CVEs from 2015
Total
7,313
critical
critical 1,306
high
high 1,666
medium
medium 3,617
low
low 554
% Critical
17.9%
% with KEV
0.6%
% with exploit
0.8%
Top vendors
Top products
- firefox 4,609
- flash_player 3,392
- php 1,526
- moodle 1,087
- acrobat_reader 878
- acrobat 878
- safari 736
- internet_explorer 712
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2015-6547 | high | — | 8.3 | 11y ago | The management console on Symantec Web Gateway (SWG) appliances with software before 5.2.2 DB 5.0.0.1277 allows remote authenticated users to execute arbitrary commands at boot time via unspecified v… | |
| CVE-2015-2904 | high | — | 8.3 | 11y ago | Actiontec GT784WN modems with firmware before NCS01-1.0.13 have hardcoded credentials, which makes it easier for remote attackers to obtain root access by connecting to the web administration interfa… | |
| CVE-2015-5611 | high | — | 8.3 | 11y ago | Unspecified vulnerability in Uconnect before 15.26.1, as used in certain Fiat Chrysler Automobiles (FCA) from 2013 to 2015 models, allows remote attackers in the same cellular network to control vehi… | |
| CVE-2015-2233 | high | — | 8.3 | 11y ago | Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 does not properly validate CA chains during signature validation, which allows man-in-the-middle attackers to upload and ex… | |
| CVE-2015-0675 | high | — | 8.3 | 11y ago | The failover ipsec implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1 before 9.1(6), 9.2 before 9.2(3.3), and 9.3 before 9.3(3) does not properly validate failover communication m… | |
| CVE-2015-2247 | high | — | 8.3 | 11y ago | Unspecified vulnerability in Boosted Boards skateboards allows physically proximate attackers to modify skateboard movement, cause human injury, or cause physical damage via vectors related to an "in… | |
| CVE-2015-0008 | high | — | 8.3 | 12y ago | The UNC implementation in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows… | |
| CVE-2015-8813 | high | 8.2 | 8.2 | 9y ago | Umbraco CMS vulnerable to CSRF | |
| CVE-2015-1000002 | high | 8.2 | 8.2 | 10y ago | Open Proxy in filedownload v1.4 wordpress plugin | |
| CVE-2015-8550 | high | 8.2 | 8.2 | 10y ago | Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend… | |
| CVE-2015-8397 | high | 8.2 | 8.2 | 11y ago | The JPEGLSCodec::DecodeExtent function in MediaStorageAndFileFormat/gdcmJPEGLSCodec.cxx in Grassroots DICOM (aka GDCM) before 2.6.2 allows remote attackers to obtain sensitive information from proces… | |
| CVE-2015-3637 | high | 8.1 | 8.1 | 9y ago | SQL injection vulnerability in phpMyBackupPro when run in multi-user mode before 2.5 allows remote attackers to execute arbitrary SQL commands via the username and password parameters. | |
| CVE-2015-5246 | high | 8.1 | 8.1 | 9y ago | The LDAP Authentication functionality in Foreman might allow remote attackers with knowledge of old passwords to gain access via vectors involving the password lifetime period in Active Directory. | |
| CVE-2015-5263 | high | 8.1 | 8.1 | 9y ago | pulp-consumer-client 2.4.0 through 2.6.3 does not check the server's TLS certificate signatures when retrieving the server's public key upon registration. | |
| CVE-2015-4075 | high | 8.1 | 8.1 | 9y ago | The Helpdesk Pro plugin before 1.4.0 for Joomla! allows remote attackers to write to arbitrary .ini files via a crafted language.save task. | |
| CVE-2015-3314 | high | 8.1 | 8.1 | 9y ago | SQL injection vulnerability in WordPress Tune Library plugin before 1.5.5. | |
| CVE-2015-5948 | high | 8.1 | 8.1 | 9y ago | Race condition in SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5947. | |
| CVE-2015-5947 | high | 8.1 | 8.1 | 9y ago | SuiteCRM before 7.2.3 allows remote attackers to execute arbitrary code. | |
| CVE-2015-3206 | high | 8.1 | 8.1 | 9y ago | The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other u… | |
| CVE-2015-7887 | high | 8.1 | 8.1 | 9y ago | NetApp SnapCenter Server 1.0 allows remote authenticated users to list and delete backups. | |
