| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2015-2790 |
20 |
2
|
DoS Mem. Corr. |
2015-03-30 |
2016-12-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Foxit Reader, Enterprise Reader, and PhantomPDF before 7.1 allow remote attackers to cause a denial of service (memory corruption and crash) via a crafted (1) Ubyte Size in a DataSubBlock structure or (2) LZWMinimumCodeSize in a GIF image. |
|
2 |
CVE-2015-2789 |
|
1
|
+Priv |
2015-03-30 |
2016-12-03 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Unquoted Windows search path vulnerability in the Foxit Cloud Safe Update Service in the Cloud plugin in Foxit Reader 6.1 through 7.0.6.1126 allows local users to gain privileges via a Trojan horse program in the %SYSTEMDRIVE% folder. |
|
3 |
CVE-2015-2701 |
352 |
1
|
CSRF |
2015-03-25 |
2016-12-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in CS-Cart 4.2.4 allows remote attackers to hijack the authentication of users for requests that change a user password via a request to profiles-update/. |
|
4 |
CVE-2015-2680 |
352 |
1
|
CSRF |
2015-03-23 |
2016-12-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in MetalGenix GeniXCMS before 0.0.2 allows remote attackers to hijack the authentication of administrators for requests that add an administrator account via a request in the users page to gxadmin/index.php. |
|
5 |
CVE-2015-2679 |
89 |
1
|
Exec Code Sql |
2015-03-23 |
2016-12-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in MetalGenix GeniXCMS before 0.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) page parameter to index.php or (2) username parameter to gxadmin/login.php. |
|
6 |
CVE-2015-2678 |
79 |
1
|
XSS |
2015-03-23 |
2016-12-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in MetalGenix GeniXCMS before 0.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) cat parameter in the categories page to gxadmin/index.php or (2) page parameter to index.php. |
|
7 |
CVE-2015-2564 |
89 |
1
|
Exec Code Sql |
2015-03-20 |
2018-10-09 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in client-edit.php in ProjectSend (formerly cFTP) r561 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to users-edit.php. |
|
8 |
CVE-2015-2275 |
79 |
1
|
XSS |
2015-03-12 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in WoltLab Community Gallery 2.0 before 2014-12-26 allows remote attackers to inject arbitrary web script or HTML via the parameters[data][7][title] parameter in a saveImageData action to index.php/AJAXProxy. |
|
9 |
CVE-2015-2218 |
79 |
1
|
XSS |
2015-03-05 |
2016-12-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the wp_ajax_save_item function in wonderpluginaudio.php in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) item[name] or (2) item[customcss] parameter in a wonderplugin_audio_save_item action to wp-admin/admin-ajax.php or the itemid parameter in the (3) wonderplugin_audio_show_item or (4) wonderplugin_audio_edit_item page to wp-admin/admin.php. |
|
10 |
CVE-2015-2216 |
89 |
1
|
Exec Code Sql |
2015-03-05 |
2016-12-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme 4.x for WordPress allows remote attackers to execute arbitrary SQL commands via the prod_id parameter. |
|
11 |
CVE-2015-2208 |
77 |
1
|
Exec Code |
2015-03-12 |
2015-03-12 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the object parameter. |
|
12 |
CVE-2015-2199 |
89 |
1
|
Exec Code Sql |
2015-03-03 |
2015-03-04 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow (1) remote authenticated users to execute arbitrary SQL commands via the item[id] parameter in a wonderplugin_audio_save_item action to wp-admin/admin-ajax.php or remote administrators to execute arbitrary SQL commands via the itemid parameter in the (2) wonderplugin_audio_show_item, (3) wonderplugin_audio_show_items, or (4) wonderplugin_audio_edit_item page to wp-admin/admin.php. |
|
13 |
CVE-2015-2198 |
79 |
1
|
XSS |
2015-03-03 |
2015-03-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in edit_prefs.php in Beehive Forum 1.4.4 allow remote attackers to inject arbitrary web script or HTML via the (1) homepage_url, (2) pic_url, or (3) avatar_url parameter, which are not properly handled in an error message. |
|
14 |
CVE-2015-2196 |
89 |
1
|
Exec Code Sql |
2015-03-03 |
2015-03-04 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in Spider Event Calendar 1.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php. |
|
15 |
CVE-2015-2184 |
200 |
1
|
+Info |
2015-03-10 |
2015-03-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ZeusCart 4 allows remote attackers to obtain configuration information via a getphpinfo action to admin/, which calls the phpinfo function. |
|
16 |
CVE-2015-2183 |
89 |
1
|
Exec Code Sql |
2015-03-10 |
2015-07-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in the administrative backend in ZeusCart 4 allow remote administrators to execute arbitrary SQL commands via the id parameter in a (1) disporders detail or (2) subadminmgt edit action or (3) cid parameter in an editcurrency action to admin/. |
|
17 |
CVE-2015-2182 |
79 |
1
|
XSS |
2015-03-11 |
