CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1501 CVE-2015-7416 20 DoS 2016-01-02 2016-01-05
2.1
None Local Low Not required None None Partial
AFP Workbench Viewer in IBM i Access 7.1 on Windows allows remote attackers to cause a denial of service (viewer crash) via a crafted workbench file.
1502 CVE-2015-7412 200 +Info 2015-11-08 2015-11-09
2.6
None Remote High Not required Partial None None
The GatewayScript modules on IBM DataPower Gateways with software 7.2.0.x before 7.2.0.1, when the GatewayScript decryption API or a JWE decrypt action is enabled, do not require signed ciphertext data, which makes it easier for remote attackers to obtain plaintext data via a padding-oracle attack.
1503 CVE-2015-7408 264 2016-02-14 2016-03-10
2.6
None Remote High Not required Partial None None
The server in IBM Spectrum Protect (aka Tivoli Storage Manager) 5.5 and 6.x before 6.3.5.1 and 7.x before 7.1.4 does not properly restrict use of the ASNODENAME option, which allows remote attackers to read or write to backup data by leveraging proxy authority.
1504 CVE-2015-7403 DoS 2016-01-02 2018-10-11
2.1
None Local Low Not required None None Partial
IBM Spectrum Scale 4.1.1.x before 4.1.1.3 and General Parallel File System (GPFS) 3.5.x before 3.5.0.29 and 4.1.x through 4.1.0.8 on AIX allow local users to cause a denial of service (incorrect pointer dereference and node crash) via unspecified vectors.
1505 CVE-2015-7368 200 +Info 2015-10-14 2018-10-09
2.1
None Local Low Not required Partial None None
Revive Adserver before 3.2.2 does not send the appropriate Cache-Control HTTP headers in responses for admin UI pages, which allows local users to obtain sensitive information via the web browser cache.
1506 CVE-2015-7304 79 XSS 2015-09-21 2015-09-22
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the amoCRM module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified HTTP POST data.
1507 CVE-2015-7238 264 +Info 2015-09-18 2015-09-22
2.1
None Local Low Not required Partial None None
The Secondary server in Threat Intelligence Exchange (TIE) before 1.2.0 uses weak permissions for unspecified (1) configuration files and (2) installation logs, which allows local users to obtain sensitive information by reading the files.
1508 CVE-2015-7232 79 XSS 2015-09-17 2015-09-18
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in unspecified administration pages in the OSF module 7.x-3.x before 7.x-3.1 for Drupal, when the OSF Ontology module is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
1509 CVE-2015-7094 20 Bypass 2015-12-11 2017-09-12
2.6
None Remote High Not required None Partial None
CFNetwork HTTPProtocol in Apple iOS before 9.2 and OS X before 10.11.2 allows man-in-the-middle attackers to bypass the HSTS protection mechanism via a crafted URL.
1510 CVE-2015-7080 200 Bypass +Info 2015-12-11 2016-12-07
2.1
None Local Low Not required Partial None None
Siri in Apple iOS before 9.2 allows physically proximate attackers to bypass an intended client-side protection mechanism and obtain sensitive content-notification information by listening to a device in the lock-screen state.
1511 CVE-2015-7067 DoS 2015-12-11 2017-09-12
2.1
None Local Low Not required None None Partial
IOThunderboltFamily in Apple OS X before 10.11.2 allows local users to cause a denial of service (NULL pointer dereference) via an unspecified userclient type.
1512 CVE-2015-7046 200 Bypass +Info 2015-12-11 2017-09-12
2.6
None Remote High Not required Partial None None
The Sandbox feature in xnu in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 does not properly implement privilege separation, which allows attackers to bypass the ASLR protection mechanism via a crafted app with root privileges.
1513 CVE-2015-7000 200 +Info 2015-10-23 2016-12-23
2.1
None Local Low Not required Partial None None
Notification Center in Apple iOS before 9.1 mishandles changes to "Show on Lock Screen" settings, which allows physically proximate attackers to obtain sensitive information by looking for a (1) Phone or (2) Messages notification on the lock screen soon after a setting was disabled.
