CVEs from 2015

| Metric | Value |
|---|---|
| Total | 7,313 |
| critical | 1,306 |
| high | 1,666 |
| medium | 3,617 |
| low | 554 |
| % Critical | 17.9% |
| % with KEV | 0.6% |
| % with exploit | 0.8% |
Top products
- firefox 4,609
- flash_player 3,392
- php 1,526
- moodle 1,087
- acrobat 878
- acrobat_reader 878
- safari 736
- internet_explorer 712
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2015-0318 | critical | — | 10.0 | 12y ago | Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to execute arbitrary code or cause a denial of servi… | |
| CVE-2015-0317 | critical | — | 10.0 | 12y ago | Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to execute arbitrary code by leveraging an unspecifi… | |
| CVE-2015-0316 | critical | — | 10.0 | 12y ago | Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to execute arbitrary code or cause a denial of servi… | |
| CVE-2015-0315 | critical | — | 10.0 | 12y ago | Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to execute arbitrary… | |
| CVE-2015-0314 | critical | — | 10.0 | 12y ago | Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows attackers to execute arbitrary code or cause a denial of servi… | |
| CVE-2015-0930 | critical | — | 10.0 | 12y ago | The web interface on SerVision HVG Video Gateway devices with firmware before 2.2.26a100 has a hardcoded administrative password, which makes it easier for remote attackers to obtain access via an HT… | |
| CVE-2015-0929 | critical | — | 10.0 | 12y ago | time.htm in the web interface on SerVision HVG Video Gateway devices with firmware before 2.2.26a78 allows remote attackers to bypass authentication and obtain administrative access by leveraging a c… | |
| CVE-2015-1449 | critical | — | 10.0 | 12y ago | Buffer overflow in the integrated web server on Siemens Ruggedcom WIN51xx devices with firmware before SS4.4.4624.35, WIN52xx devices with firmware before SS4.4.4624.35, WIN70xx devices with firmware… | |
| CVE-2015-1448 | critical | — | 10.0 | 12y ago | The integrated management service on Siemens Ruggedcom WIN51xx devices with firmware before SS4.4.4624.35, WIN52xx devices with firmware before SS4.4.4624.35, WIN70xx devices with firmware before BS4… | |
| CVE-2015-0235 | critical | — | 10.0 | 12y ago | Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors relate… | |
| CVE-2015-1311 | critical | — | 10.0 | 12y ago | The Extended Application Services (XS) in SAP HANA allows remote attackers to inject arbitrary ABAP code via unspecified vectors, aka SAP Note 2098906. NOTE: the provenance of this information is un… | |
| CVE-2015-0408 | critical | — | 10.0 | 12y ago | Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI. | |
| CVE-2015-0309 | critical | — | 10.0 | 12y ago | Heap-based buffer overflow in Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows… | |
| CVE-2015-0308 | critical | — | 10.0 | 12y ago | Use-after-free vulnerability in Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windo… | |
| CVE-2015-0306 | critical | — | 10.0 | 12y ago | Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.27… | |
| CVE-2015-0304 | critical | — | 10.0 | 12y ago | Heap-based buffer overflow in Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows… | |
| CVE-2015-0303 | critical | — | 10.0 | 12y ago | Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.27… | |
| CVE-2015-0301 | critical | — | 10.0 | 12y ago | Adobe Flash Player before 13.0.0.260 and 14.x through 16.x before 16.0.0.257 on Windows and OS X and before 11.2.202.429 on Linux, Adobe AIR before 16.0.0.245 on Windows and OS X and before 16.0.0.27… | |
| CVE-2015-0014 | critical | — | 10.0 | 12y ago | Buffer overflow in the Telnet service in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold … | |
| CVE-2015-7411 | critical | 9.9 | 9.9 | 10y ago | The portal client in IBM Tivoli Monitoring (ITM) 6.2.2 through FP9, 6.2.3 through FP5, and 6.3.0 through FP6 allows remote authenticated users to gain privileges via unspecified vectors. | |
| CVE-2015-7926 | critical | 9.9 | 9.9 | 11y ago | eWON devices with firmware before 10.1s0 omit RBAC for I/O server information and status requests, which allows remote attackers to obtain sensitive information via an unspecified URL. | |
| CVE-2015-7669 | critical | 9.8 | 9.8 | 9y ago | Multiple directory traversal vulnerabilities in (1) includes/MapImportCSV2.php and (2) includes/MapImportCSV.php in the Easy2Map plugin before 1.3.0 for WordPress allow remote attackers to include an… | |
