| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 36301 | CVE-2015-2980 | 78 | | Exec Code +Info | 2015-08-07 | 2015-08-10 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The Yodobashi application 1.2.1.0 and earlier for Android allows remote attackers to execute arbitrary Java methods, and consequently obtain sensitive information or execute OS commands, via a crafted HTML document. |
| 36302 | CVE-2015-2978 | 287 | | Bypass | 2015-07-29 | 2015-07-29 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Webservice-DIC yoyaku_v41 allows remote attackers to bypass authentication and complete a conference-room reservation via unspecified vectors, as demonstrated by an "unintentional reservation." |
| 36303 | CVE-2015-2976 | 79 | | XSS | 2015-07-25 | 2015-07-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Research Artisan Lite before 1.18 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted HTML document or (2) a crafted URL that is mishandled during access-log analysis. |
| 36304 | CVE-2015-2975 | | | | 2015-07-26 | 2015-07-27 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Research Artisan Lite before 1.18 does not ensure that a user has authenticated, which allows remote attackers to perform unspecified actions via unknown vectors. |
| 36305 | CVE-2015-2974 | 20 | | | 2015-07-28 | 2015-07-29 | 5.0 | None | Remote | Low | Not required | None | Partial | None | LEMON-S PHP Gazou BBS plus before 2.36 allows remote attackers to upload arbitrary HTML documents via vectors involving a crafted image file. |
| 36306 | CVE-2015-2973 | 79 | | XSS | 2015-07-24 | 2016-12-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject arbitrary web script or HTML via the usces_referer parameter to (1) classes/usceshop.class.php, (2) includes/edit-form-advanced.php, (3) includes/edit-form-advanced30.php, (4) includes/edit-form-advanced34.php, (5) includes/member_edit_form.php, (6) includes/order_edit_form.php, (7) includes/order_list.php, or (8) includes/usces_item_master_list.php, related to admin.php. |
| 36307 | CVE-2015-2971 | 22 | | Dir. Trav. | 2015-07-19 | 2015-07-23 | 5.5 | None | Remote | Low | Single system | None | Partial | Partial | Directory traversal vulnerability in Seeds acmailer before 3.8.18 and 3.9.x before 3.9.12 Beta allows remote authenticated users to delete arbitrary files via a crafted string. |
| 36308 | CVE-2015-2970 | 22 | | Dir. Trav. | 2015-07-10 | 2015-07-13 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial | index.php in LEMON-S PHP Simple Oekaki BBS before 1.21 allows remote attackers to delete arbitrary files via the oekakis parameter. |
| 36309 | CVE-2015-2969 | 79 | | XSS | 2015-07-10 | 2015-07-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in index.php in LEMON-S PHP Simple Oekaki BBS before 1.21 allows remote attackers to inject arbitrary web script or HTML via the oekakis parameter. |
| 36310 | CVE-2015-2967 | 79 | | XSS | 2015-07-10 | 2016-12-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in settings.php in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 36311 | CVE-2015-2966 | 22 | | Dir. Trav. | 2015-06-30 | 2015-07-01 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial | Directory traversal vulnerability in the Droidware UK Explorer+ File Manager application before 2.3.3 for Android allows remote attackers to write to arbitrary files via unspecified vectors. |
| 36312 | CVE-2015-2965 | 22 | | Dir. Trav. | 2015-06-28 | 2016-12-02 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Directory traversal vulnerability in osCommerce Japanese 2.2ms1j-R8 and earlier allows remote authenticated administrators to read arbitrary files via unspecified vectors. |
| 36313 | CVE-2015-2964 | 20 | | Bypass | 2015-07-04 | 2016-12-02 | 5.0 | None | Remote | Low | Not required | None | Partial | None | NAMSHI \| JOSE 5.0.0 and earlier allows remote attackers to bypass signature verification via crafted tokens in a JSON Web Tokens (JWT) header. |
| 36314 | CVE-2015-2963 | 79 | | XSS | 2015-07-10 | 2016-12-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg. |
| 36315 | CVE-2015-2961 | 352 | | CSRF | 2015-06-08 | 2016-12-30 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to hijack the authentication of administrators. |
| 36316 | CVE-2015-2960 | 79 | | XSS | 2015-06-08 | 2016-12-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 36317 | CVE-2015-2958 | 264 | | Bypass | 2015-06-13 | 2016-12-02 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial | Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote attackers to bypass intended access restrictions and modify settings via unspecified vectors, a different vulnerability than CVE-2015-2952 and CVE-2015-2953. |
