# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.

1 | CVE-2015-4137 | 89 | | Exec Code Sql | 2015-05-29 | 2016-12-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in related.php in Milw0rm Clone Script 1.0 allows remote attackers to execute arbitrary SQL commands via the program parameter.

2 | CVE-2015-4133 | | | Exec Code | 2015-05-28 | 2016-11-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Unrestricted file upload vulnerability in admin/scripts/FileUploader/php.php in the ReFlex Gallery plugin before 3.1.4 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a PHP extension, then accessing it via a direct request to the file in uploads/ directory.

3 | CVE-2015-4092 | 119 | | DoS Exec Code Overflow | 2015-05-26 | 2018-12-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Buffer overflow in the XComms process in SAP Afaria 7.00.6620.2 SP5 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted request, aka SAP Security Note 2153690.

4 | CVE-2015-4091 | | | | 2015-05-26 | 2018-12-10 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
XML external entity (XXE) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to send TCP requests to intranet servers or possibly have unspecified other impact via an XML request to tc~sld~wd~main/Main, related to "CIM UPLOAD," aka SAP Security Note 2090851.

5 | CVE-2015-4069 | 200 | | +Info | 2015-05-29 | 2016-12-06 | 7.8 | None | Remote | Low | Not required | Complete | None | None
The EdgeServiceImpl web service in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive credentials via a crafted SOAP request to the (1) getBackupPolicy or (2) getBackupPolicies method.

6 | CVE-2015-4068 | 22 | | DoS Dir. Trav. +Info | 2015-05-29 | 2016-12-06 | 9.4 | None | Remote | Low | Not required | Complete | None | Complete
Directory traversal vulnerability in Arcserve UDP before 5.0 Update 4 allows remote attackers to obtain sensitive information or cause a denial of service via a crafted file path to the (1) reportFileServlet or (2) exportServlet servlet.

7 | CVE-2015-4067 | 189 | | Exec Code Overflow | 2015-05-29 | 2016-12-06 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Integer overflow in the libnv6 module in Dell NetVault Backup before 10.0.5 allows remote attackers to execute arbitrary code via crafted template string specifiers in a serialized object, which triggers a heap-based buffer overflow.

8 | CVE-2015-4066 | 89 | | Exec Code Sql | 2015-05-27 | 2021-08-19 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
Multiple SQL injection vulnerabilities in admin/handlers.php in the GigPress plugin before 2.3.9 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) show_artist_id or (2) show_venue_id parameter in an add action in the gigpress.php page to wp-admin/admin.php.

9 | CVE-2015-4064 | 89 | | Exec Code Sql | 2015-05-27 | 2015-05-28 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
SQL injection vulnerability in modules/module.ab-testing.php in the Landing Pages plugin before 1.8.5 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the post parameter in an edit delete-variation action to wp-admin/post.php.

10 | CVE-2015-4062 | 89 | | Exec Code Sql | 2015-05-27 | 2015-05-28 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
SQL injection vulnerability in includes/nsp_search.php in the NewStatPress plugin before 0.9.9 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the where1 parameter in the nsp_search page to wp-admin/admin.php.

11 | CVE-2015-4060 | 119 | | Exec Code Overflow | 2015-05-29 | 2016-12-06 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Heap-based buffer overflow in the TermProxy (WLTermProxyService.exe) service in Wavelink ConnectPro allows remote attackers to execute arbitrary code via a large HTTP header.

12 | CVE-2015-4059 | 119 | | Exec Code Overflow | 2015-05-29 | 2016-12-06 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Heap-based buffer overflow in the License Server (LicenseServer.exe) in Wavelink Terminal Emulation (TE) allows remote attackers to execute arbitrary code via a large HTTP header.

13 | CVE-2015-4047 | 476 | | DoS | 2015-05-29 | 2019-03-27 | 7.8 | None | Remote | Low | Not required | None | None | Complete
racoon/gssapi.c in IPsec-Tools 0.8.2 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon crash) via a series of crafted UDP requests.

