CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2015(Gain Information)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-8703 200 Bypass +Info 2015-12-30 2016-11-28
4.0
None Remote Low Single system Partial None None
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE and ZXV10 W300 devices W300V1.0.0f_ER1_PE allow remote authenticated users to bypass intended access restrictions, and discover credentials and keys, by reading the configuration file, a different vulnerability than CVE-2015-7248.
2 CVE-2015-8669 200 +Info 2015-12-26 2016-12-07
5.0
None Remote Low Not required Partial None None
libraries/config/messages.inc.php in phpMyAdmin 4.0.x before 4.0.10.12, 4.4.x before 4.4.15.2, and 4.5.x before 4.5.3.1 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.
3 CVE-2015-8602 200 Bypass +Info 2015-12-17 2015-12-18
3.5
None Remote Medium Single system Partial None None
The Token Insert Entity module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permissions, which allows remote authenticated users with certain permissions to bypass intended access restrictions and possibly obtain sensitive information by inserting a token, which embeds a rendered entity in the main node.
4 CVE-2015-8601 200 Bypass +Info 2015-12-17 2015-12-18
5.0
None Remote Low Not required Partial None None
The Chat Room module 7.x-2.x before 7.x-2.2 for Drupal does not properly check permissions when setting up a websocket for chat messages, which allows remote attackers to bypass intended access restrictions and read messages from arbitrary Chat Rooms via unspecified vectors.
5 CVE-2015-8600 264 +Priv Bypass +Info 2015-12-17 2015-12-18
7.5
None Remote Low Not required Partial Partial Partial
The SysAdminWebTool servlets in SAP Mobile Platform allow remote attackers to bypass authentication and obtain sensitive information, gain privileges, or have unspecified other impact via unknown vectors, aka SAP Security Note 2227855.
6 CVE-2015-8569 200 Bypass +Info 2015-12-28 2016-12-07
1.9
None Local Medium Not required Partial None None
The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel through 4.3.3 do not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application.
7 CVE-2015-8453 200 Bypass +Info 2015-12-10 2017-02-16
4.3
None Remote Medium Not required Partial None None
Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allow attackers to bypass the ASLR protection mechanism via JIT data, a different vulnerability than CVE-2015-8409 and CVE-2015-8440.
8 CVE-2015-8393 200 +Info 2015-12-01 2017-06-30
5.0
None Remote Low Not required Partial None None
pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client.
9 CVE-2015-8382 119 DoS Overflow +Info 2015-12-01 2016-12-27
6.4
None Remote Low Not required Partial None Partial
The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.
10 CVE-2015-8374 200 +Info 2015-12-28 2016-12-07
2.1
None Local Low Not required Partial None None
fs/btrfs/inode.c in the Linux kernel before 4.3.3 mishandles compressed inline extents, which allows local users to obtain sensitive pre-truncation information from a file via a clone action.
11 CVE-2015-8370 264 DoS Mem. Corr. Bypass +Info 2015-12-16 2016-12-07
6.9
None Local Medium Not required Complete Complete Complete
Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an "Off-by-two" or "Out of bounds overwrite" memory error.
12 CVE-2015-8357 22 DoS Dir. Trav. +Info 2015-12-16 2016-12-07
6.5
None Remote Low Single system Partial Partial Partial
Directory traversal vulnerability in the bitrix.xscan module before 1.0.4 for Bitrix allows remote authenticated users to rename arbitrary files, and consequently obtain sensitive information or cause a denial of service, via a .. (dot dot) in the file parameter to admin/bitrix.xscan_worker.php.
13 CVE-2015-8328 119 DoS Overflow +Priv +Info 2015-11-24 2015-11-25
6.6
None Local Medium Not required Complete Partial Complete
Unspecified vulnerability in the NVAPI support layer in the NVIDIA GPU graphics driver R340 before 341.92, R352 before 354.35, and R358 before 358.87 on Windows allows local users to obtain sensitive information, cause a denial of service (crash), or possibly gain privileges via unknown vectors. NOTE: this identifier was SPLIT from CVE-2015-7869 per ADT2 and ADT3 due to different vulnerability types and affected versions.
