| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
6151 |
CVE-2015-7384 |
400 |
|
DoS |
2017-10-10 |
2017-10-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service. |
|
6152 |
CVE-2015-7371 |
264 |
|
DoS |
2015-10-14 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Revive Adserver before 3.2.2 does not restrict access to run-mpe.php, which allows remote attackers to run the Maintenance Priority Engine and possibly cause a denial of service (resource consumption) via a direct request. |
|
6153 |
CVE-2015-7322 |
200 |
|
+Info |
2015-10-05 |
2016-12-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (formerly Juniper Junos Pulse) before 7.1R22.1, 7.4, 8.0 before 8.0R11, and 8.1 before 8.1R3 provides different messages for attempts to join a meeting depending on the status of the meeting, which allows remote attackers to enumerate valid meeting ids via a series of requests. |
|
6154 |
CVE-2015-7318 |
20 |
|
|
2017-09-25 |
2017-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers into HTTP responses. |
|
6155 |
CVE-2015-7305 |
200 |
|
+Info |
2015-09-21 |
2015-09-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Scald module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to fields, which allows remote attackers to obtain sensitive atom property information via vectors involving a "debug context." |
|
6156 |
CVE-2015-7298 |
|
|
|
2015-10-26 |
2015-10-28 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression. |
|
6157 |
CVE-2015-7295 |
119 |
|
DoS Overflow |
2015-11-09 |
2017-11-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface. |
|
6158 |
CVE-2015-7294 |
90 |
|
|
2017-09-06 |
2017-09-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP injection attacks via a crafted username. |
|
6159 |
CVE-2015-7285 |
287 |
|
Bypass |
2015-11-24 |
2015-11-25 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 do not require authentication from Alarm Receiving Center (ARC) servers, which allows man-in-the-middle attackers to bypass intended access restrictions via a spoofed HSxx response. |
|
6160 |
CVE-2015-7279 |
|
|
|
2015-12-31 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Amped Wireless R10000 devices with firmware 2.5.2.11 use an improper algorithm for selecting the ID value in the header of a DNS query, which makes it easier for remote attackers to spoof responses by predicting this value. |
|
6161 |
CVE-2015-7265 |
284 |
|
Bypass |
2017-04-09 |
2018-08-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Facebook Proxygen before 2015-11-09 mismanages HTTPMessage.request state, which allows remote attackers to conduct hijacking attacks and bypass ACL checks. |
|
6162 |
CVE-2015-7263 |
284 |
|
Bypass |
2017-04-09 |
2018-08-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The SPDY/2 codec in Facebook Proxygen before 2015-11-09 allows remote attackers to conduct hijacking attacks and bypass ACL checks via a crafted host value. |
|
6163 |
CVE-2015-7255 |
200 |
|
+Info |
2017-08-29 |
2017-09-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ZTE OX-330P, ZXHN H108N, W300V1.0.0S_ZRD_TR1_D68, HG110, GAN9.8T101A-B, MF28G, ZXHN H108N use non-unique X.509 certificates and SSH host keys, which might allow remote attackers to obtain credentials or other sensitive information via a man-in-the-middle attack, passive decryption attack, or impersonating a legitimate device. |
|
6164 |
CVE-2015-7254 |
22 |
|
Dir. Trav. |
2015-11-06 |
2018-02-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s devices allows remote attackers to read arbitrary files via a .. (dot dot) in an icon/ URI. |
|
6165 |
CVE-2015-7248 |
200 |
|
+Info |
2015-12-30 |
2017-09-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote attackers to discover usernames and password hashes by reading the cgi-bin/webproc HTML source code, a different vulnerability than CVE-2015-8703. |
|
6166 |
CVE-2015-7245 |
22 |
|
Dir. Trav. |
2017-04-24 |
2017-04-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remote attackers to read sensitive information via a .. (dot dot) in the errorpage parameter. |
|
6167 |
CVE-2015-7237 |
22 |
|
Dir. Trav. +Info |
2015-09-18 |
2015-09-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in the remote log viewing functionality in McAfee Agent (MA) 5.x before 5.0.2 allows remote attackers to obtain sensitive information via unspecified vectors. |
|
6168 |
CVE-2015-7236 |
|
|
DoS |
2015-10-01 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code. |
|
6169 |
CVE-2015-7233 |
352 |
|
CSRF |
2015-09-17 |
2015-09-18 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Import module is enabled, allows remote attackers to hijack the authentication of administrators for requests that create new OSF datasets via unspecified vectors. |
