LiveActive security incident?Get immediate response
CVE archive

February 2015

Browse CVE records published in February 2015, with severity, affected products, CWE, KEV, and source-backed vulnerability context.

Showing 50 of 584 matching CVEs · Page 1 of 12.

High · CVSS 7.8 · CISA KEV

CVE-2015-0313: Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.30...

Use-after-free vulnerability in Adobe Flash Player before 13.0.0.269 and 14.x through 16.x before 16.0.0.305 on Windows and OS X and before 11.2.202.442 on Linux allows remote attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in February 2015, a different vulnerability than CVE-2015-0315, CVE-2015-0320, and CVE-2015-0322.

Published Feb 2, 2015 · Updated Nov 17, 2025

High · CVSS 8.8 · CISA KEV

CVE-2015-2051: The D-Link DIR-645 Wired/Wireless Router Rev.

The D-Link DIR-645 Wired/Wireless Router Rev. Ax with firmware 1.04b12 and earlier allows remote attackers to execute arbitrary commands via a GetDeviceSettings action to the HNAP interface.

Published Feb 23, 2015 · Updated Oct 22, 2025

Unknown · CVSS Not scored

CVE-2015-0240: The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x before 3.6.25, 4.0.x before 4.0.25, 4.1...

The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x before 3.6.25, 4.0.x before 4.0.25, 4.1.x before 4.1.17, and 4.2.x before 4.2.0rc5 performs a free operation on an uninitialized stack pointer, which allows remote attackers to execute arbitrary code via crafted Netlogon packets that use the ServerPasswordSet RPC API, as demonstrated by packets reaching the _netr_ServerPasswordSet function in rpc_server/netlogon/srv_netlog_nt.c.

Published Feb 24, 2015 · Updated May 9, 2025

Medium · CVSS 4

CVE-2015-10079: juju2143 WalrusIRC parser.js parseLinks cross site scripting

A vulnerability was found in juju2143 WalrusIRC 0.0.2. It has been rated as problematic. This issue affects the function parseLinks of the file public/parser.js. The manipulation of the argument text leads to cross site scripting. The attack may be initiated remotely. Upgrading to version 0.0.3 is able to address this issue. The patch is named 45fd885895ae13e8d9b3a71e89d59768914f60af. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220751.

Published Feb 13, 2023 · Updated Nov 25, 2024

Medium · CVSS 4

CVE-2015-10072: NREL api-umbrella-web Flash Message cross site scripting

A vulnerability classified as problematic was found in NREL api-umbrella-web 0.7.1. This vulnerability affects unknown code of the component Flash Message Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. Upgrading to version 0.8.0 is able to address this issue. The name of the patch is bcc0e922c61d30367678c8f17a435950969315cd. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-220060.

Published Feb 4, 2023 · Updated Nov 25, 2024

Medium · CVSS 5.5

CVE-2015-10076: dimtion Shaarlier Tag TagsSource.java createTag sql injection

A vulnerability was found in dimtion Shaarlier up to 1.2.2. It has been declared as critical. Affected by this vulnerability is the function createTag of the file app/src/main/java/com/dimtion/shaarlier/TagsSource.java of the component Tag Handler. The manipulation leads to sql injection. Upgrading to version 1.2.3 is able to address this issue. The identifier of the patch is 3d1d9b239d9b3cd87e8bed45a0f02da583ad371e. It is recommended to upgrade the affected component. The identifier VDB-220453 was assigned to this vulnerability.

Published Feb 9, 2023 · Updated Nov 25, 2024

Medium · CVSS 5

CVE-2015-10081: arnoldle submitByMailPlugin edit_list.php cross-site request forgery

A vulnerability was found in arnoldle submitByMailPlugin 1.0b2.9 and classified as problematic. This issue affects some unknown processing of the file edit_list.php. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. Upgrading to version 1.0b2.9a is able to address this issue. The patch is named a739f680a1623d22f52ff1371e86ca472e63756f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-221495.