2015-03-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in ZeusCart 4 allow remote attackers to inject arbitrary web script or HTML via the (1) schltr parameter in a brands action or (2) brand parameter in a viewbrands action to index.php. NOTE: The search parameter vector is already covered by CVE-2010-5322. |
|
18 |
CVE-2014-9566 |
89 |
1
|
Exec Code Sql |
2015-03-10 |
2015-03-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11.5, NetFlow Traffic Analyzer (NTA) before 4.1, Network Configuration Manager (NCM) before 7.3.2, IP Address Manager (IPAM) before 4.3, User Device Tracker (UDT) before 3.2, VoIP & Network Quality Manager (VNQM) before 4.2, Server & Application Manager (SAM) before 6.2, Web Performance Monitor (WPM) before 2.2, and possibly other Solarwinds products, allow remote authenticated users to execute arbitrary SQL commands via the (1) dir or (2) sort parameter to the (a) GetAccounts or (b) GetAccountGroups endpoint. |
|
19 |
CVE-2014-9261 |
22 |
1
|
Dir. Trav. |
2015-03-23 |
2020-02-18 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The sanitize function in Codoforum 2.5.1 does not properly implement filtering for directory traversal sequences, which allows remote attackers to read arbitrary files via a .. (dot dot) in the path parameter to index.php. |
|
20 |
CVE-2010-5322 |
79 |
1
|
XSS |
2015-03-11 |
2015-03-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in ZeusCart 4.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter in a search action to index.php. |
|
21 |
CVE-2015-2792 |
284 |
|
Bypass |
2015-03-30 |
2015-03-31 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The WPML plugin before 3.1.9 for WordPress does not properly handle multiple actions in a request, which allows remote attackers to bypass nonce checks and perform arbitrary actions via a request containing an action POST parameter, an action GET parameter, and a valid nonce for the action GET parameter. |
|
22 |
CVE-2015-2791 |
264 |
|
|
2015-03-30 |
2018-10-09 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
The "menu sync" function in the WPML plugin before 3.1.9 for WordPress allows remote attackers to delete arbitrary posts, pages, and menus via a crafted request to sitepress-multilingual-cms/menu/menus-sync.php. |
|
23 |
CVE-2015-2787 |
|
|
Exec Code |
2015-03-30 |
2018-10-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.39, 5.5.x before 5.5.23, and 5.6.x before 5.6.7 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages use of the unset function within an __wakeup function, a related issue to CVE-2015-0231. |
|
24 |
CVE-2015-2786 |
|
|
|
2015-03-29 |
2016-12-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in MyBB (aka MyBulletinBoard) before 1.8.4 has unknown attack vectors related to "Group join request notifications sent to wrong group leaders." |
|
25 |
CVE-2015-2785 |
119 |
|
DoS Exec Code Overflow |
2015-03-29 |
2015-03-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The GIF encoder in Byzanz allows remote attackers to cause a denial of service (out-of-bounds heap write and crash) or possibly execute arbitrary code via a crafted Byzanz debug data recording (ByzanzRecording file) to the byzanz-playback command. |
|
26 |
CVE-2015-2776 |
20 |
|
DoS |
2015-03-31 |
2016-12-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The parse_SST function in FreeXL before 1.0.0i allows remote attackers to cause a denial of service (memory consumption) via a crafted shared strings table in a workbook. |
|
27 |
CVE-2015-2773 |
|
|
|
2015-03-27 |
2016-12-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
SVM in Websense TRITON V-Series appliances before 8.0.0 allows attackers to read arbitrary files via unspecified vectors. |
|
28 |
CVE-2015-2772 |
|
|
|
2015-03-27 |
2016-12-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SVM in Websense TRITON V-Series appliances before 8.0.0 allows attackers to upload arbitrary files via unspecified vectors. |
|
29 |
CVE-2015-2771 |
200 |
|
+Info |
2015-03-27 |
2016-12-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Mail Server in Websense TRITON AP-EMAIL and V-Series appliances before 8.0.0 uses plaintext credentials, which allows remote attackers to obtain sensitive information via unspecified vectors. |
|
30 |
CVE-2015-2770 |
352 |
|
CSRF |
2015-03-27 |
2015-03-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the command line page in Websense TRITON V-Series appliances before 8.0.0 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
|
31 |
CVE-2015-2769 |
352 |
|
CSRF |
2015-03-27 |
2015-03-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the Personal Email Manager (PEM) in Websense TRITON AP-EMAIL before 8.0.0 allow remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
|
32 |
CVE-2015-2768 |
79 |
|
XSS |
2015-03-27 |
2016-12-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Websense TRITON AP-EMAIL before 8.0.0 and V-Series 7.7 appliances allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
33 |
CVE-2015-2767 |
|
|
|
2015-03-27 |
2016-12-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in Websense TRITON AP-EMAIL before 8.0.0 has unknown impact and attack vectors, related to "Autocomplete Enabled." |
|
34 |
CVE-2015-2766 |
255 |
|
|
2015-03-27 |
