The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2015-7705 | A flaw was found in the way NTP handled rate limiting. An attacker able to send a large number of crafted requests to an NTP server could trigger the rate limiting on that server, and prevent clients from getting a usable reply from the server. | HIGH | Oct 28, 2015 |
| CVE-2015-7709 | The arkeiad daemon in the Arkeia Backup Agent in Western Digital Arkeia 11.0.12 and earlier allows remote attackers to bypass authentication and execute arbitrary commands via a series of crafted requests involving the ARKFS_EXEC_CMD operation. | High | Oct 6, 2015 |
| CVE-2015-7716 | libstagefright in Android 5.x before 5.1.1 LMY48T allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 20721050, a different vulnerability than CVE-2015-3873. | High | Oct 7, 2015 |
| CVE-2015-7717 | mediaserver in Android 5.x before 5.1.1 LMY48T and 6.0 before 2015-10-01 allows attackers to gain privileges via a crafted application, aka internal bug 19573085, a different vulnerability than CVE-2015-6596. | High | Oct 7, 2015 |
| CVE-2015-7730 | SAP BusinessObjects BI Platform 4.1, BusinessObjects Edge 4.0, and BusinessObjects XI (BOXI) 3.1 R3 allow remote attackers to cause a denial of service (out-of-bounds read and listener crash) via a crafted GIOP packet, aka SAP Security Note 2001108. | High | Oct 16, 2015 |
| CVE-2015-7749 | The PFE daemon in Juniper vSRX virtual firewalls with Junos OS before 15.1X49-D20 allows remote attackers to cause a denial of service via an unspecified connection request to the host-OS. | High | Oct 20, 2015 |
| CVE-2015-7752 | The SSH server in Juniper Junos OS before 12.1X44-D50, 12.1X46 before 12.1X46-D35, 12.1X47 before 12.1X47-D25, 12.3 before 12.3R10, 12.3X48 before 12.3X48-D10, 13.2 before 13.2R8, 13.2X51 before 13.2X51-D35, 13.3 before 13.3R6, 14.1 before 14.1R5, 14.1X53 before 14.1X53-D25, 14.2 before 14.2R3, 15.1 before 15.1R1, and 15.1X49 before 15.1X49-D20 allows remote attackers to cause a denial of service (CPU consumption) via unspecified SSH traffic. | High | Oct 20, 2015 |
| CVE-2015-7754 | Juniper ScreenOS before 6.3.0r21, when ssh-pka is configured and enabled, allows remote attackers to cause a denial of service (system crash) or execute arbitrary code via crafted SSH negotiation. | HIGH | Jan 8, 2016 |
| CVE-2015-7755 | Juniper ScreenOS 6.2.0r15 through 6.2.0r18, 6.3.0r12 before 6.3.0r12b, 6.3.0r13 before 6.3.0r13b, 6.3.0r14 before 6.3.0r14b, 6.3.0r15 before 6.3.0r15b, 6.3.0r16 before 6.3.0r16b, 6.3.0r17 before 6.3.0r17b, 6.3.0r18 before 6.3.0r18b, 6.3.0r19 before 6.3.0r19b, and 6.3.0r20 before 6.3.0r21 allows remote attackers to obtain administrative access by entering an unspecified password during a (1) SSH or (2) TELNET session. | High | Dec 21, 2015 |
| CVE-2015-7765 | ZOHO ManageEngine OpManager 11.5 build 11600 and earlier uses a hardcoded password of plugin for the IntegrationUser account, which allows remote authenticated users to obtain administrator access by leveraging knowledge of this password.<a href=http://cwe.mitre.org/data/definitions/798.html target=_blank>CWE-798: Use of Hard-coded Credentials</a> | High | Oct 9, 2015 |
| CVE-2015-7766 | PGSQL:SubmitQuery.do in ZOHO ManageEngine OpManager 11.6, 11.5, and earlier allows remote administrators to bypass SQL query restrictions via a comment in the query to api/json/admin/SubmitQuery, as demonstrated by INSERT/**/INTO. | High | Oct 9, 2015 |
| CVE-2015-7767 | Buffer overflow in Konica Minolta FTP Utility 1.0 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a long USER command. | High | Oct 9, 2015 |
