CVEs from 2015

Summary
- Total: 7,313
- Critical: 1,306
- High: 1,666
- Medium: 3,617
- Low: 554
- % Critical: 17.9%
- % with KEV: 0.6%
- % with exploit: 0.8%

Top vendors

Top products
- firefox 4,609
- flash_player 3,392
- php 1,526
- moodle 1,087
- acrobat_reader 878
- acrobat 878
- safari 736
- internet_explorer 712
| CVE | Severity | CVSS | Risk | Published | Description | Impact |
|---|---|---|---|---|---|---|
| CVE-2015-2313 | high | 7.5 | 7.5 | 9y ago | Sandstorm Cap'n Proto before 0.4.1.1 and 0.5.x before 0.5.1.2, when an application invokes the totalSize method on an object reader, allows remote peers to cause a denial of service (CPU consumption)… | |
| CVE-2015-2312 | high | 7.5 | 7.5 | 9y ago | Sandstorm Cap'n Proto before 0.4.1.1 and 0.5.x before 0.5.1.1 allows remote peers to cause a denial of service (CPU and possibly general resource consumption) via a list with a large number of elemen… | |
| CVE-2015-0785 | high | 7.5 | 7.5 | 9y ago | com.novell.zenworks.inventory.rtr.actionclasses.wcreports in Novell ZENworks Configuration Management (ZCM) allows remote attackers to read arbitrary folders via the dirname variable. | |
| CVE-2015-0784 | high | 7.5 | 7.5 | 9y ago | Rtrlet.class in Novell ZENworks Configuration Management (ZCM) allows remote attackers to obtain Session IDs of logged in users via a value of ShowLogins for the maintenance variable. | |
| CVE-2015-7764 | high | 7.5 | 7.5 | 9y ago | Lemur 0.1.4 does not use sufficient entropy in its IV when encrypting AES in CBC mode. | |
| CVE-2015-4165 | high | 7.5 | 7.5 | 9y ago | Improper Access Control in Elasticsearch | |
| CVE-2015-3405 | high | 7.5 | 7.5 | 9y ago | ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is betwe… | |
| CVE-2015-7704 | high | 7.5 | 7.5 | 9y ago | The ntpd client in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service via a number of crafted "KOD" messages. | |
| CVE-2015-7701 | high | 7.5 | 7.5 | 9y ago | Memory leak in the CRYPTO_ASSOC function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (memory consumption). | |
| CVE-2015-7692 | high | 7.5 | 7.5 | 9y ago | The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash). NOTE: This vulnerability exists due to an incomple… | |
| CVE-2015-7691 | high | 7.5 | 7.5 | 9y ago | The crypto_xmit function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted packets containing particular autokey op… | |
| CVE-2015-7875 | high | 7.5 | 7.5 | 9y ago | ctools 6.x-1.x before 6.x-1.14 and 7.x-1.x before 7.x-1.8 in Drupal does not verify the "edit" permission for the "content type" plugins that are used on Panels and similar systems to place content a… | |
| CVE-2015-1378 | high | 7.5 | 7.5 | 9y ago | cmdlineopts.clp in grml-debootstrap in Debian 0.54, 0.68.x before 0.68.1, 0.7x before 0.78 is sourced without checking that the local directory is writable by non-root users. | |
| CVE-2015-8013 | high | 7.5 | 7.5 | 9y ago | OpenPGP 1.2.0 and earlier decrypts arbitrary messages | |
| CVE-2015-1417 | high | 7.5 | 7.5 | 9y ago | The inet module in FreeBSD 10.2x before 10.2-PRERELEASE, 10.2-BETA2-p2, 10.2-RC1-p1, 10.1x before 10.1-RELEASE-p16, 9.x before 9.3-STABLE, 9.3-RELEASE-p21, and 8.x before 8.4-STABLE, 8.4-RELEASE-p35 … | |
| CVE-2015-1847 | high | 7.5 | 7.5 | 9y ago | Directory traversal vulnerability in the web request/response interface in Appserver before 1.0.3 allows remote attackers to read normally inaccessible files via a .. (dot dot) in a crafted URL. | |
| CVE-2015-7703 | high | 7.5 | 7.5 | 9y ago | The "pidfile" or "driftfile" directives in NTP ntpd 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77, when ntpd is configured to allow remote configuration, allows remote attackers with an IP address th… | |
| CVE-2015-5300 | high | 7.5 | 7.5 | 9y ago | The panic_gate check in NTP before 4.2.8p5 is only re-enabled after the first change to the system clock that was greater than 128 milliseconds by default, which allows remote attackers to set NTP to… | |
