CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
8601 CVE-2015-7410 17 +Info 2016-01-01 2016-11-28
5.8
None Remote Medium Not required Partial Partial None
The Health Check tool in IBM Sterling B2B Integrator 5.2 does not properly use cookies in conjunction with HTTPS sessions, which allows man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.
8602 CVE-2015-7399 200 +Info 2016-01-11 2016-12-05
5.0
None Remote Low Not required Partial None None
IBM WebSphere Message Broker 7 before 7.0.0.8 and 8 before 8.0.0.6 and IBM Integration Bus 9 before 9.0.0.3 and 10 before 10.0.0.0 allow remote attackers to obtain sensitive information about the HTTP server via unspecified vectors.
8603 CVE-2015-7397 2016-01-09 2016-12-07
5.8
None Remote Medium Not required Partial Partial None
Multiple open redirect vulnerabilities in the Aurora starter store in IBM WebSphere Commerce 7.0 through Feature Pack 8 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referrer parameter.
8604 CVE-2015-7396 264 Bypass +Info 2016-01-02 2016-01-06
5.5
None Remote Low Single system Partial Partial None
The Scheduler in IBM Maximo Asset Management 7.5 before 7.5.0.8 IF6 and 7.6 before 7.6.0.1 FP1 and Maximo Asset Management 7.5 before 7.5.0.8 IF6, 7.5.1, and 7.6 before 7.6.0.1 FP1 for SmartCloud Control Desk allows remote authenticated users to bypass intended access restrictions, and obtain sensitive information or modify data, via unspecified vectors.
8605 CVE-2015-7384 400 DoS 2017-10-10 2017-10-27
5.0
None Remote Low Not required None None Partial
Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service.
8606 CVE-2015-7371 264 DoS 2015-10-14 2018-10-09
5.0
None Remote Low Not required None None Partial
Revive Adserver before 3.2.2 does not restrict access to run-mpe.php, which allows remote attackers to run the Maintenance Priority Engine and possibly cause a denial of service (resource consumption) via a direct request.
8607 CVE-2015-7322 200 +Info 2015-10-05 2016-12-07
5.0
None Remote Low Not required Partial None None
The Secure Meeting (Pulse Collaboration) in Pulse Connect Secure (formerly Juniper Junos Pulse) before 7.1R22.1, 7.4, 8.0 before 8.0R11, and 8.1 before 8.1R3 provides different messages for attempts to join a meeting depending on the status of the meeting, which allows remote attackers to enumerate valid meeting ids via a series of requests.
8608 CVE-2015-7318 20 2017-09-25 2017-10-03
5.0
None Remote Low Not required None Partial None
Plone 3.3.0 through 3.3.6 allows remote attackers to inject headers into HTTP responses.
8609 CVE-2015-7305 200 +Info 2015-09-21 2015-09-22
5.0
None Remote Low Not required Partial None None
The Scald module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to fields, which allows remote attackers to obtain sensitive atom property information via vectors involving a "debug context."
8610 CVE-2015-7298 2015-10-26 2015-10-28
5.1
None Remote High Not required Partial Partial Partial
ownCloud Desktop Client before 2.0.1, when compiled with a Qt release after 5.3.x, does not call QNetworkReply::ignoreSslErrors with the list of errors to be ignored, which makes it easier for remote attackers to conduct man-in-the-middle (MITM) attacks by leveraging a server using a self-signed certificate. NOTE: this vulnerability exists because of a partial CVE-2015-4456 regression.
8611 CVE-2015-7295 119 DoS Overflow 2015-11-09 2017-11-03
5.0
None Remote Low Not required None None Partial
hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface.
8612 CVE-2015-7294 90 2017-09-06 2017-09-11
5.0
None Remote Low Not required Partial None None
ldapauth-fork before 2.3.3 allows remote attackers to perform LDAP injection attacks via a crafted username.
