Skip to main content
CVE-2015-5681 HIGH POC This Week

Unrestricted file upload vulnerability in upload.php in the Powerplay Gallery plugin 3.3 for WordPress allows remote attackers to execute arbitrary code by uploading a file with an executable. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

RCE WordPress PHP File Upload Powerplay Gallery
NVD
CVSS 2.0
7.5
EPSS
7.8%
CVE-2015-6519 HIGH POC This Week

SQL injection vulnerability in Arab Portal 3 allows remote attackers to execute arbitrary SQL commands via the showemail parameter in a signup action to members.php. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Arab Portal
NVD Exploit-DB
CVSS 2.0
7.5
EPSS
2.0%
CVE-2015-5599 HIGH POC This Week

Multiple SQL injection vulnerabilities in upload.php in the Powerplay Gallery plugin 3.3 for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) albumid or (2) name. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress SQLi PHP Powerplay Gallery
NVD
CVSS 2.0
7.5
EPSS
1.6%
CVE-2015-6513 HIGH POC PATCH This Week

Multiple SQL injection vulnerabilities in the J2Store (com_j2store) extension before 3.1.7 for Joomla!. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP SQLi J2Store
NVD
CVSS 2.0
7.5
EPSS
0.4%
CVE-2015-4426 HIGH POC This Week

SQL injection vulnerability in pimcore before build 3473 allows remote attackers to execute arbitrary SQL commands via the filter parameter to admin/asset/grid-proxy. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Pimcore
NVD GitHub
CVSS 2.0
7.5
EPSS
0.0%
CVE-2015-6517 MEDIUM POC This Month

Cross-site request forgery (CSRF) vulnerability in phpLiteAdmin 1.1 allows remote attackers to hijack the authentication of users for requests that drop database tables via the droptable parameter to. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

CSRF PHP Phpliteadmin
NVD Exploit-DB
CVSS 2.0
6.8
EPSS
0.3%
CVE-2015-6516 MEDIUM POC This Month

SQL injection vulnerability in cygnux.org sysPass 1.0.9 and earlier allows remote authenticated users to execute arbitrary SQL commands via the search parameter to ajax/ajax_search.php. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Syspass
NVD Exploit-DB
CVSS 2.0
6.5
EPSS
0.8%
CVE-2015-4670 MEDIUM POC This Month

Directory traversal vulnerability in the AjaxFileUpload control in DevExpress AJAX Control Toolkit (aka AjaxControlToolkit) before 15.1 allows remote attackers to write to arbitrary files via a .. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Path Traversal Ajax Control Toolkit
NVD
CVSS 2.0
6.4
EPSS
0.9%
CVE-2015-6512 MEDIUM POC This Month

SQL injection vulnerability in the get_messages function in server/plugins/chatroom/chatroom.php in FreiChat 9.6 allows remote attackers to execute arbitrary SQL commands via the time parameter to. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP SQLi Freichat
NVD Exploit-DB
CVSS 2.0
5.0
EPSS
2.2%
CVE-2015-5490 MEDIUM POC PATCH This Month

The _views_fetch_data method in includes/cache.inc in the Views module 7.x-3.5 through 7.x-3.10 for Drupal does not rebuild the full cache if the static cache is not empty, which allows remote. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Views
NVD
CVSS 2.0
5.0
EPSS
0.4%
CVE-2015-4425 MEDIUM POC This Month

Directory traversal vulnerability in pimcore before build 3473 allows remote authenticated users with the "assets" permission to create or write to arbitrary files via a .. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

Path Traversal Pimcore
NVD GitHub Exploit-DB
CVSS 2.0
4.9
EPSS
0.0%
CVE-2015-4029 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in the WebGUI in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the zone parameter in a del action to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS PHP Pfsense
NVD
CVSS 2.0
4.3
EPSS
1.3%
CVE-2015-6518 MEDIUM POC This Month

Multiple cross-site scripting (XSS) vulnerabilities in phpLiteAdmin 1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) PATH_INFO, (2) droptable parameter, or (3) table. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS PHP Phpliteadmin
NVD Exploit-DB
CVSS 2.0
4.3
EPSS
1.2%
CVE-2015-5485 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in the Event Import page (import-eventbrite-events.php) in the Modern Tribe Eventbrite Tickets plugin before 3.10.2 for WordPress allows remote attackers to. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS WordPress PHP Eventbrite Tickets
NVD
CVSS 2.0
4.3
EPSS
0.5%
CVE-2015-5481 MEDIUM POC This Month

Cross-site scripting (XSS) vulnerability in forms/panels.php in the GD bbPress Attachments plugin before 2.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via the tab. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS WordPress PHP Gd Bbpress Attachments
NVD
CVSS 2.0
4.3
EPSS
0.2%
CVE-2015-5482 MEDIUM POC PATCH This Month

Directory traversal vulnerability in the GD bbPress Attachments plugin before 2.3 for WordPress allows remote administrators to include and execute arbitrary local files via a .. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Path Traversal WordPress PHP Gd Bbpress Attachments
NVD
CVSS 2.0
4.0
EPSS
0.7%
CVE-2015-5501 HIGH This Week

The Hostmaster (Aegir) module 6.x-2.x before 6.x-2.4 and 7.x-3.x before 7.x-3.0-beta2 for Drupal allows remote attackers to execute arbitrary PHP code via a crafted file in the directory used to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE PHP Apache Hostmaster
NVD
CVSS 2.0
7.5
EPSS
0.7%
CVE-2015-5502 HIGH PATCH This Week

The Storage API module 7.x-1.x before 7.x-1.8 for Drupal does not properly restrict access to Storage API fields attached to entities that are not nodes, which allows remote attackers to have. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Storage Api
NVD
CVSS 2.0
7.5
EPSS
0.6%
CVE-2015-5504 HIGH PATCH This Week

SQL injection vulnerability in the Novalnet Payment Module Ubercart module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, low attack complexity.

