CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
8451 CVE-2015-3666 119 DoS Exec Code Overflow Mem. Corr. 2015-07-02 2016-12-27
6.8
None Remote Medium Not required Partial Partial Partial
QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X before 10.10.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file, a different vulnerability than CVE-2015-3661, CVE-2015-3662, CVE-2015-3663, CVE-2015-3667, and CVE-2015-3668.
8452 CVE-2015-3665 119 DoS Exec Code Overflow Mem. Corr. 2015-07-02 2016-12-27
6.8
None Remote Medium Not required Partial Partial Partial
QT Media Foundation in Apple QuickTime before 7.7.7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file, a different vulnerability than CVE-2015-3664 and CVE-2015-3669.
8453 CVE-2015-3664 119 DoS Exec Code Overflow Mem. Corr. 2015-07-02 2016-12-27
6.8
None Remote Medium Not required Partial Partial Partial
QT Media Foundation in Apple QuickTime before 7.7.7 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file, a different vulnerability than CVE-2015-3665 and CVE-2015-3669.
8454 CVE-2015-3663 119 DoS Exec Code Overflow Mem. Corr. 2015-07-02 2016-12-27
6.8
None Remote Medium Not required Partial Partial Partial
QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X before 10.10.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file, a different vulnerability than CVE-2015-3661, CVE-2015-3662, CVE-2015-3666, CVE-2015-3667, and CVE-2015-3668.
8455 CVE-2015-3662 119 DoS Exec Code Overflow Mem. Corr. 2015-07-02 2016-12-27
6.8
None Remote Medium Not required Partial Partial Partial
QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X before 10.10.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file, a different vulnerability than CVE-2015-3661, CVE-2015-3663, CVE-2015-3666, CVE-2015-3667, and CVE-2015-3668.
8456 CVE-2015-3661 119 DoS Exec Code Overflow Mem. Corr. 2015-07-02 2016-12-27
6.8
None Remote Medium Not required Partial Partial Partial
QT Media Foundation in Apple QuickTime before 7.7.7, as used in OS X before 10.10.4 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted file, a different vulnerability than CVE-2015-3662, CVE-2015-3663, CVE-2015-3666, CVE-2015-3667, and CVE-2015-3668.
8457 CVE-2015-3659 264 DoS Exec Code 2015-07-02 2016-12-27
6.8
None Remote Medium Not required Partial Partial Partial
The SQLite authorizer in the Storage functionality in WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before 8.0.7, as used in Apple iOS before 8.4 and other products, does not properly restrict access to SQL functions, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted web site.
8458 CVE-2015-3658 254 Bypass CSRF 2015-07-02 2016-12-27
6.8
None Remote Medium Not required Partial Partial Partial
The Page Loading functionality in WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before 8.0.7, as used in Apple iOS before 8.4 and other products, does not properly consider redirects during decisions about sending an Origin header, which makes it easier for remote attackers to bypass CSRF protection mechanisms via a crafted web site.
8459 CVE-2015-3657 284 +Priv 2017-08-29 2017-09-06
6.5
None Remote Low Single system Partial Partial Partial
Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated lower-level administrators to gain "Super Admin" privileges via unspecified vectors.
8460 CVE-2015-3656 285 +Priv 2017-08-29 2017-09-06
6.5
None Remote Low Single system Partial Partial Partial
Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote authenticated lower-level administrators to gain privileges by leveraging failure to properly enforce authorization checks.
8461 CVE-2015-3655 352 CSRF 2017-08-29 2017-09-05
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote attackers to hijack the authentication of administrators by leveraging improper enforcement of the anti-CSRF token.
8462 CVE-2015-3640 94 2017-07-21 2017-07-25
6.0
None Remote Medium Single system Partial Partial Partial
phpMyBackupPro 2.5 and earlier does not properly escape the "." character in request parameters, which allows remote authenticated users with knowledge of a web-accessible and web-writeable directory on the target system to inject and execute arbitrary PHP scripts by injecting scripts via the path, filename, and dirs parameters to scheduled.php, and making requests to injected scripts.
