CVE-2015-1376

Public exploit
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.
Max CVSS
4.0
EPSS Score
88.83%
Published
2015-01-28
Updated
2018-10-09

CVE-2015-0925

Public exploit
The client in iPass Open Mobile before 2.4.5 on Windows allows remote authenticated users to execute arbitrary code via a DLL pathname in a crafted Unicode string that is improperly handled by a subprocess reached through a named pipe, as demonstrated by a UNC share pathname.
Max CVSS
9.0
EPSS Score
1.79%
Published
2015-01-22
Updated
2015-01-24

CVE-2015-0922

Public exploit
McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password.
Max CVSS
5.0
EPSS Score
0.81%
Published
2015-01-09
Updated
2017-09-08

CVE-2015-0921

Public exploit
XML external entity (XXE) vulnerability in the Server Task Log in McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 allows remote authenticated users to read arbitrary files via the conditionXML parameter to the taskLogTable to orionUpdateTableFilter.do.
Max CVSS
4.0
EPSS Score
2.65%
Published
2015-01-09
Updated
2017-09-08

CVE-2015-0311

Known exploited
Public exploit
Unspecified vulnerability in Adobe Flash Player through 13.0.0.262 and 14.x, 15.x, and 16.x through 16.0.0.287 on Windows and OS X and through 11.2.202.438 on Linux allows remote attackers to execute arbitrary code via unknown vectors, as exploited in the wild in January 2015.
Max CVSS
10.0
EPSS Score
97.28%
Published
2015-01-23
Updated
2015-02-14
CISA KEV Added
2022-04-13

CVE-2015-0235

Public exploit
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
Max CVSS
10.0
EPSS Score
97.52%
Published
2015-01-28
Updated
2022-07-05

CVE-2015-0016

Known exploited
Public exploit
Directory traversal vulnerability in the TS WebProxy (aka TSWbPrxy) component in Microsoft Windows Vista SP2, Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to gain privileges via a crafted pathname in an executable file, as demonstrated by a transition from Low Integrity to Medium Integrity, aka "Directory Traversal Elevation of Privilege Vulnerability."
Max CVSS
9.3
EPSS Score
26.60%
Published
2015-01-13
Updated
2018-10-12
CISA KEV Added
2022-05-25

CVE-2015-0002

Public exploit
The AhcVerifyAdminContext function in ahcache.sys in the Application Compatibility component in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not verify that an impersonation token is associated with an administrative account, which allows local users to gain privileges by running AppCompatCache.exe with a crafted DLL file, aka MSRC ID 20544 or "Microsoft Application Compatibility Infrastructure Elevation of Privilege Vulnerability."
Max CVSS
7.2
EPSS Score
0.04%
Published
2015-01-13
Updated
2018-10-12

CVE-2014-100015

Public exploit
Directory traversal vulnerability in pdmwService.exe in SolidWorks Workgroup PDM 2014 allows remote attackers to write to arbitrary files via a .. (dot dot) in the filename in a file upload.
Max CVSS
6.4
EPSS Score
55.30%
Published
2015-01-13
Updated
2017-09-08

CVE-2014-100005

Public exploit
Multiple cross-site request forgery (CSRF) vulnerabilities in D-Link DIR-600 router (rev. Bx) with firmware before 2.17b02 allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator account or (2) enable remote management via a crafted configuration module to hedwig.cgi, (3) activate new configuration settings via a SETCFG,SAVE,ACTIVATE action to pigwidgeon.cgi, or (4) send a ping via a ping action to diagnostic.php.
Max CVSS
6.8
EPSS Score
42.13%
Published
2015-01-13
Updated
2023-11-08

CVE-2014-100002

Public exploit
Directory traversal vulnerability in ManageEngine SupportCenter Plus 7.9 before 7917 allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the attach parameter to WorkOrder.do in the file attachment for a new ticket.
Max CVSS
5.0
EPSS Score
61.41%
Published
2015-01-13
Updated
2017-09-08

CVE-2014-9583

Public exploit
common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass authentication and execute arbitrary commands via a NET_CMD_ID_MANU_CMD packet to UDP port 9999. NOTE: this issue was incorrectly mapped to CVE-2014-10000, but that ID is invalid due to its use as an example of the 2014 CVE ID syntax change.
Max CVSS
10.0
EPSS Score
96.52%
Published
2015-01-08
Updated
2018-04-27

CVE-2014-9308

Public exploit
Unrestricted file upload vulnerability in inc/amfphp/administration/banneruploaderscript.php in the WP EasyCart (aka WordPress Shopping Cart) plugin before 3.0.9 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in products/banners/.
Max CVSS
6.5
EPSS Score
93.07%
Published
2015-01-15
Updated
2015-01-16

CVE-2014-9195

Public exploit
Phoenix Contact ProConOs and MultiProg do not require authentication, which allows remote attackers to execute arbitrary commands via protocol-compliant traffic.
Max CVSS
7.5
EPSS Score
5.80%
Published
2015-01-17
Updated
2018-11-29

CVE-2014-8636

Public exploit
The XrayWrapper implementation in Mozilla Firefox before 35.0 and SeaMonkey before 2.32 does not properly interact with a DOM object that has a named getter, which might allow remote attackers to execute arbitrary JavaScript code with chrome privileges via unspecified vectors.
Max CVSS
7.5
EPSS Score
93.70%
Published
2015-01-14
Updated
2017-09-08

CVE-2014-6593

Public exploit
Unspecified vulnerability in Oracle Java SE 5.0u75, 6u85, 7u72, and 8u25; Java SE Embedded 7u71 and 8u6; and JRockit 27.8.4 and 28.3.4 allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.
Max CVSS
4.0
EPSS Score
69.76%
Published
2015-01-21
Updated
2022-05-13
16 vulnerabilities found
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!