CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
6201 CVE-2015-5642 89 Exec Code Sql 2015-10-05 2015-10-07
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in ICZ MATCHA INVOICE before 2.5.7 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
6202 CVE-2015-5641 89 Exec Code Sql 2015-10-05 2015-10-06
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in baserCMS before 3.0.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
6203 CVE-2015-5640 264 2015-10-05 2015-10-06
6.5
None Remote Low Single system Partial Partial Partial
baserCMS before 3.0.8 allows remote authenticated users to modify arbitrary user settings via a crafted request.
6204 CVE-2015-5637 264 Bypass 2015-09-20 2015-09-23
6.8
None Remote Medium Not required Partial Partial Partial
The Newphoria Photon application before 1.2 for Android allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors.
6205 CVE-2015-5636 264 Bypass 2015-09-20 2015-09-23
6.8
None Remote Medium Not required Partial Partial Partial
The Newphoria Reversi application before 1.0.3 for Android and before 1.2 for iOS allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors.
6206 CVE-2015-5635 264 Bypass 2015-09-20 2015-09-23
6.8
None Remote Medium Not required Partial Partial Partial
The Newphoria Koritore application before 1.1 for Android and before 1.1 for iOS allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors.
6207 CVE-2015-5634 264 Bypass 2015-09-20 2015-09-23
6.8
None Remote Medium Not required Partial Partial Partial
The Newphoria MEGAPHONE MUSIC application before 1.1 for Android and before 1.1 for iOS allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors.
6208 CVE-2015-5633 264 Bypass 2015-09-20 2015-09-23
6.8
None Remote Medium Not required Partial Partial Partial
The Newphoria Auction Camera application for iOS and before 1.2 for Android allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors.
6209 CVE-2015-5632 264 Bypass 2015-09-20 2015-09-23
6.8
None Remote Medium Not required Partial Partial Partial
The runtime engine in the Newphoria applican framework before 1.12.3 for Android and before 1.12.2 for iOS allows attackers to bypass a whitelist.xml URL whitelist protection mechanism and obtain API access via unspecified vectors.
6210 CVE-2015-5631 352 CSRF 2015-09-11 2015-09-14
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Remote UI on Canon PIXMA MG7500 printers allows remote attackers to hijack the authentication of administrators.
6211 CVE-2015-5629 264 Bypass 2015-09-11 2015-10-29
6.8
None Remote Medium Not required Partial Partial Partial
The NTT Broadband Platform Japan Connected-free Wi-Fi application 1.6.0 and earlier for Android and 1.0.2 and earlier for iOS allows attackers to bypass a URL whitelist protection mechanism and obtain API access via unspecified vectors.
6212 CVE-2015-5624 119 Exec Code Overflow 2015-09-07 2015-09-08
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in the ExecCall method in c2lv6.ocx in the FreeBit ELPhoneBtnV6 ActiveX control allows remote attackers to execute arbitrary code via a crafted HTML document, related to the discontinued "Click to Live" service.
6213 CVE-2015-5609 22 Dir. Trav. 2017-05-23 2017-06-08
6.4
None Remote Low Not required Partial Partial None
Absolute path traversal vulnerability in the Image Export plugin 1.1 for WordPress allows remote attackers to read and delete arbitrary files via a full pathname in the file parameter to download.php.
6214 CVE-2015-5607 352 CSRF 2017-09-20 2017-10-05
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery in the REST API in IPython 2 and 3.
6215 CVE-2015-5603 94 Exec Code 2015-09-21 2018-10-09
6.5
None Remote Low Single system Partial Partial Partial
The HipChat for JIRA plugin before 6.30.0 for Atlassian JIRA allows remote authenticated users to execute arbitrary Java code via unspecified vectors, related to "Velocity Template Injection Vulnerability."
6216 CVE-2015-5534 352 XSS CSRF 2015-11-02 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Oxwall before 1.8 allow remote attackers to hijack the authentication of administrators for requests that (1) put the website under maintenance via the maintenance_enable parameter or (2) conduct cross-site scripting (XSS) attacks via the maintenance_text parameter to admin/pages/maintenance.
6217 CVE-2015-5533 89 Exec Code Sql CSRF 2017-10-23 2018-10-09
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in counter-options.php in the Count Per Day plugin before 3.4.1 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the cpd_keep_month parameter to wp-admin/options-general.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.
6218 CVE-2015-5530 352 CSRF 2015-07-16 2015-07-21
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Free Reprintables ArticleFR 3.0.6 allow remote attackers to hijack the authentication of administrators for requests that add an administrator account via a request to dashboard/users/create/.
