| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1301 | CVE-2015-5699 | 264 | | Exec Code | 2017-10-22 | 2017-11-14 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | The Switch Configuration Tools Backend (clcmd_server) in Cumulus Linux 2.5.3 and earlier allows local users to execute arbitrary commands via shell metacharacters in a cl-rctl command label. |
| 1302 | CVE-2015-5675 | 264 | | DoS +Priv | 2017-10-10 | 2018-10-09 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | The sys_amd64 IRET Handler in the kernel in FreeBSD 9.3 and 10.1 allows local users to gain privileges or cause a denial of service (kernel panic). |
| 1303 | CVE-2015-5639 | 295 | | | 2017-10-10 | 2017-11-05 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | niconico App for iOS before 6.38 does not verify SSL certificates, which could allow remote attackers to execute man-in-the-middle attacks. |
| 1304 | CVE-2015-5533 | 89 | | Exec Code Sql CSRF | 2017-10-23 | 2018-10-09 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SQL injection vulnerability in counter-options.php in the Count Per Day plugin before 3.4.1 for WordPress allows remote authenticated administrators to execute arbitrary SQL commands via the cpd_keep_month parameter to wp-admin/options-general.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands. |
| 1305 | CVE-2015-5532 | 79 | | XSS | 2017-10-23 | 2021-04-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the Paid Memberships Pro (PMPro) plugin before 1.8.4.3 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) s parameter to membershiplevels.php, (2) memberslist.php, or (3) orders.php in adminpages/ or the (4) edit parameter to adminpages/membershiplevels.php. |
| 1306 | CVE-2015-5379 | 79 | | XSS | 2017-10-23 | 2018-10-09 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in actions.hsp in the Ajax WebMail interface in AXIGEN Mail Server before 9.0 allows remote attackers to inject arbitrary web script or HTML via an email attachment. |
| 1307 | CVE-2015-5376 | 89 | | Exec Code Sql | 2017-10-18 | 2017-11-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in the login form in GSI WiNPAT Portal 3.2.0.1001 through 3.6.1.0 allows remote attackers to execute arbitrary SQL commands via the username field. |
| 1308 | CVE-2015-5246 | 254 | | | 2017-10-06 | 2017-11-01 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The LDAP Authentication functionality in Foreman might allow remote attackers with knowledge of old passwords to gain access via vectors involving the password lifetime period in Active Directory. |
| 1309 | CVE-2015-5227 | 74 | | Exec Code | 2017-10-18 | 2017-11-07 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The Landing Pages plugin before 1.9.2 for WordPress allows remote attackers to execute arbitrary code via the url parameter. |
| 1310 | CVE-2015-5177 | 415 | | DoS | 2017-10-22 | 2017-11-07 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Double free vulnerability in the SLPDKnownDAAdd function in slpd/slpd_knownda.c in OpenSLP 1.2.1 allows remote attackers to cause a denial of service (crash) via a crafted package. |
| 1311 | CVE-2015-5173 | 200 | | +Info | 2017-10-24 | 2021-08-25 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password recovery links, aka "Cross Domain Referer Leakage." |
| 1312 | CVE-2015-5172 | 640 | | | 2017-10-24 | 2021-08-25 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links. |
| 1313 | CVE-2015-5171 | 613 | | | 2017-10-24 | 2021-08-25 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allows attackers to have unspecified impact by leveraging failure to expire existing sessions. |
| 1314 | CVE-2015-5170 | 352 | | CSRF | 2017-10-24 | 2021-08-25 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks. |
| 1315 | CVE-2015-5164 | 502 | | Exec Code | 2017-10-18 | 2017-11-08 | 9.0 | None | Remote | Low | ??? | Complete | Complete | Complete | The Qpid server on Red Hat Satellite 6 does not properly restrict message types, which allows remote authenticated users with administrative access on a managed content host to execute arbitrary code via a crafted message, related to a pickle processing problem in pulp. |
| 1316 | CVE-2015-4650 | 264 | | Exec Code +Priv | 2017-10-16 | 2017-11-01 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Aruba Networks ClearPass Policy Manager before 6.4.7 and 6.5.x before 6.5.2 allows remote attackers to gain shell access and execute arbitrary code with root privileges via unspecified vectors. |
| 1317 | CVE-2015-4422 | 119 | | DoS Overflow +Priv Mem. Corr. | 2017-10-19 | 2017-11-08 | 7.6 | None | Remote | High | Not required | Complete | Complete | Complete | The TEEOS module in Huawei Mate 7 (Mate7-TL10) smartphones before V100R001CHNC00B126SP03 allows local users with root permissions to gain privileges or cause a denial of service (memory corruption) via a crafted application. |
| 1318 | CVE-2015-4421 | 119 | | DoS Overflow +Priv Mem. Corr. | 2017-10-19 | 2017-11-07 | 7.6 | None | Remote | High | Not required | Complete | Complete | Complete | The tzdriver module in Huawei Mate 7 (Mate7-TL10) smartphones before V100R001CHNC00B126SP03 allows local users to gain privileges or cause a denial of service (memory corruption) via an unspecified input. |