2016-12-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Personal Email Manager (PEM) in Websense TRITON AP-EMAIL before 8.0.0 allows attackers to have unspecified impact via a brute force attack. |
|
35 |
CVE-2015-2765 |
20 |
|
|
2015-03-27 |
2016-12-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The Email Security Gateway in Websense TRITON AP-EMAIL before 8.0.0 allows remote attackers to conduct clickjacking attacks via unspecified vectors. |
|
36 |
CVE-2015-2764 |
79 |
|
XSS |
2015-03-27 |
2016-12-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Websense TRITON AP-DATA before 8.0.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to the DSS (1) Mobile or (2) DLP report catalog. |
|
37 |
CVE-2015-2763 |
|
|
|
2015-03-27 |
2016-12-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in Websense TRITON AP-EMAIL before 8.0.0 has unknown impact and attack vectors, related to port 17703. |
|
38 |
CVE-2015-2762 |
200 |
|
+Info |
2015-03-27 |
2016-12-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Websense TRITON AP-WEB before 8.0.0 allows remote attackers to enumerate Windows domain user accounts via vectors related to HTTP authentication. |
|
39 |
CVE-2015-2761 |
79 |
|
XSS |
2015-03-27 |
2016-12-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Exceptions and Scanning Exceptions Pages in Websense TRITON AP-WEB before 8.0.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
40 |
CVE-2015-2760 |
79 |
|
XSS |
2015-03-27 |
2016-12-03 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3 Patch 4 Hotfix 16 (9.3.416.4) allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
41 |
CVE-2015-2759 |
352 |
|
+Info CSRF |
2015-03-27 |
2016-12-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3 Patch 4 Hotfix 16 (9.3.416.4) allow remote attackers to hijack the authentication of users for requests that (1) obtain sensitive information or (2) modify the database via unspecified vectors. |
|
42 |
CVE-2015-2758 |
264 |
|
+Info |
2015-03-27 |
2016-12-03 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
The ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3 Patch 4 Hotfix 16 (9.3.416.4) allows remote authenticated users to obtain sensitive information, modify the database, or possibly have other unspecified impact via a crafted URL. |
|
43 |
CVE-2015-2757 |
399 |
|
DoS |
2015-03-27 |
2016-12-03 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
The ePO extension in McAfee Data Loss Prevention Endpoint (DLPe) before 9.3 Patch 4 Hotfix 16 (9.3.416.4) allows remote authenticated users to cause a denial of service (database lock or license corruption) via unspecified vectors. |
|
44 |
CVE-2015-2754 |
20 |
|
DoS Exec Code |
2015-03-31 |
2017-11-08 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
FreeXL before 1.0.0i allows remote attackers to cause a denial of service (stack corruption) and possibly execute arbitrary code via a crafted workbook, related to a "premature EOF." |
|
45 |
CVE-2015-2753 |
20 |
|
DoS Exec Code |
2015-03-31 |
2016-12-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
FreeXL before 1.0.0i allows remote attackers to cause a denial of service (stack corruption) or possibly execute arbitrary code via a crafted sector in a workbook. |
|
46 |
CVE-2015-2748 |
200 |
|
+Info |
2015-03-26 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Websense TRITON AP-WEB before 8.0.0 does not properly restrict access to files in explorer_wse/, which allows remote attackers to obtain sensitive information via a direct request to a (1) Web Security incident report or the (2) Explorer configuration (websense.ini) file. |
|
47 |
CVE-2015-2747 |
79 |
|
XSS |
2015-03-26 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the data loss prevention (DLP) incident Forensics Preview in Websense Triton 7.8.3 and V-Series 7.7 appliances allow remote attackers to inject arbitrary web script or HTML via a crafted (1) email or (2) HTTP request, which triggers a DLP Policy. |
|
48 |
CVE-2015-2746 |
77 |
|
Exec Code |
2015-03-26 |
2018-10-09 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
The network diagnostics tool (CommandLineServlet) in the Appliance Manager command line utility (CLU) in Websense TRITON 7.8.3 and V-Series appliances before 7.8.4 Hotfix 02 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the "second" parameter of a command, as demonstrated by the Destination parameter in the ping command. |
|
49 |
CVE-2015-2703 |
79 |
|
XSS |
2015-03-25 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Websense TRITON AP-WEB before 8.0.0 and V-Series 7.7 appliances allow remote attackers to inject arbitrary web script or HTML via the (1) ws-userip in the ws-encdata parameter to cve-bin/moreBlockInfo.cgi in the Data Security block page or (2) admin_msg parameter to configure/ssl_ui/eva-config/client-cert-import_wsoem.html in the Content Gateway, which is not properly handled in an error message. |
|
50 |
CVE-2015-2702 |
79 |
|
XSS |
2015-03-25 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Message Log in the Email Security Gateway in Websense TRITON AP-EMAIL before 8.0.0 and V-Series 7.7 appliances allows remote attackers to inject arbitrary web script or HTML via the sender address in an email. |
