CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2015 (CVSS score >= 7)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-2679 89 1 Exec Code Sql 2015-03-23 2016-12-02
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in MetalGenix GeniXCMS before 0.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) page parameter to index.php or (2) username parameter to gxadmin/login.php.
2 CVE-2015-2216 89 1 Exec Code Sql 2015-03-05 2016-12-02
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme 4.x for WordPress allows remote attackers to execute arbitrary SQL commands via the prod_id parameter.
3 CVE-2015-2208 77 1 Exec Code 2015-03-12 2015-03-12
7.5
None Remote Low Not required Partial Partial Partial
The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the object parameter.
4 CVE-2015-2196 89 1 Exec Code Sql 2015-03-03 2015-03-04
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Spider Event Calendar 1.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php.
5 CVE-2015-2183 89 1 Exec Code Sql 2015-03-10 2015-07-28
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the administrative backend in ZeusCart 4 allow remote administrators to execute arbitrary SQL commands via the id parameter in a (1) disporders detail or (2) subadminmgt edit action or (3) cid parameter in an editcurrency action to admin/.
6 CVE-2015-2102 89 1 Exec Code Sql 2015-02-27 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in view_item.php in ClipBucket 2.7 RC3 (2.7.0.4.v2929-rc3) allows remote attackers to execute arbitrary SQL commands via the item parameter.
7 CVE-2015-2090 89 1 Exec Code Sql 2015-02-26 2016-11-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the ajax_survey function in settings.php in the WordPress Survey and Poll plugin 1.1.7 for Wordpress allows remote attackers to execute arbitrary SQL commands via the survey_id parameter in an ajax_survey action to wp-admin/admin-ajax.php.
8 CVE-2015-2070 89 1 Exec Code Sql 2015-02-24 2016-11-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in eTouch SamePage Enterprise Edition 4.4.0.0.239 allows remote attackers to execute arbitrary SQL commands via the catId parameter to cm/blogrss/feed.
9 CVE-2015-2065 89 1 Exec Code Sql 2015-02-24 2016-11-29
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in videogalleryrss.php in the Apptha WordPress Video Gallery (contus-video-gallery) plugin before 2.8 for WordPress allows remote attackers to execute arbitrary SQL commands via the vid parameter in a rss action to wp-admin/admin-ajax.php.
10 CVE-2015-2055 20 1 DoS 2015-02-23 2016-11-29
7.8
None Remote Low Not required None None Complete
Zhone GPON 2520 with firmware R4.0.2.566b allows remote attackers to cause a denial of service via a long string in the oldpassword parameter.
11 CVE-2015-1587 1 Exec Code 2015-02-19 2015-02-20
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in file_to_index.php in Maarch LetterBox 2.8 and earlier and GEC/GED 1.4 and earlier allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a request to a predictable filename in tmp/.
12 CVE-2015-1518 89 1 Exec Code Sql 2015-02-11 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the search_post function in includes/search.php in Redaxscript before 2.3.0 allows remote attackers to execute arbitrary SQL commands via the search_terms parameter.
13 CVE-2015-1515 264 1 +Priv 2015-02-19 2015-02-20
7.2
None Local Low Not required Complete Complete Complete
The dwall.sys driver in SoftSphere DefenseWall Personal Firewall 3.24 allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted 0x00222000, 0x00222004, 0x00222008, 0x0022200c, or 0x00222010 IOCTL call.
14 CVE-2015-1497 94 2 Exec Code 2015-02-16 2017-09-02
10.0
None Remote Low Not required Complete Complete Complete
radexecd.exe in Persistent Systems Radia Client Automation (RCA) 7.9, 8.1, 9.0, and 9.1 allows remote attackers to execute arbitrary commands via a crafted request to TCP port 3465.
15 CVE-2015-1477 89 1 Exec Code Sql 2015-02-04 2015-02-04
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the CMSJunkie J-ClassifiedsManager component for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a viewad task to classifieds/offerring-ads.
