CVEs from 2015

Total: 7,262
- critical: 1,306
- high: 1,666
- medium: 3,617
- low: 554

% Critical: 18.0%
% with KEV: 0.6%
% with exploit: 10.1%
Top vendors
Top products
- firefox 4,609
- flash_player 3,392
- php 1,526
- moodle 1,087
- acrobat_reader 878
- acrobat 878
- safari 736
- internet_explorer 712
| CVE | Severity | CVSS | Risk | Published | Description | Flags | OS | Vendor |
|---|---|---|---|---|---|---|---|---|
| CVE-2015-6254 | medium | — | 6.0 | 11y ago | The (1) Service Provider (SP) and (2) Identity Provider (IdP) in PicketLink before 2.7.0 does not ensure that the Destination attribute in a Response element in a SAML assertion matches the location … | |||
| CVE-2015-0277 | medium | — | 6.0 | 11y ago | The Service Provider (SP) in PicketLink before 2.7.0 does not ensure that it is a member of an Audience element when an AudienceRestriction is specified, which allows remote attackers to log in to ot… | |||
| CVE-2015-5531 | medium | — | 6.0 | 11y ago | Improper Limitation of a Pathname to a Restricted Directory in Elasticsearch | |||
| CVE-2015-5696 | medium | — | 6.0 | 11y ago | Dell Netvault Backup before 10.0.5 allows remote attackers to cause a denial of service (crash) via a crafted request. | |||
| CVE-2015-3235 | medium | — | 6.0 | 11y ago | Foreman before 1.9.0 allows remote authenticated users with the edit_users permission to edit administrator users and change their passwords via unspecified vectors. | |||
| CVE-2015-4666 | medium | — | 6.0 | 11y ago | Directory traversal vulnerability in opm/read_sessionlog.php in Xceedium Xsuite 2.4.4.5 and earlier allows remote attackers to read arbitrary files via a ....// (quadruple dot double slash) in the lo… | |||
| CVE-2015-2890 | medium | 6.0 | 6.0 | 11y ago | The BIOS implementation on Dell Latitude, OptiPlex, Precision Mobile Workstation, and Precision Workstation Client Solutions (CS) devices with model-dependent firmware before A21 does not enforce a B… | |||
| CVE-2015-1491 | medium | — | 6.0 | 11y ago | SQL injection vulnerability in the management console in Symantec Endpoint Protection Manager (SEPM) 12.1 before 12.1-RU6-MP1 allows remote authenticated users to execute arbitrary SQL commands via u… | |||
| CVE-2015-2134 | medium | — | 6.0 | 11y ago | Cross-site request forgery (CSRF) vulnerability in HP System Management Homepage (SMH) before 7.5.0 allows remote authenticated users to hijack the authentication of unspecified victims via unknown v… | |||
| CVE-2015-4740 | medium | — | 6.0 | 11y ago | Unspecified vulnerability in the RDBMS Partitioning component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentialit… | |||
| CVE-2015-0468 | medium | — | 6.0 | 11y ago | Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availabili… | |||
| CVE-2015-1936 | medium | — | 6.0 | 11y ago | The administrative console in IBM WebSphere Application Server (WAS) 8.0.0 before 8.0.0.11 and 8.5 before 8.5.5.6, when the Security feature is disabled, allows remote authenticated users to hijack s… | |||
| CVE-2015-5116 | medium | — | 6.0 | 11y ago | Adobe Flash Player before 13.0.0.302 and 14.x through 18.x before 18.0.0.203 on Windows and OS X and before 11.2.202.481 on Linux, Adobe AIR before 18.0.0.180, Adobe AIR SDK before 18.0.0.180, and Ad… | |||
| CVE-2015-4616 | medium | — | 6.0 | 11y ago | Directory traversal vulnerability in includes/MapPinImageSave.php in the Easy2Map plugin before 1.2.5 for WordPress allows remote attackers to create arbitrary files via a .. (dot dot) in the map_id … | |||
| CVE-2015-0115 | medium | — | 6.0 | 11y ago | Cross-site request forgery (CSRF) vulnerability in IBM Leads 7.x, 8.1.0 before 8.1.0.14, 8.2, 8.5.0 before 8.5.0.7.3, 8.6.0 before 8.6.0.8.1, 9.0.0 through 9.0.0.4, 9.1.0 before 9.1.0.6.1, and 9.1.1 … | |||
