The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2015-0104 | IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0 IFIX002 allow remote authenticated users to execute arbitrary code via unspecified vectors. | MEDIUM | Apr 24, 2017 | n/a |
| CVE-2015-0107 | IBM Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.1 through 7.1.1.8 and 7.2 and Maximo Asset Management and Maximo Industry Solutions 7.1 through 7.1.1.8, 7.5 before 7.5.0.7 IFIX003, and 7.6 before 7.6.0.0 IFIX002 allow remote authenticated users to conduct directory traversal attacks via unspecified vectors. | MEDIUM | Apr 24, 2017 | n/a |
| CVE-2015-1521 | analyzer/protocol/dnp3/DNP3.cc in Bro before 2.3.2 does not properly handle zero values of a packet length, which allows remote attackers to cause a denial of service (buffer overflow or buffer over-read if NDEBUG; otherwise assertion failure) via a crafted DNP3 packet. | MEDIUM | Apr 24, 2017 | n/a |
| CVE-2015-1522 | analyzer/protocol/dnp3/DNP3.cc in Bro before 2.3.2 does not reject certain non-zero values of a packet length, which allows remote attackers to cause a denial of service (buffer overflow or buffer over-read) via a crafted DNP3 packet. | MEDIUM | Apr 24, 2017 | n/a |
| CVE-2015-1838 | modules/serverdensity_device.py in SaltStack before 2014.7.4 does not properly handle files in /tmp. | Medium | Apr 19, 2017 | n/a |
| CVE-2015-1839 | modules/chef.py in SaltStack before 2014.7.4 does not properly handle files in /tmp. | Medium | Apr 19, 2017 | n/a |
| CVE-2015-2947 | KanColleViewer versions 3.8.1 and earlier operates as an open proxy which allows remote attackers to trigger outbound network traffic. | MEDIUM | Apr 13, 2017 | n/a |
| CVE-2015-4646 | (1) unsquash-1.c, (2) unsquash-2.c, (3) unsquash-3.c, and (4) unsquash-4.c in Squashfs and sasquatch allow remote attackers to cause a denial of service (application crash) via a crafted input. | MEDIUM | Apr 13, 2017 | n/a |
| CVE-2015-6567 | Wolf CMS before 0.8.3.1 allows unrestricted file upload and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not validate the parameter filename properly. Exploitation requires a registered user who has access to upload functionality. | Medium | Apr 21, 2017 | n/a |
| CVE-2015-6568 | Wolf CMS before 0.8.3.1 allows unrestricted file rename and PHP Code Execution because admin/plugin/file_manager/browse/ (aka the filemanager) does not prevent a change of a file extension to .php after originally using the parameter filename for uploading a JPEG image. Exploitation requires a registered user who has access to upload functionality. | Medium | Apr 21, 2017 | n/a |
| CVE-2015-7245 | Directory traversal vulnerability in DLink DVG-N5402SP with firmware W1000CN-00, W1000CN-03, or W2000EN-00 allows remote attackers to read sensitive information via a .. (dot dot) in the errorpage parameter. | MEDIUM | Apr 24, 2017 | n/a |
| CVE-2015-7562 | Multiple cross-site scripting (XSS) vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) label value of an item or (2) name of a role. | Medium | Apr 20, 2017 | n/a |
| CVE-2015-7563 | Cross-site request forgery (CSRF) vulnerability in TeamPass 2.1.24 and earlier allows remote attackers to hijack the authentication of an authenticated user. | Medium | Apr 20, 2017 | n/a |
| CVE-2015-7565 | Cross-site scripting (XSS) vulnerability in Ember.js 1.8.x through 1.10.x, 1.11.x before 1.11.4, 1.12.x before 1.12.2, 1.13.x before 1.13.12, 2.0.x before 2.0.3, 2.1.x before 2.1.2, and 2.2.x before 2.2.1 allows remote attackers to inject arbitrary web script or HTML. | Medium | Apr 20, 2017 | n/a |