16 CVE-2015-1476 89 1 Exec Code Sql 2015-02-04 2015-02-04
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in xlinkerz ecommerceMajor allow remote attackers to execute arbitrary SQL commands via the (1) productbycat parameter to product.php, or (2) username or (3) password parameter to __admin/index.php.
17 CVE-2015-1428 89 1 Exec Code Sql 2015-02-03 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Sefrengo before 1.6.2 allow (1) remote attackers to execute arbitrary SQL commands via the sefrengo cookie in a login to backend/main.php or (2) remote authenticated users to execute arbitrary SQL commands via the value_id parameter in a save_value action to backend/main.php.
18 CVE-2015-1375 264 1 2015-01-28 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.
19 CVE-2015-1364 89 1 Exec Code Sql 2015-01-27 2015-01-28
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the getProfile function in system/profile.functions.php in Free Reprintables ArticleFR 3.0.5 allows remote attackers to execute arbitrary SQL commands via the username parameter to register/.
20 CVE-2015-1362 119 1 Exec Code Overflow 2015-01-27 2015-01-28
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the Customize 35mm tab in Two Pilots Exif Pilot 4.7.2 allows remote attackers to execute arbitrary code via a long string in the maker element in an XML file.
21 CVE-2015-0554 264 1 DoS +Info 2015-01-21 2015-01-23
9.4
None Remote Low Not required Complete None Complete
The ADB (formerly Pirelli Broadband Solutions) P.DGA4001N router with firmware PDG_TEF_SP_4.06L.6 does not properly restrict access to the web interface, which allows remote attackers to obtain sensitive information or cause a denial of service (device restart) as demonstrated by a direct request to (1) wlsecurity.html or (2) resetrouter.html.
22 CVE-2015-0016 22 1 +Priv Dir. Trav. 2015-01-13 2018-10-12
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in the TS WebProxy (aka TSWbPrxy) component in Microsoft Windows Vista SP2, Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to gain privileges via a crafted pathname in an executable file, as demonstrated by a transition from Low Integrity to Medium Integrity, aka "Directory Traversal Elevation of Privilege Vulnerability."
23 CVE-2014-100020 89 1 Exec Code Sql 2015-01-13 2017-09-07
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in ChangeEmail.php in iTechClassifieds 3.03.057 allows remote attackers to execute arbitrary SQL commands via the PreviewNum parameter. NOTE: the CatID parameter is already covered by CVE-2008-0685.
24 CVE-2014-100014 119 1 Exec Code Overflow 2015-01-13 2017-09-07
7.5
None Remote Low Not required Partial Partial Partial
Multiple stack-based buffer overflows in pdmwService.exe in SolidWorks Workgroup PDM 2014 SP2 allow remote attackers to execute arbitrary code via a long string in a (1) 2001, (2) 2002, or (3) 2003 opcode to port 3000.
25 CVE-2014-100011 89 1 Exec Code Sql 2015-01-13 2018-10-09
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in /send-to in Sendy 1.1.9.1 allows remote attackers to execute arbitrary SQL commands via the c parameter.
26 CVE-2014-10038 89 1 Exec Code Sql 2015-01-13 2017-09-07
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in agenda/indexdate.php in DomPHP 0.83 and earlier allows remote attackers to execute arbitrary SQL commands via the ids parameter.
27 CVE-2014-10037 22 1 Dir. Trav. 2015-01-13 2017-09-07
7.5
None Remote Low Not required Partial Partial Partial
Directory traversal vulnerability in DomPHP 0.83 and earlier allows remote attackers to have unspecified impact via a .. (dot dot) in the url parameter to photoalbum/index.php.
28 CVE-2014-10031 119 1 Exec Code Overflow 2015-01-13 2017-09-07
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the IMAPd service in Qualcomm Eudora WorldMail 9.0.333.0 allows remote attackers to execute arbitrary code via a long string in a UID command.
