The chunked upload API (ApiUpload) in MediaWiki before 1.23.11, 1.24.x before 1.24.4, and 1.25.x before 1.25.3 does not restrict the uploaded data to the claimed file size, which allows remote authenticated users to cause a denial of service via a chunk that exceeds the file size.
Source: MITRE | Max CVSS: 3.5 | EPSS Score: 0.25% | Published: 2015-11-09 | Updated: 2015-11-10
Exemys Telemetry Web Server relies on an HTTP Location header to indicate that a client is unauthorized, which allows remote attackers to bypass intended access restrictions by disregarding this header and processing the response body.
Source: ICS-CERT | Max CVSS: 7.8 | EPSS Score: 0.30% | Published: 2015-11-19 | Updated: 2015-11-19
The com_content component in Joomla! 3.x before 3.4.5 does not properly check ACLs, which allows remote attackers to obtain sensitive information via unspecified vectors.
Source: MITRE | Max CVSS: 5.0 | EPSS Score: 0.26% | Published: 2015-10-29 | Updated: 2015-10-30
The Colorbox module 7.x-2.x before 7.x-2.10 for Drupal allows remote authenticated users with certain permissions to bypass intended access restrictions and "add unexpected content to a Colorbox" via unspecified vectors, possibly related to a link in a comment.
Source: MITRE | Max CVSS: 3.5 | EPSS Score: 0.08% | Published: 2015-10-26 | Updated: 2015-10-28
nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before 354.35, and R358 before 358.87 on Windows does not properly restrict access to the stereosvrpipe named pipe, which allows local users to gain privileges via a commandline in a number 2 command, which is stored in the HKEY_LOCAL_MACHINE explorer Run registry key, a different vulnerability than CVE-2011-4784.
Source: MITRE | Max CVSS: 7.7 | EPSS Score: 0.09% | Published: 2015-11-24 | Updated: 2019-02-13
CVE-2015-7755 (Public exploit)
Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before 6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b, 6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20 before 6.3.0r21 allows remote attackers to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session.
Source: MITRE | Max CVSS: 10.0 | EPSS Score: 97.05% | Published: 2015-12-19 | Updated: 2016-12-07
IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX005, and 7.6.0 before 7.6.0.2 FP002; Maximo Asset Management 7.5.0 before 7.5.0.8 IFIX005, 7.5.1, and 7.6.0 before 7.6.0.2 FP002 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allow remote authenticated users to bypass intended work-order change restrictions via unspecified vectors.
Source: IBM Corporation | Max CVSS: 4.0 | EPSS Score: 0.07% | Published: 2015-11-08 | Updated: 2015-11-09
The default Flash cross-domain policy (crossdomain.xml) in Revive Adserver before 3.2.2 does not restrict cross-domain access, which allows remote attackers to conduct cross-domain attacks via unspecified vectors.
Source: MITRE | Max CVSS: 7.5 | EPSS Score: 0.75% | Published: 2015-10-14 | Updated: 2018-10-09
Revive Adserver before 3.2.2 allows remote attackers to perform unspecified actions by leveraging an unexpired session after the user has been (1) deleted or (2) unlinked.
Source: MITRE | Max CVSS: 7.5 | EPSS Score: 0.75% | Published: 2015-10-14 | Updated: 2018-10-09
FortiOS 5.2.3, when configured to use High Availability (HA) and the dedicated management interface is enabled, does not require authentication for access to the ZebOS shell on the HA dedicated management interface, which allows remote attackers to obtain shell access via unspecified vectors.
Source: MITRE | Max CVSS: 9.3 | EPSS Score: 0.72% | Published: 2015-10-15 | Updated: 2016-12-03
The CMS Updater module 7.x-1.x before 7.x-1.3 for Drupal does not properly check access permissions, which allows remote authenticated users to access and change settings by leveraging the "access administration pages" permission.
Source: MITRE | Max CVSS: 4.9 | EPSS Score: 0.09% | Published: 2015-09-21 | Updated: 2015-09-23
CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 do not require authentication from Alarm Receiving Center (ARC) servers, which allows man-in-the-middle attackers to bypass intended access restrictions via a spoofed HSxx response.
Source: CERT/CC | Max CVSS: 5.8 | EPSS Score: 0.11% | Published: 2015-11-25 | Updated: 2015-11-25
The default configuration of the server in MobaXterm before 8.3 has a disabled Access Control setting and consequently does not require authentication for X11 connections, which allows remote attackers to execute arbitrary commands or obtain sensitive information via X11 packets.