| CVE-2015-7768 | Buffer overflow in Konica Minolta FTP Utility 1.0 allows remote attackers to execute arbitrary code via a long CWD command. | High | Oct 9, 2015 |
| CVE-2015-7792 | Corega CG-WLBARGS devices allow remote attackers to perform administrative operations via unspecified vectors. | High | Dec 30, 2015 |
| CVE-2015-7801 | Use-after-free vulnerability in OptiPNG 0.6.4 allows remote attackers to execute arbitrary code via a crafted PNG file.<a href=http://cwe.mitre.org/data/definitions/416.html>CWE-416: Use After Free</a> | High | Apr 22, 2016 |
| CVE-2015-7805 | Heap-based buffer overflow in libsndfile 1.0.25 allows remote attackers to have unspecified impact via the headindex value in the header in an AIFF file. | High | Nov 24, 2015 |
| CVE-2015-7808 | The vB_Api_Hook::decodeArguments method in vBulletin 5 Connect 5.1.2 through 5.1.9 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object in the arguments parameter to ajax/api/hook/decodeArguments. | High | Nov 25, 2015 |
| CVE-2015-7815 | Directory traversal vulnerability in core/ViewDataTable/Factory.php in Piwik before 2.15.0 allows remote attackers to include and execute arbitrary local files via the viewDataTable parameter. | High | Nov 17, 2015 |
| CVE-2015-7816 | The DisplayTopKeywords function in plugins/Referrers/Controller.php in Piwik before 2.15.0, which allows remote attackers to conduct PHP object injection attacks, conduct Server-Side Request Forgery (SSRF) attacks, and execute arbitrary PHP code via a crafted HTTP header.<a href=https://cwe.mitre.org/data/definitions/918.html>CWE-918: Server-Side Request Forgery (SSRF)</a> | High | Nov 17, 2015 |
| CVE-2015-7817 | Race condition in the administration-panel web service in IBM System Networking Switch Center (SNSC) before 7.3.1.5 and Lenovo Switch Center before 8.1.2.0 allows remote attackers to obtain privileged-account access, and consequently provide FileReader.jsp input containing directory traversal sequences to read arbitrary text files, via a request to port 40080 or 40443. | HIGH | Nov 11, 2015 |
| CVE-2015-7818 | The administration-panel web service in IBM System Networking Switch Center (SNSC) before 7.3.1.5 and Lenovo Switch Center before 8.1.2.0 allows local users to execute arbitrary JSP code with SYSTEM privileges by using the Apache Axis AdminService deployment method to install a .jsp file. | HIGH | Nov 11, 2015 |
| CVE-2015-7820 | Race condition in the administration-panel web service in IBM System Networking Switch Center (SNSC) before 7.3.1.5 and Lenovo Switch Center before 8.1.2.0 allows remote attackers to obtain privileged-account access, and consequently provide ZipDownload.jsp input containing directory traversal sequences to read arbitrary files, via a request to port 40080 or 40443. | HIGH | Nov 11, 2015 |
| CVE-2015-7828 | SAP HANA Database 1.00 SPS10 and earlier do not require authentication, which allows remote attackers to execute arbitrary code or have unspecified other impact via a TrexNet packet to the (1) fcopydir, (2) fmkdir, (3) frmdir, (4) getenv, (5) dumpenv, (6) fcopy, (7) fput, (8) fdel, (9) fmove, (10) fget, (11) fappend, (12) fdir, (13) getTraces, (14) kill, (15) pexec, (16) stop, or (17) pythonexec method, aka SAP Security Note 2165583. | HIGH | Nov 10, 2015 |
| CVE-2015-7834 | Multiple unspecified vulnerabilities in Google V8 before 4.6.85.23, as used in Google Chrome before 46.0.2490.71, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | High | Oct 15, 2015 |
| CVE-2015-7835 | The mod_l2_entry function in arch/x86/mm.c in Xen 3.4 through 4.6.x does not properly validate level 2 page table entries, which allows local PV guest administrators to gain privileges via a crafted superpage mapping. | High | Nov 2, 2015 |