| CVE-2015-5219 | high | 7.5 | 7.5 | 9y ago | The ULOGTOD function in ntp.d in SNTP before 4.2.7p366 does not properly perform type conversions from a precision value to a double, which allows remote attackers to cause a denial of service (infin… | |
| CVE-2015-5195 | high | 7.5 | 7.5 | 9y ago | ntp_openssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attackers to cause a denial of service (segmentation fault) via a crafted statistics or filegen configuration command that is not enabled … | |
| CVE-2015-5194 | high | 7.5 | 7.5 | 9y ago | The log_config_command function in ntp_parser.y in ntpd in NTP before 4.2.7p42 allows remote attackers to cause a denial of service (ntpd crash) via crafted logconfig commands. | |
| CVE-2015-3640 | high | 7.5 | 7.5 | 9y ago | phpMyBackupPro 2.5 and earlier does not properly escape the "." character in request parameters, which allows remote authenticated users with knowledge of a web-accessible and web-writeable directory… | |
| CVE-2015-3198 | high | 7.5 | 7.5 | 9y ago | The Undertow module of WildFly allows source code disclosure | |
| CVE-2015-3297 | high | 7.5 | 7.5 | 9y ago | Directory traversal vulnerability in node/utils/Minify.js in Etherpad 1.1.1 through 1.5.2 allows remote attackers to read arbitrary files by leveraging replacement of backslashes with slashes in the … | |
| CVE-2015-7781 | high | 7.5 | 7.5 | 9y ago | ManageEngine Firewall Analyzer before 8.0 does not restrict access permissions. | |
| CVE-2015-5180 | high | 7.5 | 7.5 | 9y ago | res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash). | |
| CVE-2015-2245 | high | 7.5 | 7.5 | 9y ago | Huawei Ascend P7 allows remote attackers to cause a denial of service (phone process crash). | |
| CVE-2015-3215 | high | 7.5 | 7.5 | 9y ago | The NetKVM Windows Virtio driver allows remote attackers to cause a denial of service (guest crash) via a crafted length value in an IP packet, as demonstrated by a value that does not account for th… | |
| CVE-2015-7732 | high | 7.5 | 7.5 | 9y ago | The Avira Mobile Security app before 1.5.11 for iOS sends sensitive login information in cleartext. | |
| CVE-2015-3913 | high | 7.5 | 7.5 | 9y ago | The IP stack in multiple Huawei Campus series switch models allows remote attackers to cause a denial of service (reboot) via a crafted ICMP request message. | |
| CVE-2015-3634 | high | 7.5 | 7.5 | 9y ago | The SlideshowPluginSlideshowStylesheet::loadStylesheetByAJAX function in the Slideshow plugin 2.2.8 through 2.2.21 for Wordpress allows remote attackers to read arbitrary Wordpress option values. | |
| CVE-2015-1379 | high | 7.5 | 7.5 | 9y ago | The signal handler implementations in socat before 1.7.3.0 and 2.0.0-b8 allow remote attackers to cause a denial of service (process freeze or crash). | |
| CVE-2015-2800 | high | 7.5 | 7.5 | 9y ago | The user authentication module in Huawei Campus switches S5700, S5300, S6300, and S6700 with software before V200R001SPH012 and S7700, S9300, and S9700 with software before V200R001SPH015 allows remo… | |
| CVE-2015-2251 | high | 7.5 | 7.5 | 9y ago | The DeviceManager in Huawei OceanStor UDS devices with software before V100R002C01SPC102 might allow remote attackers to obtain sensitive information via a crafted UDS patch with JavaScript. | |
| CVE-2015-8235 | high | 7.5 | 7.5 | 9y ago | Directory traversal vulnerability in Spiffy before 5.4. | |
| CVE-2015-5175 | high | 7.5 | 7.5 | 9y ago | Apache CXF Fediz application plugins are vulnerable to Denial of Service (DoS) attacks | |
| CVE-2015-7888 | high | 7.5 | 7.5 | 9y ago | Directory traversal vulnerability in the WifiHs20UtilityService on the Samsung S6 Edge LRX22G.G925VVRU1AOE2 allows remote attackers to overwrite or create arbitrary files as the system-level user via… | |
| CVE-2015-6586 | high | 7.5 | 7.5 | 9y ago | The mDNS module in Huawei WLAN AC6005, AC6605, and ACU2 devices with software before V200R006C00SPC100 allows remote attackers to obtain sensitive information by leveraging failure to restrict proces… | |
