CVE-2015-4133

Public exploit
Unrestricted file upload vulnerability in admin/scripts/FileUploader/php.php in the ReFlex Gallery plugin before 3.1.4 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in uploads/ directory.
Max CVSS: 7.5
EPSS Score: 85.69%
Published: 2015-05-28
Updated: 2016-11-28

CVE-2015-4000

Public exploit
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.
Max CVSS: 4.3
EPSS Score: 97.46%
Published: 2015-05-21
Updated: 2023-02-09

CVE-2015-3337

Public exploit
Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors.
Max CVSS: 4.3
EPSS Score: 96.45%
Published: 2015-05-01
Updated: 2015-06-25

CVE-2015-3306

Public exploit
The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.
Max CVSS: 10.0
EPSS Score: 97.19%
Published: 2015-05-18
Updated: 2021-05-26

CVE-2015-3090

Public exploit
Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3078, CVE-2015-3089, and CVE-2015-3093.
Max CVSS: 10.0
EPSS Score: 97.38%
Published: 2015-05-13
Updated: 2017-01-03

CVE-2015-2845

Public exploit
The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1421902800 allows remote attackers to execute arbitrary commands via the $type portion of the PATH_INFO.
Max CVSS: 10.0
EPSS Score: 7.92%
Published: 2015-05-12
Updated: 2018-10-09

CVE-2015-2843

Public exploit
Multiple SQL injection vulnerabilities in GoAutoDial GoAdmin CE before 3.3-1421902800 allow remote attackers to execute arbitrary SQL commands via the (1) user_name or (2) user_pass parameter in go_login.php or the PATH_INFO to (3) go_login/validate_credentials/admin/ or (4) index.php/go_site/go_get_user_info/.
Max CVSS: 7.5
EPSS Score: 1.81%
Published: 2015-05-12
Updated: 2018-10-09

CVE-2015-2219

Public exploit
Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens, which allows local users to gain privileges by sending a valid token with a command to the System Update service (SUService.exe) through an unspecified named pipe.
Max CVSS: 7.2
EPSS Score: 0.09%
Published: 2015-05-12
Updated: 2016-12-03

CVE-2015-1833

Public exploit
XML external entity (XXE) vulnerability in Apache Jackrabbit before 2.0.6, 2.2.x before 2.2.14, 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.1, and 2.10.x before 2.10.1 allows remote attackers to read arbitrary files and send requests to intranet servers via a crafted WebDAV request.
Max CVSS: 6.4
EPSS Score: 1.84%
Published: 2015-05-29
Updated: 2018-10-09

CVE-2015-1155

Public exploit
The history implementation in WebKit, as used in Apple Safari before 6.2.6, 7.x before 7.1.6, and 8.x before 8.0.6, allows remote attackers to bypass the Same Origin Policy and read arbitrary files via a crafted web site.
Max CVSS: 4.3
EPSS Score: 1.15%
Published: 2015-05-08
Updated: 2017-01-03

CVE-2014-9727

Public exploit
AVM Fritz!Box allows remote attackers to execute arbitrary commands via shell metacharacters in the var:lang parameter to cgi-bin/webcm.
Max CVSS: 10.0
EPSS Score: 95.72%
Published: 2015-05-29
Updated: 2018-08-13

CVE-2014-8361

Known exploited
Public exploit
The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request, as exploited in the wild through 2023.
Max CVSS: 10.0
EPSS Score: 96.93%
Published: 2015-05-01
Updated: 2023-09-05
CISA KEV Added: 2023-09-18
12 vulnerabilities found