| CVE-2015-7838 | ProcessFileUpload.jsp in SolarWinds Storage Manager before 6.2 allows remote attackers to upload and execute arbitrary files via unspecified vectors. | High | Oct 16, 2015 |
| CVE-2015-7839 | SolarWinds Log and Event Manager (LEM) allows remote attackers to execute arbitrary commands on managed computers via a request to services/messagebroker/nonsecurestreamingamf involving the traceroute functionality. | High | Oct 16, 2015 |
| CVE-2015-7840 | The command line management console (CMC) in SolarWinds Log and Event Manager (LEM) before 6.2.0 allows remote attackers to execute arbitrary code via unspecified vectors involving the ping feature. | High | Oct 16, 2015 |
| CVE-2015-7853 | A potential buffer overflow vulnerability exists in the refclock of ntpd. An invalid length provided by a hardware reference clock could cause a buffer overflow potentially resulting in memory being modified. A malicious reflock could provide a negative length to trigger this vulnerability. | HIGH | Oct 28, 2015 |
| CVE-2015-7856 | OpenNMS has a default password of rtc for the rtc account, which makes it easier for remote attackers to obtain access by leveraging knowledge of the credentials. | High | Oct 19, 2015 |
| CVE-2015-7857 | SQL injection vulnerability in the getListQuery function in administrator/components/com_contenthistory/models/history.php in Joomla! 3.2 before 3.4.5 allows remote attackers to execute arbitrary SQL commands via the list[select] parameter to index.php. | High | Oct 30, 2015 |
| CVE-2015-7858 | SQL injection vulnerability in Joomla! 3.2 before 3.4.4 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, a different vulnerability than CVE-2015-7297. | High | Oct 30, 2015 |
| CVE-2015-7860 | Stack-based buffer overflow in the agent in Persistent Accelerite Radia Client Automation (formerly HP Client Automation), possibly before 9.1, allows remote attackers to execute arbitrary code by sending a large amount of data in an environment that lacks relationship-based firewalling. | High | Oct 20, 2015 |
| CVE-2015-7861 | Persistent Accelerite Radia Client Automation (formerly HP Client Automation), possibly before 9.1, allows remote attackers to execute arbitrary code by sending unspecified commands in an environment that lacks relationship-based firewalling. | High | Oct 20, 2015 |
| CVE-2015-7865 | nvSCPAPISvr.exe in the Stereoscopic 3D Driver Service in the NVIDIA GPU graphics driver R340 before 341.92, R352 before 354.35, and R358 before 358.87 on Windows does not properly restrict access to the stereosvrpipe named pipe, which allows local users to gain privileges via a commandline in a number 2 command, which is stored in the HKEY_LOCAL_MACHINE explorer Run registry key, a different vulnerability than CVE-2011-4784. | High | Nov 25, 2015 |
| CVE-2015-7866 | Unquoted Windows search path vulnerability in the Smart Maximize Helper (nvSmartMaxApp.exe) in the Control Panel in the NVIDIA GPU graphics driver R340 before 341.92, R352 before 354.35, and R358 before 358.87 on Windows allows local users to gain privileges via a Trojan horse application, as demonstrated by C:Program.exe.<a href=http://cwe.mitre.org/data/definitions/428.html>CWE-428: Unquoted Search Path or Element</a> | High | Nov 25, 2015 |
| CVE-2015-7871 | Unauthenticated off-path attackers can force ntpd processes to peer with malicious time sources of the attacker??s choosing allowing the attacker to make arbitrary changes to system time. This attack leverages a logic error in ntpd??s handling of certain crypto-NAK packets. When a vulnerable ntpd receives an NTP symmetric active crypto-NAK packet, it will peer with the sender bypassing the authentication typically required to establish a peer association. | HIGH | Oct 28, 2015 |