| CVE-2015-5065 | medium | — | 6.0 | 11y ago | Absolute path traversal vulnerability in proxy.php in the google currency lookup in the Paypal Currency Converter Basic For WooCommerce plugin before 1.4 for WordPress allows remote attackers to read… | |||
| CVE-2015-3897 | medium | — | 6.0 | 11y ago | Directory traversal vulnerability in Bonita BPM Portal before 6.5.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the theme parameter and a file path in the location parameter… | |||
| CVE-2015-4414 | medium | — | 6.0 | 11y ago | Directory traversal vulnerability in download_audio.php in the SE HTML5 Album Audio Player (se-html5-album-audio-player) plugin 1.1.0 and earlier for WordPress allows remote attackers to read arbitra… | |||
| CVE-2015-4393 | medium | — | 6.0 | 11y ago | The resource/endpoint for uploading files in the Services module 7.x-3.x before 7.x-3.12 for Drupal allows remote authenticated users with the "Save file information" permission to execute arbitrary … | |||
| CVE-2015-4348 | medium | — | 6.0 | 11y ago | SQL injection vulnerability in the Spider Contacts module for Drupal allows remote authenticated users with the "access Spider Contacts category administration" permission to execute arbitrary SQL co… | |||
| CVE-2015-4153 | medium | — | 6.0 | 11y ago | Directory traversal vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress allows remote attackers to include and execute arbitrary php files via a relative path in the templ… | |||
| CVE-2015-4148 | medium | — | 6.0 | 11y ago | The do_soap_call function in ext/soap/soap.c in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 does not verify that the uri property is a string, which allows remote attackers to obta… | |||
| CVE-2015-3001 | medium | — | 6.0 | 11y ago | SysAid Help Desk before 15.2 uses a hardcoded password of Password1 for the sa SQL Server Express user account, which allows remote authenticated users to bypass intended access restrictions by lever… | |||
| CVE-2015-2998 | medium | — | 6.0 | 11y ago | SysAid Help Desk before 15.2 uses a hardcoded encryption key, which makes it easier for remote attackers to obtain sensitive information, as demonstrated by decrypting the database password in WEB-IN… | |||
| CVE-2015-2997 | medium | — | 6.0 | 11y ago | SysAid Help Desk before 15.2 allows remote attackers to obtain sensitive information via an invalid value in the accountid parameter to getAgentLogFile, as demonstrated by a large directory traversal… | |||
| CVE-2015-1700 | medium | — | 6.0 | 11y ago | Microsoft SharePoint Server 2007 SP3, SharePoint Foundation 2010 SP2, SharePoint Server 2010 SP2, and SharePoint Foundation 2013 SP1 allow remote authenticated users to execute arbitrary code via cra… | |||
| CVE-2015-3013 | medium | — | 6.0 | 11y ago | ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as… | |||
| CVE-2015-0482 | medium | — | 6.0 | 11y ago | Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 12.1.2.0 and 12.1.3.0 allows remote authenticated users to affect confidentiality, integrity, and availab… | |||
| CVE-2015-2166 | medium | — | 6.0 | 11y ago | Directory traversal vulnerability in the Instance Monitor in Ericsson Drutt Mobile Service Delivery Platform (MSDP) 4, 5, and 6 allows remote attackers to read arbitrary files via a ..%2f (dot dot en… | |||
| CVE-2015-2841 | medium | — | 6.0 | 11y ago | Citrix NetScaler AppFirewall, as used in NetScaler 10.5, allows remote attackers to bypass intended firewall restrictions via a crafted Content-Type header, as demonstrated by the application/octet-s… | |||