| CVE-2015-0839 | high | 8.1 | 8.1 | 9y ago | The hp-plugin utility in HP Linux Imaging and Printing (HPLIP) makes it easier for man-in-the-middle attackers to execute arbitrary code by leveraging use of a short GPG key id from a keyserver to ve… | |
| CVE-2015-5152 | high | 8.1 | 8.1 | 9y ago | Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-… | |
| CVE-2015-5232 | high | 8.1 | 8.1 | 9y ago | Race conditions in opa-fm before 10.4.0.0.196 and opa-ff before 10.4.0.0.197. | |
| CVE-2015-6817 | high | 8.1 | 8.1 | 9y ago | PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user via an unknown username. | |
| CVE-2015-8764 | high | 8.1 | 8.1 | 9y ago | Off-by-one error in the EAP-PWD module in FreeRADIUS 3.0 through 3.0.8, which triggers a buffer overflow. | |
| CVE-2015-8763 | high | 8.1 | 8.1 | 9y ago | The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attackers to have unspecified impact via a crafted (1) commit or (2) confirm message, which triggers an out-of-bounds read. | |
| CVE-2015-8983 | high | 8.1 | 8.1 | 9y ago | Integer overflow in the _IO_wstr_overflow function in libio/wstrops.c in the GNU C Library (aka glibc or libc6) before 2.22 allows context-dependent attackers to cause a denial of service (applicatio… | |
| CVE-2015-8982 | high | 8.1 | 8.1 | 9y ago | Integer overflow in the strxfrm function in the GNU C Library (aka glibc or libc6) before 2.21 allows context-dependent attackers to cause a denial of service (crash) or possibly execute arbitrary co… | |
| CVE-2015-7599 | high | 8.1 | 8.1 | 9y ago | Integer overflow in the _authenticate function in svc_auth.c in Wind River VxWorks 5.5 through 6.9.4.1, when the Remote Procedure Call (RPC) protocol is enabled, allows remote attackers to cause a de… | |
| CVE-2015-8960 | high | 8.1 | 8.1 | 10y ago | The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute t… | |
| CVE-2015-7611 | high | 8.1 | 8.1 | 10y ago | Apache James Server OS Command Injection | |
| CVE-2015-5348 | high | 8.1 | 8.1 | 10y ago | Apache Camel can allow remote attackers to execute arbitrary commands | |
| CVE-2015-7999 | high | 8.1 | 8.1 | 10y ago | Multiple SQL injection vulnerabilities in the Administration Web UI servlets in Citrix Command Center before 5.1 Build 36.7 and 5.2 before Build 44.11 allow remote authenticated users to execute arbi… | |
| CVE-2015-6184 | high | 8.1 | 8.1 | 10y ago | The CAttrArray object implementation in Microsoft Internet Explorer 7 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and memory corruption) … | |
| CVE-2015-5346 | high | 8.1 | 8.1 | 10y ago | Improper Neutralization of Input During Web Page Generation in Apache Tomcat | |
| CVE-2015-7547 | high | 8.1 | 8.1 | 10y ago | Multiple stack-based buffer overflows in the (1) send_dg and (2) send_vc functions in the libresolv library in the GNU C Library (aka glibc or libc6) before 2.23 allow remote attackers to cause a den… | |
| CVE-2015-7914 | high | 8.1 | 8.1 | 10y ago | Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 allows remote attackers to bypass authentication by leveraging knowledge of a password hash without knowledge of the associated password. | |
| CVE-2015-6467 | high | 8.1 | 8.1 | 11y ago | Advantech WebAccess before 8.1 allows remote attackers to execute arbitrary code via vectors involving a browser plugin. | |
| CVE-2015-3947 | high | 8.1 | 8.1 | 11y ago | SQL injection vulnerability in Advantech WebAccess before 8.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | |
| CVE-2015-7754 | high | 8.1 | 8.1 | 11y ago | Juniper ScreenOS before 6.3.0r21, when ssh-pka is configured and enabled, allows remote attackers to cause a denial of service (system crash) or execute arbitrary code via crafted SSH negotiation. | |
| CVE-2015-7283 | high | 8.1 | 8.1 | 11y ago | The web administration interface on ZyXEL NBG-418N devices with firmware 1.00(AADZ.3)C0 has a default password of 1234 for the admin account, which allows remote attackers to obtain administrative pr… | |
| CVE-2015-5600 | high | 8.1 | 8.1 | 11y ago | The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it ea… | |