| 36318 | CVE-2015-2957 | 79 | | XSS | 2015-06-13 | 2016-12-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 36319 | CVE-2015-2954 | 352 | | CSRF | 2015-06-13 | 2016-12-02 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote attackers to hijack the authentication of arbitrary users. |
| 36320 | CVE-2015-2953 | 264 | | Bypass | 2015-06-13 | 2016-12-02 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote attackers to bypass intended access restrictions and read files via unspecified vectors, a different vulnerability than CVE-2015-2952 and CVE-2015-2958. |
| 36321 | CVE-2015-2952 | 284 | | Bypass | 2015-06-13 | 2016-12-02 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | The user-information management functionality in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote authenticated users to bypass intended access restrictions and modify administrative credentials via unspecified vectors, a different vulnerability than CVE-2015-2953 and CVE-2015-2958. |
| 36322 | CVE-2015-2951 | 20 | | Bypass | 2015-06-05 | 2016-12-02 | 5.0 | None | Remote | Low | Not required | None | Partial | None | JWT.php in F21 JWT before 2.0 allows remote attackers to bypass signature verification via crafted tokens. |
| 36323 | CVE-2015-2950 | 22 | | Dir. Trav. | 2015-06-05 | 2016-12-02 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial | Directory traversal vulnerability in the Brandon Bowles Open Explorer application before 0.254 Beta for Android allows remote attackers to write to arbitrary files via a crafted filename. |
| 36324 | CVE-2015-2949 | 79 | | XSS | 2015-05-31 | 2016-12-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in ZenPhoto20 1.1.3 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 36325 | CVE-2015-2948 | 79 | | XSS | 2015-05-31 | 2016-12-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the image processor in Zenphoto before 1.4.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 36326 | CVE-2015-2947 | 441 | | | 2017-04-13 | 2017-04-25 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial | KanColleViewer versions 3.8.1 and earlier operate as an open proxy, which allows remote attackers to trigger outbound network traffic. |
| 36327 | CVE-2015-2946 | 119 | | Exec Code Overflow | 2015-05-25 | 2016-12-02 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Stack-based buffer overflow in the Open CAD Format Council SXF common library before 3.30 allows remote attackers to execute arbitrary code via a crafted CAD file. |
| 36328 | CVE-2015-2944 | 79 | | XSS | 2015-06-02 | 2016-12-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse. |
| 36329 | CVE-2015-2943 | 295 | | | 2017-09-06 | 2017-09-08 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Honda Moto LINC 1.6.1 does not verify SSL certificates. |
| 36330 | CVE-2015-2941 | 79 | | XSS | 2015-04-13 | 2016-12-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2, when using HHVM, allows remote attackers to inject arbitrary web script or HTML via an invalid parameter in a wddx format request to api.php, which is not properly handled in an error message, related to unsafe calls to wddx_serialize_value. |
| 36331 | CVE-2015-2940 | 352 | | CSRF | 2015-04-13 | 2016-12-07 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the CheckUser extension for MediaWiki allows remote attackers to hijack the authentication of certain users for requests that retrieve sensitive user information via unspecified vectors. |
| 36332 | CVE-2015-2939 | 79 | | XSS | 2015-04-13 | 2016-12-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Scribunto extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a function name, which is not properly handled in a Lua error backtrace. |
| 36333 | CVE-2015-2938 | 79 | | XSS | 2015-04-13 | 2016-12-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via a custom JavaScript file, which is not properly handled when previewing the file. |
| 36334 | CVE-2015-2935 | 200 | | Bypass +Info | 2015-04-13 | 2016-12-07 | 5.0 | None | Remote | Low | Not required | Partial | None | None | MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to bypass the SVG filtering and obtain sensitive user information via a mixed case @import in a style element in an SVG file, as demonstrated by "@imporT." |
| 36335 | CVE-2015-2934 | 79 | | XSS | 2015-04-13 | 2016-12-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 does not properly handle when the Zend interpreter xml_parse function does not expand entities, which allows remote attackers to inject arbitrary web script or HTML via a crafted SVG file. |