| CVE-2015-6237 | critical | 9.8 | 9.8 | 9y ago | The RPC service in Tripwire (formerly nCircle) IP360 VnE Manager 7.2.2 before 7.2.6 allows remote attackers to bypass authentication and (1) enumerate users, (2) reset passwords, or (3) manipulate IP… | |
| CVE-2015-7224 | critical | 9.8 | 9.8 | 9y ago | puppetlabs-mysql 3.1.0 through 3.6.0 allow remote attackers to bypass authentication by leveraging creation of a database account without a password when a 'mysql_user' user parameter contains a host… | |
| CVE-2015-3934 | critical | 9.8 | 9.8 | 9y ago | Multiple SQL injection vulnerabilities in Fiyo CMS 2.0_1.9.1 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to apps/app_article/controller/rating.php or (2) user pa… | |
| CVE-2015-7501 | critical | 9.8 | 9.8 | 9y ago | Deserialization of Untrusted Data in Apache commons collections | |
| CVE-2015-3933 | critical | 9.8 | 9.8 | 9y ago | MetalGenix GeniXCMS vulnerable to SQL Injection | |
| CVE-2015-9245 | critical | 9.8 | 9.8 | 9y ago | Insecure default configuration in Progress Software OpenEdge 10.2x and 11.x allows unauthenticated remote attackers to specify arbitrary URLs from which to load and execute malicious Java classes via… | |
| CVE-2015-3249 | critical | 9.8 | 9.8 | 9y ago | The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary … | |
| CVE-2015-5172 | critical | 9.8 | 9.8 | 9y ago | Cloud Foundry Runtime has Weak Password Recovery Mechanism for Forgotten Password | |
| CVE-2015-5171 | critical | 9.8 | 9.8 | 9y ago | Cloud Foundry Runtime Insufficient Session Expiration vulnerability | |
| CVE-2015-5740 | critical | 9.8 | 9.8 | 9y ago | Request smuggling due to improper header parsing in net/http | |
| CVE-2015-5739 | critical | 9.8 | 9.8 | 9y ago | Request smuggling due to improper header parsing in net/http | |
| CVE-2015-5376 | critical | 9.8 | 9.8 | 9y ago | SQL injection vulnerability in the login form in GSI WiNPAT Portal 3.2.0.1001 through 3.6.1.0 allows remote attackers to execute arbitrary SQL commands via the username field. | |
| CVE-2015-7806 | critical | 9.8 | 9.8 | 9y ago | Eval injection vulnerability in the fm_saveHelperGatherItems function in ajax.php in the Form Manager plugin before 1.7.3 for WordPress allows remote attackers to execute arbitrary code via unspecifi… | |
| CVE-2015-7687 | critical | 9.8 | 9.8 | 9y ago | Use-after-free vulnerability in OpenSMTPD before 5.7.2 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via vectors involving req_ca_vrfy_smtp and req_ca_vrfy_mt… | |
| CVE-2015-4650 | critical | 9.8 | 9.8 | 9y ago | Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote attackers to gain shell access and execute arbitrary code with root privileges via unspecified vectors. | |
| CVE-2015-2780 | critical | 9.8 | 9.8 | 9y ago | Unrestricted file upload vulnerability in Berta CMS allows remote attackers to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct re… | |
| CVE-2015-2147 | critical | 9.8 | 9.8 | 9y ago | Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters. | |
| CVE-2015-2146 | critical | 9.8 | 9.8 | 9y ago | Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to project.php, the (2) group_id pa… | |
| CVE-2015-7841 | critical | 9.8 | 9.8 | 9y ago | The login page of the server on Huawei FusionServer rack servers RH2288 V3 with software before V100R003C00SPC603, RH2288H V3 with software before V100R003C00SPC503, XH628 V3 with software before V10… | |
| CVE-2015-8249 | critical | 9.8 | 9.8 | 9y ago | The FileUploadServlet class in ManageEngine Desktop Central 9 before build 91093 allows remote attackers to upload and execute arbitrary files via the ConnectionId parameter. | |
| CVE-2015-7670 | critical | 9.8 | 9.8 | 9y ago | Multiple SQL injection vulnerabilities in includes/update.php in the Support Ticket System plugin before 1.2.1 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) user … | |
| CVE-2015-7390 | critical | 9.8 | 9.8 | 9y ago | SQL injection vulnerability in TestLink before 1.9.14 allows remote attackers to execute arbitrary SQL commands via the apikey parameter to lnl.php. | |
| CVE-2015-8707 | critical | 9.8 | 9.8 | 9y ago | Password reset tokens in Magento CE before 1.9.2.2, and Magento EE before 1.14.2.2 are passed via a GET request and not canceled after use, which allows remote attackers to obtain user passwords via … | |
| CVE-2015-7510 | critical | 9.8 | 9.8 | 9y ago | Stack-based buffer overflow in the getpwnam and getgrnam functions of the NSS module nss-mymachines in systemd. | |
