| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 46001 | CVE-2015-3003 | 264 | | +Priv | 2015-04-10 | 2016-12-02 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | Juniper Junos 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 before 12.1X47-D20, 12.3 before 12.3R9, 12.3X48 before 12.3X48-D10, 13.2 before 13.2R6, 13.3 before 13.3R5, 14.1 before 14.1R3, and 14.2 before 14.2R1 allows local users to gain privileges via crafted combinations of CLI commands and arguments. |
| 46002 | CVE-2015-3002 | 17 | | | 2015-04-10 | 2016-12-02 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | Juniper Junos 12.1X44 before 12.1X44-D45, 12.1X46 before 12.1X46-D30, 12.1X47 before 12.1X47-D15, and 12.3X48 before 12.3X48-D10 on SRX series devices does not properly enforce the log-out-on-disconnect feature when configured in the [system port console] stanza, which allows physically proximate attackers to reconnect to the console port and gain administrative access by leveraging access to the device. |
| 46003 | CVE-2015-3001 | 255 | | Bypass | 2015-06-08 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SysAid Help Desk before 15.2 uses a hardcoded password of Password1 for the sa SQL Server Express user account, which allows remote authenticated users to bypass intended access restrictions by leveraging knowledge of this password. |
| 46004 | CVE-2015-3000 | 399 | | DoS | 2015-06-08 | 2018-10-09 | 7.8 | None | Remote | Low | Not required | None | None | Complete | SysAid Help Desk before 15.2 allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of nested entity references in an XML document to (1) /agententry, (2) /rdsmonitoringresponse, or (3) /androidactions, aka an XML Entity Expansion (XEE) attack. |
| 46005 | CVE-2015-2999 | 89 | | Exec Code Sql | 2015-06-08 | 2018-10-09 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Multiple SQL injection vulnerabilities in SysAid Help Desk before 15.2 allow remote administrators to execute arbitrary SQL commands via the (1) groupFilter parameter in an AssetDetails report to /genericreport, customSQL parameter in a (2) TopAdministratorsByAverageTimer report or an (3) ActiveRequests report to /genericreport, (4) dir parameter to HelpDesk.jsp, or (5) grantSQL parameter to RFCGantt.jsp. |
| 46006 | CVE-2015-2998 | 200 | | +Info | 2015-06-08 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SysAid Help Desk before 15.2 uses a hardcoded encryption key, which makes it easier for remote attackers to obtain sensitive information, as demonstrated by decrypting the database password in WEB-INF/conf/serverConf.xml. |
| 46007 | CVE-2015-2997 | 200 | | Dir. Trav. +Info | 2015-06-08 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | SysAid Help Desk before 15.2 allows remote attackers to obtain sensitive information via an invalid value in the accountid parameter to getAgentLogFile, as demonstrated by a large directory traversal sequence, which reveals the installation path in an error message. |
| 46008 | CVE-2015-2996 | 22 | | DoS Dir. Trav. | 2015-06-08 | 2018-10-09 | 8.5 | None | Remote | Low | Not required | Partial | None | Complete | Multiple directory traversal vulnerabilities in SysAid Help Desk before 15.2 allow remote attackers to (1) read arbitrary files via a .. (dot dot) in the fileName parameter to getGfiUpgradeFile or (2) cause a denial of service (CPU and memory consumption) via a .. (dot dot) in the fileName parameter to calculateRdsFileChecksum. |
| 46009 | CVE-2015-2995 | 22 | | Dir. Trav. | 2015-06-08 | 2018-10-09 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The RdsLogsEntry servlet in SysAid Help Desk before 15.2 does not properly check file extensions, which allows remote attackers to upload and execute arbitrary files via a NULL byte after the extension, as demonstrated by a .war%00 file. |
| 46010 | CVE-2015-2994 | | | Exec Code | 2015-06-08 | 2018-10-09 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Unrestricted file upload vulnerability in ChangePhoto.jsp in SysAid Help Desk before 15.2 allows remote administrators to execute arbitrary code by uploading a file with a .jsp extension, then accessing it via a direct request to the file in icons/user_photo/. |
| 46011 | CVE-2015-2993 | 264 | | | 2015-06-08 | 2018-10-09 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SysAid Help Desk before 15.2 does not properly restrict access to certain functionality, which allows remote attackers to (1) create administrator accounts via a crafted request to /createnewaccount or (2) write to arbitrary files via the fileName parameter to /userentry. |
| 46012 | CVE-2015-2991 | 119 | | Exec Code Overflow | 2015-09-04 | 2015-09-08 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Buffer overflow in NScripter before 3.00 allows remote attackers to execute arbitrary code via crafted save data. |