14 CVE-2015-8317 119 Overflow +Info 2015-12-15 2017-09-13
5.0
None Remote Low Not required Partial None None
The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read.
15 CVE-2015-8253 200 +Info 2015-12-26 2015-12-28
4.3
None Remote Medium Not required Partial None None
The Frontel protocol before 3 on RSI Video Technologies Videofied devices sets up AES encryption but sends all traffic in cleartext, which allows remote attackers to obtain sensitive (1) message or (2) MJPEG video data by sniffing the network.
16 CVE-2015-8252 200 +Info 2015-12-26 2015-12-28
4.3
None Remote Medium Not required Partial None None
The Frontel protocol before 3 on RSI Video Technologies Videofied devices sends a cleartext serial number, which allows remote attackers to determine a hardcoded key by sniffing the network and performing a "jumbled up" calculation with this number.
17 CVE-2015-8242 119 DoS Overflow +Info 2015-12-15 2017-09-13
5.8
None Remote Medium Not required Partial None Partial
The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.
18 CVE-2015-8241 119 DoS Overflow +Info 2015-12-15 2017-09-13
6.4
None Remote Low Not required Partial None Partial
The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data.
19 CVE-2015-8232 200 +Info 2015-11-17 2015-11-18
4.3
None Remote Medium Not required Partial None None
The UC Profile module 6.x-1.x before 6.x-1.3 for Drupal does not properly check access to profiles in certain circumstances, which might allow remote attackers to obtain sensitive information from the anonymous user profile via unspecified vectors.
20 CVE-2015-8227 20 DoS +Info 2015-11-24 2016-09-13
8.5
None Remote Medium Single system Complete Complete Complete
The built-in web server in Huawei VP9660 multi-point control unit with software before V200R001C30SPC700 allows remote administrators to obtain sensitive information or cause a denial of service via a crafted message.
21 CVE-2015-8213 200 +Info 2015-12-07 2016-12-07
5.0
None Remote Low Not required Partial None None
The get_format function in utils/formats.py in Django before 1.7.x before 1.7.11, 1.8.x before 1.8.7, and 1.9.x before 1.9rc2 might allow remote attackers to obtain sensitive application secrets via a settings key in place of a date/time format setting, as demonstrated by SECRET_KEY.
22 CVE-2015-8100 200 +Info 2015-11-09 2016-12-07
2.1
None Local Low Not required Partial None None
The net-snmp package in OpenBSD through 5.8 uses 0644 permissions for snmpd.conf, which allows local users to obtain sensitive community information by reading this file.
23 CVE-2015-8095 200 +Info 2015-11-09 2015-11-10
5.0
None Remote Low Not required Partial None None
The recycle bin feature in the Monster Menus module 7.x-1.21 before 7.x-1.24 for Drupal does not properly remove nodes from view, which allows remote attackers to obtain sensitive information via an unspecified URL pattern.
24 CVE-2015-8090 200 +Priv +Info 2015-11-18 2015-11-19
4.0
None Remote Low Single system Partial None None
The Web Server component in TIBCO LogLogic Unity before 1.1.1 allows remote authenticated users to gain privileges, and consequently obtain sensitive information, via an HTTP request.
25 CVE-2015-8081 200 +Info 2015-11-06 2017-01-05
5.0
None Remote Low Not required Partial None None
The Field as Block module 7.x-1.x before 7.x-1.4 for Drupal might allow remote attackers to obtain sensitive field information by reading a cached block.
26 CVE-2015-8076 119 Overflow +Info 2015-12-03 2016-11-29
7.5
None Remote Low Not required Partial Partial Partial
The index_urlfetch function in index.c in Cyrus IMAP 2.3.x before 2.3.19, 2.4.x before 2.4.18, 2.5.x before 2.5.4 allows remote attackers to obtain sensitive information or possibly have unspecified other impact via vectors related to the urlfetch range, which triggers an out-of-bounds heap read.