| CVE-2015-4667 | critical | 9.8 | 9.8 | 9y ago | Multiple hardcoded credentials in Xsuite 2.x. | |
| CVE-2015-5284 | critical | 9.8 | 9.8 | 9y ago | ipa-kra-install in FreeIPA before 4.2.2 puts the CA agent certificate and private key in /etc/httpd/alias/kra-agent.pem, which is world readable. | |
| CVE-2015-6673 | critical | 9.8 | 9.8 | 9y ago | Use-after-free vulnerability in Decoder.cpp in libpgf before 6.15.32. | |
| CVE-2015-4073 | critical | 9.8 | 9.8 | 9y ago | Multiple SQL injection vulnerabilities in the Helpdesk Pro plugin before 1.4.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) ticket_code or (2) email parameter or (… | |
| CVE-2015-4683 | critical | 9.8 | 9.8 | 9y ago | Polycom RealPresence Resource Manager (aka RPRM) before 8.4 allows attackers to obtain sensitive information and potentially gain privileges by leveraging use of session identifiers as parameters wit… | |
| CVE-2015-3431 | critical | 9.8 | 9.8 | 9y ago | Pydio (formerly AjaXplorer) before 6.0.7 allows remote attackers to execute arbitrary commands via unspecified vectors, aka "Pydio OS Command Injection Vulnerabilities." | |
| CVE-2015-5206 | critical | 9.8 | 9.8 | 9y ago | Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server before 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5168. | |
| CVE-2015-5168 | critical | 9.8 | 9.8 | 9y ago | Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5206. | |
| CVE-2015-4689 | critical | 9.8 | 9.8 | 9y ago | Ellucian (formerly SunGard) Banner Student 8.5.1.2 through 8.7 allows remote attackers to reset arbitrary passwords via unspecified vectors, aka "Weak Password Reset." | |
| CVE-2015-7877 | critical | 9.8 | 9.8 | 9y ago | Multiple SQL injection vulnerabilities in the User Dashboard module 7.x before 7.x-1.4 for Drupal allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | |
| CVE-2015-5052 | critical | 9.8 | 9.8 | 9y ago | SQL injection vulnerability in Sefrengo before 1.6.5 beta2. | |
| CVE-2015-4629 | critical | 9.8 | 9.8 | 9y ago | Huawei E5756S before V200R002B146D23SP00C00 allows remote attackers to read device configuration information, enable PIN/PUK authentication, and perform other unspecified actions. | |
| CVE-2015-4627 | critical | 9.8 | 9.8 | 9y ago | SQL injection vulnerability in Pragyan CMS 3.0. | |
| CVE-2015-3991 | critical | 9.8 | 9.8 | 9y ago | strongSwan 5.2.2 and 5.3.0 allows remote attackers to cause a denial of service (daemon crash) or execute arbitrary code. | |
| CVE-2015-3313 | critical | 9.8 | 9.8 | 9y ago | SQL injection vulnerability in WordPress Community Events plugin before 1.4. | |
| CVE-2015-3442 | critical | 9.8 | 9.8 | 9y ago | Soreco Xpert.Line 3.0 allows local users to spoof users and consequently gain privileges by intercepting a Windows API call. | |
| CVE-2015-7241 | critical | 9.8 | 9.8 | 9y ago | XML External Entity (XXE) vulnerability in SAP Netweaver before 7.01. | |
| CVE-2015-5959 | critical | 9.8 | 9.8 | 9y ago | Froxlor before 0.9.33.2 with the default configuration/setup might allow remote attackers to obtain the database password by reading /logs/sql-error.log. | |
| CVE-2015-7746 | critical | 9.8 | 9.8 | 9y ago | NetApp Data ONTAP before 8.2.4, when operating in 7-Mode, allows remote attackers to bypass authentication and (1) obtain sensitive information from or (2) modify volumes via vectors related to UTF-8… | |
| CVE-2015-7700 | critical | 9.8 | 9.8 | 9y ago | Double-free vulnerability in the sPLT chunk structure and png.c in pngcrush before 1.7.87 allows attackers to have unspecified impact via unknown vectors. | |
| CVE-2015-8299 | critical | 9.8 | 9.8 | 9y ago | Buffer overflow in the Group messages monitor (Falcon) in KNX ETS 4.1.5 (Build 3246) allows remote attackers to execute arbitrary code via a crafted KNXnet/IP UDP packet. | |
| CVE-2015-7517 | critical | 9.8 | 9.8 | 9y ago | Multiple SQL injection vulnerabilities in the Double Opt-In for Download plugin before 2.0.9 for WordPress allow remote attackers to execute arbitrary SQL commands via the ver parameter to (1) class-… | |
| CVE-2015-1430 | critical | 9.8 | 9.8 | 9y ago | Buffer overflow in xymon 4.3.17-1. | |
| CVE-2015-1401 | critical | 9.8 | 9.8 | 9y ago | Improper Authentication vulnerability in the "LDAP / SSO Authentication" (ig_ldap_sso_auth) extension 2.0.0 for TYPO3. | |
| CVE-2015-8352 | critical | 9.8 | 9.8 | 9y ago | Directory traversal vulnerability in Zen Cart 1.5.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the act parameter to ajax.php. | |