| 36336 | CVE-2015-2933 | 79 | | XSS | 2015-04-13 | 2016-12-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Html class in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via a LanguageConverter substitution string when using a language variant. |
| 36337 | CVE-2015-2932 | 79 | | XSS | 2015-04-13 | 2016-12-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Incomplete blacklist vulnerability in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an animated href XLink element. |
| 36338 | CVE-2015-2931 | 79 | | XSS | 2015-04-13 | 2016-12-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Incomplete blacklist vulnerability in includes/upload/UploadBase.php in MediaWiki before 1.19.24, 1.2x before 1.23.9, and 1.24.x before 1.24.2 allows remote attackers to inject arbitrary web script or HTML via an application/xml MIME type for a nested SVG with a data: URI. |
| 36339 | CVE-2015-2927 | 399 | | DoS | 2017-09-20 | 2017-10-03 | 6.8 | None | Remote | Low | Single system | None | None | Complete | node 0.3.2 and URONode before 1.0.5r3 allows remote attackers to cause a denial of service (bandwidth consumption). |
| 36340 | CVE-2015-2926 | 79 | | XSS | 2015-04-14 | 2018-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Php/stats/statsRecent.inc.php in phpTrafficA 2.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the HTTP User-Agent header to index.php. |
| 36341 | CVE-2015-2925 | 254 | | Bypass | 2015-11-16 | 2018-01-04 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | The prepend_path function in fs/dcache.c in the Linux kernel before 4.2.4 does not properly handle rename actions inside a bind mount, which allows local users to bypass an intended container protection mechanism by renaming a directory, related to a "double-chroot attack." |
| 36342 | CVE-2015-2924 | 20 | | | 2015-11-16 | 2016-12-07 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | The receive_ra function in rdisc/nm-lndp-rdisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in NetworkManager 1.x allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message, a similar issue to CVE-2015-2922. |
| 36343 | CVE-2015-2922 | 17 | | | 2015-05-27 | 2018-01-04 | 3.3 | None | Local Network | Low | Not required | None | None | Partial | The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message. |
| 36344 | CVE-2015-2918 | 20 | | | 2015-12-31 | 2015-12-31 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict use of FRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site. |
| 36345 | CVE-2015-2917 | 20 | | | 2015-09-21 | 2015-09-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 and Almond-2015 devices with firmware before AL2-R088M unintentionally omit the X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site that contains a (1) FRAME, (2) IFRAME, or (3) OBJECT element. |
| 36346 | CVE-2015-2916 | 352 | | CSRF | 2015-09-21 | 2015-09-30 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability on Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 and Almond-2015 devices with firmware before AL2-R088M allows remote attackers to hijack the authentication of arbitrary users. |
| 36347 | CVE-2015-2914 | | | | 2015-09-21 | 2015-09-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 and Almond-2015 devices with firmware before AL2-R088M use a fixed source-port number in outbound DNS queries performed on behalf of any device, which makes it easier for remote attackers to spoof responses by using this number for the destination port, a different vulnerability than CVE-2015-7296. |
| 36348 | CVE-2015-2913 | 200 | | +Info | 2015-12-31 | 2015-12-31 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | server/network/protocol/http/OHttpSessionManager.java in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 improperly relies on the java.util.Random class for generation of random Session ID values, which makes it easier for remote attackers to predict a value by determining the internal state of the PRNG in this class. |
| 36349 | CVE-2015-2912 | 352 | | +Info CSRF | 2015-12-31 | 2015-12-31 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The JSONP endpoint in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 does not properly restrict callback values, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks, and obtain sensitive information, via a crafted HTTP request. |
| 36350 | CVE-2015-2905 | 352 | | CSRF | 2015-08-23 | 2015-08-24 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability on Actiontec GT784WN modems with firmware before NCS01-1.0.13 allows remote attackers to hijack the authentication or intranet connectivity of arbitrary users. |