27 CVE-2015-8074 200 Bypass +Info 2015-11-03 2015-11-03
5.0
None Remote Low Not required Partial None None
mediaserver in Android before 5.1.1 LMY48X allows remote attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via unknown vectors, aka internal bugs 23540907 and 23515142, a different vulnerability than CVE-2015-6611.
28 CVE-2015-8007 200 +Info 2015-11-09 2015-11-10
4.0
None Remote Low Single system Partial None None
The Echo extension for MediWiki does not properly implement the hideuser functionality, which allows remote authenticated users to see hidden usernames in "non-revision based" notifications, as demonstrated by viewing a hidden username in a Thanks notification.
29 CVE-2015-8005 200 +Info 2015-11-09 2015-11-10
5.0
None Remote Low Not required Partial None None
MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 uses the thumbnail ImageMagick command line argument, which allows remote attackers to obtain the installation path by reading the metadata of a PNG thumbnail file.
30 CVE-2015-7998 200 +Info 2015-11-17 2016-12-07
5.0
None Remote Low Not required Partial None None
The administration UI in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway before 10.1 Build 133.9, 10.5 before Build 58.11, and 10.5.e before Build 56.1505.e on NetScaler Service Delivery Appliance Service VM (SVM) devices allows attackers to obtain sensitive information via unspecified vectors.
31 CVE-2015-7996 200 +Info 2015-11-17 2016-12-07
5.0
None Remote Low Not required Partial None None
The Nitro API in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway before 10.1 Build 133.9, 10.5 before Build 58.11, and 10.5.e before Build 56.1505.e on NetScaler Service Delivery Appliance Service VM (SVM) devices allow attackers to obtain credentials via the browser cache.
32 CVE-2015-7991 200 +Info 2015-11-10 2015-11-12
5.0
None Remote Low Not required Partial None None
The Web Dispatcher service in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to read web dispatcher and security trace files and possibly obtain passwords via unspecified vectors, aka SAP Security Note 2148854.
33 CVE-2015-7981 200 +Info 2015-11-24 2017-06-30
5.0
None Remote Low Not required Partial None None
The png_convert_to_rfc1123 function in png.c in libpng 1.0.x before 1.0.64, 1.2.x before 1.2.54, and 1.4.x before 1.4.17 allows remote attackers to obtain sensitive process memory information via crafted tIME chunk data in an image file, which triggers an out-of-bounds read.
34 CVE-2015-7935 200 +Info 2015-12-22 2016-11-28
5.0
None Remote Low Not required Partial None None
Motorola Solutions MOSCAD IP Gateway allows remote attackers to read arbitrary files via unspecified vectors.
35 CVE-2015-7934 200 +Info 2015-12-23 2016-11-28
5.0
None Remote Low Not required Partial None None
The Java client in Adcon Telemetry A840 Telemetry Gateway Base Station allows remote attackers to discover log-file pathnames via unspecified vectors.
36 CVE-2015-7932 200 +Info 2015-12-23 2016-11-28
5.0
None Remote Low Not required Partial None None
Adcon Telemetry A840 Telemetry Gateway Base Station allows remote attackers to obtain sensitive information by sniffing the network.
37 CVE-2015-7931 20 +Info 2015-12-23 2016-11-28
5.8
None Remote Medium Not required Partial Partial None
The Java client in Adcon Telemetry A840 Telemetry Gateway Base Station does not authenticate the station device, which allows man-in-the-middle attackers to spoof devices and obtain sensitive information by reading cleartext packet data, related to the lack of SSL support.
38 CVE-2015-7929 200 +Info 2015-12-23 2016-12-07
5.0
None Remote Low Not required Partial None None
eWON devices with firmware through 10.1s0 support unspecified GET requests, which might allow remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history.
39 CVE-2015-7928 200 +Info 2015-12-23 2016-12-07
5.0
None Remote Low Not required Partial None None
eWON devices with firmware before 10.1s0 do not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.
