| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |
| 19451 | CVE-2015-1110 | 200 | | +Info | 2015-04-10 | 2019-03-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
The Podcasts component in Apple iOS before 8.3 and Apple TV before 7.2 allows remote attackers to discover unique identifiers by reading asset-download request data. |
| 19452 | CVE-2015-1105 | 20 | | DoS | 2015-04-10 | 2019-03-08 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
The TCP implementation in the kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 does not properly implement the Urgent (aka out-of-band data) mechanism, which allows remote attackers to cause a denial of service via crafted packets. |
| 19453 | CVE-2015-1104 | 20 | | Bypass | 2015-04-10 | 2019-03-08 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 does not properly determine whether an IPv6 packet had a local origin, which allows remote attackers to bypass an intended network-filtering protection mechanism via a crafted packet. |
| 19454 | CVE-2015-1100 | 119 | | DoS Overflow +Info | 2015-04-10 | 2019-03-08 | 5.4 | None | Local | Medium | Not required | Partial | None | Complete |
The kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 allows attackers to cause a denial of service (out-of-bounds memory access) or obtain sensitive memory-content information via a crafted app. |
| 19455 | CVE-2015-1092 | | | | 2015-04-10 | 2019-03-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
NSXMLParser in Foundation in Apple iOS before 8.3 and Apple TV before 7.2 allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
| 19456 | CVE-2015-1090 | 200 | | +Info | 2015-04-10 | 2017-01-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
CFNetwork in Apple iOS before 8.3 does not delete HTTP Strict Transport Security (HSTS) state information in response to a Safari history-clearing action, which allows attackers to obtain sensitive information by reading a history file. |
| 19457 | CVE-2015-1089 | 200 | | Bypass +Info | 2015-04-10 | 2017-01-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
CFNetwork in Apple iOS before 8.3 and Apple OS X before 10.10.3 does not properly handle cookies during processing of redirects in HTTP responses, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. |
| 19458 | CVE-2015-1084 | 17 | | | 2015-03-18 | 2015-09-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
The user interface in WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, does not display URLs consistently, which makes it easier for remote attackers to conduct phishing attacks via a crafted URL. |
| 19459 | CVE-2015-1065 | 119 | | Exec Code Overflow | 2015-03-12 | 2016-12-08 | 5.4 | None | Local Network | Medium | Not required | Partial | Partial | Partial |
Multiple buffer overflows in iCloud Keychain in Apple iOS before 8.2 and Apple OS X through 10.10.2 allow man-in-the-middle attackers to execute arbitrary code by modifying the client-server data stream during keychain recovery. |
| 19460 | CVE-2015-1062 | 19 | | | 2015-03-12 | 2019-03-08 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
MobileStorageMounter in Apple iOS before 8.2 and Apple TV before 7.1 does not delete invalid disk-image folders, which allows attackers to create folders in arbitrary filesystem locations via a crafted app. |
| 19461 | CVE-2015-1060 | | 1 | | 2015-01-16 | 2017-09-08 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
Open redirect vulnerability in lib/Cake/Controller/Controller.php in AdaptCMS 3.0.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the HTTP Referer header. |
| 19462 | CVE-2015-1051 | | | | 2015-01-15 | 2016-08-23 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
Open redirect vulnerability in the Context UI module in the Context module 7.x-3.x before 7.x-3.6 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the destination parameter. |
| 19463 | CVE-2015-1047 | 20 | | DoS | 2015-10-12 | 2018-08-12 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
vpxd in VMware vCenter Server 5.0 before u3e, 5.1 before u3, and 5.5 before u2 allows remote attackers to cause a denial of service via a long heartbeat message. |
| 19464 | CVE-2015-1042 | | | | 2015-02-10 | 2021-01-12 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
The string_sanitize_url function in core/string_api.php in MantisBT 1.2.0a3 through 1.2.18 uses an incorrect regular expression, which allows remote attackers to conduct open redirect and phishing attacks via a URL with a ":/" (colon slash) separator in the return parameter to login_page.php, a different vulnerability than CVE-2014-6316. |
| 19465 | CVE-2015-1038 | 59 | | | 2015-01-21 | 2017-09-08 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial |
p7zip 9.20.1 allows remote attackers to write to arbitrary files via a symlink attack in an archive. |
| 19466 | CVE-2015-1030 | 399 | | DoS | 2015-01-20 | 2015-02-04 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
Memory leak in the rfc2553_connect_to function in jbsocket.c in Privoxy before 3.0.22 allows remote attackers to cause a denial of service (memory consumption) via a large number of requests that are rejected because the socket limit is reached. |