| CVE-2015-0816 | medium | — | 6.0 | 11y ago | Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScr… | |||
| CVE-2015-0802 | medium | — | 6.0 | 11y ago | Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl access control, which might allow remote attackers to execute arbitrary JavaScr… | |||
| CVE-2015-2682 | medium | — | 6.0 | 11y ago | Citrix Command Center before 5.1 Build 35.4 and 5.2 before Build 42.7 allows remote attackers to obtain credentials via a direct request to conf/securitydbData.xml. | |||
| CVE-2015-2153 | medium | — | 6.0 | 11y ago | The rpki_rtr_pdu_print function in print-rpki-rtr.c in the TCP printer in tcpdump before 4.7.2 allows remote attackers to cause a denial of service (out-of-bounds read or write and crash) via a craft… | |||
| CVE-2015-0252 | medium | — | 6.0 | 11y ago | internal/XMLReader.cpp in Apache Xerces-C before 3.1.2 allows remote attackers to cause a denial of service (segmentation fault and crash) via crafted XML data. | |||
| CVE-2015-2184 | medium | — | 6.0 | 11y ago | ZeusCart 4 allows remote attackers to obtain configuration information via a getphpinfo action to admin/, which calls the phpinfo function. | |||
| CVE-2015-0894 | medium | — | 6.0 | 11y ago | SQL injection vulnerability in the All In One WP Security & Firewall plugin before 3.8.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||
| CVE-2015-2067 | medium | — | 6.0 | 11y ago | MAGMI plugin for Magento Server Directory Traversal | |||
| CVE-2015-0923 | medium | — | 6.0 | 12y ago | The ContentBlockEx method in Workarea/ServerControlWS.asmx in Ektron Content Management System (CMS) 8.5 and 8.7 before 8.7sp2 and 9.0 before sp1 allows remote attackers to read arbitrary files via a… | |||
| CVE-2015-1579 | medium | — | 6.0 | 12y ago | Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image acti… | |||
| CVE-2015-1482 | medium | — | 6.0 | 12y ago | Ansible Tower (aka Ansible UI) before 2.0.5 allows remote attackers to bypass authentication and obtain sensitive information via a websocket connection to socket.io/1/. | |||
| CVE-2015-1365 | medium | — | 6.0 | 12y ago | Directory traversal vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to write to arbitrary files via a .. (dot dot) in the q parameter. | |||
| CVE-2015-0393 | medium | — | 6.0 | 12y ago | Unspecified vulnerability in the Oracle Applications DBA component in Oracle E-Business Suite 11.5.10.2, 12.0.6, 12.1.3, 12.2.2, 12.2.3, and 12.2.4 allows remote authenticated users to affect confide… | |||
| CVE-2015-0514 | medium | — | 6.0 | 12y ago | EMC M&R (aka Watch4Net) before 6.5u1 and ViPR SRM before 3.6.1 might allow remote attackers to obtain cleartext data-center discovery credentials by leveraging certain SRM access to conduct a decrypt… | |||
| CVE-2015-0922 | medium | — | 6.0 | 12y ago | McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by … | |||
| CVE-2015-3229 | medium | 5.9 | 5.9 | 9y ago | fedora-cloud-atomic.ks in spin-kickstarts allows remote attackers to conduct man-in-the-middle attacks by leveraging use of HTTP to download Fedora Atomic updates. | |||
| CVE-2015-6358 | medium | 5.9 | 5.9 | 9y ago | Multiple Cisco embedded devices use hardcoded X.509 certificates and SSH host keys embedded in the firmware, which allows remote attackers to defeat cryptographic protection mechanisms and conduct ma… | |||
| CVE-2015-7778 | medium | 5.9 | 5.9 | 9y ago | Gurunavi App for iOS before 6.0.0 does not verify SSL certificates which could allow remote attackers to perform man-in-the-middle attacks. | |||
