| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
9051 |
CVE-2015-3753 |
200 |
|
Bypass +Info |
2015-08-16 |
2016-12-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not properly perform taint checking for CANVAS elements, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive image data by leveraging a redirect to a data:image resource. |
|
9052 |
CVE-2015-3752 |
200 |
|
+Info |
2015-08-16 |
2016-12-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Content Security Policy implementation in WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not properly restrict cookie transmission for report requests, which allows remote attackers to obtain sensitive information via vectors involving (1) a cross-origin request or (2) a private-browsing request. |
|
9053 |
CVE-2015-3751 |
254 |
|
Bypass |
2015-08-16 |
2016-12-23 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, allows remote attackers to bypass a Content Security Policy protection mechanism by using a video control in conjunction with an IMG element within an OBJECT element. |
|
9054 |
CVE-2015-3714 |
254 |
|
Bypass |
2015-07-02 |
2017-09-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Apple OS X before 10.10.4 does not properly consider custom resource rules during app signature verification, which allows attackers to bypass intended launch restrictions via a modified app. |
|
9055 |
CVE-2015-3675 |
284 |
|
Bypass |
2015-07-02 |
2017-09-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The default configuration of the Apache HTTP Server on Apple OS X before 10.10.4 does not enable the mod_hfs_apple module, which allows remote attackers to bypass HTTP authentication via a crafted URL. |
|
9056 |
CVE-2015-3644 |
284 |
|
Bypass |
2015-05-13 |
2016-12-27 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Stunnel 5.00 through 5.13, when using the redirect option, does not redirect client connections to the expected server after the initial connection, which allows remote attackers to bypass authentication. |
|
9057 |
CVE-2015-3634 |
200 |
|
+Info |
2017-06-08 |
2017-06-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The SlideshowPluginSlideshowStylesheet::loadStylesheetByAJAX function in the Slideshow plugin 2.2.8 through 2.2.21 for Wordpress allows remote attackers to read arbitrary Wordpress option values. |
|
9058 |
CVE-2015-3633 |
119 |
|
DoS Overflow Mem. Corr. |
2015-05-01 |
2017-01-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1.5 allow remote attackers to cause a denial of service (memory corruption and crash) via vectors related to digital signatures. |
|
9059 |
CVE-2015-3624 |
352 |
|
CSRF |
2015-06-09 |
2018-10-09 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Test/WorkArea/DmsMenu/menuActions/MenuActions.aspx in Ektron Content Management System (CMS) before 9.10 SP1 (Build 9.1.0.184.1.120) allows remote attackers to hijack the authentication of content administrators for requests that delete content via a delete action. |
|
9060 |
CVE-2015-3614 |
200 |
|
+Info |
2017-08-11 |
2017-08-25 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Fortinet FortiManager 5.0.x before 5.0.11, 5.2.x before 5.2.2 allows remote attackers to obtain arbitrary files via vectors involving another unspecified vulnerability. |
|
9061 |
CVE-2015-3610 |
310 |
|
+Info |
2015-05-07 |
2015-05-07 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Siemens HomeControl for Room Automation application before 2.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information or modify data via a crafted certificate. |
|
9062 |
CVE-2015-3457 |
287 |
|
Bypass |
2015-04-29 |
2016-12-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allow remote attackers to bypass authentication via the forwarded parameter. |
|
9063 |
CVE-2015-3454 |
200 |
|
XSS +Info |
2017-09-06 |
2017-09-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
TelescopeJS before 0.15 leaks user bcrypt password hashes in websocket messages, which might allow remote attackers to obtain password hashes via a cross-site scripting attack. |
|
9064 |
CVE-2015-3451 |
|
|
|
2015-05-12 |
2018-10-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The _clone function in XML::LibXML before 2.0119 does not properly set the expand_entities option, which allows remote attackers to conduct XML external entity (XXE) attacks via crafted XML data to the (1) new or (2) load_xml function. |
|
9065 |
CVE-2015-3418 |
369 |
|
DoS |
2016-12-13 |
2018-01-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The ProcPutImage function in dix/dispatch.c in X.Org Server (aka xserver and xorg-server) before 1.16.4 allows attackers to cause a denial of service (divide-by-zero and crash) via a zero-height PutImage request. |
|
9066 |
CVE-2015-3412 |
254 |
|
Bypass |
2016-05-16 |
2019-04-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension. |