|
6170 |
CVE-2015-7231 |
20 |
|
|
2015-09-17 |
2015-09-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The Commerce Commonwealth (CBA) module 7.x-1.x before 7.x-1.5 for Drupal does not properly validate payments, which allows remote attackers to make a failed payment appear valid via a crafted URL, related to a "response from commweb." |
|
6171 |
CVE-2015-7228 |
|
|
+Info |
2015-09-17 |
2015-09-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The RESTful module 7.x-1.x before 7.x-1.3 for Drupal does not properly cache pages of authenticated users when using non-cookie authentication providers, which allows remote attackers to obtain sensitive information via unspecified vectors. |
|
6172 |
CVE-2015-7226 |
200 |
|
+Info |
2015-09-17 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Administration Views module 7.x-1.x before 7.x-1.5 for Drupal checks access permissions based on the router path from the view instead of the display property, which allows remote attackers to obtain sensitive information via vectors related to the access handler. |
|
6173 |
CVE-2015-7219 |
189 |
|
DoS |
2015-12-16 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The HTTP/2 implementation in Mozilla Firefox before 43.0 allows remote attackers to cause a denial of service (integer underflow, assertion failure, and application exit) via a malformed PushPromise frame that triggers decompressed-buffer length miscalculation and incorrect memory allocation. |
|
6174 |
CVE-2015-7218 |
189 |
|
DoS |
2015-12-16 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The HTTP/2 implementation in Mozilla Firefox before 43.0 allows remote attackers to cause a denial of service (integer underflow, assertion failure, and application exit) via a single-byte header frame that triggers incorrect memory allocation. |
|
6175 |
CVE-2015-7215 |
200 |
|
Bypass +Info |
2015-12-16 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The importScripts function in the Web Workers API implementation in Mozilla Firefox before 43.0 allows remote attackers to bypass the Same Origin Policy by triggering use of the no-cors mode in the fetch API to attempt resource access that throws an exception, leading to information disclosure after a rethrow. |
|
6176 |
CVE-2015-7214 |
200 |
|
Bypass +Info |
2015-12-16 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allow remote attackers to bypass the Same Origin Policy via data: and view-source: URIs. |
|
6177 |
CVE-2015-7211 |
20 |
|
|
2015-12-16 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Mozilla Firefox before 43.0 mishandles the # (number sign) character in a data: URI, which allows remote attackers to spoof web sites via unspecified vectors. |
|
6178 |
CVE-2015-7208 |
200 |
|
+Info |
2015-12-16 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Mozilla Firefox before 43.0 stores cookies containing vertical tab characters, which allows remote attackers to obtain sensitive information by reading HTTP Cookie headers. |
|
6179 |
CVE-2015-7207 |
200 |
|
Bypass +Info |
2015-12-16 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Mozilla Firefox before 43.0 does not properly restrict the availability of IFRAME Resource Timing API times, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that leverages history.back and performance.getEntries calls, a related issue to CVE-2015-1300. |
|
6180 |
CVE-2015-7197 |
264 |
|
Bypass |
2015-11-05 |
2016-12-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperly control the ability of a web worker to create a WebSocket object, which allows remote attackers to bypass intended mixed-content restrictions via crafted JavaScript code. |
|
6181 |
CVE-2015-7195 |
200 |
|
+Info |
2015-11-05 |
2016-12-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The URL parsing implementation in Mozilla Firefox before 42.0 improperly recognizes escaped characters in hostnames within Location headers, which allows remote attackers to obtain sensitive information via vectors involving a redirect. |
|
6182 |
CVE-2015-7190 |
200 |
|
+Info |
2015-11-05 |
2016-12-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Search feature in Mozilla Firefox before 42.0 on Android through 4.4 supports search-engine URL registration through an intent and can access this URL in a privileged context in conjunction with the crash reporter, which allows attackers to read log files and visit file: URLs of HTML documents via a crafted application. |
|
6183 |
CVE-2015-7081 |
|
|
|
2015-12-11 |
2017-09-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
iBooks in Apple iOS before 9.2 and OS X before 10.11.2 allows remote attackers to read arbitrary files via an iBooks file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
