The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2015-4587 | Cross-site scripting (XSS) vulnerability in the Alcatel-Lucent CellPipe 7130 router with firmware 1.0.0.20h.HOL allows remote attackers to inject arbitrary web script or HTML via the Custom application field in the port triggering menu. | Medium | Jun 19, 2015 |
CVE-2015-4588 | Heap-based buffer overflow in the DecodeImage function in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted run-length count in an image in a WMF file. | Medium | Jul 2, 2015 |
CVE-2015-4590 | The extractFrom function in Internals/QuotedString.cpp in Arduino JSON before 4.5 allows remote attackers to cause a denial of service (crash) via a JSON string with a (backslash) followed by a terminator, as demonstrated by \ , which triggers a buffer overflow and over-read. | Medium | Jun 23, 2015 |
CVE-2015-4604 | The mget function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly maintain a certain pointer relationship, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string that is mishandled by a Python script text executable rule. | Medium | May 18, 2016 |
CVE-2015-4605 | The mcopy function in softmagic.c in file 5.x, as used in the Fileinfo component in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8, does not properly restrict a certain offset value, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted string that is mishandled by a Python script text executable rule. | Medium | May 17, 2016 |
CVE-2015-4609 | SQL injection vulnerability in the wt_directory extension before 1.4.2 for TYPO3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | Medium | Jun 17, 2015 |
CVE-2015-4610 | SQL injection vulnerability in the Store Locator (locator) extension before 3.3.1 for TYPO3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | Medium | Jun 17, 2015 |
CVE-2015-4611 | SQL injection vulnerability in the Smoelenboek (ncgov_smoelenboek) extension before 1.0.9 for TYPO3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | Medium | Jun 17, 2015 |
CVE-2015-4612 | SQL injection vulnerability in the FAQ - Frequently Asked Questions (js_faq) extension before 1.2.1 for TYPO3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | Medium | Jun 17, 2015 |
CVE-2015-4613 | SQL injection vulnerability in the backend module in the Developer Log (devlog) extension before 2.11.4 for TYPO3 allows remote editors to execute arbitrary SQL commands via unspecified vectors. | Medium | Jun 17, 2015 |
CVE-2015-4616 | Directory traversal vulnerability in includes/MapPinImageSave.php in the Easy2Map plugin before 1.2.5 for WordPress allows remote attackers to create arbitrary files via a .. (dot dot) in the map_id parameter. | Medium | Jul 9, 2015 |
CVE-2015-4625 | Integer overflow in the authentication_agent_new_cookie function in PolicyKit (aka polkit) before 0.113 allows local users to gain privileges by creating a large number of connections, which triggers the issuance of a duplicate cookie value. | Medium | Oct 27, 2015 |
CVE-2015-4628 | SQL injection vulnerability in application/controllers/admin/questiongroups.php in LimeSurvey before 2.06+ Build 150618 allows remote authenticated administrators to execute arbitrary SQL commands via the sid parameter. | Medium | Jun 18, 2015 |
CVE-2015-4637 | The REST API in F5 BIG-IQ Cloud, Device, and Security 4.4.0 and 4.5.0 before HF2 and ADC 4.5.0 before HF2, when configured for LDAP remote authentication and the LDAP server allows anonymous BIND operations, allows remote attackers to obtain an authentication token for arbitrary users by guessing an LDAP user account name. | Medium | Jul 21, 2015 |
CVE-2015-4638 | The FastL4 virtual server in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, GTM, Link Controller, and PEM 11.3.0 through 11.5.2 and 11.6.0 through 11.6.0 HF4, BIG-IP Edge Gateway, WebAccelerator, and WOM 11.2.1 through 11.3.0, and BIG-IP PSM 11.2.1 through 11.4.1 allows remote attackers to cause a denial of service (Traffic Management Microkernel restart) via a fragmented packet. | Medium | Sep 22, 2015 |
CVE-2015-4641 | Directory traversal vulnerability in the SwiftKey language-pack update implementation on Samsung Galaxy S4, S4 Mini, S5, and S6 devices allows remote web servers to write to arbitrary files, and consequently execute arbitrary code in a privileged context, by leveraging control of the skslm.swiftkey.net domain name and providing a .. (dot dot) in an entry in a ZIP archive, as demonstrated by a traversal to the /data/dalvik-cache directory. | Medium | Jun 22, 2015 |
