CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
6151 CVE-2015-7384 400 DoS 2017-10-10 2017-10-27
5.0
None Remote Low Not required None None Partial
Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service.
6152 CVE-2015-7371 264 DoS 2015-10-14 2018-10-09
5.0
None Remote Low Not required None None Partial
Revive Adserver before 3.2.2 does not restrict access to run-mpe.php, which allows remote attackers to run the Maintenance Priority Engine and possibly cause a denial of service (resource consumption) via a direct request.
6153 CVE-2015-7322 200 +Info 2015-10-05 2016-12-07
5.0
None Remote Low Not required Partial None None
The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (formerly Juniper Junos Pulse) before 7.1R22.1, 7.4, 8.0 before 8.0R11, and 8.1 before 8.1R3 provides different messages for attempts to join a meeting depending on the status of the meeting, which allows remote attackers to enumerate valid meeting ids via a series of requests.
6154 CVE-2015-7318 20 2017-09-25 2017-10-03
5.0
None Remote Low Not required None Partial None
Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers into HTTP responses.
6155 CVE-2015-7305 200 +Info 2015-09-21 2015-09-22
5.0
None Remote Low Not required Partial None None
The Scald module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to fields, which allows remote attackers to obtain sensitive atom property information via vectors involving a "debug context."
6156 CVE-2015-7298 2015-10-26 2015-10-28
5.1
None Remote High Not required Partial Partial Partial
ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.
6157 CVE-2015-7295 119 DoS Overflow 2015-11-09 2017-11-03
5.0
None Remote Low Not required None None Partial
hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface.
6158 CVE-2015-7294 90 2017-09-06 2017-09-11
5.0
None Remote Low Not required Partial None None
ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP injection attacks via a crafted username.
6159 CVE-2015-7285 287 Bypass 2015-11-24 2015-11-25
5.8
None Remote Medium Not required Partial Partial None
CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 do not require authentication from Alarm Receiving Center (ARC) servers, which allows man-in-the-middle attackers to bypass intended access restrictions via a spoofed HSxx response.
6160 CVE-2015-7279 2015-12-31 2016-11-28
5.0
None Remote Low Not required None Partial None
Amped Wireless R10000 devices with firmware 2.5.2.11 use an improper algorithm for selecting the ID value in the header of a DNS query, which makes it easier for remote attackers to spoof responses by predicting this value.
6161 CVE-2015-7265 284 Bypass 2017-04-09 2018-08-13
5.0
None Remote Low Not required None Partial None
Facebook Proxygen before 2015-11-09 mismanages HTTPMessage.request state, which allows remote attackers to conduct hijacking attacks and bypass ACL checks.
6162 CVE-2015-7263 284 Bypass 2017-04-09 2018-08-13
5.0
None Remote Low Not required None Partial None
The SPDY/2 codec in Facebook Proxygen before 2015-11-09 allows remote attackers to conduct hijacking attacks and bypass ACL checks via a crafted host value.
6163 CVE-2015-7255 200 +Info 2017-08-29 2017-09-12
5.0
None Remote Low Not required Partial None None
ZTE OX-330P, ZXHN H108N, W300V1.0.0S_ZRD_TR1_D68, HG110, GAN9.8T101A-B, MF28G, ZXHN H108N use non-unique X.509 certificates and SSH host keys, which might allow remote attackers to obtain credentials or other sensitive information via a man-in-the-middle attack, passive decryption attack, or impersonating a legitimate device.
6164 CVE-2015-7254 22 Dir. Trav. 2015-11-06 2018-02-09
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s devices allows remote attackers to read arbitrary files via a .. (dot dot) in an icon/ URI.
6165 CVE-2015-7248 200 +Info 2015-12-30 2017-09-12
5.0
None Remote Low Not required Partial None None
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote attackers to discover usernames and password hashes by reading the cgi-bin/webproc HTML source code, a different vulnerability than CVE-2015-8703.
6166 CVE-2015-7245 22 Dir. Trav. 2017-04-24 2017-04-28
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remote attackers to read sensitive information via a .. (dot dot) in the errorpage parameter.
6167 CVE-2015-7237 22 Dir. Trav. +Info 2015-09-18 2015-09-22
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the remote log viewing functionality in McAfee Agent (MA) 5.x before 5.0.2 allows remote attackers to obtain sensitive information via unspecified vectors.
6168 CVE-2015-7236 DoS 2015-10-01 2017-06-30
5.0
None Remote Low Not required None None Partial
Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code.
6169 CVE-2015-7233 352 CSRF 2015-09-17 2015-09-18
5.1
None Remote High Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Import module is enabled, allows remote attackers to hijack the authentication of administrators for requests that create new OSF datasets via unspecified vectors.
