-2015-2952?
- The user-information management functionality in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote authenticated users to bypass intended access restrictions and modify administrative credentials via unspecified vectors, a different vulnerability than CVE-2015-2953 and CVE-2015-2958.
- How severe is CVE-2015-2952?
- CVE-2015-2952 has a CVSS 2.0 base score of 6.5, rated medium severity.
- Is CVE-2015-2952 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (64th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2015-2952?
- CVE-2015-2952 primarily affects Igreks Milkystep Light. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2015-2952?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2015-2952 published?
- CVE-2015-2952 was published on 2015-06-13 and last updated on 2026-06-17.
References
- http://jvn.jp/en/jp/JVN19732015/995646/index.html
- http://jvn.jp/en/jp/JVN19732015/index.html
- http://jvndb.jvn.jp/jvndb/JVNDB-2015-000077
- http://www.securityfocus.com/bid/75184
Affected products (3)
- cpe:2.3:a:igreks:milkystep_light:*:*:*:*:*:*:*:*
- cpe:2.3:a:igreks:milkystep_professional:*:*:*:*:*:*:*:*
- cpe:2.3:a:igreks:milkystep_professional_oem:*:*:*:*:*:*:*:*
More vulnerabilities in Igreks Milkystep Light
- CVE-2015-2956 — High (CVSS 7.5): SQL injection vulnerability in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote…
- CVE-2015-2955 — High (CVSS 7.5): Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote attackers to execute arbitrary…
- CVE-2015-2954 — Medium (CVSS 6.8): Cross-site request forgery (CSRF) vulnerability in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and…
- CVE-2015-2958 — Medium (CVSS 6.4): Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote attackers to bypass intended…
- CVE-2015-2953 — Medium (CVSS 5.0): Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote attackers to bypass intended…
- CVE-2015-2957 — Medium (CVSS 4.3): Cross-site scripting (XSS) vulnerability in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier…
All CVEs affecting Igreks Milkystep Light →
Other CWE-284 (Improper Access Control) vulnerabilities
- CVE-2026-50746 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi…
- CVE-2026-46978 — Critical (CVSS 10.0): Vulnerability in the Oracle Solaris product of Oracle Systems (component: Remote Administration Daemon). The…
- CVE-2026-35308 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Centralized Third Party Jars).…
- CVE-2026-35307 — Critical (CVSS 10.0): Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Core). Supported versions that…
- CVE-2026-46695 — Critical (CVSS 10.0): Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers…
- CVE-2026-46840 — Critical (CVSS 10.0): Vulnerability in Oracle REST Data Services (component: Backend-as-a-Service). Supported versions that are affected are…
Browse all CWE-284 (Improper Access Control) vulnerabilities →