CVE-2015-4644 | The php_pgsql_meta_data function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP before 5.4.42, 5.5.x before 5.5.26, and 5.6.x before 5.6.10 does not validate token extraction for table names, which might allow remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted name. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1352.<a href=http://cwe.mitre.org/data/definitions/476.html>CWE-476: NULL Pointer Dereference</a> | Medium | May 17, 2016 |
CVE-2015-4647 | Multiple stack-based buffer overflows in Ipropsapi in Panasonic Security API (PS-API) ActiveX SDK before 8.10.18 allow remote attackers to execute arbitrary code via a long string in the (1) FilePassword property or to the (2) GetStringInfo method. | Medium | Jul 8, 2015 |
CVE-2015-4651 | The dissect_wccp2r1_address_table_info function in epan/dissectors/packet-wccp.c in the WCCP dissector in Wireshark 1.12.x before 1.12.6 does not properly determine whether enough memory is available for storing IP address strings, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. | Medium | Jul 22, 2015 |
CVE-2015-4652 | epan/dissectors/packet-gsm_a_dtap.c in the GSM DTAP dissector in Wireshark 1.12.x before 1.12.6 does not properly validate digit characters, which allows remote attackers to cause a denial of service (application crash) via a crafted packet, related to the de_emerg_num_list and de_bcd_num functions. | Medium | Jul 22, 2015 |
CVE-2015-4655 | Cross-site scripting (XSS) vulnerability in Synology DiskStation Manager (DSM) before 5.2-5565 Update 1 allows remote attackers to inject arbitrary web script or HTML via the compound parameter to entry.cgi. | Medium | Jun 19, 2015 |
CVE-2015-4656 | Multiple cross-site scripting (XSS) vulnerabilities in Synology Photo Station before 6.3-2945 allow remote attackers to inject arbitrary web script or HTML via the (1) success parameter to login.php or (2) crafted URL parameters to index.php, as demonstrated by the t parameter to photo/. | Medium | Jun 19, 2015 |
CVE-2015-4657 | Cross-site scripting (XSS) vulnerability in Mailbird 2.0.16.0 and earlier allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with a crafted URL. | Medium | Jun 19, 2015 |
CVE-2015-4659 | Cross-site request forgery (CSRF) vulnerability in ClickHeat 1.14 and earlier allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via a config action to index.php. | Medium | Jun 19, 2015 |
CVE-2015-4660 | Cross-site scripting (XSS) vulnerability in Enhanced SQL Portal 5.0.7961 allows remote attackers to inject arbitrary web script or HTML via the id parameter to iframe.php. | Medium | Jun 19, 2015 |
CVE-2015-4661 | Cross-site scripting (XSS) vulnerability in Symphony CMS 2.6.2 allows remote attackers to inject arbitrary web script or HTML via the sort parameter to system/authors. | Medium | Jun 19, 2015 |
CVE-2015-4665 | Cross-site scripting (XSS) vulnerability in ajax_cmd.php in Xceedium Xsuite 2.3.0 and 2.4.3.0 allows remote attackers to inject arbitrary web script or HTML via the fileName parameter. | Medium | Aug 13, 2015 |
CVE-2015-4666 | Directory traversal vulnerability in opm/read_sessionlog.php in Xceedium Xsuite 2.3.0 and 2.4.3.0 allows remote attackers to read arbitrary files via a ....// (quadruple dot double slash) in the logFile parameter. | Medium | Aug 13, 2015 |
CVE-2015-4670 | Directory traversal vulnerability in the AjaxFileUpload control in DevExpress AJAX Control Toolkit (aka AjaxControlToolkit) before 15.1 allows remote attackers to write to arbitrary files via a .. (dot dot) in the fileId parameter to AjaxFileUploadHandler.axd. | Medium | Aug 20, 2015 |
CVE-2015-4671 | Cross-site scripting (XSS) vulnerability in OpenCart before 2.1.0.2 allows remote attackers to inject arbitrary web script or HTML via the zone_id parameter to index.php. | MEDIUM | Jan 12, 2016 |
CVE-2015-4676 | SQL injection vulnerability in ticket.php in TickFa 1.x allows remote authenticated users to execute arbitrary SQL commands via the tid parameter in a read action. | Medium | Jun 22, 2015 |
CVE-2015-4677 | Cross-site request forgery (CSRF) vulnerability in FiverrScript (aka Fiverr Script) 7.2 allows remote attackers to hijack the authentication of administrators for requests that create a new admin via a request to administrator/admins_create.php. | Medium | Jun 22, 2015 |