6219 CVE-2015-5522 119 DoS Overflow 2015-08-11 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the ParseValue function in lexer.c in tidy before 4.9.31 allows remote attackers to cause a denial of service (crash) via vectors involving a command character in an href.
6220 CVE-2015-5509 264 Bypass 2015-08-18 2016-11-28
6.0
None Remote Medium Single system Partial Partial Partial
The Administration Views module 7.x-1.x before 7.x-1.4 for Drupal, when used with other unspecified modules, does not properly grant access to administration pages, which allows remote administrators to bypass intended restrictions via unspecified vectors.
6221 CVE-2015-5505 17 2015-08-18 2017-07-25
6.8
None Remote Medium Not required Partial Partial Partial
The HTTP Strict Transport Security (HSTS) module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the "include subdomains" directive, which causes the HSTS policy to not be applied to subdomains and allows man-in-the-middle attackers to have unspecified impact via unknown vectors.
6222 CVE-2015-5461 2015-07-08 2016-12-07
6.4
None Remote Low Not required Partial Partial None
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for WordPress allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter.
6223 CVE-2015-5459 89 Exec Code Sql 2015-07-08 2016-12-07
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary SQL commands via the ANDOR parameter, as demonstrated by a request to STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc.
6224 CVE-2015-5458 2015-07-08 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in fileupload.php in PivotX before 2.3.11 allows remote attackers to hijack web sessions via the sess parameter.
6225 CVE-2015-5453 77 Exec Code 2015-07-08 2016-11-28
6.5
None Remote Low Single system Partial Partial Partial
Watchguard XCS 9.2 and 10.0 before build 150522 allow remote authenticated users to execute arbitrary commands via shell metacharacters in the id parameter to ADMIN/mailqueue.spl.
6226 CVE-2015-5451 352 CSRF 2015-11-22 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in HP Operations Orchestration Central 10.x before 10.22.001 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
6227 CVE-2015-5445 352 CSRF 2016-01-05 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in HP StoreOnce Backup system software before 3.13.1 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.
6228 CVE-2015-5434 264 DoS Bypass 2016-01-05 2016-11-28
6.4
None Remote Low Not required None Partial Partial
HPE Networking Products, originally branded as Comware 5, Comware 7, H3C, or HP, allow remote attackers to bypass intended access restrictions or cause a denial of service via "Virtual routing and forwarding (VRF) hopping."
6229 CVE-2015-5431 +Info 2015-08-26 2015-08-27
6.5
None Remote Low Single system Partial Partial Partial
HP Matrix Operating Environment before 7.5.0 allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors.
6230 CVE-2015-5412 352 CSRF 2015-08-26 2016-12-21
6.0
None Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in HP Version Control Repository Manager (VCRM) before 7.5.0 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors.
6231 CVE-2015-5411 200 +Info 2015-08-26 2016-12-21
6.8
None Remote Low Single system Complete None None
HP Version Control Repository Manager (VCRM) before 7.5.0 allows remote authenticated users to obtain sensitive information via unspecified vectors.
6232 CVE-2015-5410 DoS Exec Code 2015-08-26 2016-12-21
6.5
None Remote Low Single system Partial Partial Partial
HP Version Control Repository Manager (VCRM) before 7.5.0 allows remote authenticated users to execute arbitrary code or cause a denial of service via unspecified vectors.
6233 CVE-2015-5408 +Info 2015-08-22 2016-11-28
6.0
None Local High Single system Complete Complete Complete
HP CentralView Fraud Risk Management 11.1, 11.2, and 11.3; CentralView Revenue Leakage Control 4.1, 4.2, and 4.3; CentralView Dealer Performance Audit 2.0 and 2.1; CentralView Credit Risk Control 2.1, 2.2, and 2.3; CentralView Roaming Fraud Control 2.1, 2.2, and 2.3; and CentralView Subscription Fraud Prevention 2.0 and 2.1 allow remote attackers to obtain sensitive information via unspecified vectors, a different vulnerability than CVE-2015-5406 and CVE-2015-5407.
6234 CVE-2015-5407 +Info 2015-08-22 2016-11-28
6.0
None Local High Single system Complete Complete Complete
HP CentralView Fraud Risk Management 11.1, 11.2, and 11.3; CentralView Revenue Leakage Control 4.1, 4.2, and 4.3; CentralView Dealer Performance Audit 2.0 and 2.1; CentralView Credit Risk Control 2.1, 2.2, and 2.3; CentralView Roaming Fraud Control 2.1, 2.2, and 2.3; and CentralView Subscription Fraud Prevention 2.0 and 2.1 allow remote attackers to obtain sensitive information via unspecified vectors, a different vulnerability than CVE-2015-5406 and CVE-2015-5408.
