CVE-2015-3043

Known exploited
Public exploit
Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, as exploited in the wild in April 2015, a different vulnerability than CVE-2015-0347, CVE-2015-0350, CVE-2015-0352, CVE-2015-0353, CVE-2015-0354, CVE-2015-0355, CVE-2015-0360, CVE-2015-3038, CVE-2015-3041, and CVE-2015-3042.
Max CVSS
10.0
EPSS Score
2.53%
Published
2015-04-14
Updated
2018-10-30
CISA KEV Added
2022-03-03

CVE-2015-3035

Known exploited
Public exploit
Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310 allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/.
Max CVSS
7.8
EPSS Score
58.99%
Published
2015-04-22
Updated
2018-10-09
CISA KEV Added
2022-03-25

CVE-2015-1701

Known exploited
Public exploit
Used for ransomware
Win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in April 2015, aka "Win32k Elevation of Privilege Vulnerability."
Max CVSS
7.2
EPSS Score
0.53%
Published
2015-04-21
Updated
2020-05-14
CISA KEV Added
2022-03-03

CVE-2015-1635

Known exploited
Public exploit
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to execute arbitrary code via crafted HTTP requests, aka "HTTP.sys Remote Code Execution Vulnerability."
Max CVSS
10.0
EPSS Score
97.54%
Published
2015-04-14
Updated
2019-05-14
CISA KEV Added
2022-02-10

CVE-2015-1318

Public exploit
The crash reporting feature in Apport 2.13 through 2.17.x before 2.17.1 allows local users to gain privileges via a crafted usr/share/apport/apport file in a namespace (container).
Max CVSS
7.2
EPSS Score
0.06%
Published
2015-04-17
Updated
2018-02-08

CVE-2015-1130

Known exploited
Public exploit
The XPC implementation in Admin Framework in Apple OS X before 10.10.3 allows local users to bypass authentication and obtain admin privileges via unspecified vectors.
Max CVSS
7.2
EPSS Score
0.05%
Published
2015-04-10
Updated
2015-09-17
CISA KEV Added
2022-02-10

CVE-2015-1126

Public exploit
WebKit, as used in Apple iOS before 8.3 and Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5, does not properly handle the userinfo field in FTP URLs, which allows remote attackers to trigger incorrect resource access via unspecified vectors.
Max CVSS
4.3
EPSS Score
94.23%
Published
2015-04-10
Updated
2015-09-11

CVE-2015-0816

Public exploit
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js.
Max CVSS
5.0
EPSS Score
96.39%
Published
2015-04-01
Updated
2017-09-17

CVE-2015-0802

Public exploit
Mozilla Firefox before 37.0 relies on docshell type information instead of page principal information for Window.webidl access control, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via certain content navigation that leverages the reachability of a privileged window with an unintended persistence of access to restricted internal methods.
Max CVSS
5.0
EPSS Score
39.65%
Published
2015-04-01
Updated
2018-10-30