| CVE-2015-1027 | medium | 5.9 | 5.9 | 9y ago | The version checking subroutine in percona-toolkit before 2.2.13 and xtrabackup before 2.2.9 was vulnerable to silent HTTP downgrade attacks and Man In The Middle attacks in which the server response… | |||
| CVE-2015-7256 | medium | 5.9 | 5.9 | 9y ago | ZyXEL NWA1100-N, NWA1100-NH, NWA1121-NI, NWA1123-AC, and NWA1123-NI access points; P-660HN-51, P-663HN-51, VMG1312-B10A, VMG1312-B30A, VMG1312-B30B, VMG4380-B10A, VMG8324-B10A, VMG8924-B10A, VMG8924-… | |||
| CVE-2015-0874 | medium | 5.9 | 5.9 | 9y ago | Smartphone Passbook 1.0.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to obtain sensitive information from encrypted communications via a crafted cer… | |||
| CVE-2015-8251 | medium | 5.9 | 5.9 | 9y ago | OpenStage 60 and OpenScape Desk Phone IP 55G SIP V3, OpenStage 15, 20E, 20 and 40 and OpenScape Desk Phone IP 35G SIP V3, OpenScape Desk Phone IP 35G Eco SIP V3, OpenStage 60 and OpenScape Desk Phone… | |||
| CVE-2015-7785 | medium | 5.9 | 5.9 | 9y ago | GANMA! App for iOS does not verify SSL certificates. | |||
| CVE-2015-5666 | medium | 5.9 | 5.9 | 9y ago | ANA App for Android 3.1.1 and earlier, and ANA App for iOS 3.3.6 and earlier does not verify SSL certificates. | |||
| CVE-2015-7315 | medium | 5.9 | 5.9 | 9y ago | Plone 3.3.0 through 3.3.6, 4.0.0 through 4.0.10, 4.1.0 through 4.1.6, 4.2.0 through 4.2.7, 4.3.0 through 4.3.6, and 5.0rc1 allows remote attackers to add a new member to a Plone site with registratio… | |||
| CVE-2015-1849 | medium | 5.9 | 5.9 | 9y ago | AdvancedLdapLodinMogule in Red Hat JBoss Enterprise Application Platform (EAP) before 6.4.1 allows attackers to obtain sensitive information via vectors involving logging the LDAP bind credential pas… | |||
| CVE-2015-3420 | medium | 5.9 | 5.9 | 9y ago | The ssl-proxy-openssl.c function in Dovecot before 2.2.17, when SSLv3 is disabled, allow remote attackers to cause a denial of service (login process crash) via vectors related to handshake failures. | |||
| CVE-2015-8316 | medium | 5.9 | 5.9 | 9y ago | Array index error in LightDM (aka Light Display Manager) 1.14.3, 1.16.x before 1.16.6 when the XDMCP server is enabled allows remote attackers to cause a denial of service (process crash) via an XDMC… | |||
| CVE-2015-2943 | medium | 5.9 | 5.9 | 9y ago | Honda Moto LINC 1.6.1 does not verify SSL certificates. | |||
| CVE-2015-0210 | medium | 5.9 | 5.9 | 9y ago | wpa_supplicant 2.0-16 does not properly check certificate subject name, which allows remote attackers to cause a man-in-the-middle attack. | |||
| CVE-2015-5293 | medium | 5.9 | 5.9 | 9y ago | Red Hat Enterprise Virtualization Manager 3.6 and earlier gives valid SLAAC IPv6 addresses to interfaces when "boot protocol" is set to None, which might allow remote attackers to communicate with a … | |||
| CVE-2015-2674 | medium | 5.9 | 5.9 | 9y ago | Restkit allows man-in-the-middle attackers to spoof TLS servers by leveraging use of the ssl.wrap_socket function in Python with the default CERT_NONE value for the cert_reqs argument. | |||
| CVE-2015-7852 | medium | 5.9 | 5.9 | 9y ago | ntpq in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted mode 6 response packets. | |||
| CVE-2015-3642 | medium | 5.9 | 5.9 | 9y ago | The TLS and DTLS processing functionality in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway devices with firmware 9.x before 9.3 Build 68.5, 10.0 through Build 78.6, 10.… | |||
| CVE-2015-0904 | medium | 5.9 | 5.9 | 9y ago | The Restaurant Karaoke SHIDAX app 1.3.3 and earlier on Android does not verify SSL certificates, which allows remote attackers to obtain sensitive information via a man-in-the-middle attack. | |||