8463 CVE-2015-3639 20 Exec Code 2017-07-21 2017-07-25
6.5
None Remote Low Single system Partial Partial Partial
phpMyBackupPro 2.5 and earlier does not properly sanitize input strings, which allows remote authenticated users to execute arbitrary PHP code by storing a crafted string in a user configuration file.
8464 CVE-2015-3638 94 Exec Code 2017-07-21 2017-07-25
6.5
None Remote Low Single system Partial Partial Partial
phpMyBackupPro before 2.5 does not validate integer input, which allows remote authenticated users to execute arbitrary PHP code by injecting scripts via the path, filename, and period parameters to scheduled.php, and making requests to injected scripts, or by injecting PHP into a PHP configuration variable via a PHP variable variable.
8465 CVE-2015-3637 89 Exec Code Sql 2017-12-27 2018-01-11
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in phpMyBackupPro when run in multi-user mode before 2.5 allows remote attackers to execute arbitrary SQL commands via the username and password parameters.
8466 CVE-2015-3623 2015-09-16 2018-10-09
6.4
None Remote Low Not required Partial Partial None
XML external entity (XXE) vulnerability in QlikTech Qlikview before 11.20 SR12 allows remote attackers to conduct server-side request forgery (SSRF) attacks and read arbitrary files via crafted XML data in a request to AccessPoint.aspx.
8467 CVE-2015-3458 264 2015-04-29 2016-12-05
6.5
None Remote Low Single system Partial Partial Partial
The fetchView function in the Mage_Core_Block_Template_Zend class in Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 does not restrict the stream wrapper used in a template path, which allows remote administrators to include and execute arbitrary PHP files via the phar:// stream wrapper, related to the setScriptPath function. NOTE: it is not clear whether this issue crosses privilege boundaries, since administrators might already have privileges to include arbitrary files.
8468 CVE-2015-3450 119 DoS Exec Code Overflow Mem. Corr. 2017-09-06 2017-09-10
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in libaxl 0.6.9 allows attackers to cause a denial of service (memory corruption) or execute arbitrary code via a crafted XML document.
8469 CVE-2015-3436 59 2015-06-09 2016-12-05
6.6
None Local Low Not required None Complete Complete
provider/server/ECServer.cpp in Zarafa Collaboration Platform (ZCP) before 7.1.13 and 7.2.x before 7.2.1 allows local users to write to arbitrary files via a symlink attack on /tmp/zarafa-upgrade-lock.
8470 CVE-2015-3417 DoS 2015-04-24 2017-06-30
6.8
None Remote Medium Not required Partial Partial Partial
Use-after-free vulnerability in the ff_h264_free_tables function in libavcodec/h264.c in FFmpeg before 2.3.6 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted H.264 data in an MP4 file, as demonstrated by an HTML VIDEO element that references H.264 data.
8471 CVE-2015-3411 20 Bypass 2016-05-16 2019-04-22
6.4
None Remote Low Not required Partial Partial None
PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read or write to arbitrary files via crafted input to an application that calls (1) a DOMDocument load method, (2) the xmlwriter_open_uri function, (3) the finfo_file function, or (4) the hash_hmac_file function, as demonstrated by a filename\0.xml attack that bypasses an intended configuration in which client users may read only .xml files.
8472 CVE-2015-3395 119 Overflow 2015-06-16 2017-06-30
6.8
None Remote Medium Not required Partial Partial Partial
The msrle_decode_pal4 function in msrledec.c in Libav before 10.7 and 11.x before 11.4 and FFmpeg before 2.0.7, 2.2.x before 2.2.15, 2.4.x before 2.4.8, 2.5.x before 2.5.6, and 2.6.x before 2.6.2 allows remote attackers to have unspecified impact via a crafted image, related to a pixel pointer, which triggers an out-of-bounds array access.