CVE-2015-0359

Public exploit
Double free vulnerability in Adobe Flash Player before 13.0.0.281 and 14.x through 17.x before 17.0.0.169 on Windows and OS X and before 11.2.202.457 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0346.
Max CVSS
10.0
EPSS Score
97.47%
Published
2015-04-14
Updated
2017-10-07
The communication module on the Hospira LifeCare PCA Infusion System before 7.0 does not require authentication for root TELNET sessions, which allows remote attackers to modify the pump configuration via unspecified commands.
Max CVSS
10.0
EPSS Score
2.21%
Published
2015-04-29
Updated
2017-01-03
The fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 does not restrict the stream wrapper used in a template path, which allows remote administrators to include and execute arbitrary PHP files via the phar:// stream wrapper, related to the setScriptPath function. NOTE: it is not clear whether this issue crosses privilege boundaries, since administrators might already have privileges to include arbitrary files.
Max CVSS
6.5
EPSS Score
0.49%
Published
2015-04-29
Updated
2016-12-06
Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allow remote attackers to bypass authentication via the forwarded parameter.
Max CVSS
5.0
EPSS Score
49.75%
Published
2015-04-29
Updated
2016-12-06
REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log.
Max CVSS
2.1
EPSS Score
0.04%
Published
2015-04-29
Updated
2016-12-06
Multiple cross-site scripting (XSS) vulnerabilities in macIpSpoofView.html in Dell SonicWall SonicOS 7.5.0.12 and 6.x allow remote attackers to inject arbitrary web script or HTML via the (1) searchSpoof or (2) searchSpoofIpDet parameter.
Max CVSS
4.3
EPSS Score
0.33%
Published
2015-04-29
Updated
2018-10-09
Use-after-free vulnerability in the ff_h264_free_tables function in libavcodec/h264.c in FFmpeg before 2.3.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted H.264 data in an MP4 file, as demonstrated by an HTML VIDEO element that references H.264 data.
Max CVSS
6.8
EPSS Score
1.68%
Published
2015-04-24
Updated
2017-07-01
The sqlite3VXPrintf function in printf.c in SQLite before 3.8.9 does not properly handle precision and width values during floating-point conversions, which allows context-dependent attackers to cause a denial of service (integer overflow and stack-based buffer overflow) or possibly have unspecified other impact via large integers in a crafted printf function call in a SELECT statement.
Max CVSS
7.5
EPSS Score
0.52%
Published
2015-04-24
Updated
2022-08-16
The sqlite3VdbeExec function in vdbe.c in SQLite before 3.8.9 does not properly implement comparison operators, which allows context-dependent attackers to cause a denial of service (invalid free operation) or possibly have unspecified other impact via a crafted CHECK clause, as demonstrated by CHECK(0&O>O) in a CREATE TABLE statement.
Max CVSS
7.5
EPSS Score
0.83%
Published
2015-04-24
Updated
2022-08-16
SQLite before 3.8.9 does not properly implement the dequoting of collation-sequence names, which allows context-dependent attackers to cause a denial of service (uninitialized memory access and application crash) or possibly have unspecified other impact via a crafted COLLATE clause, as demonstrated by COLLATE"""""""" at the end of a SELECT statement.
Max CVSS
7.5
EPSS Score
0.83%
Published
2015-04-24
Updated
2022-08-16
The Certify module before 6.x-2.3 for Drupal does not properly perform node access checks, which allows remote authenticated users to bypass intended access restrictions and obtain sensitive PDF certificate information via vectors related to "showing (and creating) the PDF certificates."
Max CVSS
4.0
EPSS Score
0.14%
Published
2015-04-22
Updated
2016-12-06
Open redirect vulnerability in the Commerce WeDeal module before 7.x-1.3 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter.
Max CVSS
5.8
EPSS Score
0.35%
Published
2015-04-21
Updated
2017-09-08
Cross-site scripting (XSS) vulnerability in the Ajax Timeline module before 7.x-1.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a node title.
Max CVSS
3.5
EPSS Score
0.11%
Published
2015-04-21
Updated
2017-09-08
The Path Breadcrumbs module before 7.x-3.2 for Drupal allows remote attackers to bypass intended access restrictions and obtain sensitive node titles by reading a 403 Not Found page.
Max CVSS
5.0
EPSS Score
0.44%
Published
2015-04-21
Updated
2018-04-07
Cross-site scripting (XSS) vulnerability in the Facebook Album Fetcher module for Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS
3.5
EPSS Score
0.10%
Published
2015-04-21
Updated
2017-09-08
Cross-site scripting (XSS) vulnerability in the Download counts report page in the Public Download Count module (pubdlcnt) 7.x-1.x-dev and earlier for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS
3.5
EPSS Score
0.10%
Published
2015-04-21
Updated
2017-09-08
538 vulnerabilities found
1 2 3 4 5 6 ...... 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!