| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
151 |
CVE-2015-2946 |
119 |
|
Exec Code Overflow |
2015-05-25 |
2016-12-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Stack-based buffer overflow in the Open CAD Format Council SXF common library before 3.30 allows remote attackers to execute arbitrary code via a crafted CAD file. |
|
152 |
CVE-2015-2945 |
94 |
|
Exec Code |
2015-05-25 |
2015-05-27 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
mt-phpincgi.php in Hajime Fujimoto mt-phpincgi before 2015-05-15 does not properly restrict URLs, which allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted request, as exploited in the wild in May 2015. |
|
153 |
CVE-2015-2922 |
17 |
|
|
2015-05-27 |
2018-01-05 |
3.3 |
None |
Local Network |
Low |
Not required |
None |
None |
Partial |
|
The ndisc_router_discovery function in net/ipv6/ndisc.c in the Neighbor Discovery (ND) protocol implementation in the IPv6 stack in the Linux kernel before 3.19.6 allows remote attackers to reconfigure a hop-limit setting via a small hop_limit value in a Router Advertisement (RA) message. |
|
154 |
CVE-2015-2855 |
200 |
|
+Info |
2015-05-30 |
2016-12-03 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not set the secure flag for the administrator's cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session, a different vulnerability than CVE-2015-4138. |
|
155 |
CVE-2015-2854 |
20 |
|
|
2015-05-30 |
2016-12-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via vectors involving an IFRAME element. |
|
156 |
CVE-2015-2853 |
|
|
|
2015-05-30 |
2016-12-03 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Session fixation vulnerability in the WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 allows remote attackers to hijack web sessions by providing a session ID. |
|
157 |
CVE-2015-2852 |
352 |
|
CSRF |
2015-05-30 |
2016-12-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site request forgery (CSRF) vulnerability in the WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 allows remote attackers to hijack the authentication of administrators. |
|
158 |
CVE-2015-2851 |
264 |
|
|
2015-05-30 |
2016-12-03 |
6.8 |
None |
Local |
Low |
??? |
Complete |
Complete |
Complete |
|
client_chown in the sync client in Synology Cloud Station 1.1-2291 through 3.1-3320 on OS X allows local users to change the ownership of arbitrary files, and consequently obtain root access, by specifying a filename. |
|
159 |
CVE-2015-2845 |
78 |
|
Exec Code |
2015-05-12 |
2018-10-09 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1421902800 allows remote attackers to execute arbitrary commands via the $type portion of the PATH_INFO. |
|
160 |
CVE-2015-2844 |
78 |
|
Exec Code |
2015-05-12 |
2018-10-09 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The cpanel function in go_site.php in GoAutoDial GoAdmin CE before 3.3-1420434000 allows remote attackers to execute arbitrary commands via the $action portion of the PATH_INFO. |
|
161 |
CVE-2015-2843 |
89 |
|
Exec Code Sql |
2015-05-12 |
2018-10-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in GoAutoDial GoAdmin CE before 3.3-1421902800 allow remote attackers to execute arbitrary SQL commands via the (1) user_name or (2) user_pass parameter in go_login.php or the PATH_INFO to (3) go_login/validate_credentials/admin/ or (4) index.php/go_site/go_get_user_info/. |
|
162 |
CVE-2015-2842 |
|
|
Exec Code |
2015-05-12 |
2018-10-09 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unrestricted file upload vulnerability in go_audiostore.php in the audiostore (Voice Files) upload functionality in GoAutoDial GoAdmin CE 3.x before 3.3-1421902800 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in sounds/. |
|
163 |
CVE-2015-2830 |
264 |
|
Bypass |
2015-05-27 |
2018-01-05 |
1.9 |
None |
Local |
Medium |
Not required |
None |
Partial |
None |
|
arch/x86/kernel/entry_64.S in the Linux kernel before 3.19.2 does not prevent the TS_COMPAT flag from reaching a user-mode task, which might allow local users to bypass the seccomp or audit protection mechanism via a crafted application that uses the (1) fork or (2) close system call, as demonstrated by an attack against seccomp before 3.16. |
|
164 |
CVE-2015-2829 |
|