8473 CVE-2015-3370 352 CSRF 2015-04-21 2016-12-05
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Node Invite module before 6.x-2.5 for Drupal allows remote attackers to hijack the authentication of users with the "node_invite_can_manage_invite" permission for requests that re-enable node invitations via unspecified vectors.
8474 CVE-2015-3367 352 CSRF 2015-04-21 2016-12-05
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Patterns module before 7.x-2.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) restore, (2) publish, or (3) unpublish a pattern via unspecified vectors.
8475 CVE-2015-3363 352 CSRF 2015-04-21 2016-12-05
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Contact Form Fields module before 6.x-2.3 for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete fields via unspecified vectors.
8476 CVE-2015-3356 352 CSRF 2015-04-21 2016-12-05
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Tadaa! module before 7.x-1.4 for Drupal allow remote attackers to hijack the authentication of arbitrary users for requests that (1) enable or (2) disable modules or (3) change variables via unspecified vectors.
8477 CVE-2015-3355 352 CSRF 2015-04-21 2016-12-05
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Batch Jobs module before 7.x-1.2 for Drupal allow remote attackers to hijack the authentication of certain users for requests that (1) delete a batch job record or (2) execute a task via unspecified vectors.
8478 CVE-2015-3352 352 CSRF 2015-04-21 2016-12-05
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Jammer module before 6.x-1.8 and 7.x-1.x before 7.x-1.4 for Drupal allow remote attackers to hijack the authentication of administrators for requests that delete a setting for (1) hidden form elements or (2) status messages via unspecified vectors, related to "report administration."
8479 CVE-2015-3351 352 CSRF 2015-04-21 2016-12-05
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Log Watcher module before 6.x-1.2 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable, (2) disable, or (3) delete a report via unspecified vectors.
8480 CVE-2015-3350 352 CSRF 2015-04-21 2016-12-05
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Todo Filter module before 6.x-1.1 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that toggle a task via unspecified vectors.
8481 CVE-2015-3349 352 CSRF 2015-04-21 2016-12-05
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Htaccess module before 7.x-2.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) deploy or (2) delete an .htaccess file via unspecified vectors.
8482 CVE-2015-3347 352 CSRF 2015-04-21 2016-12-05
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Cloudwords for Multilingual Drupal module before 7.x-2.3 for Drupal allows remote attackers to hijack the authentication of unspecified victims via an unknown menu callback.
8483 CVE-2015-3345 89 Exec Code Sql 2015-04-21 2016-12-30
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the PHPlist Integration Module before 6.x-1.7 for Drupal allows remote administrators to execute arbitrary SQL commands via unspecified vectors, related to the "phpList database."
8484 CVE-2015-3343 352 CSRF 2015-04-21 2016-12-05
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the OPAC module before 7.x-2.3 for Drupal allows remote attackers to hijack the authentication of unspecified victims for requests that remove a mapping via unknown vectors.
8485 CVE-2015-3339 362 +Priv 2015-05-27 2016-12-30
6.2
None Local High Not required Complete Complete Complete
Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped.
8486 CVE-2015-3330 20 DoS Exec Code 2015-06-09 2019-04-22
6.8
None Remote Medium Not required Partial Partial Partial
The php_handler function in sapi/apache2handler/sapi_apache2.c in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, when the Apache HTTP Server 2.4.x is used, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via pipelined HTTP requests that result in a "deconfigured interpreter."
8487 CVE-2015-3314 89 Sql 2017-09-07 2017-09-11
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in WordPress Tune Library plugin before 1.5.5.
8488 CVE-2015-3294 19 DoS 2015-05-08 2018-10-09
6.4
None Remote Low Not required Partial None Partial
The tcp_request function in Dnsmasq before 2.73rc4 does not properly handle the return value of the setup_reply function, which allows remote attackers to read process memory and cause a denial of service (out-of-bounds read and crash) via a malformed DNS request.