8613 CVE-2015-7285 287 Bypass 2015-11-24 2015-11-25
5.8
None Remote Medium Not required Partial Partial None
CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 do not require authentication from Alarm Receiving Center (ARC) servers, which allows man-in-the-middle attackers to bypass intended access restrictions via a spoofed HSxx response.
8614 CVE-2015-7279 2015-12-31 2016-11-28
5.0
None Remote Low Not required None Partial None
Amped Wireless R10000 devices with firmware 2.5.2.11 use an improper algorithm for selecting the ID value in the header of a DNS query, which makes it easier for remote attackers to spoof responses by predicting this value.
8615 CVE-2015-7265 284 Bypass 2017-04-09 2018-08-13
5.0
None Remote Low Not required None Partial None
Facebook Proxygen before 2015-11-09 mismanages HTTPMessage.request state, which allows remote attackers to conduct hijacking attacks and bypass ACL checks.
8616 CVE-2015-7263 284 Bypass 2017-04-09 2018-08-13
5.0
None Remote Low Not required None Partial None
The SPDY/2 codec in Facebook Proxygen before 2015-11-09 allows remote attackers to conduct hijacking attacks and bypass ACL checks via a crafted host value.
8617 CVE-2015-7255 200 +Info 2017-08-29 2017-09-12
5.0
None Remote Low Not required Partial None None
ZTE OX-330P, ZXHN H108N, W300V1.0.0S_ZRD_TR1_D68, HG110, GAN9.8T101A-B, MF28G, ZXHN H108N use non-unique X.509 certificates and SSH host keys, which might allow remote attackers to obtain credentials or other sensitive information via a man-in-the-middle attack, passive decryption attack, or impersonating a legitimate device.
8618 CVE-2015-7254 22 Dir. Trav. 2015-11-06 2018-12-15
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability on Huawei HG532e, HG532n, and HG532s devices allows remote attackers to read arbitrary files via a .. (dot dot) in an icon/ URI.
8619 CVE-2015-7248 200 +Info 2015-12-30 2017-09-12
5.0
None Remote Low Not required Partial None None
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote attackers to discover usernames and password hashes by reading the cgi-bin/webproc HTML source code, a different vulnerability than CVE-2015-8703.
8620 CVE-2015-7245 22 Dir. Trav. 2017-04-24 2017-04-28
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in D-Link DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remote attackers to read sensitive information via a .. (dot dot) in the errorpage parameter.
8621 CVE-2015-7237 22 Dir. Trav. +Info 2015-09-18 2015-09-22
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in the remote log viewing functionality in McAfee Agent (MA) 5.x before 5.0.2 allows remote attackers to obtain sensitive information via unspecified vectors.
8622 CVE-2015-7236 DoS 2015-10-01 2017-06-30
5.0
None Remote Low Not required None None Partial
Use-after-free vulnerability in xprt_set_caller in rpcb_svc_com.c in rpcbind 0.2.1 and earlier allows remote attackers to cause a denial of service (daemon crash) via crafted packets, involving a PMAP_CALLIT code.
8623 CVE-2015-7233 352 CSRF 2015-09-17 2015-09-18
5.1
None Remote High Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Import module is enabled, allows remote attackers to hijack the authentication of administrators for requests that create new OSF datasets via unspecified vectors.
8624 CVE-2015-7231 20 2015-09-17 2015-09-21
5.0
None Remote Low Not required None Partial None
The Commerce Commonwealth (CBA) module 7.x-1.x before 7.x-1.5 for Drupal does not properly validate payments, which allows remote attackers to make a failed payment appear valid via a crafted URL, related to a "response from commweb."
8625 CVE-2015-7228 +Info 2015-09-17 2015-09-21
5.0
None Remote Low Not required Partial None None
The RESTful module 7.x-1.x before 7.x-1.3 for Drupal does not properly cache pages of authenticated users when using non-cookie authentication providers, which allows remote attackers to obtain sensitive information via unspecified vectors.
