Search
Total
86024 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-1269 | 1 Google | 1 Chrome | 2016-12-31 | 4.3 MEDIUM | N/A |
| The DecodeHSTSPreloadRaw function in net/http/transport_security_state.cc in Google Chrome before 43.0.2357.130 does not properly canonicalize DNS hostnames before making comparisons to HSTS or HPKP preload entries, which allows remote attackers to bypass intended access restrictions via a string that (1) ends in a . (dot) character or (2) is not entirely lowercase. | |||||
| CVE-2015-1389 | 1 Arubanetworks | 1 Clearpass Policy Manager | 2016-12-31 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Aruba Networks ClearPass Policy Manager (CPPM) before 6.4.5 allows remote attackers to inject arbitrary web script or HTML via the username parameter to tips/tipsLoginSubmit.action. | |||||
| CVE-2015-1608 | 1 Topline Systems | 1 Opportunity Form | 2016-12-31 | 4.0 MEDIUM | N/A |
| Topline Opportunity Form (aka XLS Opp form) before 2015-02-15 does not properly restrict access to database-connection strings, which allows attackers to read the cleartext version of sensitive credential and e-mail address information via unspecified vectors. | |||||
| CVE-2015-1803 | 3 Canonical, Debian, X | 3 Ubuntu Linux, Debian Linux, Libxfont | 2016-12-31 | 8.5 HIGH | N/A |
| The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not properly handle character bitmaps it cannot read, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) and possibly execute arbitrary code via a crafted BDF font file. | |||||
| CVE-2015-1804 | 3 Canonical, Debian, X | 3 Ubuntu Linux, Debian Linux, Libxfont | 2016-12-31 | 8.5 HIGH | N/A |
| The bdfReadCharacters function in bitmap/bdfread.c in X.Org libXfont before 1.4.9 and 1.5.x before 1.5.1 does not properly perform type conversion for metrics values, which allows remote authenticated users to cause a denial of service (out-of-bounds memory access) and possibly execute arbitrary code via a crafted BDF font file. | |||||
| CVE-2015-1815 | 2 Fedoraproject, Selinux | 2 Fedora, Setroubleshoot | 2016-12-31 | 10.0 HIGH | N/A |
| The get_rpm_nvr_by_file_path_temporary function in util.py in setroubleshoot before 3.2.22 allows remote attackers to execute arbitrary commands via shell metacharacters in a file name. | |||||
| CVE-2015-1827 | 2 Fedoraproject, Freeipa | 2 Fedora, Freeipa | 2016-12-31 | 5.0 MEDIUM | N/A |
| The get_user_grouplist function in the extdom plug-in in FreeIPA before 4.1.4 does not properly reallocate memory when processing user accounts, which allows remote attackers to cause a denial of service (crash) via a group list request for a user that belongs to a large number of groups. | |||||
| CVE-2015-1848 | 2 Fedora, Redhat | 5 Pacemaker Configuration System, Enterprise Linux High Availability, Enterprise Linux High Availability Eus and 2 more | 2016-12-31 | 6.8 MEDIUM | N/A |
| The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. NOTE: this issue was SPLIT per ADT2 due to different vulnerability types. CVE-2015-3983 is for the issue with not setting the HTTPOnly flag. | |||||
| CVE-2015-2051 | 1 D-link | 2 Dir-645, Dir-645 Firmware | 2016-12-31 | 10.0 HIGH | N/A |
| The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface. | |||||
| CVE-2015-2052 | 1 D-link | 2 Dir-645, Dir-645 Firmware | 2016-12-31 | 10.0 HIGH | N/A |
| Stack-based buffer overflow in the DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary code via a long string in a GetDeviceSettings action to the HNAP interface. | |||||
| CVE-2015-2064 | 1 Dlguard | 1 Dlguard | 2016-12-31 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in DLGuard 5, 4.6, and 4.5 allow remote attackers to inject arbitrary web script or HTML via the (1) page, (2) c, or (3) redirect parameter to index.php or (4) search field (searchTerm parameter) in the main page. | |||||
| CVE-2015-2066 | 1 Dlguard | 1 Dlguard | 2016-12-31 | 7.5 HIGH | N/A |