|
6184 |
CVE-2015-7056 |
200 |
|
+Info |
2015-12-11 |
2016-12-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IDE SCM in Apple Xcode before 7.2 does not recognize .gitignore files, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging the presence of a file matching an ignore pattern. |
|
6185 |
CVE-2015-7045 |
17 |
|
|
2015-12-11 |
2017-09-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Keychain Access in Apple OS X before 10.11.2 and tvOS before 9.1 improperly interacts with Keychain Agent, which allows attackers to spoof the Keychain Server via unspecified vectors. |
|
6186 |
CVE-2015-7037 |
22 |
|
Dir. Trav. |
2015-12-11 |
2016-12-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in Mobile Backup in Photos in Apple iOS before 9.2 allows attackers to read arbitrary files via a crafted pathname. |
|
6187 |
CVE-2015-7031 |
264 |
|
Bypass |
2015-10-23 |
2016-12-23 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The Web Service component in Apple OS X Server before 5.0.15 omits an unspecified HTTP header configuration, which allows remote attackers to bypass intended access restrictions via unknown vectors. |
|
6188 |
CVE-2015-7023 |
17 |
|
|
2015-10-23 |
2016-12-23 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
CFNetwork in Apple iOS before 9.1 and OS X before 10.11.1 does not properly consider the uppercase-versus-lowercase distinction during cookie parsing, which allows remote web servers to overwrite cookies via unspecified vectors. |
|
6189 |
CVE-2015-7020 |
119 |
|
DoS Overflow +Info |
2015-10-23 |
2015-10-26 |
5.6 |
None |
Local |
Low |
Not required |
Partial |
None |
Complete |
|
The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via unspecified vectors, a different vulnerability than CVE-2015-7019. |
|
6190 |
CVE-2015-7019 |
119 |
|
DoS Overflow +Info |
2015-10-23 |
2015-10-26 |
5.6 |
None |
Local |
Low |
Not required |
Partial |
None |
Complete |
|
The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via unspecified vectors, a different vulnerability than CVE-2015-7020. |
|
6191 |
CVE-2015-6999 |
254 |
|
|
2015-10-23 |
2016-12-23 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The OCSP client in Apple iOS before 9.1 does not check for certificate expiry, which allows remote attackers to spoof a valid certificate by leveraging access to a revoked certificate. |
|
6192 |
CVE-2015-6961 |
601 |
|
|
2017-10-18 |
2017-10-31 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout. |
|
6193 |
CVE-2015-6941 |
534 |
|
+Info |
2017-08-09 |
2017-08-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs. |
|
6194 |
CVE-2015-6940 |
200 |
|
+Info |
2015-09-22 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The GetResource servlet in Pentaho Business Analytics (BA) Suite 4.5.x, 4.8.x, and 5.0.x through 5.2.x and Pentaho Data Integration (PDI) Suite 4.3.x, 4.4.x, and 5.0.x through 5.2.x does not restrict access to files in the pentaho-solutions/system folder, which allows remote attackers to obtain passwords and other sensitive information via a file name in the resource parameter. |
|
6195 |
CVE-2015-6932 |
310 |
|
+Info |
2015-09-18 |
2016-12-21 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
VMware vCenter Server 5.5 before u3 and 6.0 before u1 does not verify X.509 certificates from TLS LDAP servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6196 |
CVE-2015-6926 |
287 |
|
|
2018-01-19 |
2018-02-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The OpenID Single Sign-On authentication functionality in OXID eShop before 4.5.0 allows remote attackers to impersonate users via the email address in a crafted authentication token. |
|
6197 |
CVE-2015-6925 |
399 |
|
DoS |
2016-01-22 |
2016-01-25 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or traffic amplification) via a crafted DTLS cookie in a ClientHello message. |
|
6198 |
CVE-2015-6908 |
20 |
|
DoS |
2015-09-11 |
2016-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The ber_get_next function in libraries/liblber/io.c in OpenLDAP 2.4.42 and earlier allows remote attackers to cause a denial of service (reachable assertion and application crash) via crafted BER data, as demonstrated by an attack against slapd. |
|
6199 |
CVE-2015-6843 |
200 |
|
+Info |
2015-10-18 |
2016-12-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Reviewer in EMC SourceOne Email Supervisor before 7.2 does not properly limit attempts to authenticate, which makes it easier for remote attackers to obtain access via a brute-force approach. |
|
6200 |
CVE-2015-6838 |
|
|
DoS |
2016-05-16 |
2017-11-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837. |