| CVE-2015-5682 | high | 7.5 | 7.5 | 9y ago | upload.php in the Powerplay Gallery plugin 3.3 for WordPress allows remote attackers to create arbitrary directories via vectors related to the targetDir variable. | |
| CVE-2015-5469 | high | 7.5 | 7.5 | 9y ago | Absolute path traversal vulnerability in the MDC YouTube Downloader plugin 2.1.0 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter to includes/do… | |
| CVE-2015-5468 | high | 7.5 | 7.5 | 9y ago | Directory traversal vulnerability in the WP e-Commerce Shop Styling plugin before 2.6 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter to inc… | |
| CVE-2015-5401 | high | 7.5 | 7.5 | 9y ago | Teradata Gateway before 15.00.03.02-1 and 15.10.x before 15.10.00.01-1 and TD Express before 15.00.02.08_Sles10 and 15.00.02.08_Sles11 allow remote attackers to cause a denial of service (database cr… | |
| CVE-2015-5383 | high | 7.5 | 7.5 | 9y ago | Roundcube Webmail 1.1.x before 1.1.2 allows remote attackers to obtain sensitive information by reading files in the (1) config, (2) temp, or (3) logs directory. | |
| CVE-2015-4704 | high | 7.5 | 7.5 | 9y ago | Directory traversal vulnerability in the Download Zip Attachments plugin 1.0 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the File parameter to download.php. | |
| CVE-2015-4054 | high | 7.5 | 7.5 | 9y ago | PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by sending a password packet before a startup packet. | |
| CVE-2015-1529 | high | 7.5 | 7.5 | 9y ago | Integer overflow in soundtrigger/ISoundTriggerHwService.cpp in Android allows attackers to cause a denial of service via unspecified vectors. | |
| CVE-2015-5436 | high | 7.5 | 7.5 | 9y ago | A potential security vulnerability has been identified with HP Integrated Lights-Out 4 (iLO 4) firmware version 2.11 and later, but prior to version 2.30. The vulnerability could be exploited remotel… | |
| CVE-2015-7245 | high | 7.5 | 7.5 | 9y ago | Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remote attackers to read sensitive information via a .. (dot dot) in the errorpage p… | |
| CVE-2015-1522 | high | 7.5 | 7.5 | 9y ago | analyzer/protocol/dnp3/DNP3.cc in Bro before 2.3.2 does not reject certain non-zero values of a packet length, which allows remote attackers to cause a denial of service (buffer overflow or buffer ov… | |
| CVE-2015-1521 | high | 7.5 | 7.5 | 9y ago | analyzer/protocol/dnp3/DNP3.cc in Bro before 2.3.2 does not properly handle zero values of a packet length, which allows remote attackers to cause a denial of service (buffer overflow or buffer over-… | |
| CVE-2015-8285 | high | 7.5 | 7.5 | 9y ago | The webssx.sys driver in QuickHeal 16.00 allows remote attackers to cause a denial of service. | |
| CVE-2015-8619 | high | 7.5 | 7.5 | 9y ago | The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash). | |
| CVE-2015-4646 | high | 7.5 | 7.5 | 9y ago | (1) unsquash-1.c, (2) unsquash-2.c, (3) unsquash-3.c, and (4) unsquash-4.c in Squashfs and sasquatch allow remote attackers to cause a denial of service (application crash) via a crafted input. | |
| CVE-2015-8270 | high | 7.5 | 7.5 | 9y ago | The AMF3ReadString function in amf.c in RTMPDump 2.4 allows remote RTMP Media servers to cause a denial of service (invalid pointer dereference and process crash). | |
| CVE-2015-7825 | high | 7.5 | 7.5 | 9y ago | botan before 1.11.22 improperly validates certificate paths, which allows remote attackers to cause a denial of service (infinite loop and memory consumption) via a certificate with a loop in the cer… | |
| CVE-2015-7824 | high | 7.5 | 7.5 | 9y ago | botan 1.11.x before 1.11.22 makes it easier for remote attackers to decrypt TLS ciphertext data via a padding-oracle attack against TLS CBC ciphersuites. | |
| CVE-2015-8378 | high | 7.5 | 7.5 | 9y ago | In KeePassX before 0.4.4, a cleartext copy of password data is created upon a cancel of an XML export action. This allows context-dependent attackers to obtain sensitive information by reading the .x… | |
| CVE-2015-8258 | high | 7.5 | 7.5 | 9y ago | AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability." | |