29 CVE-2014-10023 89 1 Exec Code Sql 2015-01-13 2017-09-07
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in TopicsViewer 3.0 Beta 1 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) edit_block.php, (2) edit_cat.php, (3) edit_note.php, or (4) rmv_topic.php in admincp/.
30 CVE-2014-10021 1 Exec Code 2015-01-13 2018-10-30
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in UploadHandler.php in the WP Symposium plugin 14.11 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in server/php/.
31 CVE-2014-10020 89 1 Exec Code Sql 2015-01-13 2017-09-07
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in login.php in Simple e-document 1.31 allows remote attackers to execute arbitrary SQL commands via the username parameter.
32 CVE-2014-10013 89 1 Exec Code Sql 2015-01-13 2017-09-07
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Another WordPress Classifieds Plugin plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the keywordphrase parameter in a dosearch action.
33 CVE-2014-9727 78 1 Exec Code 2015-05-29 2018-08-13
10.0
None Remote Low Not required Complete Complete Complete
AVM Fritz!Box allows remote attackers to execute arbitrary commands via shell metacharacters in the var:lang parameter to cgi-bin/webcm.
34 CVE-2014-9643 264 1 +Priv 2015-02-06 2015-02-09
7.2
None Local Low Not required Complete Complete Complete
K7Sentry.sys in K7 Computing Ultimate Security, Anti-Virus Plus, and Total Security before 14.2.0.253 allows local users to write to arbitrary memory locations, and consequently gain privileges, via a crafted 0x95002570, 0x95002574, 0x95002580, 0x950025a8, 0x950025ac, or 0x950025c8 IOCTL call.
35 CVE-2014-9642 264 1 +Priv 2015-02-06 2015-02-09
7.2
None Local Low Not required Complete Complete Complete
bdagent.sys in BullGuard Antivirus, Internet Security, Premium Protection, and Online Backup before 15.0.288 allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted 0x0022405c IOCTL call.
36 CVE-2014-9641 264 1 +Priv 2015-02-06 2015-02-09
7.2
None Local Low Not required Complete Complete Complete
The tmeext.sys driver before 2.0.0.1015 in Trend Micro Antivirus Plus, Internet Security, and Maximum Security allows local users to write to arbitrary memory locations, and consequently gain privileges, via a crafted 0x00222400 IOCTL call.
37 CVE-2014-9633 264 1 +Priv 2015-02-03 2015-02-04
7.5
None Remote Low Not required Partial Partial Partial
The bdisk.sys driver in COMODO Backup before 4.4.1.23 allows remote attackers to gain privileges via a crafted device handle, which triggers a NULL pointer dereference.
38 CVE-2014-9632 264 1 +Priv 2015-02-06 2015-02-17
7.2
None Local Low Not required Complete Complete Complete
The TDI driver (avgtdix.sys) in AVG Internet Security before 2013.3495 Hot Fix 18 and 2015.x before 2015.5315 and Protection before 2015.5315 allows local users to write to arbitrary memory locations, and consequently gain privileges, via a crafted 0x830020f8 IOCTL call.
39 CVE-2014-9583 264 1 Exec Code Bypass 2015-01-08 2018-04-26
10.0
None Remote Low Not required Complete Complete Complete
common.c in infosvr in ASUS WRT firmware 3.0.0.4.376_1071, 3.0.0.376.2524-g0013f52, and other versions, as used in RT-AC66U, RT-N66U, and other routers, does not properly check the MAC address for a request, which allows remote attackers to bypass authentication and execute arbitrary commands via a NET_CMD_ID_MANU_CMD packet to UDP port 9999. NOTE: this issue was incorrectly mapped to CVE-2014-10000, but that ID is invalid due to its use as an example of the 2014 CVE ID syntax change.
40 CVE-2014-9567 94 2 Exec Code 2015-01-07 2017-09-07
7.5
None Remote Low Not required Partial Partial Partial
Unrestricted file upload vulnerability in process-upload.php in ProjectSend (formerly cFTP) r100 through r561 allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in the upload/files/ or upload/temp/ directory.