40 CVE-2015-7926 200 +Info 2015-12-23 2016-12-07
5.0
None Remote Low Not required Partial None None
eWON devices with firmware before 10.1s0 omit RBAC for I/O server information and status requests, which allows remote attackers to obtain sensitive information via an unspecified URL.
41 CVE-2015-7908 200 +Info 2015-12-21 2015-12-21
9.3
None Remote Medium Not required Complete Complete Complete
Honeywell Midas gas detectors before 1.13b3 and Midas Black gas detectors before 2.13b3 allow remote attackers to discover cleartext passwords by sniffing the network.
42 CVE-2015-7902 200 +Info 2015-10-28 2015-10-28
5.0
None Remote Low Not required Partial None None
Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 build 430 provides different error messages for failed login attempts in unspecified circumstances, which allows remote attackers to obtain sensitive information via a series of requests.
43 CVE-2015-7900 200 +Info 2015-10-28 2015-10-28
4.3
None Remote Medium Not required Partial None None
Infinite Automation Mango Automation 2.5.x and 2.6.x before 2.6.0 build 430 allows remote attackers to obtain sensitive debugging information by entering a crafted URL to trigger an exception, and then visiting a certain status page.
44 CVE-2015-7899 284 +Info 2015-10-29 2015-10-30
5.0
None Remote Low Not required Partial None None
The com_content component in Joomla! 3.x before 3.4.5 does not properly check ACLs, which allows remote attackers to obtain sensitive information via unspecified vectors.
45 CVE-2015-7885 200 +Info 2015-12-28 2016-12-07
2.1
None Local Low Not required Partial None None
The dgnc_mgmt_ioctl function in drivers/staging/dgnc/dgnc_mgmt.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application.
46 CVE-2015-7884 200 +Info 2015-12-28 2016-12-07
1.9
None Local Medium Not required Partial None None
The vivid_fb_ioctl function in drivers/media/platform/vivid/vivid-osd.c in the Linux kernel through 4.3.3 does not initialize a certain structure member, which allows local users to obtain sensitive information from kernel memory via a crafted application.
47 CVE-2015-7869 189 DoS Overflow +Priv +Info 2015-11-24 2016-08-25
6.6
None Local Medium Not required Complete Partial Complete
Multiple integer overflows in the kernel mode driver for the NVIDIA GPU graphics driver R340 before 341.92, R352 before 354.35, and R358 before 358.87 on Windows and R304 before 304.131, R340 before 340.96, R352 before 352.63, and R358 before 358.16 on Linux allow local users to obtain sensitive information, cause a denial of service (crash), or possibly gain privileges via unknown vectors, which trigger uninitialized or out of bounds memory access. NOTE: this identifier has been SPLIT per ADT2 and ADT3 due to different vulnerability type and affected versions. See CVE-2015-8328 for the vulnerability in the NVAPI support layer in NVIDIA drivers for Windows.
48 CVE-2015-7859 200 +Info 2015-10-29 2015-10-30
5.0
None Remote Low Not required Partial None None
The com_contenthistory component in Joomla! 3.2 before 3.4.5 does not properly check ACLs, which allows remote attackers to obtain sensitive information via unspecified vectors.
49 CVE-2015-7836 200 +Info 2015-10-28 2017-09-14
3.3
None Local Network Low Not required Partial None None
Siemens RUGGEDCOM ROS before 4.2.1 allows remote attackers to obtain sensitive information by sniffing the network for VLAN data within the padding section of an Ethernet frame.
50 CVE-2015-7819 255 +Info 2015-11-11 2015-11-12
5.0
None Remote Low Not required Partial None None
The DB service in IBM System Networking Switch Center (SNSC) before 7.3.1.5 and Lenovo Switch Center before 8.1.2.0 allows remote attackers to obtain sensitive administrator-account information via a request on port 40999, as demonstrated by an improperly encrypted password.
Total number of vulnerabilities : 748   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.