Total
416 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2015-4476 | 2 Google, Mozilla | 2 Android, Firefox | 2024-08-06 | N/A |
Mozilla Firefox before 41.0 on Android allows user-assisted remote attackers to spoof address-bar attributes by leveraging lack of navigation after a paste of a URL with a nonstandard scheme, as demonstrated by spoofing an SSL attribute. | ||||
CVE-2015-3972 | 1 Janitza | 5 Umg 508, Umg 509, Umg 511 and 2 more | 2024-08-06 | N/A |
The web interface on Janitza UMG 508, 509, 511, 604, and 605 devices supports only short PIN values for authentication, which makes it easier for remote attackers to obtain access via a brute-force attack. | ||||
CVE-2015-4112 | 1 Blackberry | 1 Enterprise Server | 2024-08-06 | N/A |
The Management Console in BlackBerry Enterprise Server (BES) 12 before 12.2 does not properly restrict use of FRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site, related to a "cross frame scripting" issue. | ||||
CVE-2015-3996 | 1 Afnetworking Project | 1 Afnetworking | 2024-08-06 | N/A |
The default AFSecurityPolicy.validatesDomainName configuration for AFSSLPinningModeNone in the AFNetworking framework before 2.5.3, as used in the ownCloud iOS Library, disables verification of a server hostname against the domain name in the subject's Common Name (CN) of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | ||||
CVE-2015-3973 | 1 Janitza | 5 Umg 508, Umg 509, Umg 511 and 2 more | 2024-08-06 | N/A |
Janitza UMG 508, 509, 511, 604, and 605 devices improperly generate session tokens, which makes it easier for remote attackers to determine a PIN value via unspecified computations on session-token values. | ||||
CVE-2015-3900 | 4 Oracle, Redhat, Ruby-lang and 1 more | 5 Solaris, Enterprise Linux, Rhel Software Collections and 2 more | 2024-08-06 | N/A |
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." | ||||
CVE-2015-3715 | 1 Apple | 1 Mac Os X | 2024-08-06 | N/A |
The code-signing implementation in Apple OS X before 10.10.4 does not properly consider libraries that are external to an application bundle, which allows attackers to bypass intended launch restrictions via a crafted library. | ||||
CVE-2015-3710 | 1 Apple | 2 Iphone Os, Mac Os X | 2024-08-06 | N/A |
Mail in Apple iOS before 8.4 and OS X before 10.10.4 allows remote attackers to trigger a refresh operation, and consequently cause a visit to an arbitrary web site, via a crafted HTML e-mail message. | ||||
CVE-2015-3751 | 1 Apple | 2 Iphone Os, Safari | 2024-08-06 | N/A |
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, allows remote attackers to bypass a Content Security Policy protection mechanism by using a video control in conjunction with an IMG element within an OBJECT element. | ||||
CVE-2015-3714 | 1 Apple | 1 Mac Os X | 2024-08-06 | N/A |
Apple OS X before 10.10.4 does not properly consider custom resource rules during app signature verification, which allows attackers to bypass intended launch restrictions via a modified app. | ||||
CVE-2015-3729 | 1 Apple | 2 Iphone Os, Safari | 2024-08-06 | N/A |
Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not indicate what web site originated an input prompt, which allows remote attackers to conduct spoofing attacks via a crafted site. | ||||
CVE-2015-3756 | 1 Apple | 1 Iphone Os | 2024-08-06 | N/A |
The Certificate UI in Apple iOS before 8.4.1 does not prevent X.509 certificate acceptance within the lock screen, which allows physically proximate attackers to establish arbitrary certificate trust relationships by completing a dialog. | ||||
CVE-2015-3693 | 1 Apple | 1 Mac Os X | 2024-08-06 | N/A |
Apple Mac EFI before 2015-001, as used in OS X before 10.10.4 and other products, does not properly set refresh rates for DDR3 RAM, which might make it easier for remote attackers to conduct row-hammer attacks, and consequently gain privileges or cause a denial of service (memory corruption), by triggering certain patterns of access to memory locations. | ||||
CVE-2015-3750 | 1 Apple | 2 Iphone Os, Safari | 2024-08-06 | N/A |
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, does not enforce the HTTP Strict Transport Security (HSTS) protection mechanism for Content Security Policy (CSP) report requests, which allows man-in-the-middle attackers to obtain sensitive information by sniffing the network or spoof a report by modifying the client-server data stream. | ||||
CVE-2015-3728 | 1 Apple | 1 Iphone Os | 2024-08-06 | N/A |
The WiFi Connectivity feature in Apple iOS before 8.4 allows remote Wi-Fi access points to trigger an automatic association, with an arbitrary security type, by operating with a recognized ESSID within an 802.11 network's coverage area. | ||||
CVE-2015-3722 | 1 Apple | 1 Iphone Os | 2024-08-06 | N/A |
Application Store in Apple iOS before 8.4 does not ensure the uniqueness of bundle IDs, which allows attackers to cause a denial of service (ID collision and launch outage) via a crafted universal provisioning profile app. | ||||
CVE-2015-3755 | 1 Apple | 2 Iphone Os, Safari | 2024-08-06 | N/A |
WebKit in Apple Safari before 6.2.8, 7.x before 7.1.8, and 8.x before 8.0.8, as used in iOS before 8.4.1 and other products, allows remote attackers to spoof the user interface via a malformed URL. | ||||
CVE-2015-3658 | 1 Apple | 3 Iphone Os, Mac Os X, Safari | 2024-08-06 | N/A |
The Page Loading functionality in WebKit in Apple Safari before 6.2.7, 7.x before 7.1.7, and 8.x before 8.0.7, as used in Apple iOS before 8.4 and other products, does not properly consider redirects during decisions about sending an Origin header, which makes it easier for remote attackers to bypass CSRF protection mechanisms via a crafted web site. | ||||
CVE-2015-3412 | 2 Php, Redhat | 9 Php, Enterprise Linux, Enterprise Linux Desktop and 6 more | 2024-08-06 | N/A |
PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 does not ensure that pathnames lack %00 sequences, which might allow remote attackers to read arbitrary files via crafted input to an application that calls the stream_resolve_include_path function in ext/standard/streamsfuncs.c, as demonstrated by a filename\0.extension attack that bypasses an intended configuration in which client users may read files with only one specific extension. | ||||
CVE-2015-3449 | 1 Sap | 1 Afaria | 2024-08-06 | N/A |
The Windows client in SAP Afaria 7.0.6398.0 uses weak permissions (Everyone: read and Everyone: write) for the install folder, which allows local users to gain privileges via a Trojan horse XeService.exe file. |