| 1319 | CVE-2015-3400 | 200 | | +Info | 2017-10-18 | 2017-11-08 | 3.5 | None | Remote | Medium | ??? | Partial | None | None | sharenfs 0.6.4, when built with commits bcdd594 and 7d08880 from the zfs repository, provides world readable access to the shared zfs file system, which might allow remote authenticated users to obtain sensitive information by reading shared files. |
| 1320 | CVE-2015-3321 | 264 | | +Priv | 2017-10-03 | 2017-10-17 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | Services and files in Lenovo Fingerprint Manager before 8.01.42 have incorrect ACLs, which allows local users to invalidate local checks and gain privileges via standard filesystem operations. |
| 1321 | CVE-2015-3249 | 119 | | DoS Exec Code Overflow | 2017-10-30 | 2017-11-18 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.1 allows remote attackers to cause a denial of service (out-of-bounds access and daemon crash) or possibly execute arbitrary code via vectors related to the (1) frame_handlers array or (2) set_dynamic_table_size function. |
| 1322 | CVE-2015-3229 | 264 | | | 2017-10-16 | 2017-11-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | fedora-cloud-atomic.ks in spin-kickstarts allows remote attackers to conduct man-in-the-middle attacks by leveraging use of HTTP to download Fedora Atomic updates. |
| 1323 | CVE-2015-2988 | 295 | | | 2017-10-10 | 2017-11-03 | 4.0 | None | Remote | High | Not required | Partial | Partial | None | Rakuten card App for iOS 5.2.0 through 5.2.4 does not verify SSL certificates, which might allow remote attackers to execute man-in-the-middle attacks. |
| 1324 | CVE-2015-2878 | 352 | | CSRF | 2017-10-23 | 2018-10-09 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in Hexis HawkEye G 3.0.1.4912 allow remote attackers to hijack the authentication of administrators for requests that (1) add arbitrary accounts via the name parameter to interface/rest/accounts/json; turn off the (2) Url matching, (3) DNS Inject, or (4) IP Redirect Sensor in a request to interface/rest/dpi/setEnabled/1; or (5) perform whitelisting of malware MD5 hash IDs via the id parameter to interface/rest/md5-threats/whitelist. |
| 1325 | CVE-2015-2856 | 22 | | Dir. Trav. | 2017-10-10 | 2017-10-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in the template function in function.inc in Accellion File Transfer Appliance devices before FTA_9_11_210 allows remote attackers to read arbitrary files via a .. (dot dot) in the statecode cookie. |
| 1326 | CVE-2015-2780 | 434 | | Exec Code | 2017-10-16 | 2017-11-07 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Unrestricted file upload vulnerability in Berta CMS allows remote attackers to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in an unspecified directory. |
| 1327 | CVE-2015-2673 | 264 | | Exec Code +Priv | 2017-10-06 | 2017-11-01 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The ec_ajax_update_option and ec_ajax_clear_all_taxrates functions in inc/admin/admin_ajax_functions.php in the WP EasyCart plugin 1.1.30 through 3.0.20 for WordPress allow remote attackers to gain administrator privileges and execute arbitrary code via the option_name and option_value parameters. |
| 1328 | CVE-2015-2297 | 476 | | DoS | 2017-10-06 | 2017-10-13 | 5.0 | None | Remote | Low | Not required | None | None | Partial | nanohttp in libcsoap allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted Authorization header. |
| 1329 | CVE-2015-2158 | 189 | | DoS Exec Code | 2017-10-06 | 2017-11-01 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Off-by-one error in the pngcrush_measure_idat function in pngcrush.c in pngcrush before 1.7.84 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file. |
| 1330 | CVE-2015-2156 | 20 | | Bypass +Info | 2017-10-18 | 2019-11-25 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters. |
| 1331 | CVE-2015-2148 | 79 | | XSS | 2017-10-06 | 2017-10-11 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker phpBugTracker before 1.7.2 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. |
| 1332 | CVE-2015-2147 | 89 | | Exec Code Sql | 2017-10-06 | 2017-10-11 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via unspecified parameters. |
| 1333 | CVE-2015-2146 | 89 | | Exec Code Sql | 2017-10-06 | 2017-10-11 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Multiple SQL injection vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to project.php, the (2) group_id parameter to group.php, the (3) status_id parameter to status.php, the (4) resolution_id parameter to resolution.php, the (5) severity_id parameter to severity.php, the (6) priority_id parameter to priority.php, the (7) os_id parameter to os.php, or the (8) site_id parameter to site.php. |
| 1334 | CVE-2015-2145 | 79 | | XSS | 2017-10-06 | 2017-10-11 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. |
| 1335 | CVE-2015-2144 | 79 | | XSS | 2017-10-06 | 2017-10-11 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote authenticated users to inject arbitrary web script or HTML via the (1) project name parameter to project.php; the (2) use_js parameter to user.php; the (3) use_js parameter to group.php; the (4) Description parameter to status.php; the (5) Description parameter to severity.php; the (6) Regex parameter to os.php; or the (7) Name parameter to database.php. |