| 46013 | CVE-2015-2990 | 22 | | Dir. Trav. | 2015-09-04 | 2015-09-11 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Directory traversal vulnerability in zhtml.cgi in NEOJAPAN desknet NEO 2.0R1.0 through 2.5R1.4 allows remote authenticated users to read arbitrary files via a crafted parameter. |
| 46014 | CVE-2015-2989 | 79 | | XSS | 2015-09-07 | 2015-09-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in index.php in LEMON-S PHP Twit BBS allows remote attackers to inject arbitrary web script or HTML via the imagetitle parameter. |
| 46015 | CVE-2015-2988 | 295 | | | 2017-10-10 | 2017-11-03 | 4.0 | None | Remote | High | Not required | Partial | Partial | None | Rakuten card App for iOS 5.2.0 through 5.2.4 does not verify SSL certificates, which might allow remote attackers to execute man-in-the-middle attacks. |
| 46016 | CVE-2015-2986 | 79 | | XSS | 2015-09-05 | 2015-09-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in rakuto.net hitSuji (rktSNS2) 0.2.2b allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 46017 | CVE-2015-2985 | 79 | | XSS | 2015-09-05 | 2015-09-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in guide-park.com BBS X102 1.03 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 46018 | CVE-2015-2984 | 264 | | DoS | 2015-08-22 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | None | None | Partial | I-O DATA DEVICE WN-G54/R2 routers with firmware before 1.03 and NP-BBRS routers allow remote attackers to cause a denial of service (SSDP reflection) via UPnP requests. |
| 46019 | CVE-2015-2983 | 352 | | CSRF | 2015-08-22 | 2015-08-24 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in admin.php in PHP Kobo Photo Gallery CMS for PC, smartphone and feature phone 1.0.1 Free and earlier allows remote attackers to hijack the authentication of arbitrary users. |
| 46020 | CVE-2015-2982 | 79 | | XSS | 2015-08-22 | 2015-08-24 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in jquery.lightbox-0.5.min.js in PHP Kobo Photo Gallery CMS for PC, smartphone and feature phone 1.0.1 Free and earlier allows remote authenticated users to inject arbitrary web script or HTML via unspecified input to admin.php. |
| 46021 | CVE-2015-2981 | 295 | | +Info | 2018-01-12 | 2018-02-01 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The Yodobashi App for Android 1.2.1.0 and earlier does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 46022 | CVE-2015-2980 | 78 | | Exec Code +Info | 2015-08-07 | 2015-08-10 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The Yodobashi application 1.2.1.0 and earlier for Android allows remote attackers to execute arbitrary Java methods, and consequently obtain sensitive information or execute OS commands, via a crafted HTML document. |
| 46023 | CVE-2015-2979 | 78 | | Exec Code | 2015-07-29 | 2015-07-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Webservice-DIC yoyaku_v41 allows remote attackers to execute arbitrary OS commands via unspecified vectors. |
| 46024 | CVE-2015-2978 | 287 | | Bypass | 2015-07-29 | 2015-07-29 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Webservice-DIC yoyaku_v41 allows remote attackers to bypass authentication and complete a conference-room reservation via unspecified vectors, as demonstrated by an "unintentional reservation." |
| 46025 | CVE-2015-2977 | 20 | | Exec Code | 2015-07-29 | 2015-07-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Webservice-DIC yoyaku_v41 allows remote attackers to create arbitrary files, and consequently execute arbitrary code, via unspecified vectors. |
| 46026 | CVE-2015-2976 | 79 | | XSS | 2015-07-25 | 2015-07-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Research Artisan Lite before 1.18 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted HTML document or (2) a crafted URL that is mishandled during access-log analysis. |
| 46027 | CVE-2015-2975 | | | | 2015-07-26 | 2015-07-27 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Research Artisan Lite before 1.18 does not ensure that a user has authenticated, which allows remote attackers to perform unspecified actions via unknown vectors. |
| 46028 | CVE-2015-2974 | 20 | | | 2015-07-28 | 2015-07-29 | 5.0 | None | Remote | Low | Not required | None | Partial | None | LEMON-S PHP Gazou BBS plus before 2.36 allows remote attackers to upload arbitrary HTML documents via vectors involving a crafted image file. |
| 46029 | CVE-2015-2973 | 79 | | XSS | 2015-07-24 | 2016-12-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the Welcart plugin before 1.4.18 for WordPress allow remote attackers to inject arbitrary web script or HTML via the usces_referer parameter to (1) classes/usceshop.class.php, (2) includes/edit-form-advanced.php, (3) includes/edit-form-advanced30.php, (4) includes/edit-form-advanced34.php, (5) includes/member_edit_form.php, (6) includes/order_edit_form.php, (7) includes/order_list.php, or (8) includes/usces_item_master_list.php, related to admin.php. |
