CVE-2015-9302: The simple-fields plugin before 1.4.11 for WordPress has XSS.
The simple-fields plugin before 1.4.11 for WordPress has XSS.
Published Aug 13, 2019 · Updated Aug 6, 2024
Browse CVE records published in August 2015, with severity, affected products, CWE, KEV, and source-backed vulnerability context.
Showing 50 of 876 matching CVEs · Page 4 of 18.
The simple-fields plugin before 1.4.11 for WordPress has XSS.
Published Aug 13, 2019 · Updated Aug 6, 2024
The wp-fastest-cache plugin before 0.8.4.9 for WordPress has SQL injection in wp-admin/admin-ajax.php?action=wpfc_wppolls_ajax_request via the poll_id parameter.
Published Aug 14, 2019 · Updated Aug 6, 2024
The newstatpress plugin before 1.0.5 for WordPress has SQL injection related to an IMG element.
Published Aug 14, 2019 · Updated Aug 6, 2024
The events-manager plugin before 5.6 for WordPress has code injection.
Published Aug 13, 2019 · Updated Aug 6, 2024
The link-log plugin before 2.1 for WordPress has SQL injection.
Published Aug 27, 2019 · Updated Aug 6, 2024
6kbbs 7.1 and 8.0 allows CSRF via portalchannel_ajax.php (id or code parameter) or admin.php (fileids parameter).
Published Aug 8, 2019 · Updated Aug 6, 2024
The all-in-one-wp-security-and-firewall plugin before 3.9.8 for WordPress has XSS in the unlock request feature.
Published Aug 13, 2019 · Updated Aug 6, 2024
The wp-google-map-plugin plugin before 2.3.10 for WordPress has CSRF in the add/edit category feature.
Published Aug 14, 2019 · Updated Aug 6, 2024
cPanel before 11.52.0.13 does not prevent arbitrary file-read operations via get_information_for_applications (CPANEL-1221).
Published Aug 1, 2019 · Updated Aug 6, 2024
The clean-login plugin before 1.5.1 for WordPress has reflected XSS.
Published Aug 22, 2019 · Updated Aug 6, 2024
The all-in-one-wp-security-and-firewall plugin before 3.9.5 for WordPress has XSS in add_query_arg and remove_query_arg function instances.
Published Aug 13, 2019 · Updated Aug 6, 2024
The newstatpress plugin before 1.0.6 for WordPress has reflected XSS.
Published Aug 14, 2019 · Updated Aug 6, 2024
The email-newsletter plugin through 20.15 for WordPress has SQL injection.
Published Aug 22, 2019 · Updated Aug 6, 2024
Lansweeper 4.x through 6.x before 6.0.0.48 allows attackers to execute arbitrary code on the administrator's workstation via a crafted Windows service.
Published Aug 27, 2018 · Updated Aug 6, 2024
Zoho ManageEngine OpManager 11 through 12.2 uses a custom encryption algorithm to protect the credential used to access the monitored devices. The implemented algorithm doesn't use a per-system key or even a salt; therefore, it's possible to create a universal decryptor.
Published Aug 4, 2017 · Updated Aug 6, 2024
openshift-node in OpenShift Origin 1.1.6 and earlier improperly stores router credentials as envvars in the pod when the --credentials option is used, which allows local users to obtain sensitive private key information by reading the systemd journal.
Published Aug 5, 2016 · Updated Aug 6, 2024
Integer overflow in sound/soc/msm/qdsp6v2/q6lsm.c in the Qualcomm components in Android before 2016-08-05 on Nexus 6 devices allows attackers to gain privileges via a crafted application, aka Android internal bug 28813987 and Qualcomm internal bug CR792367.
Published Aug 6, 2016 · Updated Aug 6, 2024
drivers/video/msm/mdss/mdss_mdp_util.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5 devices does not verify that a mapping exists before proceeding with an unmap operation, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28815158 and Qualcomm internal bugs CR794217 and CR836226.
Published Aug 6, 2016 · Updated Aug 6, 2024
drivers/media/platform/msm/camera_v2/pproc/cpp/msm_cpp.c in the Qualcomm components in Android before 2016-08-05 on Nexus 6 devices does not validate the stream state, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28814652 and Qualcomm internal bug CR803246.
