| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 10051 | CVE-2015-4469 | 119 | | DoS Overflow | 2015-06-11 | 2016-06-09 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The chmd_read_headers function in chmd.c in libmspack before 0.5 does not validate name lengths, which allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted CHM file. |
| 10052 | CVE-2015-4468 | 189 | | DoS Overflow | 2015-06-11 | 2016-06-09 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Multiple integer overflows in the search_chunk function in chmd.c in libmspack before 0.5 allow remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted CHM file. |
| 10053 | CVE-2015-4467 | 189 | | DoS | 2015-06-11 | 2016-06-27 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The chmd_init_decomp function in chmd.c in libmspack before 0.5 does not properly validate the reset interval, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a crafted CHM file. |
| 10054 | CVE-2015-4465 | 79 | | XSS | 2015-06-10 | 2015-06-11 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the zM Ajax Login & Register plugin before 1.1.0 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 10055 | CVE-2015-4463 | 434 | | Bypass | 2017-07-25 | 2017-08-10 | 4.0 | None | Remote | Low | Single system | None | Partial | None | The file_manager component in eFront CMS before 3.6.15.5 allows remote authenticated users to bypass intended file-upload restrictions by appending a crafted parameter to the file URL. |
| 10056 | CVE-2015-4462 | 434 | | | 2017-07-25 | 2017-08-10 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Absolute path traversal vulnerability in the file_manager component of eFront CMS before 3.6.15.5 allows remote authenticated users to read arbitrary files via a full pathname in the "Upload file from url" field in the file manager for professor.php. |
| 10057 | CVE-2015-4461 | 22 | | Dir. Trav. +Info | 2018-02-05 | 2018-02-26 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Absolute path traversal vulnerability in eFront CMS 3.6.15.4 and earlier allows remote Professor users to obtain sensitive information via a full pathname in the other parameter. |
| 10058 | CVE-2015-4458 | 310 | | | 2015-07-18 | 2017-09-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The TLS implementation in the Cavium cryptographic-module firmware, as distributed with Cisco Adaptive Security Appliance (ASA) Software 9.1(5.21) and other products, does not verify the MAC field, which allows man-in-the-middle attackers to spoof TLS content by modifying packets, aka Bug ID CSCuu52976. |
| 10059 | CVE-2015-4425 | 22 | | Dir. Trav. | 2015-08-18 | 2015-08-19 | 4.9 | None | Remote | Medium | Single system | None | Partial | Partial | Directory traversal vulnerability in pimcore before build 3473 allows remote authenticated users with the "assets" permission to create or write to arbitrary files via a .. (dot dot) in the dir parameter to admin/asset/add-asset-compatibility. |
| 10060 | CVE-2015-4420 | 79 | | XSS | 2015-06-18 | 2016-06-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Opsview 4.6.2 and earlier allow remote attackers to inject arbitrary web script or HTML via a (1) crafted check plugin, the (2) description in a host profile, or the (3) plugin_args parameter to a Test service check page. |
| 10061 | CVE-2015-4413 | 79 | | XSS | 2015-06-24 | 2016-12-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the new_fb_sign_button function in nextend-facebook-connect.php in Nextend Facebook Connect plugin before 1.5.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter. |
| 10062 | CVE-2015-4389 | 264 | | Bypass | 2015-06-15 | 2016-06-09 | 4.0 | None | Remote | Low | Single system | None | Partial | None | The Open Graph Importer (og_tag_importer) 7.x-1.x for Drupal does not properly check the create permission for content types created during import, which allows remote authenticated users to bypass intended restrictions by leveraging the "import og_tag_importer" permission. |
| 10063 | CVE-2015-4386 | 79 | | XSS | 2015-06-15 | 2015-06-26 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in unspecified administration pages in the EntityBulkDelete module 7.x-1.0 for Drupal allow remote attackers to inject arbitrary web script or HTML via unknown vectors involving creating or editing (1) comments, (2) taxonomy terms, or (3) nodes. |
