The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2015-5215 | The default configuration of the Jinja templating engine used in the Identity Provider (IdP) server in Ipsilon 0.1.0 before 1.0.1 does not enable auto-escaping, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via template variables. NOTE: This may be a duplicate of CVE-2015-5216. Moreover, the Jinja development team does not enable auto-escape by default for performance issues as explained in https://jinja.palletsprojects.com/en/master/faq/#why-is-autoescaping-not-the-default. | MEDIUM | Feb 24, 2020 |
CVE-2015-5211 | Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response. | High | Jun 8, 2017 |
CVE-2015-5209 | Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object. | MEDIUM | Aug 29, 2017 |
CVE-2015-5206 | Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server before 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5168. | HIGH | Sep 13, 2017 |
CVE-2015-5205 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2015. Notes: none | -- | Nov 7, 2023 |
CVE-2015-5202 | Red Hat Satellite 6 allows remote authenticated users with privileged access on a content host to authenticate to the capsule broker or server broker. | MEDIUM | Jun 7, 2017 |
CVE-2015-5201 | VDSM and libvirt in Red Hat Enterprise Virtualization Hypervisor (aka RHEV-H) 7-7.x before 7-7.2-20151119.0 and 6-6.x before 6-6.7-20151117.0 as packaged in Red Hat Enterprise Virtualization before 3.5.6 when VSDM is run with -spice disable-ticketing and a VM is suspended and then restored, allows remote attackers to log in without authentication via unspecified vectors. | MEDIUM | Feb 25, 2020 |
CVE-2015-5197 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 |
CVE-2015-5196 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-7703. Reason: This candidate is a reservation duplicate of CVE-2015-7703. Notes: All CVE users should reference CVE-2015-7703 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | -- | Nov 7, 2023 |
CVE-2015-5195 | ntp_openssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attackers to cause a denial of service (segmentation fault) via a crafted statistics or filegen configuration command that is not enabled during compilation. | MEDIUM | Jul 21, 2017 |
CVE-2015-5194 | The log_config_command function in ntp_parser.y in ntpd in NTP before 4.2.7p42 allows remote attackers to cause a denial of service (ntpd crash) via crafted logconfig commands. | MEDIUM | Jul 21, 2017 |
CVE-2015-5193 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-7703. Reason: This candidate is a reservation duplicate of CVE-2015-7703. Notes: All CVE users should reference CVE-2015-7703 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage | -- | Nov 7, 2023 |
CVE-2015-5192 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-5195. Reason: This candidate is a reservation duplicate of CVE-2015-5195. Notes: All CVE users should reference CVE-2015-5195 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage | -- | Nov 7, 2023 |
CVE-2015-5191 | VMware Tools prior to 10.0.9 contains multiple file system races in libDeployPkg, related to the use of hard-coded paths under /tmp. Successful exploitation of this issue may result in a local privilege escalation. CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H | Low | Aug 8, 2017 |
CVE-2015-5187 | Candlepin allows remote attackers to obtain sensitive information by obtaining Java exception statements as a result of excessive web traffic. | MEDIUM | Jul 25, 2017 |
CVE-2015-5186 | Audit before 2.4.4 in Linux does not sanitize escape characters in filenames. | MEDIUM | Sep 6, 2017 |
CVE-2015-5184 | The Hawtio console in A-MQ allows remote attackers to obtain sensitive information and perform other unspecified impact. | HIGH | Sep 25, 2017 |
CVE-2015-5183 | The Hawtio console in A-MQ does not set HTTPOnly or Secure attributes on cookies. | HIGH | Sep 25, 2017 |
CVE-2015-5182 | Cross-site request forgery (CSRF) vulnerability in the jolokia API in A-MQ. | MEDIUM | Sep 25, 2017 |
CVE-2015-5181 | The JBoss console in A-MQ allows remote attackers to execute arbitrary JavaScript. | LOW | Sep 25, 2017 |
CVE-2015-5180 | res_query in libresolv in glibc before 2.25 allows remote attackers to cause a denial of service (NULL pointer dereference and process crash). | MEDIUM | Jun 27, 2017 |
CVE-2015-5179 | FreeIPA might display user data improperly via vectors involving non-printable characters. | MEDIUM | Sep 20, 2017 |
CVE-2015-5177 | Double free vulnerability in the SLPDKnownDAAdd function in slpd/slpd_knownda.c in OpenSLP 1.2.1 allows remote attackers to cause a denial of service (crash) via a crafted package. | MEDIUM | Oct 22, 2017 |
CVE-2015-5175 | Application plugins in Apache CXF Fediz before 1.1.3 and 1.2.x before 1.2.1 allow remote attackers to cause a denial of service. | MEDIUM | Jun 7, 2017 |
CVE-2015-5173 | Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact via vectors involving emails with password recovery links, aka Cross Domain Referer Leakage. | MEDIUM | Oct 24, 2017 |
CVE-2015-5172 | Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire password reset links. | HIGH | Oct 24, 2017 |
CVE-2015-5171 | The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow attackers to have unspecified impact by leveraging failure to expire existing sessions. | HIGH | Oct 24, 2017 |