41 CVE-2014-9566 89 1 Exec Code Sql 2015-03-10 2015-03-11
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11.5, NetFlow Traffic Analyzer (NTA) before 4.1, Network Configuration Manager (NCM) before 7.3.2, IP Address Manager (IPAM) before 4.3, User Device Tracker (UDT) before 3.2, VoIP & Network Quality Manager (VNQM) before 4.2, Server & Application Manager (SAM) before 6.2, Web Performance Monitor (WPM) before 2.2, and possibly other Solarwinds products, allow remote authenticated users to execute arbitrary SQL commands via the (1) dir or (2) sort parameter to the (a) GetAccounts or (b) GetAccountGroups endpoint.
42 CVE-2014-9528 89 1 Exec Code Sql XSS 2015-01-06 2017-09-07
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the actionIndex function in protected/modules_core/notification/controllers/ListController.php in HumHub 0.10.0-rc.1 and earlier allows remote authenticated users to execute arbitrary SQL commands via the from parameter to index.php. NOTE: this can be leveraged for cross-site scripting (XSS) attacks via a request that causes an error.
43 CVE-2014-9456 119 1 Overflow 2015-01-02 2019-04-15
10.0
None Remote Low Not required Complete Complete Complete
Buffer overflow in NotePad++ 6.6.9 allows remote attackers to have unspecified impact via a long Time attribute in an Event element in an XML file. NOTE: this issue was originally incorrectly mapped to CVE-2014-1004; see CVE-2014-1004 for more information.
44 CVE-2014-9448 119 2 DoS Exec Code Overflow 2015-01-02 2015-01-05
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in Mini-stream RM-MP3 Converter 3.1.2.1.2010.03.30 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a long string in a WAX file.
45 CVE-2014-9445 89 1 Exec Code Sql XSS 2015-01-02 2017-09-07
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in incl/create.inc.php in Installatron GQ File Manager 0.2.5 allows remote attackers to execute arbitrary SQL commands via the create parameter to index.php. NOTE: this can be leveraged for cross-site scripting (XSS) attacks by creating a file that generates an error. NOTE: this issue was originally incorrectly mapped to CVE-2014-1137; see CVE-2014-1137 for more information.
46 CVE-2014-9440 89 1 Exec Code Sql 2015-01-02 2017-09-07
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in browse.php in phpMyRecipes 1.2.2 allows remote attackers to execute arbitrary SQL commands via the category parameter.
47 CVE-2014-8835 19 1 Exec Code 2015-01-30 2017-09-07
9.3
None Remote Medium Not required Complete Complete Complete
The xpc_data_get_bytes function in libxpc in Apple OS X before 10.10.2 does not verify that a dictionary's Attributes key has the xpc_data data type, which allows attackers to execute arbitrary code by providing a crafted dictionary to sysmond, related to an "XPC type confusion" issue.
48 CVE-2014-8386 119 1 Exec Code Overflow 2015-01-20 2015-01-21
7.5
None Remote Low Not required Partial Partial Partial
Multiple stack-based buffer overflows in Advantech AdamView 4.3 and earlier allow remote attackers to execute arbitrary code via a crafted (1) display properties or (2) conditional bitmap parameter in a GNI file.
49 CVE-2014-7288 264 1 Exec Code 2015-01-31 2017-09-07
9.0
None Remote Low Single system Complete Complete Complete
Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allow remote authenticated administrators to execute arbitrary shell commands via a crafted command line in a database-backup restore action.
50 CVE-2014-4492 19 1 Exec Code 2015-01-30 2016-12-06
7.5
None Remote Low Not required Partial Partial Partial
libnetcore in Apple iOS before 8.1.3, Apple OS X before 10.10.2, and Apple TV before 7.0.3 does not verify that certain values have the expected data type, which allows attackers to execute arbitrary code in an _networkd context via a crafted XPC message from a sandboxed app, as demonstrated by lack of verification of the XPC dictionary data type.
Total number of vulnerabilities : 52   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.