1514 CVE-2015-6987 20 DoS 2015-10-23 2015-10-26
2.1
None Local Low Not required None None Partial
The File Bookmark component in Apple OS X before 10.11.1 allows local users to cause a denial of service (application crash) via crafted bookmark metadata in a folder.
1515 CVE-2015-6921 79 XSS 2015-09-11 2015-09-14
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Zendesk Feedback Tab module 7.x-1.x before 7.x-1.1 for Drupal allows remote administrators with the "Configure Zendesk Feedback Tab" permission to inject arbitrary web script or HTML via unspecified vectors.
1516 CVE-2015-6847 200 +Info 2015-11-18 2016-12-07
2.1
None Local Low Not required Partial None None
The default configuration of EMC VPLEX GeoSynchrony 5.4 SP1 before P3 stores cleartext NAVISPHERE GUI passwords in a log file, which allows local users to obtain sensitive information by reading this file.
1517 CVE-2015-6839 20 2017-10-23 2017-11-17
2.1
None Local Low Not required None Partial None
The parse function in MSA vot.Ar 3.1 does not check whether a candidate receives more than one vote, which allows physically proximate attackers to cast multiple votes for a candidate via a crafted RFID ballot tag.
1518 CVE-2015-6807 79 XSS 2015-09-04 2015-09-04
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Mass Contact module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer mass contact" permission to inject arbitrary web script or HTML via a category label.
1519 CVE-2015-6754 79 XSS 2015-08-31 2015-09-01
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the administration interface in the Path Breadcrumbs module 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "Administer Path Breadcrumbs" permission to inject arbitrary web script or HTML via unspecified vectors.
1520 CVE-2015-6752 79 XSS 2015-08-31 2015-09-01
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Search API Autocomplete module 7.x-1.x before 7.x-1.3 for Drupal, when the search index is configured to use the HTML filter processor, allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in the returned suggestions.
1521 CVE-2015-6746 200 +Info 2015-08-31 2015-08-31
2.1
None Local Low Not required Partial None None
Basware Banking (Maksuliikenne) before 8.90.07.X stores private keys in plaintext in the SQL database, which allows remote attackers to spoof communications with banks via unspecified vectors. NOTE: this identifier was SPLIT from CVE-2015-0942 per ADT2 due to different vulnerability types.
1522 CVE-2015-6654 264 DoS 2015-09-03 2016-12-07
2.1
None Local Low Not required None None Partial
The xenmem_add_to_physmap_one function in arch/arm/mm.c in Xen 4.5.x, 4.4.x, and earlier does not limit the number of printk console messages when reporting a failure to retrieve a reference on a foreign page, which allows remote domains to cause a denial of service by leveraging permissions to map the memory of a foreign guest.
1523 CVE-2015-6641 200 +Info 2016-01-06 2016-12-07
2.9
None Local Network Medium Not required Partial None None
Bluetooth in Android 6.0 before 2016-01-01 allows remote attackers to obtain sensitive Contacts information by leveraging pairing, aka internal bug 23607427.
1524 CVE-2015-6627 200 +Info 2015-12-08 2015-12-09
2.6
None Remote High Not required Partial None None
The Audio component in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows remote attackers to obtain sensitive information via a crafted audio file, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 24211743.
1525 CVE-2015-6557 200 +Info 2015-08-22 2015-08-24
2.1
None Local Low Not required Partial None None
IBM Tivoli Storage Manager for Databases: Data Protection for Microsoft SQL Server 5.5 before 5.5.6.1, 6.3 before 6.3.1.5, 6.4 before 6.4.1.7, and 7.1 before 7.1.2; Tivoli Storage Manager for Mail: Data Protection for Microsoft Exchange Server 5.5 before 5.5.1.1, 6.1 before 6.1.3.7, 6.3 before 6.3.1.5, 6.4 before 6.4.1.7, and 7.1 before 7.1.2; and Tivoli Storage FlashCopy Manager 3.1 before 3.1.1.5, 3.2 before 3.2.1.7, and 4.1 before 4.1.2, when application tracing is used, place cleartext passwords in exception messages, which allows physically proximate attackers to obtain sensitive information by reading trace output, a different vulnerability than CVE-2015-4949.