CVE-2015-5170 | Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.7.0 allow remote attackers to conduct cross-site request forgery (CSRF) attacks on PWS and log a user into an arbitrary account by leveraging lack of CSRF checks. | MEDIUM | Oct 24, 2017 |
CVE-2015-5169 | Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20. | MEDIUM | Sep 25, 2017 |
CVE-2015-5168 | Unspecified vulnerability in the HTTP/2 experimental feature in Apache Traffic Server 5.3.x before 5.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2015-5206. | HIGH | Sep 13, 2017 |
CVE-2015-5164 | The Qpid server on Red Hat Satellite 6 does not properly restrict message types, which allows remote authenticated users with administrative access on a managed content host to execute arbitrary code via a crafted message, related to a pickle processing problem in pulp. | HIGH | Oct 18, 2017 |
CVE-2015-5160 | libvirt before 2.2 includes Ceph credentials on the qemu command line when using RADOS Block Device (aka RBD), which allows local users to obtain sensitive information via a process listing. | LOW | Aug 20, 2018 |
CVE-2015-5159 | python-kdcproxy before 0.3.2 allows remote attackers to cause a denial of service via a large POST request. | MEDIUM | Oct 30, 2018 |
CVE-2015-5156 | The virtnet_probe function in drivers/net/virtio_net.c in the Linux kernel before 4.2 attempts to support a FRAGLIST feature without proper memory allocation, which allows guest OS users to cause a denial of service (buffer overflow and memory corruption) via a crafted sequence of fragmented packets. | Medium | Oct 19, 2015 |
CVE-2015-5155 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2010-3609. Reason: This candidate is a reservation duplicate of CVE-2010-3609. Notes: All CVE users should reference CVE-2010-3609 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | -- | Nov 7, 2023 |
CVE-2015-5153 | Pulp does not remove permissions for named objects upon deletion, which allows authenticated users to gain the privileges of a deleted object via creating an object with the same name. | MEDIUM | Aug 18, 2017 |
CVE-2015-5152 | Foreman after 1.1 and before 1.9.0-RC1 does not redirect HTTP requests to HTTPS when the require_ssl setting is set to true, which allows remote attackers to obtain user credentials via a man-in-the-middle attack. | MEDIUM | Jul 17, 2017 |
CVE-2015-5146 | Under limited and specific circumstances an attacker can send a crafted packet to cause a vulnerable ntpd instance to crash. This requires each of the following to be true: | LOW | Jul 14, 2015 |
CVE-2015-5128 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none | -- | Nov 7, 2023 |
CVE-2015-5126 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2015. Notes: none | -- | Nov 7, 2023 |
CVE-2015-5112 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2015. Notes: none | -- | Nov 7, 2023 |
CVE-2015-5081 | Cross-site request forgery (CSRF) vulnerability in django CMS before 3.0.14, 3.1.x before 3.1.1 allows remote attackers to manipulate privileged users into performing unknown actions via unspecified vectors. | MEDIUM | Aug 18, 2017 |
CVE-2015-5079 | Directory traversal vulnerability in widgets/logs.php in BlackCat CMS before 1.1.2 allows remote attackers to read arbitrary files via a .. (dot dot) in the dl parameter. | MEDIUM | Feb 28, 2018 |
CVE-2015-5072 | The BIRT Engine servlet in the AR System Mid Tier component before 9.0 SP1 for BMC Remedy AR System Server allows remote authenticated users to navigate to arbitrary local files via the __imageid parameter. | MEDIUM | Jan 15, 2020 |
CVE-2015-5071 | AR System Mid Tier in the AR System Mid Tier component before 9.0 SP1 for BMC Remedy AR System Server allows remote authenticated users to navigate to arbitrary files via the __report parameter of the BIRT viewer servlet. | MEDIUM | Jan 15, 2020 |
CVE-2015-5070 | The (1) filesystem::get_wml_location function in filesystem.cpp and (2) is_legal_file function in filesystem_boost.cpp in Battle for Wesnoth before 1.12.4 and 1.13.x before 1.13.1, when a case-insensitive filesystem is used, allow remote attackers to obtain sensitive information via vectors related to inclusion of .pbl files from WML. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-5069. | Low | Oct 10, 2017 |
CVE-2015-5069 | The (1) filesystem::get_wml_location function in filesystem.cpp and (2) is_legal_file function in filesystem_boost.cpp in Battle for Wesnoth before 1.12.3 and 1.13.x before 1.13.1 allow remote attackers to obtain sensitive information via vectors related to inclusion of .pbl files from WML. | Medium | Oct 10, 2017 |
CVE-2015-5060 | Cross-site scripting (XSS) vulnerability in anchor-cms before 0.9-dev. | MEDIUM | Sep 7, 2017 |
CVE-2015-5059 | The Project Documentation feature in MantisBT 1.2.19 and earlier, when the threshold to access files ($g_view_proj_doc_threshold) is set to ANYBODY, allows remote authenticated users to download attachments linked to arbitrary private projects via a file id number in the file_id parameter to file_download.php. | Low | Aug 7, 2017 |
CVE-2015-5057 | Cross-site scripting (XSS) vulnerability exists in the Wordpress admin panel when the Broken Link Checker plugin before 1.10.9 is installed. | Medium | Aug 23, 2017 |