| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
19101 |
CVE-2015-3890 |
416 |
|
|
2017-09-20 |
2020-07-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Use-after-free vulnerability in Open Litespeed before 1.3.10. |
|
19102 |
CVE-2015-3888 |
284 |
|
|
2018-01-12 |
2018-02-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Jolla Sailfish OS before 1.1.2.16 allows remote attackers to spoof phone numbers and trigger calls to arbitrary numbers via spaces in a tel: URL. |
|
19103 |
CVE-2015-3882 |
200 |
|
+Info |
2017-03-17 |
2017-03-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
qdPM 8.3 allows remote attackers to obtain sensitive information via invalid ID value to index.php/users/info/id/[ID], which reveals the installation path in an error message. |
|
19104 |
CVE-2015-3881 |
200 |
|
+Info |
2017-03-17 |
2017-03-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Information disclosure issue in qdPM 8.3 allows remote attackers to obtain sensitive information via a direct request to (1) core/config/databases.yml, (2) core/log/qdPM_prod.log, or (3) core/apps/qdPM/config/settings.yml. |
|
19105 |
CVE-2015-3880 |
601 |
|
|
2017-09-19 |
2017-09-27 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in phpBB before 3.0.14 and 3.1.x before 3.1.4 allows remote attackers to redirect users of Google Chrome to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
19106 |
CVE-2015-3862 |
|
|
DoS |
2015-10-06 |
2015-10-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
mediaserver in Android before 5.1.1 LMY48T allows attackers to cause a denial of service (process crash) via unspecified vectors, aka internal bug 22954006. |
|
19107 |
CVE-2015-3861 |
189 |
|
DoS Overflow |
2015-10-01 |
2015-10-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Multiple integer overflows in the addVorbisCodecInfo function in matroska/MatroskaExtractor.cpp in libstagefright in mediaserver in Android before 5.1.1 LMY48M allow remote attackers to cause a denial of service (device inoperability) via crafted Matroska data, aka internal bug 21296336. |
|
19108 |
CVE-2015-3854 |
284 |
|
Bypass |
2016-08-07 |
2016-08-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
packages/SystemUI/src/com/android/systemui/power/PowerNotificationWarnings.java in Android 5.x allows attackers to bypass a DEVICE_POWER permission requirement via a broadcast intent with the PNW.stopSaver action, aka internal bug 20918350. |
|
19109 |
CVE-2015-3826 |
119 |
|
DoS Overflow |
2015-10-01 |
2017-09-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The MPEG4Extractor::parse3GPPMetaData function in MPEG4Extractor.cpp in libstagefright in Android before 5.1.1 LMY48I does not enforce a minimum size for UTF-16 strings containing a Byte Order Mark (BOM), which allows remote attackers to cause a denial of service (integer underflow, buffer over-read, and mediaserver process crash) via crafted 3GPP metadata, aka internal bug 20923261, a related issue to CVE-2015-3828. |
|
19110 |
CVE-2015-3815 |
119 |
|
DoS Overflow |
2015-05-26 |
2017-07-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The detect_version function in wiretap/logcat.c in the Android Logcat file parser in Wireshark 1.12.x before 1.12.5 does not check the length of the payload, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a packet with a crafted payload, as demonstrated by a length of zero, a different vulnerability than CVE-2015-3906. |
|
19111 |
CVE-2015-3814 |
189 |
|
DoS |
2015-05-26 |
2017-07-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The (1) dissect_tfs_request and (2) dissect_tfs_response functions in epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in Wireshark 1.10.x before 1.10.14 and 1.12.x before 1.12.5 interpret a zero value as a length rather than an error condition, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. |
|
19112 |
CVE-2015-3813 |
399 |
|
DoS |
2015-05-26 |
2018-01-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The fragment_add_work function in epan/reassemble.c in the packet-reassembly feature in Wireshark 1.12.x before 1.12.5 does not properly determine the defragmentation state in a case of an insufficient snapshot length, which allows remote attackers to cause a denial of service (memory consumption) via a crafted packet. |
|
19113 |
CVE-2015-3811 |
17 |
|
DoS |
2015-05-26 |
2019-12-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
epan/dissectors/packet-wcp.c in the WCP dissector in Wireshark 1.10.x before 1.10.14 and 1.12.x before 1.12.5 improperly refers to previously processed bytes, which allows remote attackers to cause a denial of service (application crash) via a crafted packet, a different vulnerability than CVE-2015-2188. |
|
19114 |
CVE-2015-3801 |
264 |
|
Bypass |
2015-09-18 |
2016-12-22 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The document.cookie API implementation in the CFNetwork Cookies subsystem in WebKit in Apple iOS before 9 allows remote attackers to bypass an intended single-cookie restriction via unspecified vectors. |
|
19115 |
CVE-2015-3784 |
200 |
|
+Info |
2015-08-16 |
2016-12-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Office Viewer in Apple iOS before 8.4.1 and OS X before 10.10.5 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