1526 CVE-2015-6556 200 +Info 2015-12-18 2015-12-18
2.3
None Local Network Medium Single system Partial None None
EACommunicatorSrv.exe in the Framework Service in the client in Symantec Endpoint Encryption (SEE) before 11.1.0 allows remote authenticated users to discover credentials by triggering a memory dump.
1527 CVE-2015-6414 200 +Info 2015-12-12 2016-12-07
2.1
None Local Low Not required Partial None None
Cisco TelePresence Video Communication Server (VCS) X8.6 uses the same encryption key across different customers' installations, which makes it easier for local users to defeat cryptographic protection mechanisms by leveraging knowledge of a key from another installation, aka Bug ID CSCuw64516.
1528 CVE-2015-6375 200 +Info 2015-11-21 2016-11-28
2.1
None Local Low Not required Partial None None
The debug-logging (aka debug cns) feature in Cisco Networking Services (CNS) for IOS 15.2(2)E3 allows local users to obtain sensitive information by reading an unspecified file, aka Bug ID CSCux18010.
1529 CVE-2015-6252 399 DoS 2015-10-19 2017-11-03
2.1
None Local Low Not required None None Partial
The vhost_dev_ioctl function in drivers/vhost/vhost.c in the Linux kernel before 4.1.5 allows local users to cause a denial of service (memory consumption) via a VHOST_SET_LOG_FD ioctl call that triggers permanent file-descriptor allocation.
1530 CVE-2015-6113 254 Bypass 2015-11-11 2019-05-16
2.1
None Local Low Not required None Partial None
The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 allows local users to bypass intended filesystem permissions by leveraging Low Integrity access, aka "Windows Kernel Security Feature Bypass Vulnerability."
1531 CVE-2015-6109 200 Bypass +Info 2015-11-11 2019-05-15
2.1
None Local Low Not required Partial None None
The kernel in Microsoft Windows 8.1, Windows Server 2012 R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to bypass the KASLR protection mechanism, and consequently discover a driver base address, via a crafted application, aka "Windows Kernel Memory Information Disclosure Vulnerability."
1532 CVE-2015-6102 200 Bypass +Info 2015-11-11 2019-05-16
2.1
None Local Low Not required Partial None None
The kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT Gold and 8.1, and Windows 10 Gold and 1511 allows local users to bypass the KASLR protection mechanism, and consequently discover a driver base address, via a crafted application, aka "Windows Kernel Memory Information Disclosure Vulnerability."
1533 CVE-2015-5969 200 +Info 2016-04-08 2018-10-30
2.1
None Local Low Not required Partial None None
The mysql-systemd-helper script in the mysql-community-server package before 5.6.28-2.17.1 in openSUSE 13.2 and before 5.6.28-13.1 in openSUSE Leap 42.1 and the mariadb package before 10.0.22-2.21.2 in openSUSE 13.2 and before 10.0.22-3.1 in SUSE Linux Enterprise (SLE) 12.1 and openSUSE Leap 42.1 allows local users to discover database credentials by listing a process and its arguments.
1534 CVE-2015-5923 200 +Info 2015-10-09 2016-12-07
2.1
None Local Low Not required Partial None None
Apple iOS before 9.0.2 does not properly restrict the options available on the lock screen, which allows physically proximate attackers to read contact data or view photos via unspecified vectors.
1535 CVE-2015-5907 310 2015-09-18 2016-12-21
2.6
None Remote High Not required None Partial None
WebKit in Apple iOS before 9 allows man-in-the-middle attackers to conduct redirection attacks by leveraging the mishandling of the resource cache of an SSL web site with an invalid X.509 certificate.
1536 CVE-2015-5901 200 +Info 2015-10-09 2016-12-07
2.1
None Local Low Not required Partial None None
The Secure Empty Trash feature in Finder in Apple OS X before 10.11 improperly deletes Trash files, which might allow local users to obtain sensitive information by reading storage media, as demonstrated by reading a flash drive.