8489 CVE-2015-3283 264 2015-08-12 2017-09-20
6.8
None Remote Medium Not required Partial Partial Partial
OpenAFS before 1.6.13 allows remote attackers to spoof bos commands via unspecified vectors.
8490 CVE-2015-3280 399 DoS 2015-10-26 2018-11-16
6.8
None Remote Low Single system None None Complete
OpenStack Compute (nova) before 2014.2.4 (juno) and 2015.1.x before 2015.1.2 (kilo) does not properly delete instances from compute nodes, which allows remote authenticated users to cause a denial of service (disk consumption) by deleting instances while in the resize state.
8491 CVE-2015-3270 264 +Priv 2015-11-02 2015-11-03
6.5
None Remote Low Single system Partial Partial Partial
Apache Ambari before 2.0.2 or 2.1.x before 2.1.1 allows remote authenticated users to gain administrative privileges via unspecified vectors, possibly related to changing passwords.
8492 CVE-2015-3259 264 Overflow +Priv 2015-07-16 2018-10-30
6.8
None Local Low Single system Complete Complete Complete
Stack-based buffer overflow in the xl command line utility in Xen 4.1.x through 4.5.x allows local guest administrators to gain privileges via a long configuration argument.
8493 CVE-2015-3252 255 2016-02-08 2018-10-09
6.0
None Remote Medium Single system Partial Partial Partial
Apache CloudStack before 4.5.2 does not properly preserve VNC passwords when migrating KVM virtual machines, which allows remote attackers to gain access by connecting to the VNC server.
8494 CVE-2015-3247 119 DoS Exec Code Overflow Mem. Corr. 2015-09-08 2019-04-22
6.9
None Local Medium Not required Complete Complete Complete
Race condition in the worker_update_monitors_config function in SPICE 0.12.4 allows a remote authenticated guest user to cause a denial of service (heap-based memory corruption and QEMU-KVM crash) or possibly execute arbitrary code on the host via unspecified vectors.
8495 CVE-2015-3241 399 DoS 2015-09-08 2018-11-16
6.8
None Remote Low Single system None None Complete
OpenStack Compute (nova) 2015.1 through 2015.1.1, 2014.2.3, and earlier does not stop the migration process when the instance is deleted, which allows remote authenticated users to cause a denial of service (disk, network, and other resource consumption) by resizing and then deleting an instance.
8496 CVE-2015-3237 20 DoS +Info 2015-06-22 2018-10-16
6.4
None Remote Low Not required Partial None Partial
The smb_request_state function in cURL and libcurl 7.40.0 through 7.42.1 allows remote SMB servers to obtain sensitive information from memory or cause a denial of service (out-of-bounds read and crash) via crafted length and offset values.
8497 CVE-2015-3235 264 2015-08-14 2015-08-18
6.0
None Remote Medium Single system Partial Partial Partial
Foreman before 1.9.0 allows remote authenticated users with the edit_users permission to edit administrator users and change their passwords via unspecified vectors.
8498 CVE-2015-3228 189 DoS Overflow 2015-08-11 2017-09-20
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflow in the gs_heap_alloc_bytes function in base/gsmalloc.c in Ghostscript 9.15 and earlier allows remote attackers to cause a denial of service (crash) via a crafted Postscript (ps) file, as demonstrated by using the ps2pdf command, which triggers an out-of-bounds read or write.
8499 CVE-2015-3222 264 Exec Code 2017-09-07 2017-09-13
6.9
None Local Medium Not required Complete Complete Complete
syscheck/seechanges.c in OSSEC 2.7 through 2.8.1 on NIX systems allows local users to execute arbitrary code as root.
8500 CVE-2015-3214 119 Exec Code Overflow 2015-08-31 2017-11-03
6.9
None Local Medium Not required Complete Complete Complete
The pit_ioport_read in i8254.c in the Linux kernel before 2.6.33 and QEMU before 2.3.1 does not distinguish between read lengths and write lengths, which might allow guest OS users to execute arbitrary code on the host OS by triggering use of an invalid index.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.