| 10064 | CVE-2015-4375 | 200 | | +Info | 2015-06-15 | 2015-06-16 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The Chaos tool suite (ctools) module 7.x-1.x before 7.x-1.7 for Drupal allows remote attackers to obtain sensitive node titles via (1) an autocomplete search on custom entities without an access query tag or (2) leveraging knowledge of the ID of an entity. |
| 10065 | CVE-2015-4351 | 264 | | | 2015-06-15 | 2016-06-09 | 4.9 | None | Remote | Medium | Single system | None | Partial | Partial | The Spider Video Player module for Drupal allows remote authenticated users with the "access Spider Video Player administration" permission to delete arbitrary files via a crafted URL. |
| 10066 | CVE-2015-4347 | 79 | | XSS | 2015-06-15 | 2015-06-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the inLinks Integration module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified path arguments. |
| 10067 | CVE-2015-4328 | 20 | | Exec Code | 2015-08-19 | 2017-01-04 | 4.0 | None | Remote | Low | Single system | None | Partial | None | Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 improperly checks for a user account's read-only attribute, which allows remote authenticated users to execute arbitrary OS commands via crafted HTTP requests, as demonstrated by read or write operations on the Unified Communications lookup page, aka Bug ID CSCuv12552. |
| 10068 | CVE-2015-4320 | 200 | | +Info | 2015-08-19 | 2017-09-20 | 4.0 | None | Remote | Low | Single system | Partial | None | None | The Configuration Log File component in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.2 allows remote authenticated users to obtain sensitive information by reading a log file, aka Bug ID CSCuv12340. |
| 10069 | CVE-2015-4314 | 200 | | +Info | 2015-08-19 | 2017-09-20 | 4.0 | None | Remote | Low | Single system | Partial | None | None | The System Snapshot feature in Cisco TelePresence Video Communication Server (VCS) Expressway X8.5.1 allows remote authenticated users to obtain sensitive password-hash information by reading the snapshot file, aka Bug ID CSCuv40422. |
| 10070 | CVE-2015-4310 | 79 | | XSS | 2015-08-19 | 2017-01-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Cisco Finesse 10.5(1) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in a (1) GET or (2) POST request, aka Bug IDs CSCuq82322, CSCut95853, and CSCuq73975. |
| 10071 | CVE-2015-4305 | 264 | | Bypass | 2015-09-19 | 2017-01-04 | 4.0 | None | Remote | Low | Single system | Partial | None | None | The web framework in Cisco Prime Collaboration Assurance before 10.5.1.53684-1 allows remote authenticated users to bypass intended system-database read restrictions, and discover credentials or SNMP communities for arbitrary tenant domains, via a crafted URL, aka Bug ID CSCus62656. |
| 10072 | CVE-2015-4295 | 200 | | +Info | 2015-07-31 | 2015-08-21 | 4.0 | None | Remote | Low | Single system | Partial | None | None | The Prime Collaboration Deployment component in Cisco Unified Communications Manager 10.5(3.10000.9) allows remote authenticated users to discover root credentials via a direct request to an unspecified URL, aka Bug ID CSCuv21819. |
| 10073 | CVE-2015-4294 | 79 | | XSS | 2015-07-31 | 2015-08-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Cisco IM and Presence Service before 10.5 MR1 allows remote attackers to inject arbitrary web script or HTML by constructing a crafted URL that leverages incomplete filtering of HTML elements, aka Bug ID CSCut41766. |
| 10074 | CVE-2015-4292 | 79 | | XSS | 2015-07-31 | 2015-08-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the management interface in Cisco Prime Central for Hosted Collaboration Solution (PC4HCS) 10.6(2) allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCuv45818. |
| 10075 | CVE-2015-4290 | 119 | | DoS Overflow | 2015-07-29 | 2015-08-21 | 4.9 | None | Local | Low | Not required | None | None | Complete | The kernel extension in Cisco AnyConnect Secure Mobility Client 4.0(2049) on OS X allows local users to cause a denial of service (panic) via vectors involving contiguous memory locations, aka Bug ID CSCut12255. |