Published Feb 20, 2023 · Updated Nov 25, 2024

Low · CVSS 3.5

CVE-2015-10085: GoPistolet MTA denial of service

A vulnerability was found in GoPistolet. It has been declared as problematic. This vulnerability affects unknown code of the component MTA. The manipulation leads to denial of service. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The patch is identified as b91aa4674d460993765884e8463c70e6d886bc90. It is recommended to apply a patch to fix this issue. VDB-221506 is the identifier assigned to this vulnerability.

Published Feb 21, 2023 · Updated Nov 25, 2024

Medium · CVSS 4.3

CVE-2015-0749: Cisco Unified Communications Manager Cross-Site Scripting Vulnerability

A vulnerability in Cisco Unified Communications Manager could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack on the affected software. The vulnerabilities is due to improper input validation of certain parameters passed to the affected software. An attacker could exploit this vulnerability by convincing a user to follow a malicious link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected site or allow the attacker to access sensitive browser-based information.

Published Feb 19, 2020 · Updated Nov 15, 2024

Unknown · CVSS Not scored

CVE-2015-1565: Cross-site scripting (XSS) vulnerability in the online help in Hitachi Device Manager, Tiered Storage Manag...

Cross-site scripting (XSS) vulnerability in the online help in Hitachi Device Manager, Tiered Storage Manager, Replication Manager, and Global Link Manager before 8.1.2-00, and Compute Systems Manager before 7.6.1-08 and 8.x before 8.1.2-00, as used in Hitachi Command Suite, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published Feb 9, 2015 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2015-1581: Multiple cross-site request forgery (CSRF) vulnerabilities in the Mobile Domain plugin 1.5.2 for WordPress...

Multiple cross-site request forgery (CSRF) vulnerabilities in the Mobile Domain plugin 1.5.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (XSS) attacks via the (2) domain, (3) text, (4) font, (5) fontcolor, (6) color, or (7) padding parameter in an add-domain action in the mobile-domain page to wp-admin/options-general.php.

Published Feb 11, 2015 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2015-1580: Multiple cross-site request forgery (CSRF) vulnerabilities in the Redirection Page plugin 1.2 for WordPress...

Multiple cross-site request forgery (CSRF) vulnerabilities in the Redirection Page plugin 1.2 for WordPress allow remote attackers to hijack the authentication of administrators for requests that (1) change plugin settings or conduct cross-site scripting (XSS) attacks via the (2) source or (3) redir parameter in an add action in the redirection-page to wp-admin/options-general.php.

Published Feb 11, 2015 · Updated Sep 17, 2024

Unknown · CVSS Not scored

CVE-2015-1619: Cross-site scripting (XSS) vulnerability in the Secure Web Mail Client user interface in McAfee Email Gatew...

Cross-site scripting (XSS) vulnerability in the Secure Web Mail Client user interface in McAfee Email Gateway (MEG) 7.6.x before 7.6.3.2, 7.5.x before 75.6, 7.0.x through 7.0.5, 5.6, and earlier allows remote authenticated users to inject arbitrary web script or HTML via unspecified tokens in Digest messages.

Published Feb 17, 2015 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2015-1575: Multiple cross-site scripting (XSS) vulnerabilities in u5CMS before 3.9.4 allow remote attackers to inject...

Multiple cross-site scripting (XSS) vulnerabilities in u5CMS before 3.9.4 allow remote attackers to inject arbitrary web script or HTML via the (1) c, (2) i, (3) l, or (4) p parameter to index.php; the (5) a or (6) b parameter to u5admin/cookie.php; the name parameter to (7) copy.php or (8) delete.php in u5admin/; the (9) f or (10) typ parameter to u5admin/deletefile.php; the (11) n parameter to u5admin/done.php; the (12) c parameter to u5admin/editor.php; the (13) uri parameter to u5admin/meta2.php; the (14) n parameter to u5admin/notdone.php; the (15) newname parameter to u5admin/rename2.php; the (16) l parameter to u5admin/sendfile.php; the (17) s parameter to u5admin/characters.php; the (18) page parameter to u5admin/savepage.php; or the (19) name parameter to u5admin/new2.php.

Published Feb 11, 2015 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2015-1582: Multiple cross-site scripting (XSS) vulnerabilities in the Spider Facebook plugin before 1.0.11 for WordPre...

