| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
6301 |
CVE-2015-5883 |
20 |
|
|
2015-10-09 |
2016-12-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The bidirectional text-display and text-selection implementations in Terminal in Apple OS X before 10.11 interpret directional override formatting characters differently, which allows remote attackers to spoof the content of a text document via a crafted character sequence. |
|
6302 |
CVE-2015-5879 |
20 |
|
DoS Bypass |
2015-09-18 |
2016-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
XNU in the kernel in Apple iOS before 9 does not properly validate the headers of TCP packets, which allows remote attackers to bypass the sequence-number protection mechanism and cause a denial of service (TCP connection disruption) via a crafted header. |
|
6303 |
CVE-2015-5860 |
200 |
|
Bypass +Info |
2015-09-18 |
2016-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The CFNetwork HTTPProtocol component in Apple iOS before 9 mishandles HSTS state, which allows remote attackers to bypass the Safari private-browsing protection mechanism and track users via a crafted web site. |
|
6304 |
CVE-2015-5858 |
200 |
|
Bypass +Info |
2015-09-18 |
2016-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The CFNetwork HTTPProtocol component in Apple iOS before 9 allows remote attackers to bypass the HSTS protection mechanism, and consequently obtain sensitive information, via a crafted URL. |
|
6305 |
CVE-2015-5857 |
254 |
|
|
2015-09-18 |
2016-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Mail in Apple iOS before 9 allows remote attackers to use an address-book contact as a spoofed e-mail sender address via unspecified vectors. |
|
6306 |
CVE-2015-5841 |
74 |
|
|
2015-09-18 |
2016-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The CFNetwork Proxies component in Apple iOS before 9 does not properly handle a Set-Cookie header within a response to an HTTP CONNECT request, which allows remote proxy servers to conduct cookie-injection attacks via a crafted response. |
|
6307 |
CVE-2015-5840 |
119 |
|
DoS Overflow |
2015-09-18 |
2016-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The checkint division routines in removefile in Apple iOS before 9 allow attackers to cause a denial of service (overflow fault and app crash) via crafted data. |
|
6308 |
CVE-2015-5839 |
254 |
|
Bypass |
2015-09-18 |
2016-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
dyld in Apple iOS before 9 allows attackers to bypass a code-signing protection mechanism via an app that places a crafted signature in an executable file. |
|
6309 |
CVE-2015-5831 |
200 |
|
+Info |
2015-09-18 |
2016-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
NetworkExtension in the kernel in Apple iOS before 9 does not properly initialize an unspecified data structure, which allows attackers to obtain sensitive memory-layout information via a crafted app. |
|
6310 |
CVE-2015-5827 |
200 |
|
Bypass +Info |
2015-09-18 |
2016-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WebKit in Apple iOS before 9 allows remote attackers to bypass the Same Origin Policy and obtain an object reference via vectors involving a (1) custom event, (2) message event, or (3) pop state event. |
|
6311 |
CVE-2015-5770 |
264 |
|
|
2015-08-16 |
2016-12-23 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
MobileInstallation in Apple iOS before 8.4.1 does not ensure the uniqueness of universal provisioning profile bundle IDs, which allows attackers to replace arbitrary extensions via a crafted enterprise app. |
|
6312 |
CVE-2015-5766 |
22 |
|
Dir. Trav. |
2015-08-16 |
2016-12-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in Air Traffic in Apple iOS before 8.4.1 allows attackers to access arbitrary filesystem locations via vectors related to asset handling. |
|
6313 |
CVE-2015-5759 |
254 |
|
|
2015-08-16 |
2016-12-23 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
WebKit in Apple iOS before 8.4.1 allows remote attackers to spoof clicks via a crafted web site that leverages tap events. |
|
6314 |
CVE-2015-5752 |
59 |
|
Bypass |
2015-08-16 |
2016-12-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Backup in Apple iOS before 8.4.1 allows attackers to bypass intended restrictions on filesystem access via a crafted app that creates a symlink. |
|
6315 |
CVE-2015-5746 |
284 |
|
Bypass |
2015-08-16 |
2016-12-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
AppleFileConduit in Apple iOS before 8.4.1 allows attackers to bypass intended restrictions on filesystem access via an afc command that leverages symlink mishandling. |
|
6316 |
CVE-2015-5730 |
200 |
|
+Info |
2015-11-09 |
2017-09-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The sanitize_widget_instance function in wp-includes/class-wp-customize-widgets.php in WordPress before 4.2.4 does not use a constant-time comparison for widgets, which allows remote attackers to conduct a timing side-channel attack by measuring the delay before inequality is calculated. |