1537 CVE-2015-5898 200 +Info 2015-09-18 2016-12-21
2.1
None Local Low Not required Partial None None
CFNetwork in Apple iOS before 9 relies on the hardware UID for its cache encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.
1538 CVE-2015-5893 200 +Info 2015-10-09 2016-12-07
2.1
None Local Low Not required Partial None None
SMBClient in SMB in Apple OS X before 10.11 allows local users to obtain sensitive kernel memory-layout information via unspecified vectors.
1539 CVE-2015-5892 200 Bypass +Info 2015-09-18 2016-12-21
2.1
None Local Low Not required Partial None None
Siri in Apple iOS before 9 allows physically proximate attackers to bypass an intended client-side protection mechanism and obtain sensitive content-notification information by listening to a device in the lock-screen state.
1540 CVE-2015-5878 200 +Info 2015-10-09 2016-12-09
2.1
None Local Low Not required Partial None None
Notes in Apple OS X before 10.11 misparses links, which allows local users to obtain sensitive information via unspecified vectors.
1541 CVE-2015-5875 79 XSS 2015-10-09 2016-12-09
2.1
None Local Low Not required None Partial None
Cross-site scripting (XSS) vulnerability in Notes in Apple OS X before 10.11 allows local users to inject arbitrary web script or HTML via crafted text.
1542 CVE-2015-5870 200 +Info 2015-10-09 2016-12-09
2.1
None Local Low Not required Partial None None
The debugging interfaces in the kernel in Apple OS X before 10.11 allow local users to obtain sensitive memory-layout information via unspecified vectors.
1543 CVE-2015-5864 200 +Info 2015-10-09 2016-12-09
2.1
None Local Low Not required Partial None None
IOAudioFamily in Apple OS X before 10.11 allows local users to obtain sensitive kernel memory-layout information via unspecified vectors.
1544 CVE-2015-5863 200 +Info 2015-09-18 2016-12-21
2.1
None Local Low Not required Partial None None
IOStorageFamily in Apple iOS before 9 does not properly initialize an unspecified data structure, which allows local users to obtain sensitive information from kernel memory via unknown vectors.
1545 CVE-2015-5861 284 Bypass 2015-09-18 2016-12-21
2.1
None Local Low Not required None Partial None
SpringBoard in Apple iOS before 9 allows physically proximate attackers to bypass a lock-screen preview-disabled setting, and reply to an audio message, via unspecified vectors.
1546 CVE-2015-5854 200 +Info 2015-10-09 2016-12-09
2.1
None Local Low Not required Partial None None
The backup implementation in Time Machine in Apple OS X before 10.11 allows local users to obtain access to keychain items via unspecified vectors.
1547 CVE-2015-5851 200 +Info 2015-09-18 2016-12-21
2.1
None Local Low Not required Partial None None
The convenience initializer in the Multipeer Connectivity component in Apple iOS before 9 does not require an encrypted session, which allows local users to obtain cleartext multipeer data via an encrypted-to-unencrypted downgrade attack.
1548 CVE-2015-5850 254 2015-09-18 2016-12-21
2.1
None Local Low Not required None Partial None
AppleKeyStore in Apple iOS before 9 allows physically proximate attackers to reset the count of incorrect passcode attempts via a device backup.
1549 CVE-2015-5842 200 +Info 2015-09-18 2016-12-21
2.1
None Local Low Not required Partial None None
XNU in the kernel in Apple iOS before 9 does not properly initialize an unspecified data structure, which allows local users to obtain sensitive memory-layout information via unknown vectors.
1550 CVE-2015-5832 200 +Info 2015-09-18 2016-12-21
2.1
None Local Low Not required Partial None None
The iTunes Store component in Apple iOS before 9 does not properly delete AppleID credentials from the keychain upon a signout action, which might allow physically proximate attackers to obtain sensitive information via unspecified vectors.
Total number of vulnerabilities : 4561   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 (This Page)32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.