| CVE-2015-7570 | Multiple server-side request forgery (SSRF) vulnerabilities in Yeager CMS 1.2.1 allow remote attackers to trigger outbound requests and enumerate open ports via the dbhost parameter to libs/org/adodb_lite/tests/test_adodb_lite.php, libs/org/adodb_lite/tests/test_datadictionary.php, or libs/org/adodb_lite/tests/test_adodb_lite_sessions.php. | MEDIUM | Apr 24, 2017 | n/a |
| CVE-2015-7740 | Huawei P7 before P7-L00C17B851, P7-L05C00B851, and P7-L09C92B851 and P8 ALE-UL00 before ALE-UL00B211 allows local users to cause a denial of service (OS crash) via vectors involving an application that passes crafted input to the GPU driver. | MEDIUM | Apr 13, 2017 | n/a |
| CVE-2015-7893 | SecEmailUI in Samsung Galaxy S6 does not sanitize HTML email content, allows remote attackers to execute arbitrary JavaScript. | Medium | Apr 17, 2017 | n/a |
| CVE-2015-8107 | Format string vulnerability in GNU a2ps 4.14 allows remote attackers to execute arbitrary code. | Medium | Apr 19, 2017 | n/a |
| CVE-2015-8109 | Lenovo System Update (formerly ThinkVantage System Update) before 5.07.0019 allows local users to gain privileges by making a prediction of tvsu_tmp_xxxxxXXXXX account credentials that requires knowledge of the time that this account was created, aka a temporary administrator account vulnerability. | MEDIUM | Apr 24, 2017 | n/a |
| CVE-2015-8223 | Huawei P7 before P7-L00C17B851, P7-L05C00B851, and P7-L09C92B85, and P8 ALE-UL00 before ALE-UL00B211 allows local users to cause a denial of service (OS crash) by leveraging camera permissions and via crafted input to the camera driver. | MEDIUM | Apr 13, 2017 | n/a |
| CVE-2015-8256 | Multiple cross-site scripting (XSS) vulnerabilities in Axis network cameras. | Medium | Apr 24, 2017 | n/a |
| CVE-2015-8270 | The AMF3ReadString function in amf.c in RTMPDump 2.4 allows remote RTMP Media servers to cause a denial of service (invalid pointer dereference and process crash). | Medium | Apr 20, 2017 | n/a |
| CVE-2015-8272 | RTMPDump 2.4 allows remote attackers to trigger a denial of service (NULL pointer dereference and process crash). | Medium | Apr 19, 2017 | n/a |
| CVE-2015-8283 | Directory traversal vulnerability in configure_manage.php in SeaWell Networks Spectrum SDC 02.05.00. | Medium | Apr 19, 2017 | n/a |
| CVE-2015-8284 | SeaWell Networks Spectrum SDC 02.05.00 allows remote viewer users to perform administrative functions. | Medium | Apr 19, 2017 | n/a |
| CVE-2015-8285 | The webssx.sys driver in QuickHeal 16.00 allows remote attackers to cause a denial of service. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2015-8356 | Multiple SQL injection vulnerabilities in the mcart.xls module 6.5.2 and earlier for Bitrix allow remote authenticated users to execute arbitrary SQL commands via the (1) xls_profile parameter to admin/mcart_xls_import.php or the (2) xls_iblock_id, (3) xls_iblock_section_id, (4) firstRow, (5) titleRow, (6) firstColumn, (7) highestColumn, (8) sku_iblock_id, or (9) xls_iblock_section_id_new parameter to admin/mcart_xls_import_step_2.php. | Medium | Apr 22, 2017 | n/a |
| CVE-2015-8567 | Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption). | Medium | Apr 20, 2017 | n/a |
| CVE-2015-8568 | Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly. | Medium | Apr 17, 2017 | n/a |
| CVE-2015-8619 | The Human Monitor Interface support in QEMU allows remote attackers to cause a denial of service (out-of-bounds write and application crash). | Medium | Apr 20, 2017 | n/a |
| CVE-2015-8780 | Samsung wssyncmlnps before 2015-10-31 allows directory traversal in a Kies restore, aka ZipFury. | MEDIUM | Apr 13, 2017 | n/a |
| CVE-2015-8864 | Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2016-4068. | Medium | Apr 19, 2017 | n/a |