Source: CERT/CC | Max CVSS: 7.5 | EPSS Score: 0.40% | Published: 2015-11-04 | Updated: 2015-11-04
The fetch API implementation in Mozilla Firefox before 41.0.2 does not restrict access to the HTTP response body in certain situations where user credentials are supplied but the CORS cross-origin request algorithm is improperly followed, which allows remote attackers to bypass the Same Origin Policy via a crafted web site.
Source: Mozilla Corporation | Max CVSS: 6.8 | EPSS Score: 1.09% | Published: 2015-10-18 | Updated: 2016-12-24
AppleMobileFileIntegrity in Apple iOS before 9.2 and tvOS before 9.1 does not prevent changes to access-control structures, which allows attackers to execute arbitrary code in a privileged context via a crafted app.
Source: Apple Inc. | Max CVSS: 9.3 | EPSS Score: 0.25% | Published: 2015-12-11 | Updated: 2019-03-08
libarchive in Apple OS X before 10.11.1 allows attackers to write to arbitrary files via a crafted app that conducts an unspecified symlink attack.
Source: Apple Inc. | Max CVSS: 8.8 | EPSS Score: 0.06% | Published: 2015-10-23 | Updated: 2015-10-26
classes/admin.class.php in CubeCart 5.2.12 through 5.2.16 and 6.x before 6.0.7 does not properly validate that a password reset request was made, which allows remote attackers to change the administrator password via a recovery request with a space character in the validate parameter and the administrator email in the email parameter.
Source: MITRE | Max CVSS: 6.8 | EPSS Score: 1.54% | Published: 2015-09-28 | Updated: 2016-12-07
The vertica-udx-zygote process in HP Vertica 7.1.1 UDx does not require authentication, which allows remote attackers to execute arbitrary commands via a crafted packet, aka ZDI-CAN-2914.
Source: MITRE | Max CVSS: 7.5 | EPSS Score: 16.75% | Published: 2015-11-04 | Updated: 2016-11-28
EMC RSA SecurID Web Agent before 8.0 allows physically proximate attackers to bypass the privacy-screen protection mechanism by leveraging an unattended workstation and running DOM Inspector.
Source: Dell | Max CVSS: 7.2 | EPSS Score: 0.11% | Published: 2015-12-23 | Updated: 2016-12-07
EMC Isilon OneFS 7.1.x before 7.1.1.5, 7.2.0.x before 7.2.0.3, and 7.2.1.x before 7.2.1.1, when the RFC 2307 feature is configured but SFU is not universally present, allows remote authenticated AD users to obtain root privileges via unspecified vectors.
Source: Dell | Max CVSS: 8.5 | EPSS Score: 0.25% | Published: 2015-11-27 | Updated: 2015-11-27
Siemens RUGGEDCOM ROS 3.8.0 through 4.1.x permanently enables the IP forwarding feature, which allows remote attackers to bypass a VLAN isolation protection mechanism via IP traffic.
Source: MITRE | Max CVSS: 4.3 | EPSS Score: 0.27% | Published: 2015-09-11 | Updated: 2016-12-22
The MessageBrokerServlet servlet in Moxa OnCell Central Manager before 2.2 does not require authentication, which allows remote attackers to obtain administrative access via a command, as demonstrated by the addUserAndGroup action.
Source: ICS-CERT | Max CVSS: 8.3 | EPSS Score: 2.47% | Published: 2015-12-21 | Updated: 2015-12-21
Unitronics VisiLogic OPLC IDE before 9.8.02 does not properly restrict access to ActiveX controls, which allows remote attackers to have an unspecified impact via a crafted web site.
Source: ICS-CERT | Max CVSS: 6.8 | EPSS Score: 18.32% | Published: 2015-11-13 | Updated: 2016-12-07
Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allow remote attackers to bypass an intended authentication requirement and execute unspecified administrative functions via a crafted HTTP request, aka Bug ID CSCux24941.
Source: Cisco Systems, Inc. | Max CVSS: 7.5 | EPSS Score: 0.28% | Published: 2015-12-14 | Updated: 2017-09-13
Cisco Prime Collaboration Assurance before 11.0 has a hardcoded cmuser account, which allows remote attackers to obtain access by establishing an SSH session and leveraging knowledge of this account's password, aka Bug ID CSCus62707.
Source: Cisco Systems, Inc. | Max CVSS: 9.0 | EPSS Score: 0.56% | Published: 2015-12-13 | Updated: 2016-12-07
177 vulnerabilities found