|
6317 |
CVE-2015-5729 |
200 |
|
Bypass +Info |
2017-03-23 |
2017-04-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Soft Access Point (AP) feature in Samsung Smart TVs X10P, X12, X14H, X14J, and NT14U and Xpress M288OFW printers generate weak WPA2 PSK keys, which makes it easier for remote attackers to obtain sensitive information or bypass authentication via a brute-force attack. |
|
6318 |
CVE-2015-5726 |
20 |
|
DoS |
2016-05-13 |
2016-05-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The BER decoder in Botan 0.10.x before 1.10.10 and 1.11.x before 1.11.19 allows remote attackers to cause a denial of service (application crash) via an empty BIT STRING in ASN.1 data. |
|
6319 |
CVE-2015-5717 |
310 |
|
+Info |
2015-08-31 |
2015-11-04 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Siemens COMPAS Mobile application before 1.6 for Android does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6320 |
CVE-2015-5713 |
200 |
|
+Info |
2015-10-28 |
2016-12-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Spotfire Parsing Library and Spotfire Security Filter in TIBCO Spotfire Server 5.5.x before 5.5.4, 6.0.x before 6.0.5, 6.5.x before 6.5.4, and 7.0.x before 7.0.1 and Spotfire Analytics Platform before 7.0.2 for AWS Marketplace allow remote attackers to obtain sensitive log information by visiting an unspecified URL. |
|
6321 |
CVE-2015-5705 |
59 |
|
|
2017-09-06 |
2017-09-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Argument injection vulnerability in devscripts before 2.15.7 allows remote attackers to write to arbitrary files via a crafted symlink and crafted filename. |
|
6322 |
CVE-2015-5701 |
59 |
|
|
2017-08-25 |
2017-09-12 |
5.6 |
None |
Local |
Low |
Not required |
Partial |
Complete |
None |
|
mktexlsr revision 36855, and before revision 36626 as packaged in texlive allows local users to write to arbitrary files via a symlink attack. NOTE: this vulnerability exists due to the reversion of a fix of CVE-2015-5700. |
|
6323 |
CVE-2015-5700 |
59 |
|
|
2017-08-25 |
2018-10-12 |
5.6 |
None |
Local |
Low |
Not required |
Partial |
Complete |
None |
|
mktexlsr revision 22855 through revision 36625 as packaged in texlive allows local users to write to arbitrary files via a symlink attack. |
|
6324 |
CVE-2015-5696 |
20 |
|
DoS |
2015-08-14 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Dell Netvault Backup before 10.0.5 allows remote attackers to cause a denial of service (crash) via a crafted request. |
|
6325 |
CVE-2015-5688 |
22 |
|
Dir. Trav. |
2015-09-04 |
2015-09-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the PATH_INFO to the default URI. |
|
6326 |
CVE-2015-5682 |
264 |
|
|
2017-05-23 |
2017-06-08 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
upload.php in the Powerplay Gallery plugin 3.3 for WordPress allows remote attackers to create arbitrary directories via vectors related to the targetDir variable. |
|
6327 |
CVE-2015-5671 |
264 |
|
Bypass |
2015-10-29 |
2015-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Techno Project Japan Enisys Gw before 1.4.1 allows remote attackers to bypass intended access restrictions and read arbitrary uploaded files via unspecified vectors. |
|
6328 |
CVE-2015-5665 |
352 |
|
CSRF |
2015-10-26 |
2015-10-27 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 2.11.0 through 2.13.3 allows remote attackers to hijack the authentication of arbitrary users for requests that write to PHP scripts, related to the doValidToken function. |
|
6329 |
CVE-2015-5655 |
310 |
|
+Info |
2015-11-09 |
2015-11-10 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Adways Party Track SDK before 1.6.6 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
6330 |
CVE-2015-5650 |
22 |
|
Dir. Trav. |
2015-10-05 |
2015-10-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in AjaXplorer 2.0 allows remote attackers to read arbitrary files via unspecified vectors. |
|
6331 |
CVE-2015-5639 |
295 |
|
|
2017-10-10 |
2017-11-05 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
niconico App for iOS before 6.38 does not verify SSL certificates which could allow remote attackers to execute man-in-the-middle attacks. |
|
6332 |
CVE-2015-5608 |
601 |
|
|
2017-09-20 |
2017-09-22 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in Joomla! CMS 3.0.0 through 3.4.1. |
|
6333 |
CVE-2015-5605 |
17 |
|
DoS Overflow |
2015-07-22 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The regular-expression implementation in Google V8, as used in Google Chrome before 44.0.2403.89, mishandles interrupts, which allows remote attackers to cause a denial of service (application crash) via crafted JavaScript code, as demonstrated by an error in garbage collection during allocation of a stack-overflow exception message. |
|
6334 |
CVE-2015-5576 |
200 |
|
Bypass +Info |
2015-09-22 |