|
19116 |
CVE-2015-3762 |
200 |
|
+Info |
2015-08-16 |
2017-09-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Text Formats component in Apple OS X before 10.10.5, as used in TextEdit, allows remote attackers to read arbitrary files via a text file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
|
19117 |
CVE-2015-3753 |
200 |
|
Bypass +Info |
2015-08-16 |
2019-02-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not properly perform taint checking for CANVAS elements, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive image data by leveraging a redirect to a data:image resource. |
|
19118 |
CVE-2015-3752 |
200 |
|
+Info |
2015-08-16 |
2019-02-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Content Security Policy implementation in WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not properly restrict cookie transmission for report requests, which allows remote attackers to obtain sensitive information via vectors involving (1) a cross-origin request or (2) a private-browsing request. |
|
19119 |
CVE-2015-3751 |
254 |
|
Bypass |
2015-08-16 |
2019-02-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, allows remote attackers to bypass a Content Security Policy protection mechanism by using a video control in conjunction with an IMG element within an OBJECT element. |
|
19120 |
CVE-2015-3714 |
254 |
|
Bypass |
2015-07-03 |
2017-09-22 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Apple OS X before 10.10.4 does not properly consider custom resource rules during app signature verification, which allows attackers to bypass intended launch restrictions via a modified app. |
|
19121 |
CVE-2015-3675 |
284 |
|
Bypass |
2015-07-03 |
2017-09-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The default configuration of the Apache HTTP Server on Apple OS X before 10.10.4 does not enable the mod_hfs_apple module, which allows remote attackers to bypass HTTP authentication via a crafted URL. |
|
19122 |
CVE-2015-3644 |
284 |
|
Bypass |
2015-05-14 |
2016-12-28 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Stunnel 5.00 through 5.13, when using the redirect option, does not redirect client connections to the expected server after the initial connection, which allows remote attackers to bypass authentication. |
|
19123 |
CVE-2015-3641 |
|
|
DoS |
2020-03-12 |
2020-03-18 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
bitcoind and Bitcoin-Qt prior to 0.10.2 allow attackers to cause a denial of service (disabled functionality such as a client application crash) via an "Easy" attack. |
|
19124 |
CVE-2015-3634 |
200 |
|
+Info |
2017-06-08 |
2017-06-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The SlideshowPluginSlideshowStylesheet::loadStylesheetByAJAX function in the Slideshow plugin 2.2.8 through 2.2.21 for Wordpress allows remote attackers to read arbitrary Wordpress option values. |
|
19125 |
CVE-2015-3633 |
119 |
|
DoS Overflow Mem. Corr. |
2015-05-01 |
2017-01-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1.5 allow remote attackers to cause a denial of service (memory corruption and crash) via vectors related to digital signatures. |
|
19126 |
CVE-2015-3624 |
352 |
|
CSRF |
2015-06-09 |
2018-10-09 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in Test/WorkArea/DmsMenu/menuActions/MenuActions.aspx in Ektron Content Management System (CMS) before 9.10 SP1 (Build 9.1.0.184.1.120) allows remote attackers to hijack the authentication of content administrators for requests that delete content via a delete action. |
|
19127 |
CVE-2015-3614 |
200 |
|
+Info |
2017-08-11 |
2017-08-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Fortinet FortiManager 5.0.x before 5.0.11, 5.2.x before 5.2.2 allows remote attackers to obtain arbitrary files via vectors involving another unspecified vulnerability. |
|
19128 |
CVE-2015-3610 |
310 |
|
+Info |
2015-05-07 |
2015-05-07 |
5.4 |
None |
Local Network |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Siemens HomeControl for Room Automation application before 2.0.1 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information or modify data via a crafted certificate. |
|
19129 |
CVE-2015-3457 |
287 |
|
Bypass |
2015-04-29 |
2016-12-06 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Magento Community Edition (CE) 1.9.1.0 and Enterprise Edition (EE) 1.14.1.0 allow remote attackers to bypass authentication via the forwarded parameter. |
|
19130 |
CVE-2015-3454 |
200 |
|
XSS +Info |
2017-09-06 |
2017-09-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
TelescopeJS before 0.15 leaks user bcrypt password hashes in websocket messages, which might allow remote attackers to obtain password hashes via a cross-site scripting attack. |
|
19131 |
CVE-2015-3451 |
611 |
|
|
2015-05-12 |
2020-04-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The _clone function in XML::LibXML before 2.0119 does not properly set the expand_entities option, which allows remote attackers to conduct XML external entity (XXE) attacks via crafted XML data to the (1) new or (2) load_xml function. |
|
19132 |
CVE-2015-3418 |
369 |
|
DoS |
2016-12-13 |