8626 CVE-2015-7226 200 +Info 2015-09-17 2016-11-28
5.0
None Remote Low Not required Partial None None
The Administration Views module 7.x-1.x before 7.x-1.5 for Drupal checks access permissions based on the router path from the view instead of the display property, which allows remote attackers to obtain sensitive information via vectors related to the access handler.
8627 CVE-2015-7219 189 DoS 2015-12-16 2018-10-30
5.0
None Remote Low Not required None None Partial
The HTTP/2 implementation in Mozilla Firefox before 43.0 allows remote attackers to cause a denial of service (integer underflow, assertion failure, and application exit) via a malformed PushPromise frame that triggers decompressed-buffer length miscalculation and incorrect memory allocation.
8628 CVE-2015-7218 189 DoS 2015-12-16 2018-10-30
5.0
None Remote Low Not required None None Partial
The HTTP/2 implementation in Mozilla Firefox before 43.0 allows remote attackers to cause a denial of service (integer underflow, assertion failure, and application exit) via a single-byte header frame that triggers incorrect memory allocation.
8629 CVE-2015-7215 200 Bypass +Info 2015-12-16 2018-10-30
5.0
None Remote Low Not required Partial None None
The importScripts function in the Web Workers API implementation in Mozilla Firefox before 43.0 allows remote attackers to bypass the Same Origin Policy by triggering use of the no-cors mode in the fetch API to attempt resource access that throws an exception, leading to information disclosure after a rethrow.
8630 CVE-2015-7214 200 Bypass +Info 2015-12-16 2018-10-30
5.0
None Remote Low Not required Partial None None
Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allow remote attackers to bypass the Same Origin Policy via data: and view-source: URIs.
8631 CVE-2015-7211 20 2015-12-16 2018-10-30
5.0
None Remote Low Not required None Partial None
Mozilla Firefox before 43.0 mishandles the # (number sign) character in a data: URI, which allows remote attackers to spoof web sites via unspecified vectors.
8632 CVE-2015-7208 200 +Info 2015-12-16 2018-10-30
5.0
None Remote Low Not required Partial None None
Mozilla Firefox before 43.0 stores cookies containing vertical tab characters, which allows remote attackers to obtain sensitive information by reading HTTP Cookie headers.
8633 CVE-2015-7207 200 Bypass +Info 2015-12-16 2018-10-30
5.0
None Remote Low Not required Partial None None
Mozilla Firefox before 43.0 does not properly restrict the availability of IFRAME Resource Timing API times, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that leverages history.back and performance.getEntries calls, a related issue to CVE-2015-1300.
8634 CVE-2015-7197 264 Bypass 2015-11-05 2016-12-07
5.0
None Remote Low Not required None Partial None
Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperly control the ability of a web worker to create a WebSocket object, which allows remote attackers to bypass intended mixed-content restrictions via crafted JavaScript code.
8635 CVE-2015-7195 200 +Info 2015-11-05 2016-12-07
5.0
None Remote Low Not required Partial None None
The URL parsing implementation in Mozilla Firefox before 42.0 improperly recognizes escaped characters in hostnames within Location headers, which allows remote attackers to obtain sensitive information via vectors involving a redirect.
8636 CVE-2015-7190 200 +Info 2015-11-05 2016-12-07
5.0
None Remote Low Not required Partial None None
The Search feature in Mozilla Firefox before 42.0 on Android through 4.4 supports search-engine URL registration through an intent and can access this URL in a privileged context in conjunction with the crash reporter, which allows attackers to read log files and visit file: URLs of HTML documents via a crafted application.
8637 CVE-2015-7081 2015-12-11 2017-09-12
5.0
None Remote Low Not required Partial None None
iBooks in Apple iOS before 9.2 and OS X before 10.11.2 allows remote attackers to read arbitrary files via an iBooks file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
8638 CVE-2015-7056 200 +Info 2015-12-11 2016-12-07
5.0
None Remote Low Not required Partial None None
IDE SCM in Apple Xcode before 7.2 does not recognize .gitignore files, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging the presence of a file matching an ignore pattern.