Published Aug 6, 2016 · Updated Aug 6, 2024
Use-after-free vulnerability in the my_login function in DBD::mysql before 4.033_01 allows attackers to have unspecified impact by leveraging a call to mysql_errno after a failure of my_login.
Published Aug 19, 2016 · Updated Aug 6, 2024
The sapi_header_op function in main/SAPI.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 supports deprecated line folding without considering browser compatibility, which allows remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer by leveraging (1) %0A%20 or (2) %0D%0A%20 mishandling in the header function.
Published Aug 7, 2016 · Updated Aug 6, 2024
The MSM camera driver in the Qualcomm components in Android before 2016-08-05 on Nexus 6 devices does not validate input parameters, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28804030 and Qualcomm internal bug CR766022.
Published Aug 6, 2016 · Updated Aug 6, 2024
drivers/media/platform/msm/camera_v2/isp/msm_isp_axi_util.c in the Qualcomm components in Android before 2016-08-05 on Nexus 6 and 7 (2013) devices does not properly validate array indexes, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28814502 and Qualcomm internal bug CR792473.
Published Aug 6, 2016 · Updated Aug 6, 2024
drivers/video/msm/mdp4_util.c in the Qualcomm components in Android before 2016-08-05 on Nexus 7 (2013) devices does not validate r stages, g stages, or b stages data, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28398884 and Qualcomm internal bug CR779021.
Published Aug 6, 2016 · Updated Aug 6, 2024
The ioresources_init function in kernel/resource.c in the Linux kernel through 4.7, as used in Android before 2016-08-05 on Nexus 6 and 7 (2013) devices, uses weak permissions for /proc/iomem, which allows local users to obtain sensitive information by reading this file, aka Android internal bug 28814213 and Qualcomm internal bug CR786116. NOTE: the permissions may be intentional in most non-Android contexts.
Published Aug 6, 2016 · Updated Aug 6, 2024
drivers/char/diag/diagchar_core.c in the Qualcomm components in Android before 2016-08-05 on Nexus 5, 6, and 7 (2013) devices mishandles a socket process, which allows attackers to gain privileges via a crafted application, aka Android internal bug 28803962 and Qualcomm internal bug CR770548.
Published Aug 6, 2016 · Updated Aug 6, 2024
t-coffee before 11.00.8cbe486-2 allows local users to write to ~/.t_coffee globally.
Published Aug 7, 2017 · Updated Aug 6, 2024
Huawei Video Content Management (VCM) before V100R001C10SPC001 does not properly "authenticate online user identities and privileges," which allows remote authenticated users to gain privileges and perform a case operation as another user via a crafted message, aka "Horizontal Privilege Escalation Vulnerability."
Published Aug 28, 2017 · Updated Aug 6, 2024
Directory traversal vulnerability in Zen Cart 1.5.4 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the act parameter to ajax.php.
Published Aug 24, 2017 · Updated Aug 6, 2024
Multiple SQL injection vulnerabilities in the orion.extfeedbackform module before 2.1.3 for Bitrix allow remote authenticated users to execute arbitrary SQL commands via the (1) order or (2) "by" parameter to admin/orion.extfeedbackform_efbf_forms.php.
Published Aug 24, 2017 · Updated Aug 6, 2024
SQL injection vulnerability in the Operation and Maintenance Unit (OMU) in Huawei VCN500 before V100R002C00SPC201 allows remote authenticated users to execute arbitrary SQL commands via a crafted HTTP request.
Published Aug 29, 2017 · Updated Aug 6, 2024
Untrusted search path vulnerability in F-Secure Online Scanner allows remote attackers to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse DLL that is located in the same folder as F-SecureOnlineScanner.exe.
Published Aug 2, 2017 · Updated Aug 6, 2024
Polycom BToE Connector before 3.0.0 uses weak permissions (Everyone: Full Control) for "Program Files (x86)\polycom\polycom btoe connector\plcmbtoesrv.exe," which allows local users to gain privileges via a Trojan horse file.
Published Aug 28, 2017 · Updated Aug 6, 2024
Buffer overflow in the Group messages monitor (Falcon) in KNX ETS 4.1.5 (Build 3246) allows remote attackers to execute arbitrary code via a crafted KNXnet/IP UDP packet.
Published Aug 29, 2017 · Updated Aug 6, 2024
LXDM before 0.5.2 did not start X server with -auth, which allows local users to bypass authentication with X connections.