2018-01-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The ProcPutImage function in dix/dispatch.c in X.Org Server (aka xserver and xorg-server) before 1.16.4 allows attackers to cause a denial of service (divide-by-zero and crash) via a zero-height PutImage request. |
|
19133 |
CVE-2015-3412 |
200 |
|
Bypass +Info |
2016-05-16 |
2019-04-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension. |
|
19134 |
CVE-2015-3407 |
284 |
|
Bypass |
2015-05-19 |
2017-11-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Module::Signature before 0.74 allows remote attackers to bypass signature verification for files via a signature file that does not list the files. |
|
19135 |
CVE-2015-3405 |
331 |
|
|
2017-08-09 |
2020-05-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ntp-keygen in ntp 4.2.8px before 4.2.8p2-RC2 and 4.3.x before 4.3.12 does not generate MD5 keys with sufficient entropy on big endian machines when the lowest order byte of the temp variable is between 0x20 and 0x7f and not #, which might allow remote attackers to obtain the value of generated MD5 keys via a brute force attack with the 93 possible keys. |
|
19136 |
CVE-2015-3393 |
|
|
|
2015-04-21 |
2017-09-08 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Commerce WeDeal module before 7.x-1.3 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter. |
|
19137 |
CVE-2015-3391 |
200 |
|
Bypass +Info |
2015-04-21 |
2018-04-07 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Path Breadcrumbs module before 7.x-3.2 for Drupal allows remote attackers to bypass intended access restrictions and obtain sensitive node titles by reading a 403 Not Found page. |
|
19138 |
CVE-2015-3388 |
352 |
|
CSRF |
2015-04-21 |
2016-12-06 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the Commerce Balanced Payments module for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete the user's configured bank accounts via unspecified vectors. |
|
19139 |
CVE-2015-3383 |
|
|
|
2015-04-21 |
2016-12-06 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Node basket module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
19140 |
CVE-2015-3382 |
352 |
|
CSRF |
2015-04-21 |
2016-12-06 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the Node basket module for Drupal allow remote attackers to hijack the authentication of arbitrary users for requests that (1) add or (2) remove nodes from a basket via unspecified vectors. |
|
19141 |
CVE-2015-3380 |
352 |
|
CSRF |
2015-04-21 |
2016-12-06 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the Feature Set module for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable or (2) disable a module via unspecified vectors. |
|
19142 |
CVE-2015-3375 |
352 |
|
CSRF |
2015-04-21 |
2016-12-06 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the Shibboleth Authentication module before 6.x-4.1 and 7.x-4.x before 7.x-4.1 for Drupal allows remote attackers to hijack the authentication of administrators for requests that delete user role matching rules via unspecified vectors. |
|
19143 |
CVE-2015-3374 |
352 |
|
CSRF |
2015-04-21 |
2016-12-06 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the Corner module for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable or (2) disable corners via unspecified vectors. |
|
19144 |
CVE-2015-3373 |
200 |
|
+Info |
2015-04-21 |
2016-12-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Amazon AWS module before 7.x-1.3 for Drupal uses the base URL and AWS access key to generate the access token, which makes it easier for remote attackers to guess the token value and create backups via a crafted URL. |
|
19145 |
CVE-2015-3371 |
|
|
|
2015-04-21 |
2016-12-06 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Node Invite module before 6.x-2.5 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the destination parameter. |
|
19146 |
CVE-2015-3366 |
352 |
|
CSRF |
2015-04-21 |
2016-12-06 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the Alfresco module before 6.x-1.3 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete an alfresco node via unspecified vectors. |
|
19147 |
CVE-2015-3358 |
|
|
|
2015-04-21 |
2016-12-06 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Multiple open redirect vulnerabilities in the Tadaa! module before 7.x-1.4 for Drupal allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a destination parameter, related to callbacks that (1) enable and disable modules or (2) change variables. |
|
19148 |
CVE-2015-3354 |
352 |
|
CSRF |
2015-04-21 |
2016-12-06 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the Wishlist module before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that delete wishlist purchase intentions via unspecified vectors. |
|
19149 |
CVE-2015-3342 |
|
|
|
2015-04-21 |
2015-04-23 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Ubercart Currency Conversion module before 6.x-1.2 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination query parameter. |
|
19150 |
CVE-2015-3326 |
|
|
Bypass |
2015-05-14 |
2017-01-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Trend Micro ScanMail for Microsoft Exchange (SMEX) 10.2 before Hot Fix Build 3318 and 11.0 before Hot Fix Build 4180 creates session IDs for the web console using a random number generator with predictable values, which makes it easier for remote attackers to bypass authentication via a brute force attack. |