2017-02-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 do not properly restrict discovery of memory addresses, which allows attackers to bypass the ASLR protection mechanism via unspecified vectors. |
|
6335 |
CVE-2015-5572 |
200 |
|
Bypass +Info |
2015-09-22 |
2017-02-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Adobe Flash Player before 18.0.0.241 and 19.x before 19.0.0.185 on Windows and OS X and before 11.2.202.521 on Linux, Adobe AIR before 19.0.0.190, Adobe AIR SDK before 19.0.0.190, and Adobe AIR SDK & Compiler before 19.0.0.190 allow attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors. |
|
6336 |
CVE-2015-5531 |
22 |
|
Dir. Trav. |
2015-08-17 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in Elasticsearch before 1.6.1 allows remote attackers to read arbitrary files via unspecified vectors related to snapshot API calls. |
|
6337 |
CVE-2015-5512 |
284 |
|
|
2015-08-18 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The me aliases module 6.x-2.x before 6.x-2.10 and 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to access Views using the "me" user argument handler by substituting "me" for a user id in a URL. |
|
6338 |
CVE-2015-5511 |
264 |
|
Bypass |
2015-08-18 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The HybridAuth Social Login module 7.x-2.x before 7.x-2.13 for Drupal allows remote attackers to bypass the user registration by administrator only configuration and create an account via a social login. |
|
6339 |
CVE-2015-5510 |
|
|
|
2015-08-18 |
2015-09-03 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Content Construction Kit (CCK) 6.x-2.x before 6.x-2.10 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the destinations parameter, related to administration pages. |
|
6340 |
CVE-2015-5508 |
352 |
|
CSRF |
2015-08-18 |
2016-11-28 |
5.1 |
None |
Remote |
High |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the XC NCIP Provider module in the eXtensible Catalog (XC) Drupal Toolkit allows remote attackers to hijack the authentication of users with the "administer ncip providers" permission for requests that alter NCIP providers via a crafted request. |
|
6341 |
CVE-2015-5506 |
200 |
|
+Info |
2015-08-18 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Apache Solr Real-Time module 7.x-1.x before 7.x-1.2 for Drupal does not check the status of an entity when indexing, which allows remote attackers to obtain information about unpublished content via a search. |
|
6342 |
CVE-2015-5503 |
|
|
|
2015-08-18 |
2015-09-03 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Chamilo integration module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters. |
|
6343 |
CVE-2015-5498 |
264 |
|
+Info |
2015-08-18 |
2015-09-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Shipwire API module 7.x-1.x before 7.x-1.03 for Drupal does not check the view permission for the shipments overview (admin/shipwire/shipments), which allows remote attackers to obtain sensitive information via a request to the page. |
|
6344 |
CVE-2015-5496 |
264 |
|
|
2015-08-18 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The pass2pdf module for Drupal does not restrict access to generated PDF files, which allows remote attackers to obtain user passwords via unspecified vectors. |
|
6345 |
CVE-2015-5493 |
264 |
|
|
2015-08-18 |
2015-08-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Entityform Block module 7.x-1.x before 7.x-1.3 for Drupal does not properly check permissions when a form is locked to a role, which allows remote attackers to obtain access to certain entityforms via unspecified vectors. |
|
6346 |
CVE-2015-5490 |
200 |
|
Bypass +Info |
2015-08-18 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The _views_fetch_data method in includes/cache.inc in the Views module 7.x-3.5 through 7.x-3.10 for Drupal does not rebuild the full cache if the static cache is not empty, which allows remote attackers to bypass intended filters and obtain access to hidden content via unspecified vectors. |
|
6347 |
CVE-2015-5471 |
22 |
|
Dir. Trav. |
2016-01-12 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter. |
|
6348 |
CVE-2015-5469 |
22 |
|
Dir. Trav. |
2017-05-23 |
2017-05-31 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Absolute path traversal vulnerability in the MDC YouTube Downloader plugin 2.1.0 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter to includes/download.php. |
|
6349 |
CVE-2015-5468 |
22 |
|
Dir. Trav. |
2017-05-23 |
2017-06-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in the WP e-Commerce Shop Styling plugin before 2.6 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the filename parameter to includes/download.php. |
|
6350 |
CVE-2015-5446 |
|
|
Exec Code |
2016-01-05 |
2016-12-07 |
5.8 |
None |
Local Network |
High |
Not required |
Partial |
Partial |
Complete |
|
HP StoreOnce Backup system software before 3.13.1 allows remote attackers to execute arbitrary code via unspecified vectors. |
