CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Fedoraproject » Fedora : Security Vulnerabilities Published In 2015

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-8393 200 +Info 2015-12-01 2017-06-30
5.0
None Remote Low Not required Partial None None
pcregrep in PCRE before 8.38 mishandles the -q option for binary files, which might allow remote attackers to obtain sensitive information via a crafted file, as demonstrated by a CGI script that sends stdout data to a client.
2 CVE-2015-8390 119 DoS Overflow 2015-12-01 2017-06-30
7.5
None Remote Low Not required Partial Partial Partial
PCRE before 8.38 mishandles the [: and \\ substrings in character classes, which allows remote attackers to cause a denial of service (uninitialized memory read) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
3 CVE-2015-8389 119 DoS Overflow 2015-12-01 2017-06-30
7.5
None Remote Low Not required Partial Partial Partial
PCRE before 8.38 mishandles the /(?:|a|){100}x/ pattern and related patterns, which allows remote attackers to cause a denial of service (infinite recursion) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
4 CVE-2015-8387 189 DoS Overflow 2015-12-01 2017-06-30
7.5
None Remote Low Not required Partial Partial Partial
PCRE before 8.38 mishandles (?123) subroutine calls and related subroutine calls, which allows remote attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
5 CVE-2015-8386 119 DoS Overflow 2015-12-01 2018-01-04
7.5
None Remote Low Not required Partial Partial Partial
PCRE before 8.38 mishandles the interaction of lookbehind assertions and mutually recursive subpatterns, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
6 CVE-2015-8383 119 DoS Overflow 2015-12-01 2018-01-04
7.5
None Remote Low Not required Partial Partial Partial
PCRE before 8.38 mishandles certain repeated conditional groups, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
7 CVE-2015-8380 119 DoS Overflow 2015-12-01 2017-06-30
7.5
None Remote Low Not required Partial Partial Partial
The pcre_exec function in pcre_exec.c in PCRE before 8.38 mishandles a // pattern with a \01 string, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror.
8 CVE-2015-8370 264 DoS Mem. Corr. Bypass +Info 2015-12-16 2016-12-07
6.9
None Local Medium Not required Complete Complete Complete
Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an "Off-by-two" or "Out of bounds overwrite" memory error.
9 CVE-2015-7496 264 Bypass 2015-11-24 2018-01-04
7.2
None Local Low Not required Complete Complete Complete
GNOME Display Manager (gdm) before 3.18.2 allows physically proximate attackers to bypass the lock screen by holding the Escape key.
10 CVE-2015-7223 264 +Priv XSS +Info 2015-12-16 2016-12-07
4.0
None Remote High Not required Partial Partial None
The WebExtension APIs in Mozilla Firefox before 43.0 allow remote attackers to gain privileges, and possibly obtain sensitive information or conduct cross-site scripting (XSS) attacks, via a crafted web site.
11 CVE-2015-7222 189 DoS Exec Code Overflow 2015-12-16 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
Integer underflow in the Metadata::setData function in MetaData.cpp in libstagefright in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allows remote attackers to execute arbitrary code or cause a denial of service (incorrect memory allocation and application crash) via an MP4 video file with crafted covr metadata that triggers a buffer overflow.
12 CVE-2015-7221 119 DoS Overflow 2015-12-16 2016-12-07
10.0
None Remote Low Not required Complete Complete Complete
Buffer overflow in the nsDeque::GrowCapacity function in xpcom/glue/nsDeque.cpp in Mozilla Firefox before 43.0 might allow remote attackers to cause a denial of service or possibly have unspecified other impact by triggering a deque size change.
13 CVE-2015-7220 119 DoS Overflow 2015-12-16 2016-12-07
10.0
None Remote Low Not required Complete Complete Complete
Buffer overflow in the XDRBuffer::grow function in js/src/vm/Xdr.cpp in Mozilla Firefox before 43.0 might allow remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code.
14 CVE-2015-7219 189 DoS 2015-12-16 2016-12-07
5.0
None Remote Low Not required None None Partial
The HTTP/2 implementation in Mozilla Firefox before 43.0 allows remote attackers to cause a denial of service (integer underflow, assertion failure, and application exit) via a malformed PushPromise frame that triggers decompressed-buffer length miscalculation and incorrect memory allocation.
15 CVE-2015-7218 189 DoS 2015-12-16 2016-12-07
5.0
None Remote Low Not required None None Partial
The HTTP/2 implementation in Mozilla Firefox before 43.0 allows remote attackers to cause a denial of service (integer underflow, assertion failure, and application exit) via a single-byte header frame that triggers incorrect memory allocation.
16 CVE-2015-7217 119 DoS Overflow 2015-12-16 2016-12-07
4.3
None Remote Medium Not required None None Partial
The gdk-pixbuf configuration in Mozilla Firefox before 43.0 on Linux GNOME platforms incorrectly enables the TGA decoder, which allows remote attackers to cause a denial of service (heap-based buffer overflow) via a crafted Truevision TGA image.