| CVE-2015-2142 | high | 8.0 | 8.0 | 9y ago | Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote authenticated users to (1) hijack the authentication of users for requests that caus… | |
| CVE-2015-8356 | high | 8.0 | 8.0 | 9y ago | Multiple SQL injection vulnerabilities in the mcart.xls module 6.5.2 and earlier for Bitrix allow remote authenticated users to execute arbitrary SQL commands via the (1) xls_profile parameter to adm… | |
| CVE-2015-0864 | high | 8.0 | 8.0 | 9y ago | Samsung Account (AKA com.osp.app.signin) before 1.6.0069 and 2.x before 2.1.0069 allows man-in-the-middle attackers to obtain sensitive information and execute arbitrary code. | |
| CVE-2015-0863 | high | 8.0 | 8.0 | 9y ago | GALAXY Apps (aka Samsung Apps, Samsung Updates, or com.sec.android.app.samsungapps) before 14120405.03.012 allows man-in-the-middle attackers to obtain sensitive information and execute arbitrary cod… | |
| CVE-2015-0721 | high | 8.0 | 8.0 | 10y ago | Cisco NX-OS 4.0 through 7.3 on Multilayer Director and Nexus 1000V, 2000, 3000, 3500, 4000, 5000, 5500, 5600, 6000, 7000, 7700, and 9000 devices allows remote authenticated users to bypass intended A… | |
| CVE-2015-8798 | high | 8.0 | 8.0 | 10y ago | Directory traversal vulnerability in the Management Server in Symantec Embedded Security: Critical System Protection (SES:CSP) 1.0.x before 1.0 MP5, Embedded Security: Critical System Protection for … | |
| CVE-2015-8152 | high | 8.0 | 8.0 | 10y ago | Cross-site request forgery (CSRF) vulnerability in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6-MP4 allows remote authenticated users to hijack the authentication of administrators for… | |
| CVE-2015-5018 | high | 8.0 | 8.0 | 11y ago | IBM Security Access Manager for Web 7.0.0 before FP19 and 8.0 before 8.0.1.3 IF3, and Security Access Manager 9.0 before 9.0.0.0 IF1, allows remote authenticated users to execute arbitrary OS command… | |
| CVE-2015-7284 | high | 8.0 | 8.0 | 11y ago | Cross-site request forgery (CSRF) vulnerability on ZyXEL NBG-418N devices with firmware 1.00(AADZ.3)C0 allows remote attackers to hijack the authentication of arbitrary users. | |
| CVE-2015-6020 | high | 8.0 | 8.0 | 11y ago | ZyXEL PMG5318-B20A devices with firmware 1.00AANC0b5 allow remote authenticated users to obtain administrative privileges by leveraging access to the user account. | |
| CVE-2015-7925 | high | 8.0 | 8.0 | 11y ago | Cross-site request forgery (CSRF) vulnerability on eWON devices with firmware through 10.1s0 allows remote attackers to hijack the authentication of administrators for requests that trigger firmware … | |
| CVE-2015-4545 | high | 8.0 | 8.0 | 11y ago | EMC Isilon OneFS 7.1 before 7.1.1.8, 7.2.0 before 7.2.0.4, and 7.2.1 before 7.2.1.1 allows remote authenticated administrators to bypass a SmartLock root-login restriction by creating a root account … | |
| CVE-2015-1935 | high | — | 8.0 | 11y ago | The scalar-function implementation in IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote attackers to cause a denial of service… | |
| CVE-2015-8666 | high | 7.9 | 7.9 | 9y ago | Heap-based buffer overflow in QEMU, when built with the Q35-chipset-based PC system emulator. | |
| CVE-2015-5693 | high | — | 7.9 | 11y ago | The management console on Symantec Web Gateway (SWG) appliances with software before 5.2.2 DB 5.0.0.1277 allows remote authenticated users to execute arbitrary commands via vectors related to "traffi… | |
| CVE-2015-5692 | high | — | 7.9 | 11y ago | admin_messages.php in the management console on Symantec Web Gateway (SWG) appliances with software before 5.2.2 DB 5.0.0.1277 allows remote authenticated users to execute arbitrary code by uploading… | |
| CVE-2015-4034 | high | — | 7.9 | 11y ago | The createFromParcel method in the com.absolute.android.persistence.MethodSpec class in Samsung Galaxy S5s allows remote attackers to execute arbitrary files via a crafted Parcelable object in a seri… | |
| CVE-2015-0658 | high | — | 7.9 | 11y ago | The DHCP implementation in the PowerOn Auto Provisioning (POAP) feature in Cisco NX-OS does not properly restrict the initialization process, which allows remote attackers to execute arbitrary comman… | |