14 | CVE-2015-4032 | 264 | | | 2015-05-29 | 2016-12-06 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
projectContents.jsp in the Developer tools in Visual Mining NetCharts Server allows remote attackers to rename arbitrary files, and consequently execute them, via unspecified vectors.

15 | CVE-2015-4031 | 22 | | Dir. Trav. | 2015-05-29 | 2019-06-24 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Directory traversal vulnerability in saveFile.jsp in the development installation in Visual Mining NetChart allows remote attackers to write to arbitrary files via unspecified vectors.

16 | CVE-2015-4018 | 89 | | Exec Code Sql | 2015-05-21 | 2015-06-25 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
SQL injection vulnerability in feedwordpresssyndicationpage.class.php in the FeedWordPress plugin before 2015.0514 for WordPress allows remote authenticated users to execute arbitrary SQL commands via the link_ids[] parameter in an Update action in the syndication.php page to wp-admin/admin.php.

17 | CVE-2015-3990 | 19 | | Exec Code | 2015-05-20 | 2018-03-13 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete
The GMS ViewPoint (GMSVP) web application in Dell Sonicwall GMS, Analyzer, and UMA EM5000 before 7.2 SP4 allows remote authenticated users to execute arbitrary commands via vectors related to configuration.

18 | CVE-2015-3987 | 426 | | +Priv | 2015-05-14 | 2019-02-11 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
Multiple unquoted Windows search path vulnerabilities in the (1) Client Management and (2) Gateway in McAfee ePO Deep Command 2.1 and 2.2 before HF 1058831 allow local users to gain privileges via unspecified vectors.

19 | CVE-2015-3980 | 89 | | Exec Code Sql | 2015-05-12 | 2017-01-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary SQL commands via unspecified vectors, aka SAP Security Note 2097534.

20 | CVE-2015-3979 | | | Exec Code | 2015-05-12 | 2017-01-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Unspecified vulnerability in the Business Rules Framework (CRM-BF-BRF) in SAP CRM allows attackers to execute arbitrary code via unknown vectors, aka SAP Security Note 2097534.

21 | CVE-2015-3939 | 22 | | Dir. Trav. | 2015-05-31 | 2016-12-06 | 6.8 | None | Remote | Low | ??? | Complete | None | None
Directory traversal vulnerability in the NC854 and NC856 modules for IDS RTU 850C devices allows remote authenticated users to read arbitrary files via unspecified vectors involving an internal web server, as demonstrated by reading a TELNET credentials file.

22 | CVE-2015-3911 | 284 | | DoS Bypass | 2015-05-21 | 2015-05-22 | 9.0 | None | Remote | Low | Not required | Partial | Partial | Complete
Huawei E587 Mobile WiFi with firmware before 11.203.30.00.00 allows remote attackers to bypass authentication, change configurations, send messages, and cause a denial of service (device restart) via unspecified vectors.

23 | CVE-2015-3910 | | | DoS | 2015-05-20 | 2016-12-31 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Multiple unspecified vulnerabilities in Google V8 before 4.3.61.21, as used in Google Chrome before 43.0.2357.65, allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

24 | CVE-2015-3902 | 352 | | CSRF | 2015-05-26 | 2016-12-28 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack the authentication of administrators for requests that modify the configuration file.

25 | CVE-2015-3812 | 399 | | DoS | 2015-05-26 | 2019-12-27 | 7.8 | None | Remote | Low | Not required | None | None | Complete
Multiple memory leaks in the x11_init_protocol function in epan/dissectors/packet-x11.c in the X11 dissector in Wireshark 1.10.x before 1.10.14 and 1.12.x before 1.12.5 allow remote attackers to cause a denial of service (memory consumption) via a crafted packet.