| SQL injection vulnerability in DLGuard 4.5 allows remote attackers to execute arbitrary SQL commands via the c parameter to index.php. | |||||
| CVE-2015-2077 | 1 Komodia | 1 Redirector Sdk | 2016-12-31 | 5.0 MEDIUM | N/A |
| The SDK for Komodia Redirector with SSL Digestor, as used in Lavasoft Ad-Aware Web Companion 1.1.885.1766 and Ad-Aware AdBlocker (alpha) 1.3.69.1, Qustodio for Windows, Atom Security, Inc. StaffCop 5.8, and other products, uses the same X.509 certificate private key for a root CA certificate across different customers' installations, which makes it easier for man-in-the-middle attackers to spoof SSL servers by leveraging knowledge of this key, as originally reported for Superfish VisualDiscovery on certain Lenovo Notebook laptop products. | |||||
| CVE-2015-2120 | 1 Hp | 1 Sitescope | 2016-12-31 | 8.7 HIGH | N/A |
| Unspecified vulnerability in HP SiteScope 11.1x before 11.13, 11.2x before 11.24.391, and 11.3x before 11.30.521 allows remote authenticated users to gain privileges via unknown vectors, aka ZDI-CAN-2567. | |||||
| CVE-2015-2336 | 2 Microsoft, Vmware | 6 Windows, Fusion, Horizon Client and 3 more | 2016-12-31 | 5.8 MEDIUM | N/A |
| TPView.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to execute arbitrary code on the host OS via unspecified vectors, a different vulnerability than CVE-2012-0897. | |||||
| CVE-2015-2337 | 2 Microsoft, Vmware | 6 Windows, Fusion, Horizon Client and 3 more | 2016-12-31 | 5.8 MEDIUM | N/A |
| TPInt.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to execute arbitrary code on the host OS via unspecified vectors. | |||||
| CVE-2015-2338 | 2 Microsoft, Vmware | 6 Windows, Fusion, Horizon Client and 3 more | 2016-12-31 | 6.1 MEDIUM | N/A |
| TPview.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to cause a host OS denial of service via unspecified vectors, a different vulnerability than CVE-2015-2339. | |||||
| CVE-2015-2339 | 2 Microsoft, Vmware | 6 Windows, Fusion, Horizon Client and 3 more | 2016-12-31 | 6.1 MEDIUM | N/A |
| TPview.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to cause a host OS denial of service via unspecified vectors, a different vulnerability than CVE-2015-2338. | |||||
| CVE-2015-2340 | 2 Microsoft, Vmware | 6 Windows, Fusion, Horizon Client and 3 more | 2016-12-31 | 6.1 MEDIUM | N/A |
| TPInt.dll in VMware Workstation 10.x before 10.0.6 and 11.x before 11.1.1, VMware Player 6.x before 6.0.6 and 7.x before 7.1.1, and VMware Horizon Client 3.2.x before 3.2.1, 3.3.x, and 5.x local-mode before 5.4.2 on Windows does not properly allocate memory, which allows guest OS users to cause a host OS denial of service via unspecified vectors. | |||||
| CVE-2015-2341 | 1 Vmware | 3 Fusion, Player, Workstation | 2016-12-31 | 7.8 HIGH | N/A |
| VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.6, and VMware Fusion 6.x before 6.0.6 and 7.x before 7.0.1 allow attackers to cause a denial of service against a 32-bit guest OS or 64-bit host OS via a crafted RPC command. | |||||
| CVE-2015-2666 | 1 Linux | 1 Linux Kernel | 2016-12-31 | 6.9 MEDIUM | N/A |
| Stack-based buffer overflow in the get_matching_model_microcode function in arch/x86/kernel/cpu/microcode/intel_early.c in the Linux kernel before 4.0 allows context-dependent attackers to gain privileges by constructing a crafted microcode header and leveraging root privileges for write access to the initrd. | |||||
| CVE-2015-2959 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2016-12-31 | 7.5 HIGH | N/A |
| Zoho NetFlow Analyzer build 10250 and earlier does not check for administrative authorization, which allows remote attackers to obtain sensitive information, modify passwords, or remove accounts by leveraging the guest role. | |||||