|
DoS |
2015-05-12 |
2017-01-03 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway before 10.5 Build 53.9 through 55.8 and 10.5.e Build 53-9010.e allow remote attackers to cause a denial of service (reboot) via unspecified vectors. |
|
165 |
CVE-2015-2810 |
189 |
|
DoS Overflow |
2015-05-15 |
2016-12-03 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Integer overflow in the HwpApp::CHncSDS_Manager function in Hancom Office HanWord processor, as used in Hwp 2014 VP before 9.1.0.2342, HanWord Viewer 2007 and Viewer 2010 8.5.6.1158, and HwpViewer 2014 VP 9.1.0.2186, allows remote attackers to cause a denial of service (crash) and possibly "influence the program's execution flow" via a document with a large paragraph size, which triggers heap corruption. |
|
166 |
CVE-2015-2720 |
17 |
|
+Priv |
2015-05-14 |
2017-01-03 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The update implementation in Mozilla Firefox before 38.0 on Windows does not ensure that the pathname for updater.exe corresponds to the application directory, which might allow local users to gain privileges via a Trojan horse file. |
|
167 |
CVE-2015-2718 |
200 |
|
Bypass +Info |
2015-05-14 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The WebChannel.jsm module in Mozilla Firefox before 38.0 allows remote attackers to bypass the Same Origin Policy and obtain sensitive webchannel-response data via a crafted web site containing an IFRAME element referencing a different web site that is intended to read this data. |
|
168 |
CVE-2015-2717 |
189 |
|
DoS Exec Code Overflow |
2015-05-14 |
2018-10-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Integer overflow in libstagefright in Mozilla Firefox before 38.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow and out-of-bounds read) via an MP4 video file containing invalid metadata. |
|
169 |
CVE-2015-2716 |
119 |
|
Exec Code Overflow |
2015-05-14 |
2021-07-31 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Buffer overflow in the XML parser in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code by providing a large amount of compressed XML data, a related issue to CVE-2015-1283. |
|
170 |
CVE-2015-2715 |
362 |
|
DoS Exec Code Mem. Corr. |
2015-05-14 |
2018-10-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Race condition in the nsThreadManager::RegisterCurrentThread function in Mozilla Firefox before 38.0 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and heap memory corruption) by leveraging improper Media Decoder Thread creation at the time of a shutdown. |
|
171 |
CVE-2015-2714 |
264 |
|
+Info |
2015-05-14 |
2017-01-03 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Mozilla Firefox before 38.0 on Android does not properly restrict writing URL data to the Android logging system, which allows attackers to obtain sensitive information via a crafted application that has a required permission for reading a log, as demonstrated by the READ_LOGS permission for the mixed-content violation log on Android 4.0 and earlier. |
|
172 |
CVE-2015-2713 |
|
|
DoS Exec Code Mem. Corr. |
2015-05-14 |
2018-10-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Use-after-free vulnerability in the SetBreaks function in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a document containing crafted text in conjunction with a Cascading Style Sheets (CSS) token sequence containing properties related to vertical text. |
|
173 |
CVE-2015-2712 |
119 |
|
Exec Code Overflow +Info |
2015-05-14 |
2018-10-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The asm.js implementation in Mozilla Firefox before 38.0 does not properly determine heap lengths during identification of cases in which bounds checking may be safely skipped, which allows remote attackers to trigger out-of-bounds write operations and possibly execute arbitrary code, or trigger out-of-bounds read operations and possibly obtain sensitive information from process memory, via crafted JavaScript. |
|
174 |
CVE-2015-2711 |
200 |
|
+Info |
2015-05-14 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Mozilla Firefox before 38.0 does not recognize a referrer policy delivered by a referrer META element in cases of context-menu navigation and middle-click navigation, which allows remote attackers to obtain sensitive information by reading web-server Referer logs that contain private data in a URL, as demonstrated by a private path component. |