8639 CVE-2015-7045 17 2015-12-11 2017-09-12
5.0
None Remote Low Not required None Partial None
Keychain Access in Apple OS X before 10.11.2 and tvOS before 9.1 improperly interacts with Keychain Agent, which allows attackers to spoof the Keychain Server via unspecified vectors.
8640 CVE-2015-7037 22 Dir. Trav. 2015-12-11 2016-12-07
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in Mobile Backup in Photos in Apple iOS before 9.2 allows attackers to read arbitrary files via a crafted pathname.
8641 CVE-2015-7031 264 Bypass 2015-10-23 2016-12-23
5.0
None Remote Low Not required None Partial None
The Web Service component in Apple OS X Server before 5.0.15 omits an unspecified HTTP header configuration, which allows remote attackers to bypass intended access restrictions via unknown vectors.
8642 CVE-2015-7023 17 2015-10-23 2016-12-23
5.8
None Remote Medium Not required None Partial Partial
CFNetwork in Apple iOS before 9.1 and OS X before 10.11.1 does not properly consider the uppercase-versus-lowercase distinction during cookie parsing, which allows remote web servers to overwrite cookies via unspecified vectors.
8643 CVE-2015-7020 119 DoS Overflow +Info 2015-10-23 2015-10-26
5.6
None Local Low Not required Partial None Complete
The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via unspecified vectors, a different vulnerability than CVE-2015-7019.
8644 CVE-2015-7019 119 DoS Overflow +Info 2015-10-23 2015-10-26
5.6
None Local Low Not required Partial None Complete
The NVIDIA driver in the Graphics Drivers subsystem in Apple OS X before 10.11.1 allows local users to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read and system crash) via unspecified vectors, a different vulnerability than CVE-2015-7020.
8645 CVE-2015-6999 254 2015-10-23 2016-12-23
5.0
None Remote Low Not required None Partial None
The OCSP client in Apple iOS before 9.1 does not check for certificate expiry, which allows remote attackers to spoof a valid certificate by leveraging access to a revoked certificate.
8646 CVE-2015-6961 601 2017-10-18 2017-10-31
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in gluon/tools.py in Web2py 2.9.11 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the _next parameter to user/logout.
8647 CVE-2015-6941 534 +Info 2017-08-09 2017-08-21
5.0
None Remote Low Not required Partial None None
win_useradd, salt-cloud and the Linode driver in salt 2015.5.x before 2015.5.6, and 2015.8.x before 2015.8.1 leak password information in debug logs.
8648 CVE-2015-6940 200 +Info 2015-09-22 2018-10-09
5.0
None Remote Low Not required Partial None None
The GetResource servlet in Pentaho Business Analytics (BA) Suite 4.5.x, 4.8.x, and 5.0.x through 5.2.x and Pentaho Data Integration (PDI) Suite 4.3.x, 4.4.x, and 5.0.x through 5.2.x does not restrict access to files in the pentaho-solutions/system folder, which allows remote attackers to obtain passwords and other sensitive information via a file name in the resource parameter.
8649 CVE-2015-6932 310 +Info 2015-09-18 2016-12-21
5.8
None Remote Medium Not required Partial Partial None
VMware vCenter Server 5.5 before u3 and 6.0 before u1 does not verify X.509 certificates from TLS LDAP servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
8650 CVE-2015-6926 287 2018-01-19 2018-02-06
5.0
None Remote Low Not required None Partial None
The OpenID Single Sign-On authentication functionality in OXID eShop before 4.5.0 allows remote attackers to impersonate users via the email address in a crafted authentication token.
Total number of vulnerabilities : 23746   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 (This Page)174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.