| CVE-2015-7265 | high | 7.5 | 7.5 | 9y ago | Facebook Proxygen before 2015-11-09 mismanages HTTPMessage.request state, which allows remote attackers to conduct hijacking attacks and bypass ACL checks. | |
| CVE-2015-7263 | high | 7.5 | 7.5 | 9y ago | The SPDY/2 codec in Facebook Proxygen before 2015-11-09 allows remote attackers to conduct hijacking attacks and bypass ACL checks via a crafted host value. | |
| CVE-2015-2886 | high | 7.5 | 7.5 | 9y ago | iBaby M6 allows remote attackers to obtain sensitive information, related to the ibabycloud.com service. | |
| CVE-2015-2884 | high | 7.5 | 7.5 | 9y ago | Philips In.Sight B120/37 allows remote attackers to obtain sensitive information via a direct request, related to yoics.net URLs, stream.m3u8 URIs, and cam_service_enable.cgi. | |
| CVE-2015-4680 | high | 7.5 | 7.5 | 9y ago | FreeRADIUS 2.2.x before 2.2.8 and 3.0.x before 3.0.9 does not properly check revocation of intermediate CA certificates. | |
| CVE-2015-1612 | high | 7.5 | 7.5 | 9y ago | OpenFlow plugin for OpenDaylight LLDP Relay | |
| CVE-2015-1611 | high | 7.5 | 7.5 | 9y ago | OpenFlow plugin for OpenDaylight allows spoofing the SDN topology | |
| CVE-2015-7844 | high | 7.5 | 7.5 | 9y ago | Huawei FusionAccess with software V100R005C10,V100R005C20 could allow attackers to craft and send a malformed HDP protocol packet to cause the virtual cloud desktop to be displaying an error and not … | |
| CVE-2015-4624 | high | 7.5 | 7.5 | 9y ago | Hak5 WiFi Pineapple 2.0 through 2.3 uses predictable CSRF tokens. | |
| CVE-2015-4556 | high | 7.5 | 7.5 | 9y ago | The string-translate* procedure in the data-structures unit in CHICKEN before 4.10.0 allows remote attackers to cause a denial of service (crash). | |
| CVE-2015-8625 | high | 7.5 | 7.5 | 9y ago | MediaWiki before 1.23.12, 1.24.x before 1.24.5, 1.25.x before 1.25.4, and 1.26.x before 1.26.1 do not properly sanitize parameters when calling the cURL library, which allows remote attackers to read… | |
| CVE-2015-3881 | high | 7.5 | 7.5 | 9y ago | Information disclosure issue in qdPM 8.3 allows remote attackers to obtain sensitive information via a direct request to (1) core/config/databases.yml, (2) core/log/qdPM_prod.log, or (3) core/apps/qd… | |
| CVE-2015-8895 | high | 7.5 | 7.5 | 9y ago | Integer overflow in coders/icon.c in ImageMagick 6.9.1-3 and later allows remote attackers to cause a denial of service (application crash) via a crafted length value, which triggers a buffer overflo… | |
| CVE-2015-8990 | high | 7.5 | 7.5 | 9y ago | Detection bypass vulnerability in Intel Security Advanced Threat Defense (ATD) 3.4.6 and earlier allows malware samples to bypass ATD detection via renaming the malware. | |
| CVE-2015-2330 | high | 7.5 | 7.5 | 9y ago | Late TLS certificate verification in WebKitGTK+ prior to 2.6.6 allows remote attackers to view a secure HTTP request, including, for example, secure cookies. | |
| CVE-2015-8994 | high | 7.5 | 7.5 | 9y ago | An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x after 5.6.28 or 7.x after 7.0.13, the issue is resolved in a n… | |
| CVE-2015-4057 | high | 7.5 | 7.5 | 9y ago | The "Plug-in for VMware vCenter" in VCE Vision Intelligent Operations before 2.6.5 sends a cleartext HTTP response upon a request for the Settings screen, which allows remote attackers to discover th… | |
| CVE-2015-8979 | high | 7.5 | 7.5 | 9y ago | Stack-based buffer overflow in the parsePresentationContext function in storescp in DICOM dcmtk-3.6.0 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a long … | |
| CVE-2015-8544 | high | 7.5 | 7.5 | 9y ago | NetApp SnapDrive for Windows before 7.0.2P4, 7.0.3, and 7.1 before 7.1.3P1 allows remote attackers to obtain sensitive information via unspecified vectors. | |
| CVE-2015-8977 | high | 7.5 | 7.5 | 9y ago | MyBB (aka MyBulletinBoard) before 1.6.18 and 1.8.x before 1.8.6 and MyBB Merge System before 1.8.6 allow remote attackers to obtain the installation path via vectors involving error log files. | |