| 1336 | CVE-2015-2143 | 352 | | CSRF | 2017-10-06 | 2017-10-11 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote attackers to hijack the authentication of users for requests that cause an unspecified impact via unknown parameters. |
| 1337 | CVE-2015-2142 | 352 | | CSRF | 2017-10-06 | 2017-10-12 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in Issuetracker phpBugTracker before 1.7.0 allow remote authenticated users to (1) hijack the authentication of users for requests that cause an unspecified impact via the id parameter to project.php, (2) hijack the authentication of users for requests that cause an unspecified impact via the group_id parameter to group.php, (3) hijack the authentication of users for requests that delete statuses via the status_id parameter to status.php, (4) hijack the authentication of users for requests that delete severities via the severity_id parameter to severity.php, (5) hijack the authentication of users for requests that cause an unspecified impact via the priority_id parameter to priority.php, (6) hijack the authentication of users for requests that delete the operating system via the os_id parameter to os.php, (7) hijack the authentication of users for requests that delete databases via the database_id parameter to database.php, or (8) hijack the authentication of users for requests that delete sites via the site_id parameter to sites.php. |
| 1338 | CVE-2015-1835 | 20 | | | 2017-10-27 | 2017-11-16 | 2.6 | None | Remote | High | Not required | None | Partial | None | Apache Cordova Android before 3.7.2 and 4.x before 4.0.2, when an application does not set explicit values in config.xml, allows remote attackers to modify undefined secondary configuration variables (preferences) via a crafted intent: URL. |
| 1339 | CVE-2015-1828 | 200 | | +Info | 2017-10-06 | 2019-10-17 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle attack. |
| 1340 | CVE-2015-1429 | 22 | | Dir. Trav. | 2017-10-06 | 2020-08-19 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in Cybele Software Thinfinity Remote Desktop Workstation 3.0.0.3 32-bit and 64-bit allows remote attackers to download arbitrary files via a .. (dot dot) in an unspecified parameter. |
| 1341 | CVE-2015-1239 | 415 | | DoS | 2017-10-18 | 2021-11-09 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Double free vulnerability in the j2k_read_ppm_v3 function in OpenJPEG before r2997, as used in PDFium in Google Chrome, allows remote attackers to cause a denial of service (process crash) via a crafted PDF. |
| 1342 | CVE-2015-1206 | 119 | | DoS Overflow | 2017-10-06 | 2017-11-01 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Heap-based buffer overflow in Google Chrome before M40 allows remote attackers to cause a denial of service (unpaged memory write and process crash) via a crafted MP4 file. |
| 1343 | CVE-2015-0296 | 264 | | | 2017-10-06 | 2017-11-01 | 1.2 | None | Local | High | Not required | None | Partial | None | The pre-install script in texlive 3.1.20140525_r34255.fc21 as packaged in Fedora 21 and rpm, and texlive 6.20131226_r32488.fc20 and rpm allows local users to delete arbitrary files via a crafted file in the user's home directory. |
| 1344 | CVE-2015-0226 | 327 | | +Info | 2017-10-30 | 2019-07-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Apache WSS4J before 1.6.17 and 2.0.x before 2.0.2 improperly leaks information about decryption failures when decrypting an encrypted key or message data, which makes it easier for remote attackers to recover the plaintext form of a symmetric key via a series of crafted messages. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-2487. |
| 1345 | CVE-2015-0224 | 19 | | DoS | 2017-10-30 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | None | None | Partial | qpidd in Apache Qpid 0.30 and earlier allows remote attackers to cause a denial of service (daemon crash) via a crafted protocol sequence set. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-0203. |
| 1346 | CVE-2014-9733 | 20 | | | 2017-10-17 | 2017-11-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | nw.js before 0.11.5 can simulate user input events in a normal frame, which allows remote attackers to have unspecified impact via unknown vectors. |
| 1347 | CVE-2014-9697 | 400 | | DoS | 2017-10-17 | 2017-11-08 | 7.8 | None | Remote | Low | Not required | None | None | Complete | Huawei USG9560/9520/9580 before V300R001C01SPC300 allows remote attackers to cause a memory leak or denial of service (memory exhaustion, reboot and MPU switchover) via a crafted website. |
| 1348 | CVE-2014-9678 | 20 | | | 2017-10-17 | 2017-11-08 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | FlexPaperViewer.swf in Flexpaper before 2.3.1 allows remote attackers to conduct content-spoofing attacks via the Swfile parameter. |
| 1349 | CVE-2014-9677 | 79 | | XSS | 2017-10-17 | 2017-10-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in FlexPaperViewer.swf in Flexpaper before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via the Swfile parameter. |
| 1350 | CVE-2014-9489 | 284 | | Exec Code | 2017-10-17 | 2017-11-08 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1, when the string "master" is in any of the wiki documents, allow remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags. |