| CVE-2015-7529 | high | 7.8 | 7.8 | 4y ago | sosreport in SoS 3.x allows local users to obtain sensitive information from sosreport files or gain privileges via a symlink attack on an archive file in a temporary directory, as demonstrated by so… | |
| CVE-2015-5699 | high | 7.8 | 7.8 | 9y ago | The Switch Configuration Tools Backend (clcmd_server) in Cumulus Linux 2.5.3 and earlier allows local users to execute arbitrary commands via shell metacharacters in a cl-rctl command label. | |
| CVE-2015-5675 | high | 7.8 | 7.8 | 9y ago | The sys_amd64 IRET Handler in the kernel in FreeBSD 9.3 and 10.1 allows local users to gain privileges or cause a denial of service (kernel panic). | |
| CVE-2015-2158 | high | 7.8 | 7.8 | 9y ago | Off-by-one error in the pngcrush_measure_idat function in pngcrush.c in pngcrush before 1.7.84 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary c… | |
| CVE-2015-7359 | high | 7.8 | 7.8 | 9y ago | The (1) IsVolumeAccessibleByCurrentUser and (2) MountDevice methods in Ntdriver.c in TrueCrypt 7.0, VeraCrypt before 1.15, and CipherShed, when running on Windows, do not check the impersonation leve… | |
| CVE-2015-7358 | high | 7.8 | 7.8 | 9y ago | The IsDriveLetterAvailable method in Driver/Ntdriver.c in TrueCrypt 7.0, VeraCrypt before 1.15, and CipherShed, when running on Windows, does not properly validate drive letter symbolic links, which … | |
| CVE-2015-6971 | high | 7.8 | 7.8 | 9y ago | Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0013 allows local users to submit commands to the System Update service (SUService.exe) and gain privileges by launching signed … | |
| CVE-2015-3643 | high | 7.8 | 7.8 | 9y ago | usb-creator before 0.2.38.3ubuntu0.1 on Ubuntu 12.04 LTS, before 0.2.56.3ubuntu0.1 on Ubuntu 14.04 LTS, before 0.2.62ubuntu0.3 on Ubuntu 14.10, and before 0.2.67ubuntu0.1 on Ubuntu 15.04 allows local… | |
| CVE-2015-1537 | high | 7.8 | 7.8 | 9y ago | Integer overflow in IHDCP.cpp in the media_server component in Android allows remote attackers to execute arbitrary code via a crafted application. | |
| CVE-2015-1336 | high | 7.8 | 7.8 | 9y ago | The daily mandb cleanup job in Man-db before 2.7.6.1-1 as packaged in Ubuntu and Debian allows local users with access to the man account to gain privileges via vectors involving insecure chown use. | |
| CVE-2015-5704 | high | 7.8 | 7.8 | 9y ago | scripts/licensecheck.pl in devscripts before 2.15.7 allows local users to execute arbitrary shell commands. | |
| CVE-2015-4669 | high | 7.8 | 7.8 | 9y ago | The MySQL "root" user in Xsuite 2.x does not have a password set, which allows local users to access databases on the system. | |
| CVE-2015-3887 | high | 7.8 | 7.8 | 9y ago | Untrusted search path vulnerability in ProxyChains-NG before 4.9 allows local users to gain privileges via a Trojan horse libproxychains4.so library in the current working directory, which is referen… | |
| CVE-2015-4681 | high | 7.8 | 7.8 | 9y ago | Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows local users to have unspecified impact via vectors related to weak passwords. | |
| CVE-2015-1527 | high | 7.8 | 7.8 | 9y ago | Integer overflow in IAudioPolicyService.cpp in Android allows local users to gain privileges via a crafted application, aka Android Bug ID 19261727. | |
| CVE-2015-1590 | high | 7.8 | 7.8 | 9y ago | The kamcmd administrative utility and default configuration in kamailio before 4.3.0 use /tmp/kamailio_ctl. | |
| CVE-2015-2210 | high | 7.8 | 7.8 | 9y ago | The help window in Epicor CRS Retail Store before 3.2.03.01.008 allows local users to execute arbitrary code by injecting Javascript into the window source to create a button that spawns a command sh… | |
| CVE-2015-8300 | high | 7.8 | 7.8 | 9y ago | Polycom BToE Connector before 3.0.0 uses weak permissions (Everyone: Full Control) for "Program Files (x86)\polycom\polycom btoe connector\plcmbtoesrv.exe," which allows local users to gain privilege… | |