| 19467 | CVE-2015-1012 | 200 | | +Info | 2019-03-25 | 2019-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Wireless keys are stored in plain text on version 5 of the Hospira LifeCare PCA Infusion System. According to Hospira, version 3 of the LifeCare PCA Infusion System is not indicated for wireless use, is not shipped with wireless capabilities, and should not be modified to be used in a wireless capacity in a clinical setting. Hospira has developed a new version of the PCS Infusion System, version 7.0 that addresses the identified vulnerabilities. Version 7.0 has Port 20/FTP and Port 23/TELNET closed by default to prevent unauthorized access. |
| 19468 | CVE-2015-1011 | 200 | | +Info | 2015-07-06 | 2015-07-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Hospira LifeCare PCA Infusion System before 7.0 has hardcoded credentials, which makes it easier for remote attackers to obtain access via unspecified vectors. |
| 19469 | CVE-2015-1003 | 22 | | Dir. Trav. | 2015-10-25 | 2015-10-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Directory traversal vulnerability in IniNet embeddedWebServer (aka eWebServer) before 2.02 allows remote attackers to read arbitrary files via a crafted pathname. |
| 19470 | CVE-2015-0997 | 200 | | +Info | 2015-03-29 | 2021-05-14 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Schneider Electric InduSoft Web Studio before 7.1.3.4 SP3 Patch 4 and InTouch Machine Edition 2014 before 7.1.3.4 SP3 Patch 4 provide an HMI user interface that lists all valid usernames, which makes it easier for remote attackers to obtain access via a brute-force password-guessing attack. |
| 19471 | CVE-2015-0995 | 255 | | | 2015-04-03 | 2015-04-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Inductive Automation Ignition 7.7.2 uses MD5 password hashes, which makes it easier for context-dependent attackers to obtain access via a brute-force attack. |
| 19472 | CVE-2015-0991 | 200 | | +Info | 2015-04-03 | 2015-04-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Inductive Automation Ignition 7.7.2 allows remote attackers to obtain sensitive information by reading an error message about an unhandled exception, as demonstrated by pathname information. |
| 19473 | CVE-2015-0987 | 200 | | +Info | 2015-10-06 | 2015-10-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Omron CX-One CX-Programmer before 9.6, CJ2M PLC devices before 2.1, and CJ2H PLC devices before 1.5 rely on cleartext password transmission, which allows remote attackers to obtain sensitive information by sniffing the network during a PLC unlock request. |
| 19474 | CVE-2015-0972 | 255 | | DoS | 2015-06-23 | 2015-06-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Pearson ProctorCache before 2015.1.17 uses the same hardcoded password across different customers' installations, which allows remote attackers to modify test metadata or cause a denial of service (test disruption) by leveraging knowledge of this password. |
| 19475 | CVE-2015-0971 | 399 | | DoS | 2015-05-14 | 2015-05-15 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
The DER parser in Suricata before 2.0.8 allows remote attackers to cause a denial of service (crash) via vectors related to SSL/TLS certificates. |
| 19476 | CVE-2015-0969 | 200 | | +Info | 2015-04-18 | 2015-04-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
SearchBlox before 8.2 allows remote attackers to obtain sensitive information via a pretty=true action to the _cluster/health URI. |
| 19477 | CVE-2015-0943 | 200 | | +Info | 2015-08-31 | 2015-08-31 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
Basware Banking (Maksuliikenne) before 9.10.0.0 does not encrypt communication between the client and the backend server, which allows man-in-the-middle attackers to obtain encryption keys, user credentials, and other sensitive information by sniffing the network or modify this traffic by inserting packets into the client-server data stream. |
| 19478 | CVE-2015-0938 | 200 | | Bypass +Info | 2015-04-17 | 2016-12-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
search.php on the Blue Coat Malware Analysis appliance with software before 4.2.4.20150312-RELEASE allows remote attackers to bypass intended access restrictions, and list or read arbitrary documents, by providing matching keywords in conjunction with a crafted parameter. |
| 19479 | CVE-2015-0928 | 476 | | DoS | 2017-08-28 | 2020-03-05 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
libhtp 0.5.15 allows remote attackers to cause a denial of service (NULL pointer dereference). |
| 19480 | CVE-2015-0923 | | | | 2015-02-14 | 2015-02-17 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
The ContentBlockEx method in Workarea/ServerControlWS.asmx in Ektron Content Management System (CMS) 8.5 and 8.7 before 8.7sp2 and 9.0 before sp1 allows remote attackers to read arbitrary files via an external entity declaration in conjunction with an entity reference within an XML document named in the xslt parameter, related to an XML External Entity (XXE) issue. |
| 19481 | CVE-2015-0922 | 200 | | +Info | 2015-01-09 | 2017-09-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
McAfee ePolicy Orchestrator (ePO) before 4.6.9 and 5.x before 5.1.2 uses the same secret key across different customers' installations, which allows attackers to obtain the administrator password by leveraging knowledge of the encrypted password. |
| 19482 | CVE-2015-0914 | 284 | | | 2015-05-01 | 2015-05-01 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
EasyCTF before 1.4 does not validate the session ID, which allows remote attackers to obtain access via a crafted HTTP request. |