| CVE-2015-2960 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2016-12-31 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2015-2961 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2016-12-31 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in Zoho NetFlow Analyzer build 10250 and earlier allows remote attackers to hijack the authentication of administrators. | |||||
| CVE-2015-3201 | 1 Redhat | 1 Thermostat | 2016-12-31 | 2.1 LOW | N/A |
| Thermostat before 2.0.0 uses world-readable permissions for the web.xml configuration file, which allows local users to obtain user credentials by reading the file. | |||||
| CVE-2015-3339 | 2 Debian, Linux | 2 Debian Linux, Linux Kernel | 2016-12-31 | 6.2 MEDIUM | N/A |
| Race condition in the prepare_binprm function in fs/exec.c in the Linux kernel before 3.19.6 allows local users to gain privileges by executing a setuid program at a time instant when a chown to root is in progress, and the ownership is changed but the setuid bit is not yet stripped. | |||||
| CVE-2015-3345 | 1 Phplist Integration Project | 1 Phplist Integration | 2016-12-31 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in the PHPlist Integration Module before 6.x-1.7 for Drupal allows remote administrators to execute arbitrary SQL commands via unspecified vectors, related to the "phpList database." | |||||
| CVE-2015-3378 | 1 Views Project | 1 Views | 2016-12-31 | 4.9 MEDIUM | N/A |
| Open redirect vulnerability in the Views module before 6.x-2.18, 6.x-3.x before 6.x-3.2, and 7.x-3.x before 7.x-3.10 for Drupal, when the Views UI submodule is enabled, allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via vectors related to the break lock page for edited views. | |||||
| CVE-2015-3905 | 2 Canonical, T1utils Project | 2 Ubuntu Linux, T1utils | 2016-12-31 | 7.5 HIGH | N/A |
| Buffer overflow in the set_cs_start function in t1disasm.c in t1utils before 1.39 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file. | |||||
| CVE-2015-3910 | 1 Google | 2 Chrome, V8 | 2016-12-31 | 7.5 HIGH | N/A |
| Multiple unspecified vulnerabilities in Google V8 before 4.3.61.21, as used in Google Chrome before 43.0.2357.65, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | |||||
| CVE-2015-3921 | 1 Coppermine-gallery | 1 Coppermine Photo Gallery | 2016-12-31 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in contact.php in Coppermine Photo Gallery before 1.5.36 allows remote authenticated users to inject arbitrary web script or HTML via the referer parameter. | |||||
| CVE-2015-3922 | 1 Coppermine-gallery | 1 Coppermine Photo Gallery | 2016-12-31 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in mode.php in Coppermine Photo Gallery before 1.5.36 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the referer parameter. | |||||
| CVE-2015-3923 | 1 Coppermine-gallery | 1 Coppermine Photo Gallery | 2016-12-31 | 5.0 MEDIUM | N/A |
| Coppermine Photo Gallery before 1.5.36 allows remote attackers to enumerate directories via a full path in the folder parameter to minibrowser.php. | |||||
| CVE-2015-3983 | 1 Fedora | 1 Pacemaker Configuration System | 2016-12-31 | 4.3 MEDIUM | N/A |
| The pcs daemon (pcsd) in PCS 0.9.137 and earlier does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. NOTE: this issue was SPLIT from CVE-2015-1848 per ADT2 due to different vulnerability types. | |||||
| CVE-2015-4050 | 1 Sensiolabs | 1 Symfony | 2016-12-31 | 4.3 MEDIUM | N/A |
| FragmentListener in the HttpKernel component in Symfony 2.3.19 through 2.3.28, 2.4.9 through 2.4.10, 2.5.4 through 2.5.11, and 2.6.0 through 2.6.7, when ESI or SSI support enabled, does not check if the _controller attribute is set, which allows remote attackers to bypass URL signing and security rules by including (1) no hash or (2) an invalid hash in a request to /_fragment. | |||||
| CVE-2015-4051 | 1 Beckhoff | 1 Ipc Diagnostics | 2016-12-31 | 9.0 HIGH | N/A |