6170 CVE-2015-7231 20 2015-09-17 2015-09-21
5.0
None Remote Low Not required None Partial None
The Commerce Commonwealth (CBA) module 7.x-1.x before 7.x-1.5 for Drupal does not properly validate payments, which allows remote attackers to make a failed payment appear valid via a crafted URL, related to a "response from commweb."
6171 CVE-2015-7228 +Info 2015-09-17 2015-09-21
5.0
None Remote Low Not required Partial None None
The RESTful module 7.x-1.x before 7.x-1.3 for Drupal does not properly cache pages of authenticated users when using non-cookie authentication providers, which allows remote attackers to obtain sensitive information via unspecified vectors.
6172 CVE-2015-7226 200 +Info 2015-09-17 2016-11-28
5.0
None Remote Low Not required Partial None None
The Administration Views module 7.x-1.x before 7.x-1.5 for Drupal checks access permissions based on the router path from the view instead of the display property, which allows remote attackers to obtain sensitive information via vectors related to the access handler.
6173 CVE-2015-7219 189 DoS 2015-12-16 2018-10-30
5.0
None Remote Low Not required None None Partial
The HTTP/2 implementation in Mozilla Firefox before 43.0 allows remote attackers to cause a denial of service (integer underflow, assertion failure, and application exit) via a malformed PushPromise frame that triggers decompressed-buffer length miscalculation and incorrect memory allocation.
6174 CVE-2015-7218 189 DoS 2015-12-16 2018-10-30
5.0
None Remote Low Not required None None Partial
The HTTP/2 implementation in Mozilla Firefox before 43.0 allows remote attackers to cause a denial of service (integer underflow, assertion failure, and application exit) via a single-byte header frame that triggers incorrect memory allocation.
6175 CVE-2015-7215 200 Bypass +Info 2015-12-16 2018-10-30
5.0
None Remote Low Not required Partial None None
The importScripts function in the Web Workers API implementation in Mozilla Firefox before 43.0 allows remote attackers to bypass the Same Origin Policy by triggering use of the no-cors mode in the fetch API to attempt resource access that throws an exception, leading to information disclosure after a rethrow.
6176 CVE-2015-7214 200 Bypass +Info 2015-12-16 2018-10-30
5.0
None Remote Low Not required Partial None None
Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allow remote attackers to bypass the Same Origin Policy via data: and view-source: URIs.
6177 CVE-2015-7211 20 2015-12-16 2018-10-30
5.0
None Remote Low Not required None Partial None
Mozilla Firefox before 43.0 mishandles the # (number sign) character in a data: URI, which allows remote attackers to spoof web sites via unspecified vectors.
6178 CVE-2015-7208 200 +Info 2015-12-16 2018-10-30
5.0
None Remote Low Not required Partial None None
Mozilla Firefox before 43.0 stores cookies containing vertical tab characters, which allows remote attackers to obtain sensitive information by reading HTTP Cookie headers.
6179 CVE-2015-7207 200 Bypass +Info 2015-12-16 2018-10-30
5.0
None Remote Low Not required Partial None None
Mozilla Firefox before 43.0 does not properly restrict the availability of IFRAME Resource Timing API times, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that leverages history.back and performance.getEntries calls, a related issue to CVE-2015-1300.
6180 CVE-2015-7197 264 Bypass 2015-11-05 2016-12-07
5.0
None Remote Low Not required None Partial None
Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperly control the ability of a web worker to create a WebSocket object, which allows remote attackers to bypass intended mixed-content restrictions via crafted JavaScript code.
6181 CVE-2015-7195 200 +Info 2015-11-05 2016-12-07
5.0
None Remote Low Not required Partial None None
The URL parsing implementation in Mozilla Firefox before 42.0 improperly recognizes escaped characters in hostnames within Location headers, which allows remote attackers to obtain sensitive information via vectors involving a redirect.
6182 CVE-2015-7190 200 +Info 2015-11-05 2016-12-07
5.0
None Remote Low Not required Partial None None
The Search feature in Mozilla Firefox before 42.0 on Android through 4.4 supports search-engine URL registration through an intent and can access this URL in a privileged context in conjunction with the crash reporter, which allows attackers to read log files and visit file: URLs of HTML documents via a crafted application.
6183 CVE-2015-7081 2015-12-11 2017-09-12
5.0
None Remote Low Not required Partial None None
iBooks in Apple iOS before 9.2 and OS X before 10.11.2 allows remote attackers to read arbitrary files via an iBooks file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
6184 CVE-2015-7056 200 +Info 2015-12-11 2016-12-07
5.0
None Remote Low Not required Partial None None
IDE SCM in Apple Xcode before 7.2 does not recognize .gitignore files, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging the presence of a file matching an ignore pattern.