| 19483 | CVE-2015-0911 | 22 | | Dir. Trav. | 2015-04-24 | 2015-04-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Directory traversal vulnerability in TAGAWA Takao TransmitMail 1.0.11 through 1.5.8 allows remote attackers to read arbitrary files via vectors related to attachment handling. |
| 19484 | CVE-2015-0906 | 22 | | Dir. Trav. | 2015-04-15 | 2015-04-15 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial |
Directory traversal vulnerability in Lhaplus before 1.70 allows remote attackers to write to arbitrary files via a crafted archive. |
| 19485 | CVE-2015-0902 | 200 | | +Info | 2015-04-03 | 2015-04-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
The Semper Fi All in One SEO Pack plugin before 2.2.6 for WordPress does not consider the presence of password protection during generation of the Meta Description field, which allows remote attackers to obtain sensitive information by reading HTML source code. |
| 19486 | CVE-2015-0899 | 20 | | Bypass | 2016-07-04 | 2018-07-01 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter. |
| 19487 | CVE-2015-0890 | | | Bypass | 2015-03-03 | 2015-03-03 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors. |
| 19488 | CVE-2015-0886 | 190 | | Overflow | 2015-02-28 | 2021-09-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent. |
| 19489 | CVE-2015-0885 | 399 | | DoS | 2015-02-28 | 2015-09-24 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username. |
| 19490 | CVE-2015-0878 | 22 | | Dir. Trav. | 2015-02-20 | 2015-02-20 | 5.8 | None | Remote | Medium | Not required | None | Partial | Partial |
Directory traversal vulnerability in CREAR AL-Mail32 before 1.13d allows remote attackers to write to arbitrary files via a crafted filename of an attachment. |
| 19491 | CVE-2015-0867 | 22 | | Dir. Trav. | 2015-01-21 | 2015-01-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
Directory traversal vulnerability in SYNCK GRAPHICA Download Log CGI 3.0 and earlier allows remote attackers to read arbitrary files via a crafted filename. |
| 19492 | CVE-2015-0852 | 189 | | DoS Mem. Corr. | 2015-09-29 | 2019-01-16 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
Multiple integer underflows in PluginPCX.cpp in FreeImage 3.17.0 and earlier allow remote attackers to cause a denial of service (heap memory corruption) via vectors related to the height and width of a window. |
| 19493 | CVE-2015-0851 | 189 | | DoS | 2015-08-12 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
XMLTooling-C before 1.5.5, as used in OpenSAML-C and Shibboleth Service Provider (SP), does not properly handle integer conversion exceptions, which allows remote attackers to cause a denial of service (crash) via schema-invalid XML data. |
| 19494 | CVE-2015-0846 | 200 | | +Info | 2015-04-24 | 2015-04-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
django-markupfield before 1.3.2 uses the default docutils RESTRUCTUREDTEXT_FILTER_SETTINGS settings, which allows remote attackers to include and read arbitrary files via unspecified vectors. |
| 19495 | CVE-2015-0844 | 200 | | +Info | 2015-04-14 | 2016-06-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
The WML/Lua API in Battle for Wesnoth 1.7.x through 1.11.x and 1.12.x before 1.12.2 allows remote attackers to read arbitrary files via a crafted (1) campaign or (2) map file. |
| 19496 | CVE-2015-0841 | 193 | | DoS | 2019-12-09 | 2019-12-11 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
Off-by-one error in the readBuf function in listener.cpp in libcapsinetwork and monopd before 0.9.8, allows remote attackers to cause a denial of service (crash) via a long line. |
| 19497 | CVE-2015-0832 | 254 | | Bypass | 2015-02-25 | 2018-10-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
Mozilla Firefox before 36.0 does not properly recognize the equivalence of domain names with and without a trailing . (dot) character, which allows man-in-the-middle attackers to bypass the HPKP and HSTS protection mechanisms by constructing a URL with this character and leveraging access to an X.509 certificate for a domain with this character. |
| 19498 | CVE-2015-0830 | 399 | | DoS | 2015-02-25 | 2018-10-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
The WebGL implementation in Mozilla Firefox before 36.0 does not properly allocate memory for copying an unspecified string to a shader's compilation log, which allows remote attackers to cause a denial of service (application crash) via crafted WebGL content. |
| 19499 | CVE-2015-0824 | 119 | | DoS Overflow | 2015-02-25 | 2018-10-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
The mozilla::layers::BufferTextureClient::AllocateForSurface function in Mozilla Firefox before 36.0 allows remote attackers to cause a denial of service (out-of-bounds write of zero values, and application crash) via vectors that trigger use of DrawTarget and the Cairo library for image drawing. |
| 19500 | CVE-2015-0816 | 264 | | Exec Code Bypass | 2015-04-01 | 2017-09-17 | 5.0 | None | Remote | Low | Not required | None | Partial | None |
Mozilla Firefox before 37.0, Firefox ESR 31.x before 31.6, and Thunderbird before 31.6 do not properly restrict resource: URLs, which makes it easier for remote attackers to execute arbitrary JavaScript code with chrome privileges by leveraging the ability to bypass the Same Origin Policy, as demonstrated by the resource: URL associated with PDF.js. |