| CVE-2015-7979 | high | 7.5 | 7.5 | 10y ago | NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (client-server association tear down) by sending broadcast packets with invalid authentication to a bro… | |
| CVE-2015-7978 | high | 7.5 | 7.5 | 10y ago | NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows remote attackers to cause a denial of service (stack exhaustion) via an ntpdc relist command, which triggers recursive traversal of the restriction… | |
| CVE-2015-8860 | high | 7.5 | 7.5 | 10y ago | The tar package before 2.0.0 for Node.js allows remote attackers to write to arbitrary files via a symlink attack in an archive. | |
| CVE-2015-8858 | high | 7.5 | 7.5 | 10y ago | The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)." | |
| CVE-2015-8855 | high | 7.5 | 7.5 | 10y ago | The semver package before 4.3.2 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." | |
| CVE-2015-8854 | high | 7.5 | 7.5 | 10y ago | The marked package before 0.3.4 for Node.js allows attackers to cause a denial of service (CPU consumption) via unspecified vectors that trigger a "catastrophic backtracking issue for the em inline r… | |
| CVE-2015-8315 | high | 7.5 | 7.5 | 10y ago | The ms package before 0.7.1 for Node.js allows attackers to cause a denial of service (CPU consumption) via a long version string, aka a "regular expression denial of service (ReDoS)." | |
| CVE-2015-4626 | high | 7.5 | 7.5 | 10y ago | B.A.S C2Box before 4.0.0 (r19171) relies on client-side validation, which allows remote attackers to "corrupt the business logic" via a negative value in an overdraft. | |
| CVE-2015-6574 | high | 7.5 | 7.5 | 10y ago | The SNAP Lite component in certain SISCO MMS-EASE and AX-S4 ICCP products allows remote attackers to cause a denial of service (CPU consumption) via a crafted packet. | |
| CVE-2015-3418 | high | 7.5 | 7.5 | 10y ago | The ProcPutImage function in dix/dispatch.c in X.Org Server (aka xserver and xorg-server) before 1.16.4 allows attackers to cause a denial of service (divide-by-zero and crash) via a zero-height PutI… | |
| CVE-2015-3217 | high | 7.5 | 7.5 | 10y ago | PCRE 7.8 and 8.32 through 8.37, and PCRE2 10.10 mishandle group empty matches, which might allow remote attackers to cause a denial of service (stack-based buffer overflow) via a crafted regular expr… | |
| CVE-2015-8978 | high | 7.5 | 7.5 | 10y ago | In Soap Lite (aka the SOAP::Lite extension for Perl) 1.14 and earlier, an example attack consists of defining 10 or more XML entities, each defined as consisting of 10 of the previous entity, with th… | |
| CVE-2015-5162 | high | 7.5 | 7.5 | 10y ago | OpenStack Cinder, Glance, and Nova contain Uncontrolled Resource Consumption | |
| CVE-2015-2080 | high | 7.5 | 7.5 | 10y ago | Jetty vulnerable to exposure of sensitive information to unauthenticated remote users | |
| CVE-2015-1000012 | high | 7.5 | 7.5 | 10y ago | Local File Inclusion Vulnerability in mypixs v0.3 wordpress plugin | |
| CVE-2015-1000010 | high | 7.5 | 7.5 | 10y ago | Remote file download in simple-image-manipulator v1.0 wordpress plugin | |
| CVE-2015-1000007 | high | 7.5 | 7.5 | 10y ago | Remote file download vulnerability in wptf-image-gallery v1.03 | |
| CVE-2015-1000006 | high | 7.5 | 7.5 | 10y ago | Remote file download vulnerability in recent-backups v0.7 wordpress plugin | |
| CVE-2015-1000005 | high | 7.5 | 7.5 | 10y ago | Remote file download vulnerability in candidate-application-form v1.0 wordpress plugin | |
| CVE-2015-6393 | high | 7.5 | 7.5 | 10y ago | Cisco NX-OS 4.1 through 7.3 and 11.0 through 11.2 on Nexus 2000, 3000, 3500, 5000, 5500, 5600, 6000, 7000, 7700, and 9000 devices allows remote attackers to cause a denial of service (device crash) v… | |
| CVE-2015-6392 | high | 7.5 | 7.5 | 10y ago | Cisco NX-OS 4.1 through 7.3 and 11.0 through 11.2 on Nexus 2000, 5000, 5500, 5600, 6000, 7000, 7700, and 9000 devices allows remote attackers to cause a denial of service (device crash) via crafted I… | |
| CVE-2015-8930 | high | 7.5 | 7.5 | 10y ago | bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (infinite loop) via an ISO with a directory that is a member of itself. |