| 10076 | CVE-2015-4288 | 310 | | +Info | 2015-07-28 | 2015-07-29 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The LDAP implementation on the Cisco Web Security Appliance (WSA) 8.5.0-000, Email Security Appliance (ESA) 8.5.7-042, and Content Security Management Appliance (SMA) 8.3.6-048 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate, aka Bug IDs CSCuo29561, CSCuv40466, and CSCuv40470. |
| 10077 | CVE-2015-4278 | 20 | | DoS | 2015-07-16 | 2018-10-30 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Cisco Email Security Appliance (ESA) devices with software 8.5.6-106 and 9.5.0-201 allow remote attackers to cause a denial of service (per-domain e-mail reception outage) by placing malformed DMARC policy data in DNS TXT records for a domain, aka Bug ID CSCuv14806. |
| 10078 | CVE-2015-4277 | 399 | | DoS | 2015-08-19 | 2017-09-20 | 4.9 | None | Local | Low | Not required | None | None | Complete | The global-configuration implementation on Cisco ASR 9000 devices with software 5.1.3 and 5.3.0 improperly closes vty sessions after a commit/end operation, which allows local users to cause a denial of service (tmp/*config file creation, memory consumption, and device hang) via unspecified vectors, aka Bug ID CSCut93842. |
| 10079 | CVE-2015-4272 | 79 | | XSS | 2015-07-14 | 2016-12-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the ccmivr page in Cisco Unified Communications Manager (formerly CallManager) 10.5(2.10000.5) allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, aka Bug ID CSCut19580. |
| 10080 | CVE-2015-4270 | 79 | | XSS | 2015-07-14 | 2016-12-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Cisco FireSIGHT System Software 5.3.1.5 and 6.0.0 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCuv22557, CSCuv22583, CSCuv22632, CSCuv22641, CSCuv22650, CSCuv22662, CSCuv22697, and CSCuv22702. |
| 10081 | CVE-2015-4269 | 399 | | DoS | 2015-07-14 | 2016-12-28 | 4.0 | None | Remote | Low | Single system | None | None | Partial | The Tomcat throttling feature in Cisco Unified Communications Manager 10.5(1.99995.9) allows remote authenticated users to cause a denial of service (management outage) by sending many requests, aka Bug ID CSCuu99709. |
| 10082 | CVE-2015-4268 | 79 | | XSS | 2015-07-14 | 2016-12-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the Infra Admin UI in Cisco Identity Services Engine (ISE) 1.2(1.198) and 1.3(0.876) allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in a (1) GET or (2) POST request, aka Bug ID CSCus16052. |
| 10083 | CVE-2015-4266 | 20 | | XSS | 2015-07-16 | 2017-09-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The web interface in Cisco Identity Services Engine (ISE) 1.1(4.1), 1.3(106.146), and 1.3(120.135) does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a crafted web site, related to a "cross-frame scripting (XFS)" issue, aka Bug ID CSCut04556. |
| 10084 | CVE-2015-4265 | 399 | | DoS | 2015-10-12 | 2016-12-08 | 4.9 | None | Local | Low | Not required | None | None | Complete | Cisco Unified Computing System (UCS) B Blade Server Software 2.2.x before 2.2.6 allows local users to cause a denial of service (host OS or BMC hang) by sending crafted packets over the Inter-IC (I2C) bus, aka Bug ID CSCuq77241. |
| 10085 | CVE-2015-4263 | 200 | | +Info | 2015-07-10 | 2016-12-28 | 4.0 | None | Remote | Low | Single system | Partial | None | None | The Control and Provisioning functionality in Cisco Mobility Services Engine (MSE) 10.0(0.1) allows remote authenticated users to obtain sensitive information by reading log files, aka Bug ID CSCut36851. |
| 10086 | CVE-2015-4260 | 79 | | XSS | 2015-07-10 | 2016-12-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Cisco Hosted Collaboration Solution 10.6(1) allows remote attackers to inject arbitrary web script or HTML via a crafted value in a URL, aka Bug ID CSCuu14862. |
| 10087 | CVE-2015-4259 | 310 | | Bypass | 2015-07-10 | 2016-12-28 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The Integrated Management Controller on Cisco Unified Computing System (UCS) C servers with software 1.5(3) and 1.6(0.16) has a default SSL certificate, which makes it easier for man-in-the-middle attackers to bypass cryptographic protection mechanisms by leveraging knowledge of a private key, aka Bug IDs CSCum56133 and CSCum56177. |
| 10088 | CVE-2015-4249 | 79 | | XSS | 2015-07-13 | 2015-07-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Cisco WebEx Meeting Center allow remote attackers to inject arbitrary web script or HTML via unspecified parameters in a (1) GET or (2) POST request, aka Bug ID CSCuv01955. |