| CVE-2015-2255 | medium | 5.9 | 5.9 | 9y ago | Huawei AR1220 routers with software before V200R005SPH006 allow remote attackers to cause a denial of service (board reset) via vectors involving a large amount of traffic from the GE port to the FE … | |||
| CVE-2015-8762 | medium | 5.9 | 5.9 | 9y ago | The EAP-PWD module in FreeRADIUS 3.0 through 3.0.8 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a zero-length EAP-PWD packet. | |||
| CVE-2015-8985 | medium | 5.9 | 5.9 | 9y ago | The pop_fail_stack function in the GNU C Library (aka glibc or libc6) allows context-dependent attackers to cause a denial of service (assertion failure and application crash) via vectors related to … | |||
| CVE-2015-8984 | medium | 5.9 | 5.9 | 9y ago | The fnmatch function in the GNU C Library (aka glibc or libc6) before 2.22 might allow context-dependent attackers to cause a denial of service (application crash) via a malformed pattern, which trig… | |||
| CVE-2015-6671 | medium | 5.9 | 5.9 | 9y ago | Open edX edx-platform before 2015-08-25 requires use of the database for storage of SAML SSO secrets, which makes it easier for context-dependent attackers to obtain sensitive information by leveragi… | |||
| CVE-2015-8158 | medium | 5.9 | 5.9 | 10y ago | The getresponse function in ntpq in NTP versions before 4.2.8p9 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (infinite loop) via crafted packets with incorrect values. | |||
| CVE-2015-7977 | medium | 5.9 | 5.9 | 10y ago | ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (NULL pointer dereference) via a ntpdc reslist command. | |||
| CVE-2015-8288 | medium | 5.9 | 5.9 | 10y ago | NETGEAR D3600 devices with firmware 1.0.0.49 and D6000 devices with firmware 1.0.0.49 and earlier use the same hardcoded private key across different customers' installations, which allows remote att… | |||
| CVE-2015-8878 | medium | 5.9 | 5.9 | 10y ago | main/php_open_temporary_file.c in PHP before 5.5.28 and 5.6.x before 5.6.12 does not ensure thread safety, which allows remote attackers to cause a denial of service (race condition and heap memory c… | |||
| CVE-2015-8838 | medium | 5.9 | 5.9 | 10y ago | ext/mysqlnd/mysqlnd.c in PHP before 5.4.43, 5.5.x before 5.5.27, and 5.6.x before 5.6.11 uses a client SSL option to mean that SSL is optional, which allows man-in-the-middle attackers to spoof serve… | |||
| CVE-2015-3152 | medium | 5.9 | 5.9 | 10y ago | Oracle MySQL before 5.7.3, Oracle MySQL Connector/C (aka libmysqlclient) before 6.1.3, and MariaDB before 5.5.44 use the --ssl option to mean that SSL is optional, which allows man-in-the-middle atta… | |||
| CVE-2015-8099 | medium | 5.9 | 5.9 | 10y ago | F5 BIG-IP LTM, AFM, Analytics, APM, ASM, Link Controller, and PEM 11.3.x, 11.4.x before 11.4.1 HF10, 11.5.x before 11.5.4, 11.6.x before 11.6.1, and 12.x before 12.0.0 HF1; BIG-IP AAM 11.4.x before 1… | |||
| CVE-2015-6551 | medium | 5.9 | 5.9 | 10y ago | Veritas NetBackup 7.x through 7.5.0.7 and 7.6.0.x through 7.6.0.4 and NetBackup Appliance through 2.5.4 and 2.6.0.x through 2.6.0.4 do not use TLS for administration-console traffic to the NBU server… | |||
| CVE-2015-5370 | medium | 5.9 | 5.9 | 10y ago | Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not properly implement the DCE-RPC layer, which allows remote attackers to perform protocol-downgrade attacks, cause a… | |||
| CVE-2015-2774 | medium | 5.9 | 5.9 | 10y ago | Erlang/OTP before 18.0-rc1 does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle … | |||
| CVE-2015-3197 | medium | 5.9 | 5.9 | 10y ago | ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection… | |||