17 CVE-2015-7216 20 DoS 2015-12-16 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
The gdk-pixbuf configuration in Mozilla Firefox before 43.0 on Linux GNOME platforms incorrectly enables the JasPer decoder, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted JPEG 2000 image.
18 CVE-2015-7215 200 Bypass +Info 2015-12-16 2016-12-07
5.0
None Remote Low Not required Partial None None
The importScripts function in the Web Workers API implementation in Mozilla Firefox before 43.0 allows remote attackers to bypass the Same Origin Policy by triggering use of the no-cors mode in the fetch API to attempt resource access that throws an exception, leading to information disclosure after a rethrow.
19 CVE-2015-7214 200 Bypass +Info 2015-12-16 2017-03-23
5.0
None Remote Low Not required Partial None None
Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allow remote attackers to bypass the Same Origin Policy via data: and view-source: URIs.
20 CVE-2015-7213 189 Exec Code Overflow 2015-12-16 2017-03-23
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflow in the MPEG4Extractor::readMetaData function in MPEG4Extractor.cpp in libstagefright in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 on 64-bit platforms allows remote attackers to execute arbitrary code via a crafted MP4 video file that triggers a buffer overflow.
21 CVE-2015-7212 189 Exec Code Overflow 2015-12-16 2017-03-23
7.5
None Remote Low Not required Partial Partial Partial
Integer overflow in the mozilla::layers::BufferTextureClient::AllocateForSurface function in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allows remote attackers to execute arbitrary code by triggering a graphics operation that requires a large texture allocation.
22 CVE-2015-7211 20 2015-12-16 2016-12-07
5.0
None Remote Low Not required None Partial None
Mozilla Firefox before 43.0 mishandles the # (number sign) character in a data: URI, which allows remote attackers to spoof web sites via unspecified vectors.
23 CVE-2015-7210 Exec Code 2015-12-16 2016-12-07
7.5
None Remote Low Not required Partial Partial Partial
Use-after-free vulnerability in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allows remote attackers to execute arbitrary code by triggering attempted use of a data channel that has been closed by a WebRTC function.
24 CVE-2015-7208 200 +Info 2015-12-16 2017-09-09
5.0
None Remote Low Not required Partial None None
Mozilla Firefox before 43.0 stores cookies containing vertical tab characters, which allows remote attackers to obtain sensitive information by reading HTTP Cookie headers.
25 CVE-2015-7207 200 Bypass +Info 2015-12-16 2016-12-07
5.0
None Remote Low Not required Partial None None
Mozilla Firefox before 43.0 does not properly restrict the availability of IFRAME Resource Timing API times, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that leverages history.back and performance.getEntries calls, a related issue to CVE-2015-1300.
26 CVE-2015-7205 189 DoS +Info 2015-12-16 2017-03-23
10.0
None Remote Low Not required Complete Complete Complete
Integer underflow in the RTPReceiverVideo::ParseRtpPacket function in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 might allow remote attackers to obtain sensitive information, cause a denial of service, or possibly have unspecified other impact by triggering a crafted WebRTC RTP packet.
27 CVE-2015-7204 17 Exec Code 2015-12-16 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
Mozilla Firefox before 43.0 does not properly store the properties of unboxed objects, which allows remote attackers to execute arbitrary code via crafted JavaScript variable assignments.
28 CVE-2015-7203 119 DoS Overflow 2015-12-16 2016-12-07
10.0
None Remote Low Not required Complete Complete Complete
Buffer overflow in the DirectWriteFontInfo::LoadFontFamilyData function in gfx/thebes/gfxDWriteFontList.cpp in Mozilla Firefox before 43.0 might allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted font-family name.
29 CVE-2015-7202 119 DoS Exec Code Overflow Mem. Corr. 2015-12-16 2016-12-07
10.0
None Remote Low Not required Complete Complete Complete
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 43.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
30 CVE-2015-7201 119 DoS Exec Code Overflow Mem. Corr. 2015-12-16 2017-03-23
10.0
None Remote Low Not required Complete Complete Complete
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
31 CVE-2015-6938 79 XSS CSRF 2015-09-21 2016-12-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the file browser in notebook/notebookapp.py in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to inject arbitrary web script or HTML via a folder name. NOTE: this was originally reported as a cross-site request forgery (CSRF) vulnerability, but this may be inaccurate.
32 CVE-2015-6855 264 DoS 2015-11-06 2017-06-30
10.0
None Remote Low Not required Complete Complete Complete
hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash.
33 CVE-2015-6665 79 XSS 2015-08-24 2016-12-23
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Ajax handler in Drupal 7.x before 7.39 and the Ctools module 6.x-1.x before 6.x-1.14 for Drupal allows remote attackers to inject arbitrary web script or HTML via vectors involving a whitelisted HTML element, possibly related to the "a" tag.