26 | CVE-2015-3810 | 399 | | DoS | 2015-05-26 | 2017-07-01 | 7.8 | None | Remote | Low | Not required | None | None | Complete
epan/dissectors/packet-websocket.c in the WebSocket dissector in Wireshark 1.12.x before 1.12.5 uses a recursive algorithm, which allows remote attackers to cause a denial of service (CPU consumption) via a crafted packet.

27 | CVE-2015-3809 | 189 | | DoS | 2015-05-26 | 2017-07-01 | 7.8 | None | Remote | Low | Not required | None | None | Complete
The dissect_lbmr_pser function in epan/dissectors/packet-lbmr.c in the LBMR dissector in Wireshark 1.12.x before 1.12.5 does not properly track the current offset, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.

28 | CVE-2015-3808 | 189 | | DoS | 2015-05-26 | 2017-07-01 | 7.8 | None | Remote | Low | Not required | None | None | Complete
The dissect_lbmr_pser function in epan/dissectors/packet-lbmr.c in the LBMR dissector in Wireshark 1.12.x before 1.12.5 does not reject a zero length, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.

29 | CVE-2015-3630 | 264 | | +Info | 2015-05-18 | 2018-08-13 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2) /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows local users to modify the host, obtain sensitive information, and perform protocol downgrade attacks via a crafted image.

30 | CVE-2015-3629 | 59 | | | 2015-05-18 | 2018-08-13 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
Libcontainer 1.6.0, as used in Docker Engine, allows local users to escape containerization ("mount namespace breakout") and write to arbitrary file on the host system via a symlink attack in an image when respawning a container.

31 | CVE-2015-3627 | 59 | | +Priv | 2015-05-18 | 2018-08-13 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed to the pid-1 process before performing the chroot, which allows local users to gain privileges via a symlink attack in an image.

32 | CVE-2015-3456 | 119 | | DoS Exec Code Overflow | 2015-05-13 | 2021-11-17 | 7.7 | None | Local Network | Low | ??? | Complete | Complete | Complete
The Floppy Disk Controller (FDC) in QEMU, as used in Xen 4.5.x and earlier and KVM, allows local guest users to cause a denial of service (out-of-bounds write and guest crash) or possibly execute arbitrary code via the (1) FD_CMD_READ_ID, (2) FD_CMD_DRIVE_SPECIFICATION_COMMAND, or other unspecified commands, aka VENOM.

33 | CVE-2015-3446 | 94 | | Exec Code | 2015-05-01 | 2016-12-06 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
The Framework Daemon in AlienVault Unified Security Management before 4.15 allows remote attackers to execute arbitrary Python code via a crafted plugin configuration file (.cfg).

34 | CVE-2015-3435 | 264 | | Exec Code | 2015-05-01 | 2016-12-06 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Samsung Security Manager (SSM) before 1.31 allows remote attackers to execute arbitrary code by uploading a file with an HTTP (1) PUT or (2) MOVE request.

35 | CVE-2015-3427 | 89 | | Sql | 2015-05-14 | 2016-12-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
Quassel before 0.12.2 does not properly re-initialize the database session when the PostgreSQL database is restarted, which allows remote attackers to conduct SQL injection attacks via a \ (backslash) in a message. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4422.

36 | CVE-2015-3409 | | | +Priv | 2015-05-19 | 2017-11-04 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete
Untrusted search path vulnerability in Module::Signature before 0.75 allows local users to gain privileges via a Trojan horse module under the current working directory, as demonstrated by a Trojan horse Text::Diff module.

37 | CVE-2015-3408 | 77 | | Exec Code | 2015-05-19 | 2017-11-04 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Module::Signature before 0.74 allows remote attackers to execute arbitrary shell commands via a crafted SIGNATURE file which is not properly handled when generating checksums from a signed manifest.

38 | CVE-2015-3339 | 362 | | +Priv | 2015-05-27 | 2016-12-31 | 6.2 | None | Local | High | Not required | Complete | Complete | Complete
Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped.