6235 CVE-2015-5405 DoS +Info 2015-08-26 2015-08-27
6.5
None Remote Low Single system Partial Partial Partial
HP Systems Insight Manager (SIM) before 7.5.0, as used in HP Matrix Operating Environment before 7.5.0 and other products, allows remote authenticated users to obtain sensitive information, modify data, or cause a denial of service via unspecified vectors.
6236 CVE-2015-5400 264 Bypass 2015-09-28 2017-09-21
6.8
None Remote Medium Not required Partial Partial Partial
Squid before 3.5.6 does not properly handle CONNECT method peer responses when configured with cache_peer, which allows remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request.
6237 CVE-2015-5397 352 CSRF 2015-07-14 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Joomla! 3.2.0 through 3.3.x and 3.4.x before 3.4.2 allows remote attackers to hijack the authentication of unspecified victims for requests that upload code via unknown vectors.
6238 CVE-2015-5395 352 CSRF 2017-09-20 2017-09-28
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in SOGo before 3.1.0.
6239 CVE-2015-5367 264 +Priv 2015-08-27 2017-09-19
6.9
None Local Medium Not required Complete Complete Complete
The HP lt4112 LTE/HSPA+ Gobi 4G module with firmware before 12.500.00.15.1803 on EliteBook, ElitePad, Elite, ProBook, Spectre, ZBook, and mt41 Thin Client devices allows local users to gain privileges via unspecified vectors.
6240 CVE-2015-5351 352 Bypass CSRF 2016-02-24 2018-07-18
6.8
None Remote Medium Not required Partial Partial Partial
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
6241 CVE-2015-5348 19 Exec Code 2016-04-15 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.
6242 CVE-2015-5346 2016-02-24 2018-07-18
6.8
None Remote Medium Not required Partial Partial Partial
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
6243 CVE-2015-5338 352 CSRF 2016-02-22 2016-03-02
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the lesson module in Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 allow remote attackers to hijack the authentication of arbitrary users for requests to (1) mod/lesson/mediafile.php or (2) mod/lesson/view.php.
6244 CVE-2015-5323 264 +Priv 2015-11-25 2016-06-13
6.5
None Remote Low Single system Partial Partial Partial
Jenkins before 1.638 and LTS before 1.625.2 do not properly restrict access to API tokens which might allow remote administrators to gain privileges and run scripts by using an API token of another user.
6245 CVE-2015-5318 352 Bypass CSRF 2015-11-25 2016-06-15
6.8
None Remote Medium Not required Partial Partial Partial
Jenkins before 1.638 and LTS before 1.625.2 uses a publicly accessible salt to generate CSRF protection tokens, which makes it easier for remote attackers to bypass the CSRF protection mechanism via a brute force attack.
6246 CVE-2015-5306 254 Exec Code 2015-11-25 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
OpenStack Ironic Inspector (aka ironic-inspector or ironic-discoverd), when debug mode is enabled, might allow remote attackers to access the Flask console and execute arbitrary Python code by triggering an error.
6247 CVE-2015-5305 22 Dir. Trav. 2015-11-06 2015-11-09
6.4
None Remote Low Not required None Partial Partial
Directory traversal vulnerability in Kubernetes, as used in Red Hat OpenShift Enterprise 3.0, allows attackers to write to arbitrary files via a crafted object type name, which is not properly handled before passing it to etcd.
6248 CVE-2015-5292 399 DoS 2015-10-29 2016-12-07
6.8
None Remote Low Single system None None Complete
Memory leak in the Privilege Attribute Certificate (PAC) responder plugin (sssd_pac_plugin.so) in System Security Services Daemon (SSSD) 1.10 before 1.13.1 allows remote authenticated users to cause a denial of service (memory consumption) via a large number of logins that trigger parsing of PAC blobs during Kerberos authentication.
6249 CVE-2015-5291 119 DoS Exec Code Overflow 2015-11-02 2017-06-30
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in PolarSSL 1.x before 1.2.17 and ARM mbed TLS (formerly PolarSSL) 1.3.x before 1.3.14 and 2.x before 2.1.2 allows remote SSL servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long hostname to the server name indication (SNI) extension, which is not properly handled when creating a ClientHello message. NOTE: this identifier has been SPLIT per ADT3 due to different affected version ranges. See CVE-2015-8036 for the session ticket issue that was introduced in 1.3.0.
6250 CVE-2015-5289 119 DoS Overflow 2015-10-26 2017-06-30
6.4
None Remote Low Not required Partial None Partial
Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.