34 CVE-2015-6524 255 2015-08-24 2016-12-09
5.0
None Remote Low Not required Partial None None
The LDAPLoginModule implementation in the Java Authentication and Authorization Service (JAAS) in Apache ActiveMQ 5.x before 5.10.1 allows wildcard operators in usernames, which allows remote attackers to obtain credentials via a brute force attack. NOTE: this identifier was SPLIT from CVE-2014-3612 per ADT2 due to different vulnerability types.
35 CVE-2015-5400 264 Bypass 2015-09-28 2017-09-21
6.8
None Remote Medium Not required Partial Partial Partial
Squid before 3.5.6 does not properly handle CONNECT method peer responses when configured with cache_peer, which allows remote attackers to bypass intended restrictions and gain access to a backend proxy via a CONNECT request.
36 CVE-2015-5262 399 DoS 2015-10-27 2018-03-14
4.3
None Remote Medium Not required None None Partial
http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
37 CVE-2015-5235 20 Bypass 2015-10-09 2016-12-07
4.3
None Remote Medium Not required None Partial None
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.
38 CVE-2015-5234 20 Bypass 2015-10-09 2016-12-07
6.8
None Remote Medium Not required Partial Partial Partial
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.
39 CVE-2015-5225 119 DoS Exec Code Overflow Mem. Corr. 2015-11-06 2017-11-03
7.2
None Local Low Not required Complete Complete Complete
Buffer overflow in the vnc_refresh_server_surface function in the VNC display driver in QEMU before 2.4.0.1 allows guest users to cause a denial of service (heap memory corruption and process crash) or possibly execute arbitrary code on the host via unspecified vectors, related to refreshing the server display surface.
40 CVE-2015-5166 264 +Priv 2015-08-12 2016-12-21
7.2
None Local Low Not required Complete Complete Complete
Use-after-free vulnerability in QEMU in Xen 4.5.x and earlier does not completely unplug emulated block devices, which allows local HVM guest users to gain privileges by unplugging a block device twice.
41 CVE-2015-5165 200 +Info 2015-08-12 2017-11-03
5.0
None Remote Low Not required Partial None None
The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors.
42 CVE-2015-5154 119 Exec Code Overflow 2015-08-12 2017-12-27
7.2
None Local Low Not required Complete Complete Complete
Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands.
43 CVE-2015-4625 189 Overflow +Priv 2015-10-26 2016-12-07
4.6
None Local Low Not required Partial Partial Partial
Integer overflow in the authentication_agent_new_cookie function in PolicyKit (aka polkit) before 0.113 allows local users to gain privileges by creating a large number of connections, which triggers the issuance of a duplicate cookie value.
44 CVE-2015-4588 119 DoS Exec Code Overflow 2015-07-01 2017-09-21
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the DecodeImage function in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted "run-length count" in an image in a WMF file.
45 CVE-2015-4491 189 DoS Exec Code Overflow 2015-08-15 2016-12-23
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflow in the make_filter_table function in pixops/pixops.c in gdk-pixbuf before 2.31.5, as used in Mozilla Firefox before 40.0 and Firefox ESR 38.x before 38.2 on Linux, Google Chrome on Linux, and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow and application crash) via crafted bitmap dimensions that are mishandled during scaling.
46 CVE-2015-4454 89 Exec Code Sql 2015-06-17 2017-11-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the get_hash_graph_template function in lib/functions.php in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via the graph_template_id parameter to graph_templates.php.
47 CVE-2015-4342 89 Exec Code Sql 2015-06-17 2017-11-07
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in Cacti before 0.8.8d allows remote attackers to execute arbitrary SQL commands via unspecified vectors involving a cdef id.
48 CVE-2015-3885 189 DoS Overflow 2015-05-19 2017-06-30
4.3
None Remote Medium Not required None None Partial
Integer overflow in the ljpeg_start function in dcraw 7.00 and earlier allows remote attackers to cause a denial of service (crash) via a crafted image, which triggers a buffer overflow, related to the len variable.
49 CVE-2015-3622 119 DoS Overflow 2015-05-12 2018-01-04
4.3
None Remote Medium Not required None None Partial
The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.5 allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted certificate.
50 CVE-2015-3455 20 2015-05-18 2016-12-21
2.6
None Remote High Not required None Partial None
Squid 3.2.x before 3.2.14, 3.3.x before 3.3.14, 3.4.x before 3.4.13, and 3.5.x before 3.5.4, when configured with client-first SSL-bump, do not properly validate the domain or hostname fields of X.509 certificates, which allows man-in-the-middle attackers to spoof SSL servers via a valid certificate.
Total number of vulnerabilities : 138   Page : 1 (This Page)2 3
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.