| 46030 | CVE-2015-2972 | 89 | | Exec Code Sql | 2015-07-19 | 2015-07-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Multiple SQL injection vulnerabilities in Sysphonic Thetis before 2.3.0 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| 46031 | CVE-2015-2971 | 22 | | Dir. Trav. | 2015-07-19 | 2015-07-23 | 5.5 | None | Remote | Low | Single system | None | Partial | Partial | Directory traversal vulnerability in Seeds acmailer before 3.8.18 and 3.9.x before 3.9.12 Beta allows remote authenticated users to delete arbitrary files via a crafted string. |
| 46032 | CVE-2015-2970 | 22 | | Dir. Trav. | 2015-07-10 | 2015-07-13 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial | index.php in LEMON-S PHP Simple Oekaki BBS before 1.21 allows remote attackers to delete arbitrary files via the oekakis parameter. |
| 46033 | CVE-2015-2969 | 79 | | XSS | 2015-07-10 | 2015-07-15 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in index.php in LEMON-S PHP Simple Oekaki BBS before 1.21 allows remote attackers to inject arbitrary web script or HTML via the oekakis parameter. |
| 46034 | CVE-2015-2967 | 79 | | XSS | 2015-07-10 | 2016-12-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in settings.php in Cacti before 0.8.8d allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 46035 | CVE-2015-2966 | 22 | | Dir. Trav. | 2015-06-30 | 2015-07-01 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial | Directory traversal vulnerability in the Droidware UK Explorer+ File Manager application before 2.3.3 for Android allows remote attackers to write to arbitrary files via unspecified vectors. |
| 46036 | CVE-2015-2965 | 22 | | Dir. Trav. | 2015-06-28 | 2016-12-02 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Directory traversal vulnerability in osCommerce Japanese 2.2ms1j-R8 and earlier allows remote authenticated administrators to read arbitrary files via unspecified vectors. |
| 46037 | CVE-2015-2964 | 20 | | Bypass | 2015-07-04 | 2016-12-02 | 5.0 | None | Remote | Low | Not required | None | Partial | None | NAMSHI \| JOSE 5.0.0 and earlier allows remote attackers to bypass signature verification via crafted tokens in a JSON Web Tokens (JWT) header. |
| 46038 | CVE-2015-2963 | 79 | | XSS | 2015-07-10 | 2016-12-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg. |
| 46039 | CVE-2015-2962 | 20 | | Exec Code | 2015-06-13 | 2016-12-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | CGI RESCUE BloBee 1.20 and earlier allows remote attackers to write to arbitrary files, and consequently execute arbitrary code, via unspecified vectors. |
| 46040 | CVE-2015-2961 | 352 | | CSRF | 2015-06-08 | 2016-12-30 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to hijack the authentication of administrators. |
| 46041 | CVE-2015-2960 | 79 | | XSS | 2015-06-08 | 2016-12-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 46042 | CVE-2015-2959 | 284 | | +Info | 2015-06-08 | 2016-12-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role. |
| 46043 | CVE-2015-2958 | 264 | | Bypass | 2015-06-13 | 2016-12-02 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial | Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote attackers to bypass intended access restrictions and modify settings via unspecified vectors, a different vulnerability than CVE-2015-2952 and CVE-2015-2953. |
| 46044 | CVE-2015-2957 | 79 | | XSS | 2015-06-13 | 2016-12-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 46045 | CVE-2015-2956 | 89 | | Exec Code Sql | 2015-06-13 | 2016-12-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| 46046 | CVE-2015-2955 | 78 | | Exec Code | 2015-06-13 | 2016-12-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors. |
| 46047 | CVE-2015-2954 | 352 | | CSRF | 2015-06-13 | 2016-12-02 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote attackers to hijack the authentication of arbitrary users. |
| 46048 | CVE-2015-2953 | 264 | | Bypass | 2015-06-13 | 2016-12-02 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote attackers to bypass intended access restrictions and read files via unspecified vectors, a different vulnerability than CVE-2015-2952 and CVE-2015-2958. |
| 46049 | CVE-2015-2952 | 284 | | Bypass | 2015-06-13 | 2016-12-02 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | The user-information management functionality in Igreks MilkyStep Light 0.94 and earlier and Professional 1.82 and earlier allows remote authenticated users to bypass intended access restrictions and modify administrative credentials via unspecified vectors, a different vulnerability than CVE-2015-2953 and CVE-2015-2958. |
| 46050 | CVE-2015-2951 | 20 | | Bypass | 2015-06-05 | 2016-12-02 | 5.0 | None | Remote | Low | Not required | None | Partial | None | JWT.php in F21 JWT before 2.0 allows remote attackers to bypass signature verification via crafted tokens. |