39 | CVE-2015-3331 | 119 | | DoS Exec Code Overflow | 2015-05-27 | 2018-01-05 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
The __driver_rfc4106_decrypt function in arch/x86/crypto/aesni-intel_glue.c in the Linux kernel before 3.19.3 does not properly determine the memory locations used for encrypted data, which allows context-dependent attackers to cause a denial of service (buffer overflow and system crash) or possibly execute arbitrary code by triggering a crypto API call, as demonstrated by use of a libkcapi test program with an AF_ALG(aead) socket.

40 | CVE-2015-3325 | 89 | | Exec Code Sql | 2015-05-15 | 2015-06-25 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in forum.php in the WP Symposium plugin before 15.4 for WordPress allows remote attackers to execute arbitrary SQL commands via the show parameter in the QUERY_STRING to the default URI.

41 | CVE-2015-3306 | 284 | | | 2015-05-18 | 2021-05-26 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
The mod_copy module in ProFTPD 1.3.5 allows remote attackers to read and write to arbitrary files via the site cpfr and site cpto commands.

42 | CVE-2015-3294 | 19 | | DoS | 2015-05-08 | 2018-10-09 | 6.4 | None | Remote | Low | Not required | Partial | None | Partial
The tcp_request function in Dnsmasq before 2.73rc4 does not properly handle the return value of the setup_reply function, which allows remote attackers to read process memory and cause a denial of service (out-of-bounds read and crash) via a malformed DNS request.

43 | CVE-2015-3292 | 17 | | Exec Code | 2015-05-31 | 2016-12-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
The installer in NetApp OnCommand Workflow Automation before 2.2.1P1 and 3.x before 3.0P1 sets up the Java Debugging Wire Protocol (JDWP) service, which allows remote attackers to execute arbitrary code via unspecified vectors.

44 | CVE-2015-3141 | 352 | | XSS CSRF | 2015-05-20 | 2016-12-03 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Synametrics Technologies Xeams 4.5 Build 5755 and earlier allow remote attackers to hijack the authentication of administrators for requests that create an (1) SMTP domain or a (2) user via a request to /FrontController; or conduct cross-site scripting (XSS) attacks via the (3) domainname parameter to /FrontController, when creating a new SMTP domain configuration; the (4) txtRecipient parameter to /FrontController, when creating a new forwarder; the (5) popFetchServer, (6) popFetchUser, or (7) popFetchRecipient parameter to /FrontController, when creating a new POP3 Fetcher account; or the (8) Smtp HELO domain in the Advanced Server Configuration.

45 | CVE-2015-3093 | 119 | | DoS Exec Code Overflow Mem. Corr. | 2015-05-13 | 2017-09-17 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3078, CVE-2015-3089, and CVE-2015-3090.

46 | CVE-2015-3090 | 119 | | DoS Exec Code Overflow Mem. Corr. | 2015-05-13 | 2017-01-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3078, CVE-2015-3089, and CVE-2015-3093.

47 | CVE-2015-3089 | 119 | | DoS Exec Code Overflow Mem. Corr. | 2015-05-13 | 2017-09-17 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-3078, CVE-2015-3090, and CVE-2015-3093.

48 | CVE-2015-3088 | 119 | | Exec Code Overflow | 2015-05-13 | 2017-09-17 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Heap-based buffer overflow in Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allows attackers to execute arbitrary code via unspecified vectors.

49 | CVE-2015-3087 | 189 | | Exec Code Overflow | 2015-05-13 | 2017-09-17 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Integer overflow in Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allows attackers to execute arbitrary code via unspecified vectors.

50 | CVE-2015-3086 | | | Exec Code | 2015-05-13 | 2017-01-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete
Adobe Flash Player before 13.0.0.289 and 14.x through 17.x before 17.0.0.188 on Windows and OS X and before 11.2.202.460 on Linux, Adobe AIR before 17.0.0.172, Adobe AIR SDK before 17.0.0.172, and Adobe AIR SDK & Compiler before 17.0.0.172 allow attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-3077 and CVE-2015-3084.