|
9067 |
CVE-2015-3407 |
284 |
|
Bypass |
2015-05-19 |
2017-11-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Module::Signature before 0.74 allows remote attackers to bypass signature verification for files via a signature file that does not list the files. |
|
9068 |
CVE-2015-3405 |
331 |
|
|
2017-08-09 |
2018-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys. |
|
9069 |
CVE-2015-3393 |
|
|
|
2015-04-21 |
2017-09-07 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Commerce WeDeal module before 7.x-1.3 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter. |
|
9070 |
CVE-2015-3391 |
200 |
|
Bypass +Info |
2015-04-21 |
2018-04-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Path Breadcrumbs module before 7.x-3.2 for Drupal allows remote attackers to bypass intended access restrictions and obtain sensitive node titles by reading a 403 Not Found page. |
|
9071 |
CVE-2015-3388 |
352 |
|
CSRF |
2015-04-21 |
2016-12-05 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the Commerce Balanced Payments module for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete the user's configured bank accounts via unspecified vectors. |
|
9072 |
CVE-2015-3383 |
|
|
|
2015-04-21 |
2016-12-05 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Node basket module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
9073 |
CVE-2015-3382 |
352 |
|
CSRF |
2015-04-21 |
2016-12-05 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the Node basket module for Drupal allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add or (2) remove nodes from a basket via unspecified vectors. |
|
9074 |
CVE-2015-3380 |
352 |
|
CSRF |
2015-04-21 |
2016-12-05 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the Feature Set module for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable or (2) disable a module via unspecified vectors. |
|
9075 |
CVE-2015-3375 |
352 |
|
CSRF |
2015-04-21 |
2016-12-05 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the Shibboleth Authentication module before 6.x-4.1 and 7.x-4.x before 7.x-4.1 for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete user role matching rules via unspecified vectors. |
|
9076 |
CVE-2015-3374 |
352 |
|
CSRF |
2015-04-21 |
2016-12-05 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the Corner module for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable or (2) disable corners via unspecified vectors. |
|
9077 |
CVE-2015-3373 |
200 |
|
+Info |
2015-04-21 |
2016-12-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Amazon AWS module before 7.x-1.3 for Drupal uses the base URL and AWS access key to generate the access token, which makes it easier for remote attackers to guess the token value and create backups via a crafted URL. |
|
9078 |
CVE-2015-3371 |
|
|
|
2015-04-21 |
2016-12-05 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Node Invite module before 6.x-2.5 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the destination parameter. |
|
9079 |
CVE-2015-3366 |
352 |
|
CSRF |
2015-04-21 |
2016-12-05 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the Alfresco module before 6.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete an alfresco node via unspecified vectors. |
|
9080 |
CVE-2015-3358 |
|
|
|
2015-04-21 |
2016-12-05 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Multiple open redirect vulnerabilities in the Tadaa! module before 7.x-1.4 for Drupal allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a destination parameter, related to callbacks that (1) enable and disable modules or (2) change variables. |
|
9081 |
CVE-2015-3354 |
352 |
|
CSRF |
2015-04-21 |
2016-12-05 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the Wishlist module before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete wishlist purchase intentions via unspecified vectors. |
|
9082 |
CVE-2015-3342 |
|
|
|
2015-04-21 |
2015-04-23 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Ubercart Currency Conversion module before 6.x-1.2 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination query parameter. |
|
9083 |
CVE-2015-3326 |
|
|
Bypass |
2015-05-13 |
2017-01-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Trend Micro ScanMail for Microsoft Exchange (SMEX) 10.2 before Hot Fix Build 3318 and 11.0 before Hot Fix Build 4180 creates session IDs for the web console using a random number generator with predictable values, which makes it easier for remote attackers to bypass authentication via a brute force attack. |
|
9084 |
CVE-2015-3323 |
20 |
|
DoS |
2015-04-16 |
2016-12-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The ThinkServer System Manager (TSM) Baseboard Management Controller before firmware 1.27.73476 for ThinkServer RD350, RD450, RD550, RD650, and TD350 allows remote attackers to cause a denial of service (web interface crash) via a malformed HTTP request during authentication. |