| Beckhoff IPC Diagnostics before 1.8 does not properly restrict access to functions in /config, which allows remote attackers to cause a denial of service (reboot or shutdown), create arbitrary users, or possibly have unspecified other impact via a crafted request, as demonstrated by a beckhoff.com:service:cxconfig:1#Write SOAP action to /upnpisapi. | |||||
| CVE-2015-4127 | 1 Church Admin Project | 1 Church Admin | 2016-12-31 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the church_admin plugin before 0.810 for WordPress allows remote attackers to inject arbitrary web script or HTML via the address parameter, as demonstrated by a request to index.php/2015/05/21/church_admin-registration-form/. | |||||
| CVE-2015-4134 | 1 Phpwind | 1 Phpwind | 2016-12-31 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in goto.php in phpwind 8.7 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter. | |||||
| CVE-2015-4135 | 1 Phpwind | 1 Phpwind | 2016-12-31 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in goto.php in phpwind 8.7 allows remote attackers to inject arbitrary web script or HTML via the url parameter. | |||||
| CVE-2015-4161 | 1 Sap | 1 Afaria | 2016-12-31 | 7.5 HIGH | N/A |
| SAP Afaria does not properly restrict access to unspecified functionality, which allows remote attackers to obtain sensitive information, gain privileges, or have other unspecified impact via unknown vectors, SAP Security Note 2155690. | |||||
| CVE-2015-4418 | 1 Zohocorp | 1 Manageengine Netflow Analyzer | 2016-12-31 | 5.0 MEDIUM | N/A |
| Zoho NetFlow Analyzer build 10250 and earlier does not have an off autocomplete attribute for a password field, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. | |||||
| CVE-2015-5722 | 2 Apple, Isc | 2 Mac Os X Server, Bind | 2016-12-31 | 7.8 HIGH | N/A |
| buffer.c in named in ISC BIND 9.x before 9.9.7-P3 and 9.10.x before 9.10.2-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) by creating a zone containing a malformed DNSSEC key and issuing a query for a name in that zone. | |||||
| CVE-2015-5986 | 2 Apple, Isc | 2 Mac Os X Server, Bind | 2016-12-31 | 7.1 HIGH | N/A |
| openpgpkey_61.c in named in ISC BIND 9.9.7 before 9.9.7-P3 and 9.10.x before 9.10.2-P4 allows remote attackers to cause a denial of service (REQUIRE assertion failure and daemon exit) via a crafted DNS response. | |||||
| CVE-2016-1003 | 2016-12-31 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2016-10033. Reason: This candidate is a duplicate of CVE-2016-10033. A typo caused the wrong ID to be used. Notes: All CVE users should reference CVE-2016-10033 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2016-1004 | 2016-12-31 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none. | |||||
| CVE-2015-3724 | 1 Apple | 1 Iphone Os | 2016-12-30 | 6.8 MEDIUM | N/A |
| CoreGraphics in Apple iOS before 8.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted ICC profile in a PDF document, a different vulnerability than CVE-2015-3723. | |||||
| CVE-2015-3725 | 1 Apple | 1 Iphone Os | 2016-12-30 | 4.3 MEDIUM | N/A |
| MobileInstallation in Apple iOS before 8.4 does not ensure the uniqueness of Watch bundle IDs, which allows attackers to cause a denial of service (ID collision and Watch launch outage) via a crafted universal provisioning profile app. | |||||
| CVE-2015-3726 | 1 Apple | 1 Iphone Os | 2016-12-30 | 4.6 MEDIUM | N/A |
| The Telephony subsystem in Apple iOS before 8.4 allows physically proximate attackers to execute arbitrary code via a crafted (1) SIM or (2) UIM card. | |||||
| CVE-2015-3713 | 1 Apple | 2 Mac Os X, Quicktime | 2016-12-30 | 6.8 MEDIUM | N/A |
| QuickTime in Apple OS X before 10.10.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted movie file. | |||||
| CVE-2015-3723 | 1 Apple | 1 Iphone Os | 2016-12-30 | 6.8 MEDIUM | N/A |
| CoreGraphics in Apple iOS before 8.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted ICC profile in a PDF document, a different vulnerability than CVE-2015-3724. | |||||