| 10089 | CVE-2015-4247 | 79 | | XSS | 2015-07-21 | 2015-07-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the admin site component in Cisco WebEx Meeting Center allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCuv01971. |
| 10090 | CVE-2015-4246 | 79 | | XSS | 2015-07-21 | 2015-07-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Cisco WebEx Meeting Center allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCuv01955. |
| 10091 | CVE-2015-4245 | | | XSS | 2015-07-21 | 2015-07-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Cisco WebEx Training Center allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCut92274. |
| 10092 | CVE-2015-4237 | 78 | | Exec Code | 2015-07-03 | 2016-12-28 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | The CLI parser in Cisco NX-OS 4.1(2)E1(1), 6.2(11b), 6.2(12), 7.2(0)ZZ(99.1), 7.2(0)ZZ(99.3), and 9.1(1)SV1(3.1.8) on Nexus devices allows local users to execute arbitrary OS commands via crafted characters in a filename, aka Bug IDs CSCuv08491, CSCuv08443, CSCuv08480, CSCuv08448, CSCuu99291, CSCuv08434, and CSCuv08436. |
| 10093 | CVE-2015-4236 | 399 | | DoS | 2015-07-10 | 2018-10-30 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Cisco AsyncOS on Email Security Appliance (ESA) devices with software 8.5.6-073, 8.5.6-074, and 9.0.0-461, when clustering is enabled, allows remote attackers to cause a denial of service (clustering and SSH outage) via a packet flood, aka Bug IDs CSCur13704 and CSCuq05636. |
| 10094 | CVE-2015-4232 | 264 | | Exec Code | 2015-07-03 | 2016-12-28 | 4.6 | User | Local | Low | Not required | Partial | Partial | Partial | Cisco NX-OS 6.2(10) on Nexus and MDS 9000 devices allows local users to execute arbitrary OS commands by entering crafted tar parameters in the CLI, aka Bug ID CSCus44856. |
| 10095 | CVE-2015-4225 | 264 | | +Info | 2015-06-27 | 2016-12-29 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Cisco Application Policy Infrastructure Controller (APIC) 1.0(1.110a) and 1.0(1e) on Nexus 9000 devices does not properly implement RBAC health scoring, which allows remote authenticated users to obtain sensitive information via unspecified vectors, aka Bug ID CSCuq77485. |
| 10096 | CVE-2015-4221 | 264 | | Exec Code | 2015-06-26 | 2016-12-28 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Cisco Unified Communications Manager IM and Presence Service 9.1(1) does not properly restrict access to encrypted passwords, which allows remote attackers to determine cleartext passwords, and consequently execute arbitrary commands, by visiting an unspecified web page and then conducting a decryption attack, aka Bug ID CSCuq46194. |
| 10097 | CVE-2015-4220 | 79 | | XSS | 2015-06-25 | 2016-12-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Cisco Unified Presence Server 9.1(1) allows remote attackers to inject arbitrary web script or HTML via an unspecified value, aka Bug ID CSCuq03773. |
| 10098 | CVE-2015-4219 | 264 | | +Info | 2015-06-24 | 2016-12-29 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Cisco Secure Access Control System before 5.4(0.46.2) and 5.5 before 5.5(0.46) and Cisco Identity Services Engine 1.0(4.573) do not properly implement access control for support bundles, which allows remote authenticated users to obtain sensitive information via brute-force attempts to send valid credentials, aka Bug IDs CSCue00833 and CSCub40331. |
| 10099 | CVE-2015-4217 | 310 | | | 2015-06-26 | 2016-12-28 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The remote-support feature on Cisco Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv), and Security Management Virtual Appliance (SMAv) devices before 2015-06-25 uses the same default SSH host keys across different customers' installations, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of a private key from another installation, aka Bug IDs CSCus29681, CSCuu95676, and CSCuu96601. |
| 10100 | CVE-2015-4214 | 200 | | +Info | 2015-06-24 | 2016-12-28 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Cisco Unified MeetingPlace 8.6(1.2) and 8.6(1.9) allows remote authenticated users to discover cleartext passwords by reading HTML source code, aka Bug ID CSCuu33050. |