|
175 |
CVE-2015-2710 |
119 |
|
Exec Code Overflow |
2015-05-14 |
2018-10-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the SVGTextFrame class in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allows remote attackers to execute arbitrary code via crafted SVG graphics data in conjunction with a crafted Cascading Style Sheets (CSS) token sequence. |
|
176 |
CVE-2015-2709 |
|
|
DoS Exec Code Mem. Corr. |
2015-05-14 |
2018-10-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 38.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
|
177 |
CVE-2015-2708 |
|
|
DoS Exec Code Mem. Corr. |
2015-05-14 |
2018-10-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 38.0, Firefox ESR 31.x before 31.7, and Thunderbird before 31.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
|
178 |
CVE-2015-2704 |
74 |
|
|
2015-05-18 |
2016-12-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
realmd allows remote attackers to inject arbitrary configurations in to sssd.conf and smb.conf via a newline character in an LDAP response. |
|
179 |
CVE-2015-2694 |
264 |
|
Bypass |
2015-05-25 |
2020-01-21 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c. |
|
180 |
CVE-2015-2668 |
399 |
|
DoS |
2015-05-12 |
2017-01-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
ClamAV before 0.98.7 allows remote attackers to cause a denial of service (infinite loop) via a crafted xz archive file. |
|
181 |
CVE-2015-2667 |
|
|
+Priv |
2015-05-18 |
2016-12-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Untrusted search path vulnerability in GNS3 1.2.3 allows local users to gain privileges via a Trojan horse uuid.dll in an unspecified directory. |
|
182 |
CVE-2015-2666 |
119 |
|
Overflow +Priv |
2015-05-27 |
2016-12-31 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to the initrd. |
|
183 |
CVE-2015-2347 |
79 |
|
XSS |
2015-05-08 |
2015-05-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Huawei SEQ Analyst before V200R002C03LG0001CP0022 allows remote attackers to inject arbitrary web script or HTML via the command XML element in the req parameter to flexdata.action in (1) common/, (2) monitor/, or (3) psnpm/ or the (4) module XML element in the req parameter to flexdata.action in monitor/. |
|
184 |
CVE-2015-2346 |
|
|
|
2015-05-18 |
2016-12-03 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
XML external entity (XXE) vulnerability in Huawei SEQ Analyst before V200R002C03LG0001CP0022 allows remote authenticated users to read arbitrary files via the req parameter. |
|
185 |
CVE-2015-2250 |
79 |
|
XSS |
2015-05-15 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in concrete5 before 5.7.4 allow remote attackers to inject arbitrary web script or HTML via the (1) banned_word[] parameter to index.php/dashboard/system/conversations/bannedwords/success, (2) channel parameter to index.php/dashboard/reports/logs/view, (3) accessType parameter to index.php/tools/required/permissions/access_entity, (4) msCountry parameter to index.php/dashboard/system/multilingual/setup/load_icon, arHandle parameter to (5) design/submit or (6) design in index.php/ccm/system/dialogs/area/design/submit, (7) pageURL to index.php/dashboard/pages/single, (8) SEARCH_INDEX_AREA_METHOD parameter to index.php/dashboard/system/seo/searchindex/updated, (9) unit parameter to index.php/dashboard/system/optimization/jobs/job_scheduled, (10) register_notification_email parameter to index.php/dashboard/system/registration/open/1, or (11) PATH_INFO to index.php/dashboard/extend/connect/. |
|
186 |
CVE-2015-2248 |
352 |
|
CSRF |
2015-05-01 |
2018-03-12 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the user portal in Dell SonicWALL Secure Remote Access (SRA) products with firmware before 7.5.1.0-38sv and 8.x before 8.0.0.1-16sv allows remote attackers to hijack the authentication of users for requests that create bookmarks via a crafted request to cgi-bin/editBookmark. |
|
187 |
CVE-2015-2234 |
362 |
|
+Priv |
2015-05-12 |