| CVE-2015-1801 | critical | 9.8 | 9.8 | 9y ago | The samsung_extdisp driver in the Samsung S4 (GT-I9500) I9500XXUEMK8 kernel 3.4 and earlier allows attackers to cause a denial of service (memory corruption) or gain privileges. | |
| CVE-2015-5224 | critical | 9.8 | 9.8 | 9y ago | The mkostemp function in login-utils in util-linux when used incorrectly allows remote attackers to cause file name collision and possibly other attacks. | |
| CVE-2015-6473 | critical | 9.8 | 9.8 | 9y ago | WAGO IO 750-849 01.01.27 and WAGO IO 750-881 01.02.05 do not contain privilege separation. | |
| CVE-2015-6472 | critical | 9.8 | 9.8 | 9y ago | WAGO IO 750-849 01.01.27 and 01.02.05, WAGO IO 750-881, and WAGO IO 758-870 have weak credential management. | |
| CVE-2015-2857 | critical | 9.8 | 9.8 | 9y ago | Accellion File Transfer Appliance before FTA_9_11_210 allows remote attackers to execute arbitrary code via shell metacharacters in the oauth_token parameter. | |
| CVE-2015-9073 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an untrusted pointer dereference can occur in a TrustZone syscall. | |
| CVE-2015-9072 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an untrusted pointer dereference can occur in a TrustZone syscall. | |
| CVE-2015-9071 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a buffer over-read vulnerability exists in a TrustZone syscall. | |
| CVE-2015-9070 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a buffer over-read vulnerability exists in a TrustZone syscall. | |
| CVE-2015-9069 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, the Secure File System can become corrupted. | |
| CVE-2015-9068 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an argument to a mink syscall is not properly validated. | |
| CVE-2015-9067 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a potential compiler optimization of memset() is addressed. | |
| CVE-2015-9066 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in an Inter-RAT procedure. | |
| CVE-2015-9065 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a UE can respond to a UEInformationRequest before Access Stratum security is established. | |
| CVE-2015-9064 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, the UE can send IMEI or IMEISV to the network on a network request before NAS security has been activated. | |
| CVE-2015-9063 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in a procedure involving a remote UIM client. | |
| CVE-2015-9062 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an integer overflow to buffer overflow vulnerability exists when loading an ELF file. | |
| CVE-2015-9061 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, playReady DRM failed to check a length potentially leading to unauthorized access to secure memory. | |
| CVE-2015-9060 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a pointer is not properly validated in a QTEE system call. | |
| CVE-2015-9055 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an assertion was potentially reachable in a memory management routine. | |
| CVE-2015-9054 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a NULL pointer can be dereferenced during GAL decoding. | |
| CVE-2015-9053 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a buffer overflow vulnerability exists in the processing of certain responses from the USIM. | |
| CVE-2015-9052 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a vulnerability exists in LTE where an assertion can be reached while processing a downlink message. | |
| CVE-2015-9051 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a vulnerability exists in LTE where an assertion can be reached due to an improper bound on a length in a System Inform… | |
| CVE-2015-9050 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a vulnerability exists where an array out of bounds access can occur during a CA call. | |
| CVE-2015-9049 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a vulnerability exists in the processing of certain responses from the USIM. | |
| CVE-2015-9048 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a vulnerability exists in the processing of lost RTP packets. | |
| CVE-2015-9047 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a vulnerability exists in GNSS when performing a scan after bootup. | |
| CVE-2015-9046 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a vulnerability exists in LTE where an assertion can be reached due to an improper bound on the size of a frequency lis… |