| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2015-4138 |
200 |
|
+Info |
2015-05-30 |
2015-06-02 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not include the HTTPOnly flag in a Set-Cookie header for the administrator's cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, a different vulnerability than CVE-2015-2855. |
|
2 |
CVE-2015-4137 |
89 |
|
Exec Code Sql |
2015-05-29 |
2016-12-06 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in related.php in Milw0rm Clone Script 1.0 allows remote attackers to execute arbitrary SQL commands via the program parameter. |
|
3 |
CVE-2015-4135 |
79 |
|
XSS |
2015-05-28 |
2016-12-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in goto.php in phpwind 8.7 allows remote attackers to inject arbitrary web script or HTML via the url parameter. |
|
4 |
CVE-2015-4134 |
|
|
|
2015-05-28 |
2016-12-31 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in goto.php in phpwind 8.7 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. |
|
5 |
CVE-2015-4133 |
|
|
Exec Code |
2015-05-28 |
2016-11-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Unrestricted file upload vulnerability in admin/scripts/FileUploader/php.php in the ReFlex Gallery plugin before 3.1.4 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in uploads/ directory. |
|
6 |
CVE-2015-4132 |
79 |
|
XSS |
2015-05-28 |
2016-12-06 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.5 allow remote administrators to inject arbitrary web script or HTML via unspecified vectors. |
|
7 |
CVE-2015-4127 |
79 |
|
XSS |
2015-05-28 |
2016-12-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810 for WordPress allows remote attackers to inject arbitrary web script or HTML via the address parameter, as demonstrated by a request to index.php/2015/05/21/church_admin-registration-form/. |
|
8 |
CVE-2015-4092 |
119 |
|
DoS Exec Code Overflow |
2015-05-26 |
2018-12-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Buffer overflow in the XComms process in SAP Afaria 7.00.6620.2 SP5 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request, aka SAP Security Note 2153690. |
|
9 |
CVE-2015-4091 |
|
|
|
2015-05-26 |
2018-12-10 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to send TCP requests to intranet servers or possibly have unspecified other impact via an XML request to tc~sld~wd~main/Main, related to "CIM UPLOAD," aka SAP Security Note 2090851. |
|
10 |
CVE-2015-4084 |
79 |
|
XSS |
2015-05-28 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Free Counter plugin 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the value_ parameter in a check_stat action to wp-admin/admin-ajax.php. |
|
11 |
CVE-2015-4069 |
200 |
|
+Info |
2015-05-29 |
2016-12-06 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
The EdgeServiceImpl web service in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive credentials via a crafted SOAP request to the (1) getBackupPolicy or (2) getBackupPolicies method. |
|
12 |
CVE-2015-4068 |
22 |
|
DoS Dir. Trav. +Info |
2015-05-29 |
2016-12-06 |
9.4 |
None |
Remote |
Low |
Not required |
Complete |
None |
Complete |
|
Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of service via a crafted file path to the (1) reportFileServlet or (2) exportServlet servlet. |
|
13 |
CVE-2015-4067 |
189 |
|
Exec Code Overflow |
2015-05-29 |
2016-12-06 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Integer overflow in the libnv6 module in Dell NetVault Backup before 10.0.5 allows remote attackers to execute arbitrary code via crafted template string specifiers in a serialized object, which triggers a heap-based buffer overflow. |
|
14 |
CVE-2015-4066 |
89 |
|
Exec Code Sql |
2015-05-27 |
2021-08-19 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in admin/handlers.php in the GigPress plugin before 2.3.9 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) show_artist_id or (2) show_venue_id parameter in an add action in the gigpress.php page to wp-admin/admin.php. |
|
15 |
CVE-2015-4065 |
79 |
|
XSS |
2015-05-27 |
2015-05-28 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in shared/shortcodes/inbound-shortcodes.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the post parameter to wp-admin/post-new.php. |
|
16 |
CVE-2015-4064 |
89 |
|
Exec Code Sql |
2015-05-27 |
2015-05-28 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in modules/module.ab-testing.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the post parameter in an edit delete-variation action to wp-admin/post.php. |
|
17 |
CVE-2015-4063 |
79 |
|
XSS |
2015-05-27 |
2015-05-28 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPress allows remote authenticated users to inject arbitrary web script or HTML via the where1 parameter in the nsp_search page to wp-admin/admin.php. |