Published Aug 24, 2017 · Updated Aug 6, 2024
In Textpattern 4.5.7, an unprivileged author can change an article's markup setting.
Published Aug 14, 2020 · Updated Aug 6, 2024
In Textpattern 4.5.7, the password-reset feature does not securely tether a hash to a user account.
Published Aug 14, 2020 · Updated Aug 6, 2024
The Configuration utility in F5 BIG-IP LTM, Analytics, APM, ASM, GTM, and Link Controller 11.x before 11.2.1 HF16, 11.3.x, 11.4.x before 11.4.1 HF10, 11.5.x before 11.5.4, and 11.6.x before 11.6.1; BIG-IP AAM 11.4.x before 11.4.1 HF10, 11.5.x before 11.5.4, and 11.6.x before 11.6.1; BIG-IP AFM and PEM 11.3.x, 11.4.x before 11.4.1 HF10, 11.5.x before 11.5.4, and 11.6.x before 11.6.1; BIG-IP Edge Gateway, WebAccelerator, and WOM 11.x before 11.2.1 HF16 and 11.3.0; and BIG-IP PSM 11.x before 11.2.1 HF16, 11.3.x, and 11.4.x before 11.4.1 HF10 allows remote authenticated users with certain permissions to gain privileges by leveraging an Access Policy Manager customization configuration section that allows file uploads.
Published Aug 19, 2016 · Updated Aug 6, 2024
NetApp SnapCenter Server 1.0 allows remote authenticated users to list and delete backups.
Published Aug 7, 2017 · Updated Aug 6, 2024
The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, 2.10.x before 2.10.8, 2.11.x before 2.11.8, 2.12.x before 2.12.6, 2.13.x before 2.13.3, 2.14.x before 2.14.2, and 2.15.x before 2.15.2 allows remote attackers to obtain the DRBD secret via instance information job results.
Published Aug 18, 2017 · Updated Aug 6, 2024
Race condition in the ioctl implementation in the Samsung Graphics 2D driver (aka /dev/fimg2d) in Samsung devices with Android L(5.0/5.1) allows local users to trigger memory errors by leveraging definition of g2d_lock and g2d_unlock lock macros as no-ops, aka SVE-2015-4598.
Published Aug 2, 2017 · Updated Aug 6, 2024
The RESTful control interface (aka RAPI or ganeti-rapi) in Ganeti before 2.9.7, 2.10.x before 2.10.8, 2.11.x before 2.11.8, 2.12.x before 2.12.6, 2.13.x before 2.13.3, 2.14.x before 2.14.2, and 2.15.x before 2.15.2, when used in SSL mode, allows remote attackers to cause a denial of service (resource consumption) via SSL parameter renegotiation.
Published Aug 18, 2017 · Updated Aug 6, 2024
LibQJpeg in the Samsung Galaxy S6 before the October 2015 MR allows remote attackers to cause a denial of service (memory corruption and SIGSEGV) via a crafted image file.
Published Aug 24, 2017 · Updated Aug 6, 2024
The DCMProvider service in Samsung LibQjpeg on a Samsung SM-G925V device running build number LRX22G.G925VVRU1AOE2 allows remote attackers to cause a denial of service (segmentation fault and process crash) and execute arbitrary code via a crafted JPG.
Published Aug 9, 2017 · Updated Aug 6, 2024
ctools 6.x-1.x before 6.x-1.14 and 7.x-1.x before 7.x-1.8 in Drupal does not verify the "edit" permission for the "content type" plugins that are used on Panels and similar systems to place content and functionality on a page.
Published Aug 7, 2017 · Updated Aug 6, 2024
Buffer overflow in the password management functionality in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted key file.
Published Aug 7, 2017 · Updated Aug 6, 2024
Crypto-NAK packets in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to bypass authentication.
Published Aug 7, 2017 · Updated Aug 6, 2024
The decodenetnum function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (assertion failure) via a 6 or mode 7 packet containing a long data value.
Published Aug 7, 2017 · Updated Aug 6, 2024
ntpq in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted mode 6 response packets.
Published Aug 7, 2017 · Updated Aug 6, 2024
The datalen parameter in the refclock driver in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to execute arbitrary code or cause a denial of service (crash) via a negative input value.
Published Aug 7, 2017 · Updated Aug 6, 2024