2017-01-03 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Race condition in Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses world-writable permissions for the update files directory, which allows local users to gain privileges by writing to an update file after the signature is validated. |
|
188 |
CVE-2015-2233 |
310 |
|
|
2015-05-12 |
2016-12-03 |
8.3 |
None |
Local Network |
Low |
Not required |
Complete |
Complete |
Complete |
|
Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 does not properly validate CA chains during signature validation, which allows man-in-the-middle attackers to upload and execute arbitrary files via a crafted certificate. |
|
189 |
CVE-2015-2222 |
399 |
|
DoS |
2015-05-12 |
2017-01-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
ClamAV before 0.98.7 allows remote attackers to cause a denial of service (crash) via a crafted petite packed file. |
|
190 |
CVE-2015-2221 |
399 |
|
DoS |
2015-05-12 |
2017-01-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
ClamAV before 0.98.7 allows remote attackers to cause a denial of service (infinite loop) via a crafted y0da cryptor file. |
|
191 |
CVE-2015-2219 |
264 |
|
+Priv |
2015-05-12 |
2016-12-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Lenovo System Update (formerly ThinkVantage System Update) before 5.06.0034 uses predictable security tokens, which allows local users to gain privileges by sending a valid token with a command to the System Update service (SUService.exe) through an unspecified named pipe. |
|
192 |
CVE-2015-2170 |
399 |
|
DoS |
2015-05-12 |
2017-01-03 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The upx decoder in ClamAV before 0.98.7 allows remote attackers to cause a denial of service (crash) via a crafted file. |
|
193 |
CVE-2015-2123 |
|
|
+Priv |
2015-05-25 |
2016-12-03 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in HP NonStop Safeguard Security Software H06.x, L15.02, and J06.x before J06.19 allows remote authenticated users to gain privileges by leveraging Expand access. |
|
194 |
CVE-2015-2122 |
399 |
|
DoS |
2015-05-25 |
2016-12-03 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The REST layer on HP SDN VAN Controller devices 2.5 and earlier allows remote attackers to cause a denial of service via network traffic to the REST port. |
|
195 |
CVE-2015-2121 |
200 |
|
+Info |
2015-05-25 |
2016-12-03 |
7.8 |
None |
Remote |
Low |
Not required |
Complete |
None |
None |
|
HP Network Virtualization for LoadRunner and Performance Center 8.61 and 11.52 allows remote attackers to read arbitrary files via a crafted filename in a URL to the (1) HttpServlet or (2) NetworkEditorController component, aka ZDI-CAN-2569. |
|
196 |
CVE-2015-2120 |
|
|
+Priv |
2015-05-25 |
2016-12-31 |
8.7 |
None |
Remote |
Low |
??? |
Complete |
Partial |
Complete |
|
Unspecified vulnerability in HP SiteScope 11.1x before 11.13, 11.2x before 11.24.391, and 11.3x before 11.30.521 allows remote authenticated users to gain privileges via unknown vectors, aka ZDI-CAN-2567. |
|
197 |
CVE-2015-2118 |
|
|
+Info |
2015-05-25 |
2019-10-09 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Unspecified vulnerability in the Secure Pull Print and Security Pull Print components in HP Access Control (AC) Software 12.x through 14.x before 14.1.2 allows remote authenticated users to obtain sensitive information via unknown vectors. |
|
198 |
CVE-2015-2110 |
119 |
|
Exec Code Overflow |
2015-05-25 |
2019-10-09 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Buffer overflow in HP LoadRunner 11.52 allows remote attackers to execute arbitrary code via unspecified vectors. |
|
199 |
CVE-2015-1937 |
284 |
|
|
2015-05-30 |
2016-11-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM PowerVC 1.2.0.x through 1.2.0.4, 1.2.1.x through 1.2.1.2, and 1.2.2.x through 1.2.2.2 does not require authentication for the ceilometer NoSQL database, which allows remote attackers to read or write to arbitrary database records, and consequently obtain administrator privileges, via a session on port 27017. |
|
200 |
CVE-2015-1921 |
|
|
|
2015-05-25 |
2016-08-17 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in IBM WebSphere Portal 8.0.0 before 8.0.0.1 CF17 and 8.5.0 before CF06 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a crafted URL. |