|
18 |
CVE-2015-4062 |
89 |
|
Exec Code Sql |
2015-05-27 |
2015-05-28 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the where1 parameter in the nsp_search page to wp-admin/admin.php. |
|
19 |
CVE-2015-4060 |
119 |
|
Exec Code Overflow |
2015-05-29 |
2016-12-06 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Heap-based buffer overflow in the TermProxy (WLTermProxyService.exe) service in Wavelink ConnectPro allows remote attackers to execute arbitrary code via a large HTTP header. |
|
20 |
CVE-2015-4059 |
119 |
|
Exec Code Overflow |
2015-05-29 |
2016-12-06 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Heap-based buffer overflow in the License Server (LicenseServer.exe) in Wavelink Terminal Emulation (TE) allows remote attackers to execute arbitrary code via a large HTTP header. |
|
21 |
CVE-2015-4047 |
476 |
|
DoS |
2015-05-29 |
2019-03-27 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon crash) via a series of crafted UDP requests. |
|
22 |
CVE-2015-4032 |
264 |
|
|
2015-05-29 |
2016-12-06 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
projectContents.jsp in the Developer tools in Visual Mining NetCharts Server allows remote attackers to rename arbitrary files, and consequently execute them, via unspecified vectors. |
|
23 |
CVE-2015-4031 |
22 |
|
Dir. Trav. |
2015-05-29 |
2019-06-24 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Directory traversal vulnerability in saveFile.jsp in the development installation in Visual Mining NetChart allows remote attackers to write to arbitrary files via unspecified vectors. |
|
24 |
CVE-2015-4018 |
89 |
|
Exec Code Sql |
2015-05-21 |
2015-06-25 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in feedwordpresssyndicationpage.class.php in the FeedWordPress plugin before 2015.0514 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the link_ids[] parameter in an Update action in the syndication.php page to wp-admin/admin.php. |
|
25 |
CVE-2015-4016 |
20 |
|
DoS |
2015-05-20 |
2022-02-07 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The client detection protocol in Valve Steam allows remote attackers to cause a denial of service (process crash) via a crafted response to a broadcast packet. |
|
26 |
CVE-2015-4000 |
310 |
|
|
2015-05-21 |
2022-05-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue. |
|
27 |
CVE-2015-3999 |
200 |
|
+Info |
2015-05-20 |
2015-05-21 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Piriform CCleaner 3.26.0.1988 through 5.02.5101 writes the filenames to disk when overwriting files, which allows local users to obtain sensitive information by searching unallocated disk space. |
|
28 |
CVE-2015-3995 |
200 |
|
+Info |
2015-05-29 |
2018-10-09 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to read arbitrary files via an IMPORT FROM SQL statement, aka SAP Security Note 2109565. |
|
29 |
CVE-2015-3994 |
20 |
|
|
2015-05-29 |
2018-10-09 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
The grant.xsfunc application in testApps/grantAccess/ in the XS Engine in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote authenticated users to spoof log entries via a crafted request, aka SAP Security Note 2109818. |
|
30 |
CVE-2015-3990 |
19 |
|
Exec Code |
2015-05-20 |
2018-03-13 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
The GMS ViewPoint (GMSVP) web application in Dell Sonicwall GMS, Analyzer, and UMA EM5000 before 7.2 SP4 allows remote authenticated users to execute arbitrary commands via vectors related to configuration. |
|
31 |
CVE-2015-3989 |
79 |
|
XSS |
2015-05-15 |
2016-12-06 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in concrete5 before 5.7.4 allow remote attackers to inject arbitrary web script or HTML via vectors related to private messages or other unspecified vectors. |
|
32 |
CVE-2015-3988 |
79 |
|
XSS |
2015-05-19 |
2016-12-24 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in OpenStack Dashboard (Horizon) 2015.1.0 allow remote authenticated users to inject arbitrary web script or HTML via the metadata to a (1) Glance image, (2) Nova flavor or (3) Host Aggregate. |
|
33 |
CVE-2015-3987 |
426 |
|
+Priv |
2015-05-14 |
2019-02-11 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Multiple unquoted Windows search path vulnerabilities in the (1) Client Management and (2) Gateway in McAfee ePO Deep Command 2.1 and 2.2 before HF 1058831 allow local users to gain privileges via unspecified vectors. |
|
34 |
CVE-2015-3986 |
352 |
|
Dir. Trav. CSRF |