| CVE-2015-0974 | high | 7.8 | 7.8 | 9y ago | Untrusted search path vulnerability in ZTE Datacard MF19 0V1.0.0B04 allows local users to gain privilege by modifying the 'Ucell Internet' directory to reference a malicious mms_dll_r.dll or mediapla… | |
| CVE-2015-0114 | high | 7.8 | 7.8 | 9y ago | Stack-based buffer overflow in IBM V5R4, and IBM i Access for Windows 6.1 and 7.1. | |
| CVE-2015-1324 | high | 7.8 | 7.8 | 9y ago | Apport before 2.17.2-0ubuntu1.1 as packaged in Ubuntu 15.04, before 2.14.70ubuntu8.5 as packaged in Ubuntu 14.10, before 2.14.1-0ubuntu3.11 as packaged in Ubuntu 14.04 LTS, and before 2.0.1-0ubuntu17… | |
| CVE-2015-8308 | high | 7.8 | 7.8 | 9y ago | LXDM before 0.5.2 did not start X server with -auth, which allows local users to bypass authentication with X connections. | |
| CVE-2015-3617 | high | 7.8 | 7.8 | 9y ago | Fortinet FortiManager 5.0 before 5.0.11 and 5.2 before 5.2.2 allow local users to gain privileges via crafted CLI commands. | |
| CVE-2015-7571 | high | 7.8 | 7.8 | 9y ago | Unrestricted file upload vulnerability in Yeager CMS 1.2.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension. | |
| CVE-2015-5946 | high | 7.8 | 7.8 | 9y ago | Incomplete blacklist vulnerability in SuiteCRM 7.2.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension. | |
| CVE-2015-8264 | high | 7.8 | 7.8 | 9y ago | Untrusted search path vulnerability in F-Secure Online Scanner allows remote attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse DLL that is located in the same f… | |
| CVE-2015-6585 | high | 7.8 | 7.8 | 9y ago | hwpapp.dll in Hangul Word Processor allows remote attackers to execute arbitrary code via a crafted heap spray, and by leveraging a "type confusion" via an HWPX file containing a crafted para text ta… | |
| CVE-2015-4035 | high | 7.8 | 7.8 | 9y ago | scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run x… | |
| CVE-2015-1438 | high | 7.8 | 7.8 | 9y ago | Heap-based buffer overflow in Panda Security Kernel Memory Access Driver 1.0.0.13 allows attackers to execute arbitrary code with kernel privileges via a crafted size input for allocated kernel paged… | |
| CVE-2015-3932 | high | 7.8 | 7.8 | 9y ago | Netlock Mokka before 2.7.8.1204 allows remote attackers to perform XML signature wrapping attacks via an e-akta signed document with a ds:Object node with a crafted payload prepended to a valid ds:Ob… | |
| CVE-2015-3931 | high | 7.8 | 7.8 | 9y ago | Microsec e-Szigno before 3.2.7.12 allows remote attackers to perform XML signature wrapping attacks via an e-akta signed document with a ds:Object node with a crafted payload prepended to a valid ds:… | |
| CVE-2015-1795 | high | 7.8 | 7.8 | 9y ago | Red Hat Gluster Storage RPM Package 3.2 allows local users to gain privileges and execute arbitrary code as root. | |
| CVE-2015-1591 | high | 7.8 | 7.8 | 9y ago | The kamailio build in kamailio before 4.2.0-2 process allows local users to gain privileges. | |
| CVE-2015-3315 | high | 7.8 | 7.8 | 9y ago | Automatic Bug Reporting Tool (ABRT) allows local users to read, change the ownership of, or have other unspecified impact on arbitrary files via a symlink attack on (1) /var/tmp/abrt/*/maps, (2) /tmp… | |
| CVE-2015-9033 | high | 7.8 | 7.8 | 9y ago | In all Android releases from CAF using the Linux kernel, a QTEE system call fails to validate a pointer. | |
| CVE-2015-9030 | high | 7.8 | 7.8 | 9y ago | In all Android releases from CAF using the Linux kernel, the Hypervisor API could be misused to bypass authentication. | |
| CVE-2015-9029 | high | 7.8 | 7.8 | 9y ago | In all Android releases from CAF using the Linux kernel, a vulnerability exists in the access control settings of modem memory. | |
| CVE-2015-9028 | high | 7.8 | 7.8 | 9y ago | In all Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in a cryptographic routine. | |
| CVE-2015-9027 | high | 7.8 | 7.8 | 9y ago | In all Android releases from CAF using the Linux kernel, an untrusted pointer dereference vulnerability exists in WideVine DRM. | |
| CVE-2015-9026 | high | 7.8 | 7.8 | 9y ago | In all Android releases from CAF using the Linux kernel, an untrusted pointer dereference vulnerability exists in WideVine DRM. |