|
9085 |
CVE-2015-3322 |
310 |
|
|
2015-04-16 |
2017-01-17 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Lenovo ThinkServer RD350, RD450, RD550, RD650, and TD350 servers before 1.26.0 use weak encryption to store (1) user and (2) administrator BIOS passwords, which allows attackers to decrypt the passwords via unspecified vectors. |
|
9086 |
CVE-2015-3319 |
200 |
|
+Info |
2015-04-16 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Hotspot Express hotEx Billing Manager 73 does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. |
|
9087 |
CVE-2015-3302 |
284 |
|
+Info |
2017-12-29 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to obtain sensitive order detail information by leveraging a "broken authentication mechanism." |
|
9088 |
CVE-2015-3297 |
22 |
|
Dir. Trav. |
2017-07-07 |
2017-07-14 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in node/utils/Minify.js in Etherpad 1.1.1 through 1.5.2 allows remote attackers to read arbitrary files by leveraging replacement of backslashes with slashes in the path parameter of HTTP API requests. |
|
9089 |
CVE-2015-3295 |
284 |
|
|
2017-06-07 |
2017-06-14 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
markdown-it before 4.1.0 does not block data: URLs. |
|
9090 |
CVE-2015-3281 |
119 |
|
Overflow +Info |
2015-07-06 |
2016-12-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The buffer_slow_realign function in HAProxy 1.5.x before 1.5.14 and 1.6-dev does not properly realign a buffer that is used for pending outgoing data, which allows remote attackers to obtain sensitive information (uninitialized memory contents of previous requests) via a crafted request. |
|
9091 |
CVE-2015-3277 |
200 |
|
+Info |
2017-08-09 |
2017-08-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The mod_nss module before 1.0.11 in Fedora allows remote attackers to obtain cipher lists due to incorrect parsing of multi-keyword cipherstring. |
|
9092 |
CVE-2015-3276 |
310 |
|
|
2015-12-07 |
2016-10-14 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The nss_parse_ciphers function in libraries/libldap/tls_m.c in OpenLDAP does not properly parse OpenSSL-style multi-keyword mode cipher strings, which might cause a weaker than intended cipher to be used and allow remote attackers to have unspecified impact via unknown vectors. |
|
9093 |
CVE-2015-3272 |
|
|
|
2016-02-22 |
2017-09-21 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the clean_param function in lib/moodlelib.php in Moodle through 2.6.11, 2.7.x before 2.7.9, 2.8.x before 2.8.7, and 2.9.x before 2.9.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via vectors involving an HTTP Referer header that has a substring match with a local URL. |
|
9094 |
CVE-2015-3271 |
200 |
|
+Info |
2016-12-15 |
2016-12-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow remote attackers to read arbitrary files via the HTTP fileUrl header. |
|
9095 |
CVE-2015-3269 |
200 |
|
+Info |
2015-08-24 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Apache Flex BlazeDS, as used in flex-messaging-core.jar in Adobe LiveCycle Data Services (LCDS) 3.0.x before 3.0.0.354170, 4.5 before 4.5.1.354169, 4.6.2 before 4.6.2.354169, and 4.7 before 4.7.0.354169 and other products, allows remote attackers to read arbitrary files via an AMF message containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
|
9096 |
CVE-2015-3250 |
200 |
|
+Info |
2017-09-07 |
2017-09-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Apache Directory LDAP API before 1.0.0-M31 allows attackers to conduct timing attacks via unspecified vectors. |
|
9097 |
CVE-2015-3238 |
200 |
|
DoS +Info |
2015-08-24 |
2019-01-03 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
The _unix_run_helper_binary function in the pam_unix module in Linux-PAM (aka pam) before 1.2.1, when unable to directly access passwords, allows local users to enumerate usernames or cause a denial of service (hang) via a large password. |
|
9098 |
CVE-2015-3236 |
200 |
|
+Info |
2015-06-22 |
2018-10-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
cURL and libcurl 7.40.0 through 7.42.1 send the HTTP Basic authentication credentials for a previous connection when reusing a reset (curl_easy_reset) connection handle to send a request to the same host name, which allows remote attackers to obtain sensitive information via unspecified vectors. |
|
9099 |
CVE-2015-3233 |
|
|
|
2015-06-22 |
2016-12-02 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Overlay module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
9100 |
CVE-2015-3232 |
|
|
|
2015-06-22 |
2016-12-02 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Field UI module in Drupal 7.x before 7.38 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destinations parameter. |