| CVE-2015-7876 | The escapeLike function in sqlsrv/database.inc in the Drupal 7 driver for SQL Server and SQL Azure 7.x-1.x before 7.x-1.4 does not properly escape certain characters, which allows remote attackers to execute arbitrary SQL commands vectors involving a module using the db_like function. | High | Oct 23, 2015 |
| CVE-2015-7897 | The media scanning functionality in the face recognition library in android.media.process in Samsung Galaxy S6 Edge before G925VVRU4B0G9 allows remote attackers to gain privileges or cause a denial of service (memory corruption) via a crafted BMP image file. | High | Nov 17, 2015 |
| CVE-2015-7905 | Unitronics VisiLogic OPLC IDE before 9.8.02 allows remote attackers to execute unspecified code via unknown vectors. | High | Nov 13, 2015 |
| CVE-2015-7906 | LOYTEC LIP-3ECTB 6.0.1, LINX-100, LVIS-3E100, and LIP-ME201 devices allow remote attackers to read a password-hash backup file via unspecified vectors. | High | Dec 21, 2015 |
| CVE-2015-7908 | Honeywell Midas gas detectors before 1.13b3 and Midas Black gas detectors before 2.13b3 allow remote attackers to discover cleartext passwords by sniffing the network. | High | Dec 21, 2015 |
| CVE-2015-7909 | Stack-based buffer overflow in Hospira Communication Engine (CE) before 1.2 in LifeCare PCA Infusion System 5.07, Plum A+ Infusion System 13.40, and Plum A+3 Infusion System 13.40 allows remote attackers to cause a denial of service or possibly have unspecified other impact via traffic on TCP port 5000. | High | Jan 25, 2016 |
| CVE-2015-7910 | Exemys Telemetry Web Server relies on an HTTP Location header to indicate that a client is unauthorized, which allows remote attackers to bypass intended access restrictions by disregarding this header and processing the response body. | High | Nov 19, 2015 |
| CVE-2015-7911 | Saia Burgess PCD1.M0xx0, PCD1.M2xx0, PCD2.M5xx0, PCD3.Mxx60, PCD3.Mxxx0, PCD7.D4xxD, PCD7.D4xxV, PCD7.D4xxWTPF, and PCD7.D4xxxT5F devices before 1.24.50 and PCD3.T665 and PCD3.T666 devices before 1.24.41 have hardcoded credentials, which allows remote attackers to obtain administrative access via an FTP session. | High | Dec 23, 2015 |
| CVE-2015-7912 | The Ice Faces servlet in ag_server_service.exe in the AggreGate Server Service in Tibbo AggreGate before 5.30.06 allows remote attackers to upload and execute arbitrary Java code via a crafted XML document.<a href=http://cwe.mitre.org/data/definitions/434.html>CWE-434: Unrestricted Upload of File with Dangerous Type</a> | High | Nov 23, 2015 |
| CVE-2015-7913 | ag_server_service.exe in the AggreGate Server Service in Tibbo AggreGate before 5.30.06 allows local users to execute arbitrary Java code with SYSTEM privileges by using the Apache Axis AdminService deployment method to publish a class.<a href=http://cwe.mitre.org/data/definitions/434.html>CWE-434: Unrestricted Upload of File with Dangerous Type</a> | High | Nov 23, 2015 |
| CVE-2015-7914 | Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 allows remote attackers to bypass authentication by leveraging knowledge of a password hash without knowledge of the associated password. | HIGH | Feb 6, 2016 |
| CVE-2015-7915 | Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 sends cleartext credentials, which allows remote attackers to obtain sensitive information by sniffing the network. | HIGH | Feb 6, 2016 |
| CVE-2015-7923 | Westermo WeOS before 4.19.0 uses the same SSL private key across different customers' installations, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by leveraging knowledge of a key. | HIGH | Jan 30, 2016 |