CVE-2015-4679 | Multiple cross-site scripting (XSS) vulnerabilities in the web interface in Airties RT-210 allow remote attackers to inject arbitrary web script or HTML via the (1) ddns_domainame or (2) ddns_account parameter to ddns.stm. | Medium | Jun 22, 2015 |
CVE-2015-4692 | The kvm_apic_has_events function in arch/x86/kvm/lapic.h in the Linux kernel through 4.1.3 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact by leveraging /dev/kvm access for an ioctl call.<a href=http://cwe.mitre.org/data/definitions/476.html>CWE-476: NULL Pointer Dereference</a> | Medium | Jul 27, 2015 |
CVE-2015-4694 | Directory traversal vulnerability in download.php in the Zip Attachments plugin before 1.5.1 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the za_file parameter. | MEDIUM | Jan 8, 2016 |
CVE-2015-4695 | meta.h in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted WMF file. | Medium | Jul 2, 2015 |
CVE-2015-4696 | Use-after-free vulnerability in libwmf 0.2.8.4 allows remote attackers to cause a denial of service (crash) via a crafted WMF file to the (1) wmf2gd or (2) wmf2eps command.<a href=http://cwe.mitre.org/data/definitions/416.html>CWE-416: Use After Free</a> | Medium | Jul 2, 2015 |
CVE-2015-4700 | The bpf_int_jit_compile function in arch/x86/net/bpf_jit_comp.c in the Linux kernel before 4.0.6 allows local users to cause a denial of service (system crash) by creating a packet filter and then loading crafted BPF instructions that trigger late convergence by the JIT compiler. | Medium | Aug 31, 2015 |
CVE-2015-4703 | Absolute path traversal vulnerability in mysqldump_download.php in the WordPress Rename plugin 1.0 for WordPress allows remote attackers to read arbitrary files via a full pathname in the dumpfname parameter. | MEDIUM | Jan 12, 2016 |
CVE-2015-4713 | SQL injection vulnerability in ApPHP Hotel Site 3.x.x allows remote editors to execute arbitrary SQL commands via the pid parameter to index.php. | Medium | Jun 23, 2015 |
CVE-2015-4714 | Cross-site scripting (XSS) vulnerability in the DreamBox DM500-S allows remote attackers to inject arbitrary web script or HTML via the mode parameter to /body. | Medium | Jun 23, 2015 |
CVE-2015-4725 | Cross-site scripting (XSS) vulnerability in forgot.php in AudioShare 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the email parameter. | Medium | Jun 23, 2015 |
CVE-2015-4728 | Unspecified vulnerability in the Oracle Sourcing component in Oracle E-Business Suite 12.1.1, 12.1.2, 12.1.3, 12.2.3, and 12.2.4 allows remote authenticated users to affect confidentiality via unknown vectors related to Bid/Quote creation. | Medium | Jul 16, 2015 |
CVE-2015-4729 | Unspecified vulnerability in Oracle Java SE 7u80 and 8u45 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Deployment.Per Advisory: <a href=http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html>Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.</a> | Medium | Jul 20, 2015 |
CVE-2015-4730 | Unspecified vulnerability in Oracle MySQL 5.6.20 and earlier allows remote authenticated users to affect availability via unknown vectors related to Types. | Medium | Oct 22, 2015 |
CVE-2015-4734 | Unspecified vulnerability in Oracle Java SE 6u101, 7u85 and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality via vectors related to JGSS.Per <a href=http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html>LINK</a>: Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets. | Medium | Oct 22, 2015 |
CVE-2015-4735 | Unspecified vulnerability in the Enterprise Manager for Oracle Database component in Oracle Enterprise Manager Grid Control EM Base Platform 11.1.0.1, and EM DB Control 11.2.0.3 and 11.2.0.4, allows remote attackers to affect confidentiality via vectors related to RAC Management. | Medium | Jul 21, 2015 |
CVE-2015-4738 | Unspecified vulnerability in the PeopleSoft Enterprise HCM Candidate Gateway component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality via unknown vectors related to Security. | Medium | Jul 20, 2015 |
CVE-2015-4740 | Unspecified vulnerability in the RDBMS Partitioning component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. | Medium | Jul 20, 2015 |
CVE-2015-4742 | Unspecified vulnerability in the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0, and 12.1.3.0.0 allows remote attackers to affect availability via vectors related to ADF Faces. | Medium | Jul 20, 2015 |