2015-05-14 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Cross-site request forgery (CSRF) vulnerability in the TheCartPress eCommerce Shopping Cart (aka The Professional WordPress eCommerce Plugin) plugin for WordPress before 1.3.9.3 allows remote attackers to hijack the authentication of administrators for requests that conduct directory traversal attacks via the tcp_box_path parameter in the checkout_editor_settings page to wp-admin/admin.php. |
|
35 |
CVE-2015-3983 |
310 |
|
+Info |
2015-05-14 |
2016-12-31 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. NOTE: this issue was SPLIT from CVE-2015-1848 per ADT2 due to different vulnerability types. |
|
36 |
CVE-2015-3981 |
200 |
|
+Info |
2015-05-12 |
2018-12-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
SAP NetWeaver RFC SDK allows attackers to obtain sensitive information via unspecified vectors, aka SAP Security Note 2084037. |
|
37 |
CVE-2015-3980 |
89 |
|
Exec Code Sql |
2015-05-12 |
2017-01-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2097534. |
|
38 |
CVE-2015-3979 |
|
|
Exec Code |
2015-05-12 |
2017-01-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary code via unknown vectors, aka SAP Security Note 2097534. |
|
39 |
CVE-2015-3978 |
200 |
|
+Info |
2015-05-12 |
2018-12-10 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
SAP Sybase Unwired Platform Online Data Proxy allows local users to obtain usernames and passwords via the DataVault, aka SAP Security Note 2094830. |
|
40 |
CVE-2015-3939 |
22 |
|
Dir. Trav. |
2015-05-31 |
2016-12-06 |
6.8 |
None |
Remote |
Low |
??? |
Complete |
None |
None |
|
Directory traversal vulnerability in the NC854 and NC856 modules for IDS RTU 850C devices allows remote authenticated users to read arbitrary files via unspecified vectors involving an internal web server, as demonstrated by reading a TELNET credentials file. |
|
41 |
CVE-2015-3922 |
|
|
|
2015-05-27 |
2016-12-31 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in mode.php in Coppermine Photo Gallery before 1.5.36 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter. |
|
42 |
CVE-2015-3921 |
79 |
|
XSS |
2015-05-27 |
2016-12-31 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in contact.php in Coppermine Photo Gallery before 1.5.36 allows remote authenticated users to inject arbitrary web script or HTML via the referer parameter. |
|
43 |
CVE-2015-3912 |
200 |
|
+Info |
2015-05-21 |
2015-05-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Huawei E355s Mobile WiFi with firmware before 22.158.45.02.625 and WEBUI before 13.100.04.01.625 allows remote attackers to obtain sensitive configuration information by sniffing the network or sending unspecified commands. |
|
44 |
CVE-2015-3911 |
284 |
|
DoS Bypass |
2015-05-21 |
2015-05-22 |
9.0 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Complete |
|
Huawei E587 Mobile WiFi with firmware before 11.203.30.00.00 allows remote attackers to bypass authentication, change configurations, send messages, and cause a denial of service (device restart) via unspecified vectors. |
|
45 |
CVE-2015-3910 |
|
|
DoS |
2015-05-20 |
2016-12-31 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple unspecified vulnerabilities in Google V8 before 4.3.61.21, as used in Google Chrome before 43.0.2357.65, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. |
|
46 |
CVE-2015-3906 |
119 |
|
DoS Overflow |
2015-05-26 |
2017-07-01 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The logcat_dump_text function in wiretap/logcat.c in the Android Logcat file parser in Wireshark 1.12.x before 1.12.5 does not properly handle a lack of \0 termination, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted message in a packet, a different vulnerability than CVE-2015-3815. |
|
47 |
CVE-2015-3904 |
79 |
|
XSS |
2015-05-29 |
2019-06-25 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in roomcloud.php in the Roomcloud plugin before 1.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) pin, (2) start_day, (3) start_month, (4) start_year, (5) end_day, (6) end_month, (7) end_year, (8) lang, (9) adults, or (10) children parameter. |
|
48 |
CVE-2015-3903 |
310 |
|
+Info |
2015-05-26 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables X.509 certificate verification for GitHub API calls over SSL, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
49 |
CVE-2015-3902 |
352 |
|
CSRF |
2015-05-26 |
2016-12-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack the authentication of administrators for requests that modify the configuration file. |
|
50 |
CVE-2015-3885 |
189 |
|
DoS Overflow |
2015-05-19 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Integer overflow in the ljpeg_start function in dcraw 7.00 and earlier allows remote attackers to cause a denial of service (crash) via a crafted image, which triggers a buffer overflow, related to the len variable. |