Multiple cross-site scripting (XSS) vulnerabilities in the Spider Facebook plugin before 1.0.11 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the appid parameter in a registration task to the default URI or remote administrators to inject arbitrary web script or HTML via the (2) asc_or_desc, (3) order_by, (4) page_number, (5) serch_or_not, or (6) search_events_by_title parameter in (a) the Spider_Facebook_manage page to wp-admin/admin.php or a (b) selectpagesforfacebook or (c) selectpostsforfacebook action to wp-admin/admin-ajax.php.

Published Feb 11, 2015 · Updated Sep 16, 2024

Medium · CVSS 6.5

CVE-2015-3006: Junos: QFX Series: Insufficient entropy on QFX3500 and QFX3600 platforms when the system boots up

On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for some time, but immediately after boot, the entropy is very low. This issue only affects the QFX3500 and QFX3600 switches. No other Juniper Networks products or platforms are affected by this weak entropy vulnerability.

Published Feb 28, 2020 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2015-1576: Multiple SQL injection vulnerabilities in u5CMS before 3.9.4 allow remote attackers to execute arbitrary SQ...

Multiple SQL injection vulnerabilities in u5CMS before 3.9.4 allow remote attackers to execute arbitrary SQL commands via the name parameter to (1) copy2.php, (2) localize.php, (3) metai.php, (4) nc.php, (5) new2.php, or (6) rename2.php in u5admin/; (7) c parameter to u5admin/editor.php; (8) typ parameter to u5admin/meta2.php; or (9) newname parameter to u5admin/rename2.php.

Published Feb 11, 2015 · Updated Sep 16, 2024

Unknown · CVSS Not scored

CVE-2015-1454: Blue Coat ProxyClient before 3.3.3.3 and 3.4.x before 3.4.4.10 and Unified Agent before 4.1.3.151952 does n...

Blue Coat ProxyClient before 3.3.3.3 and 3.4.x before 3.4.4.10 and Unified Agent before 4.1.3.151952 does not properly validate certain certificates, which allows man-in-the-middle attackers to spoof ProxySG Client Managers, and consequently modify configurations and execute arbitrary software updates, via a crafted certificate.

Published Feb 2, 2015 · Updated Sep 16, 2024

Medium · CVSS 6.5

CVE-2015-5361: Junos: FTPS through SRX opens up wide range of data channel TCP ports

Background For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted control channel and open related sessions for the FTP data channel. These related sessions (gates) are specific to source and destination IPs and ports of client and server. The design intent of the ftps-extensions option (which is disabled by default) is to provide similar functionality when the SRX secures the FTP/FTPS client. As the control channel is encrypted, the FTP ALG cannot inspect the port specific information and will open a wider TCP data channel (gate) from client IP to server IP on all destination TCP ports. In FTP/FTPS client environments to an enterprise network or the Internet, this is the desired behavior as it allows firewall policy to be written to FTP/FTPS servers on well-known control ports without using a policy with destination IP ANY and destination port ANY. Issue The ftps-extensions option is not intended or recommended where the SRX secures the FTPS server, as the wide data channel session (gate) will allow the FTPS client temporary access to all TCP ports on the FTPS server. The data session is associated to the control channel and will be closed when the control channel session closes. Depending on the configuration of the FTPS server, supporting load-balancer, and SRX inactivity-timeout values, the server/load-balancer and SRX may keep the control channel open for an extended period of time, allowing an FTPS client access for an equal duration.​ Note that the ftps-extensions option is not enabled by default.

Published Feb 28, 2020 · Updated Sep 16, 2024

Low · CVSS 3.7

CVE-2015-10129: planet-freo auth.inc.php comparison

A vulnerability was found in planet-freo up to 20150116 and classified as problematic. Affected by this issue is some unknown functionality of the file admin/inc/auth.inc.php. The manipulation of the argument auth leads to incorrect comparison. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The name of the patch is 6ad38c58a45642eb8c7844e2f272ef199f59550d. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-252716.

Published Feb 4, 2024 · Updated Aug 6, 2024