Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.2.x before 6.2.6 and Splunk Light 6.2.x before 6.2.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS
4.3
EPSS Score
0.12%
Published
2015-09-29
Updated
2015-09-30

CVE-2015-7603

Public exploit
Directory traversal vulnerability in Konica Minolta FTP Utility 1.0 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in a RETR command.
Max CVSS
7.8
EPSS Score
57.42%
Published
2015-09-29
Updated
2015-09-30

CVE-2015-7602

Public exploit
Directory traversal vulnerability in BisonWare BisonFTP 3.5 allows remote attackers to read arbitrary files via a ../ (dot dot slash) in a RETR command.
Max CVSS
7.8
EPSS Score
50.30%
Published
2015-09-29
Updated
2015-10-13

CVE-2015-7601

Public exploit
Directory traversal vulnerability in PCMan's FTP Server 2.0.7 allows remote attackers to read arbitrary files via a ..// (dot dot double slash) in a RETR command.
Max CVSS
7.8
EPSS Score
65.28%
Published
2015-09-29
Updated
2017-11-07

CVE-2015-7387

Public exploit
ZOHO ManageEngine EventLog Analyzer 10.6 build 10060 and earlier allows remote attackers to bypass intended restrictions and execute arbitrary SQL commands via an allowed query followed by a disallowed one in the query parameter to event/runQuery.do, as demonstrated by "SELECT 1;INSERT INTO." Fixed in Build 11200.
Max CVSS
7.5
EPSS Score
90.25%
Published
2015-09-28
Updated
2020-03-26
Multiple cross-site scripting (XSS) vulnerabilities in includes/metaboxes.php in the Gallery - Photo Albums - Portfolio plugin 1.3.47 for WordPress allow remote authenticated users to inject arbitrary web script or HTML via the (1) Media Title or (2) Media Subtitle fields.
Max CVSS
3.5
EPSS Score
0.08%
Published
2015-09-28
Updated
2015-09-29
Multiple cross-site scripting (XSS) vulnerabilities in Web Reference Database (aka refbase) through 0.9.6 and bleeding-edge through 2015-04-28 allow remote attackers to inject arbitrary web script or HTML via the (1) adminUserName, (2) pathToMYSQL, (3) databaseStructureFile, or (4) pathToBibutils parameter to install.php or the (5) adminUserName parameter to update.php.
Max CVSS
4.3
EPSS Score
0.46%
Published
2015-09-28
Updated
2015-09-29
SQL injection vulnerability in install.php in Web Reference Database (aka refbase) through 0.9.6 allows remote attackers to execute arbitrary SQL commands via the defaultCharacterSet parameter, a different issue than CVE-2015-6009.
Max CVSS
7.5
EPSS Score
0.10%
Published
2015-09-28
Updated
2015-09-29
Multiple PHP remote file inclusion vulnerabilities in install.php in Web Reference Database (aka refbase) through 0.9.6 allow remote attackers to execute arbitrary PHP code via the (1) pathToMYSQL or (2) databaseStructureFile parameter, a different issue than CVE-2015-6008.
Max CVSS
7.5
EPSS Score
0.60%
Published
2015-09-28
Updated
2015-09-29
Schneider Electric InduSoft Web Studio before 8.0 allows remote attackers to execute arbitrary code or cause a denial of service (unhandled runtime exception and application crash) via a crafted Indusoft Project file.
Max CVSS
7.5
EPSS Score
1.00%
Published
2015-09-25
Updated
2015-09-29
The Remote Agent component in Schneider Electric InduSoft Web Studio before 8.0 allows remote attackers to execute arbitrary code via unspecified vectors, aka ZDI-CAN-2649.
Max CVSS
7.5
EPSS Score
7.27%
Published
2015-09-25
Updated
2016-12-08
The editor in IPython Notebook before 3.2.2 and Jupyter Notebook 4.0.x before 4.0.5 allows remote attackers to execute arbitrary JavaScript code via a crafted file, which triggers a redirect to files/, related to MIME types.
Max CVSS
6.8
EPSS Score
1.52%
Published
2015-09-29
Updated
2016-12-07
Mozilla Firefox before 41.0 does not properly restrict the availability of High Resolution Time API times, which allows remote attackers to track last-level cache access, and consequently obtain sensitive information, via crafted JavaScript code that makes performance.now calls.
Max CVSS
4.3
EPSS Score
0.42%
Published
2015-09-24
Updated
2016-12-22
Multiple cross-site scripting (XSS) vulnerabilities in cpabc_appointments_admin_int_bookings_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Max CVSS
4.3
EPSS Score
0.25%
Published
2015-09-29
Updated
2018-10-09
SQL injection vulnerability in cpabc_appointments_admin_int_calendar_list.inc.php in the Appointment Booking Calendar plugin before 1.1.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors related to updating the username.
Max CVSS
7.5
EPSS Score
0.14%
Published
2015-09-29
Updated
2018-10-09
McAfee Enterprise Security Manager (ESM), Enterprise Security Manager/Log Manager (ESMLM), and Enterprise Security Manager/Receiver (ESMREC) before 9.3.2MR18, 9.4.x before 9.4.2MR8, and 9.5.x before 9.5.0MR7 allow remote authenticated users to execute arbitrary OS commands via a crafted filename, which is not properly handled when downloading the file.
Max CVSS
6.5
EPSS Score
0.34%
Published
2015-09-22
Updated
2016-12-08