| CVE-2015-7488 | medium | 5.9 | 5.9 | 11y ago | IBM Spectrum Scale 4.1.1.x before 4.1.1.4 and 4.2.x before 4.2.0.1, in certain LDAP File protocol configurations, allows remote attackers to discover an LDAP password via unspecified vectors. | |||
| CVE-2015-7744 | medium | 5.9 | 5.9 | 11y ago | wolfSSL (formerly CyaSSL) before 3.6.8 does not properly handle faults associated with the Chinese Remainder Theorem (CRT) process when allowing ephemeral key exchange without low memory optimization… | |||
| CVE-2015-8749 | medium | 5.9 | 5.9 | 11y ago | The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message … | |||
| CVE-2015-7575 | medium | 5.9 | 5.9 | 11y ago | Mozilla Network Security Services (NSS) before 3.20.2, as used in Mozilla Firefox before 43.0.2 and Firefox ESR 38.x before 38.5.2, does not reject MD5 signatures in Server Key Exchange messages in T… | |||
| CVE-2015-2913 | medium | 5.9 | 5.9 | 11y ago | OrientDB Server Community Edition uses insufficiently random values to generate session IDs | |||
| CVE-2015-7249 | medium | 4.9 | 5.9 | 11y ago | ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote authenticated users to bypass intended access restrictions via a modified request, as demonstrated by leveraging the support a… | |||
| CVE-2015-8254 | medium | 5.9 | 5.9 | 11y ago | The Frontel protocol before 3 on RSI Video Technologies Videofied devices does not use integrity protection, which makes it easier for man-in-the-middle attackers to (1) initiate a false alarm or (2)… | |||
| CVE-2015-8252 | medium | 5.9 | 5.9 | 11y ago | The Frontel protocol before 3 on RSI Video Technologies Videofied devices sends a cleartext serial number, which allows remote attackers to determine a hardcoded key by sniffing the network and perfo… | |||
| CVE-2015-6409 | medium | 5.9 | 5.9 | 11y ago | Cisco Jabber 10.6.x, 11.0.x, and 11.1.x on Windows allows man-in-the-middle attackers to conduct STARTTLS downgrade attacks and trigger cleartext XMPP sessions via unspecified vectors, aka Bug ID CSC… | |||
| CVE-2015-5619 | medium | 5.9 | 5.9 | 11y ago | Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obt… | |||
| CVE-2015-4425 | medium | — | 5.9 | 11y ago | Directory traversal vulnerability in pimcore before build 3473 allows remote authenticated users with the "assets" permission to create or write to arbitrary files via a .. (dot dot) in the dir param… | |||
| CVE-2015-1828 | medium | 5.9 | 5.9 | 11y ago | The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle-attack. | |||
| CVE-2015-2145 | medium | 4.8 | 5.8 | 9y ago | Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. | |||
| CVE-2015-7347 | medium | 4.8 | 5.8 | 9y ago | Cross-site scripting (XSS) vulnerability in ZCMS JavaServer Pages Content Management System 1.1. | |||
| CVE-2015-7282 | medium | 5.8 | 5.8 | 11y ago | ReadyNet WRT300N-DD devices with firmware 1.0.26 use the same source port number for every DNS query, which makes it easier for remote attackers to spoof responses by selecting that number for the de… | |||
| CVE-2015-7794 | medium | 5.8 | 5.8 | 11y ago | Corega CG-WLNCM4G devices provide an open DNS resolver, which allows remote attackers to cause a denial of service (traffic amplification) via crafted queries. | |||
| CVE-2015-7793 | medium | 5.8 | 5.8 | 11y ago | Corega CG-WLBARAGM devices provide an open proxy service, which allows remote attackers to trigger outbound network traffic via unspecified vectors. | |||
| CVE-2015-7990 | medium | 5.8 | 5.8 | 11y ago | Race condition in the rds_sendmsg function in net/rds/sendmsg.c in the Linux kernel before 4.3.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibl… | |||
| CVE-2015-8242 | medium | — | 5.8 | 11y ago | The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read a… |