6185 CVE-2015-7045 17 2015-12-11 2017-09-12
5.0
None Remote Low Not required None Partial None
Keychain Access in Apple OS X before 10.11.2 and tvOS before 9.1 improperly interacts with Keychain Agent, which allows attackers to spoof the Keychain Server via unspecified vectors.
6186 CVE-2015-7037 22 Dir. Trav. 2015-12-11 2016-12-07
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in Mobile Backup in Photos in Apple iOS before 9.2 allows attackers to read arbitrary files via a crafted pathname.
6187 CVE-2015-7031 264 Bypass 2015-10-23 2016-12-23
5.0
None Remote Low Not required None Partial None
The Web Service component in Apple OS X Server before 5.0.15 omits an unspecified HTTP header configuration, which allows remote attackers to bypass intended access restrictions via unknown vectors.
6188 CVE-2015-7023 17 2015-10-23 2016-12-23
5.8
None Remote Medium Not required None Partial Partial
CFNetwork in Apple iOS before 9.1 and OS X before 10.11.1 does not properly consider the uppercase-versus-lowercase distinction during cookie parsing, which allows remote web servers to overwrite cookies via unspecified vectors.
6189 CVE-2015-7020 119 DoS Overflow +Info 2015-10-23 2015-10-26
5.6
None Local Low Not required Partial None Complete
The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via unspecified vectors, a different vulnerability than CVE-2015-7019.
6190 CVE-2015-7019 119 DoS Overflow +Info 2015-10-23 2015-10-26
5.6
None Local Low Not required Partial None Complete
The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via unspecified vectors, a different vulnerability than CVE-2015-7020.
6191 CVE-2015-6999 254 2015-10-23 2016-12-23
5.0
None Remote Low Not required None Partial None
The OCSP client in Apple iOS before 9.1 does not check for certificate expiry, which allows remote attackers to spoof a valid certificate by leveraging access to a revoked certificate.
6192 CVE-2015-6961 601 2017-10-18 2017-10-31
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout.
6193 CVE-2015-6941 534 +Info 2017-08-09 2017-08-21
5.0
None Remote Low Not required Partial None None
win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.
6194 CVE-2015-6940 200 +Info 2015-09-22 2018-10-09
5.0
None Remote Low Not required Partial None None
The GetResource servlet in Pentaho Business Analytics (BA) Suite 4.5.x, 4.8.x, and 5.0.x through 5.2.x and Pentaho Data Integration (PDI) Suite 4.3.x, 4.4.x, and 5.0.x through 5.2.x does not restrict access to files in the pentaho-solutions/system folder, which allows remote attackers to obtain passwords and other sensitive information via a file name in the resource parameter.
6195 CVE-2015-6932 310 +Info 2015-09-18 2016-12-21
5.8
None Remote Medium Not required Partial Partial None
VMware vCenter Server 5.5 before u3 and 6.0 before u1 does not verify X.509 certificates from TLS LDAP servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
6196 CVE-2015-6926 287 2018-01-19 2018-02-06
5.0
None Remote Low Not required None Partial None
The OpenID Single Sign-On authentication functionality in OXID eShop before 4.5.0 allows remote attackers to impersonate users via the email address in a crafted authentication token.
6197 CVE-2015-6925 399 DoS 2016-01-22 2016-01-25
5.0
None Remote Low Not required None None Partial
wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or traffic amplification) via a crafted DTLS cookie in a ClientHello message.
6198 CVE-2015-6908 20 DoS 2015-09-11 2016-12-21
5.0
None Remote Low Not required None None Partial
The ber_get_next function in libraries/liblber/io.c in OpenLDAP 2.4.42 and earlier allows remote attackers to cause a denial of service (reachable assertion and application crash) via crafted BER data, as demonstrated by an attack against slapd.
6199 CVE-2015-6843 200 +Info 2015-10-18 2016-12-08
5.0
None Remote Low Not required Partial None None
Reviewer in EMC SourceOne Email Supervisor before 7.2 does not properly limit attempts to authenticate, which makes it easier for remote attackers to obtain access via a brute-force approach.
6200 CVE-2015-6838 DoS 2016-05-16 2017-11-03
5.0
None Remote Low Not required None None Partial
The xsl_ext_function_php function in ext/xsl/xsltprocessor.c in PHP before 5.4.45, 5.5.x before 5.5.29, and 5.6.x before 5.6.13, when libxml2 before 2.9.2 is used, does not consider the possibility of a NULL valuePop return value before proceeding with a free operation after the principal argument loop, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted XML document, a different vulnerability than CVE-2015-6837.
Total number of vulnerabilities : 21278   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 (This Page)125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.