| CVE-2015-8957 | Buffer overflow in ImageMagick before 6.9.0-4 Beta allows remote attackers to cause a denial of service (application crash) via a crafted SUN file. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2015-8958 | coders/sun.c in ImageMagick before 6.9.0-4 Beta allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted SUN file. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2016-0228 | IBM Marketing Platform 10.0 could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in various scripts. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites. IBM X-Force ID: 110236. | MEDIUM | Apr 21, 2017 | n/a |
| CVE-2016-0720 | Cross-site request forgery (CSRF) vulnerability in pcsd web UI in pcs before 0.9.149. | MEDIUM | Apr 21, 2017 | n/a |
| CVE-2016-0721 | Session fixation vulnerability in pcsd in pcs before 0.9.157. | MEDIUM | Apr 21, 2017 | n/a |
| CVE-2016-0736 | It was discovered that the mod_session_crypto module of httpd did not use any mechanisms to verify integrity of the encrypted session data stored in the user\'s browser. A remote attacker could use this flaw to decrypt and modify session data using a padding oracle attack. | MEDIUM | Apr 24, 2017 | n/a |
| CVE-2016-10091 | Multiple stack-based buffer overflows in unrtf 0.21.9 allow remote attackers to cause a denial-of-service by writing a negative integer to the (1) cmd_expand function, (2) cmd_emboss function, or (3) cmd_engrave function. | MEDIUM | Apr 21, 2017 | n/a |
| CVE-2016-10259 | Blue Coat SSL Visibility (SSLV) 3.x before 3.11.3.1 is susceptible to a denial-of-service vulnerability that impacts the SSL servers for intercepted SSL connections. A malicious SSL client can, under certain circumstances, temporarily exhaust the TCP connection pool of an SSL server. | MEDIUM | Apr 17, 2017 | n/a |
| CVE-2016-10325 | In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a heap buffer overflow in the _osip_message_to_str() function defined in osipparser2/osip_message_to_str.c, resulting in a remote DoS. | MEDIUM | Apr 19, 2017 | n/a |
| CVE-2016-10326 | In libosip2 in GNU oSIP 4.1.0, a malformed SIP message can lead to a heap buffer overflow in the osip_body_to_str() function defined in osipparser2/osip_body.c, resulting in a remote DoS. | MEDIUM | Apr 19, 2017 | n/a |
| CVE-2016-10345 | In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local attackers to gain the privileges of the passenger user. | MEDIUM | Apr 24, 2017 | n/a |
| CVE-2016-1132 | Shoplat App for iOS 1.10.00 through 1.18.00 does not properly verify SSL certificates. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2016-1148 | Akerun - Smart Lock Robot App for iOS before 1.2.4 does not verify SSL certificates. | MEDIUM | Apr 21, 2017 | n/a |
| CVE-2016-1161 | Cross-site request forgery (CSRF) vulnerability in ManageEngine Password Manager Pro before 8.5 (Build 8500). | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2016-1178 | The session management of the comment functionality in appleple a-blog cms 2.6.0.1 and earlier allows remote attackers to obtain or modify sensitive data via unspecified vectors. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2016-1179 | Cross-site scripting (XSS) vulnerability in the standard template of the comment functionality in appleple a-blog cms 2.6.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML. | MEDIUM | Apr 20, 2017 | n/a |
| CVE-2016-1184 | Tokyo Star bank App for Android before 1.4 and Tokyo Star bank App for iOS before 1.4 do not validate SSL certificates. | MEDIUM | Apr 21, 2017 | n/a |
| CVE-2016-1186 | Kintone mobile for Android 1.0.0 through 1.0.5 does not verify SSL server certificates. | MEDIUM | Apr 21, 2017 | n/a |