CVE-2015-7309

Public exploit
The theme editor in Bolt before 2.2.5 does not check the file extension when renaming files, which allows remote authenticated users to execute arbitrary code by renaming a crafted file and then directly accessing it.
Max CVSS
6.5
EPSS Score
46.23%
Published
2015-09-22
Updated
2021-01-04
Cross-site scripting (XSS) vulnerability in the CMS Updater module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving the configuration page.
Max CVSS
4.3
EPSS Score
0.12%
Published
2015-09-21
Updated
2015-09-23
The CMS Updater module 7.x-1.x before 7.x-1.3 for Drupal does not properly check access permissions, which allows remote authenticated users to access and change settings by leveraging the "access administration pages" permission.
Max CVSS
4.9
EPSS Score
0.09%
Published
2015-09-21
Updated
2015-09-23
The Scald module 7.x-1.x before 7.x-1.5 for Drupal does not properly restrict access to fields, which allows remote attackers to obtain sensitive atom property information via vectors involving a "debug context."
Max CVSS
5.0
EPSS Score
0.15%
Published
2015-09-21
Updated
2015-09-23
Cross-site scripting (XSS) vulnerability in the amoCRM module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified HTTP POST data.
Max CVSS
2.6
EPSS Score
0.12%
Published
2015-09-21
Updated
2015-09-23
Use-after-free vulnerability in the Update Manager service in Avira Management Console allows remote attackers to execute arbitrary code via a large header.
Max CVSS
10.0
EPSS Score
0.48%
Published
2015-09-21
Updated
2015-09-23
Securifi Almond devices with firmware before AL1-R201EXP10-L304-W34 and Almond-2015 devices with firmware before AL2-R088M use a linear algorithm for selecting the ID value in the header of a DNS query performed on behalf of the device itself, which makes it easier for remote attackers to spoof responses by including this ID value, as demonstrated by a response containing the address of the firmware update server, a different vulnerability than CVE-2015-2914.
Max CVSS
4.3
EPSS Score
0.19%
Published
2015-09-21
Updated
2015-09-30

CVE-2015-7243

Public exploit
Buffer overflow in Boxoft WAV to MP3 Converter allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted WAV file.
Max CVSS
7.5
EPSS Score
81.87%
Published
2015-09-18
Updated
2018-07-06
SQL injection vulnerability in the BP_FIND_JOBS_WITH_PROGRAM function module in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
Max CVSS
7.5
EPSS Score
0.14%
Published
2015-09-18
Updated
2018-12-10
493 vulnerabilities found
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!