SQLi Novalnet Payment Module Ubercart
NVD
CVSS 2.0
7.5
EPSS
0.5%
CVE-2015-5505 MEDIUM PATCH This Month

The HTTP Strict Transport Security (HSTS) module 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.2 for Drupal does not properly implement the "include subdomains" directive, which causes the HSTS. Rated medium severity (CVSS 6.8), this vulnerability is remotely exploitable.

Information Disclosure Http Strict Transport Security
NVD
CVSS 2.0
6.8
EPSS
0.6%
CVE-2015-5509 MEDIUM PATCH This Month

The Administration Views module 7.x-1.x before 7.x-1.4 for Drupal, when used with other unspecified modules, does not properly grant access to administration pages, which allows remote administrators. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable.

Privilege Escalation Administration Views
NVD
CVSS 2.0
6.0
EPSS
0.3%
CVE-2015-5510 MEDIUM PATCH This Month

Open redirect vulnerability in the Content Construction Kit (CCK) 6.x-2.x before 6.x-2.10 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Open Redirect Content Construction Kit
NVD
CVSS 2.0
5.8
EPSS
0.4%
CVE-2015-5503 MEDIUM PATCH This Month

Open redirect vulnerability in the Chamilo integration module 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Open Redirect Chamilo Integration
NVD
CVSS 2.0
5.8
EPSS
0.4%
CVE-2015-5508 MEDIUM This Month

Cross-site request forgery (CSRF) vulnerability in the XC NCIP Provider module in the eXtensible Catalog (XC) Drupal Toolkit allows remote attackers to hijack the authentication of users with the. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable. No vendor patch available.

CSRF The Extensible Catalog Drupal Toolkit
NVD
CVSS 2.0
5.1
EPSS
0.3%
CVE-2015-5512 MEDIUM PATCH This Month

The me aliases module 6.x-2.x before 6.x-2.10 and 7.x-1.x before 7.x-1.2 for Drupal allows remote attackers to access Views using the "me" user argument handler by substituting "me" for a user id in. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Me Aliases
NVD
CVSS 2.0
5.0
EPSS
0.6%
CVE-2015-5511 MEDIUM PATCH This Month

The HybridAuth Social Login module 7.x-2.x before 7.x-2.13 for Drupal allows remote attackers to bypass the user registration by administrator only configuration and create an account via a social. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Hybridauth Social Login
NVD
CVSS 2.0
5.0
EPSS
0.5%
CVE-2015-5506 MEDIUM PATCH This Month

The Apache Solr Real-Time module 7.x-1.x before 7.x-1.2 for Drupal does not check the status of an entity when indexing, which allows remote attackers to obtain information about unpublished content. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Apache Apache Solr Real Time
NVD
CVSS 2.0
5.0
EPSS
0.5%
CVE-2015-5498 MEDIUM PATCH This Month

The Shipwire API module 7.x-1.x before 7.x-1.03 for Drupal does not check the view permission for the shipments overview (admin/shipwire/shipments), which allows remote attackers to obtain sensitive. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Shipwire Api
NVD
CVSS 2.0
5.0
EPSS
0.3%
CVE-2015-5496 MEDIUM PATCH This Month

The pass2pdf module for Drupal does not restrict access to generated PDF files, which allows remote attackers to obtain user passwords via unspecified vectors. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Pass2Pdf
NVD
CVSS 2.0
5.0
EPSS
0.3%
CVE-2015-5493 MEDIUM PATCH This Month

The Entityform Block module 7.x-1.x before 7.x-1.3 for Drupal does not properly check permissions when a form is locked to a role, which allows remote attackers to obtain access to certain. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Entityform Block
NVD
CVSS 2.0
5.0
EPSS
0.2%
CVE-2015-5515 MEDIUM PATCH This Month

The Views Bulk Operations (VBO) module 6.x-1.x and 7.x-3.x before 7.x-3.3 for Drupal, when the bulk operation for changing Roles is enabled, allows remote authenticated users to edit user accounts. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable.

Privilege Escalation Views Bulk Operations
NVD
CVSS 2.0
4.9
EPSS
0.6%
CVE-2015-6508 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the descr parameter in a "new" action to system_authservers.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS PHP Pfsense
NVD
CVSS 2.0
4.3
EPSS
1.3%
CVE-2015-5507 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the Inline Entity Form module 7.x-1.x before 7.x-1.6 for Drupal allows remote authenticated users with permission to create or edit fields to inject. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Inline Entity Form
NVD
CVSS 2.0
4.3
EPSS
0.4%
CVE-2015-5487 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the Camtasia Relay module 6.x-2.x before 6.x-3.2 and 7.x-2.x before 7.x-1.3 for Drupal allows remote authenticated users with the "view meta information". Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Camtasia Relay
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2015-5492 MEDIUM PATCH This Month

Cross-site scripting (XSS) vulnerability in the Video Consultation module for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

XSS Video Consultation
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2015-6515 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in Splunk Web in Splunk Enterprise 6.2.x before 6.2.4, 6.1.x before 6.1.8, 6.0.x before 6.0.9, and 5.0.x before 5.0.13 and Splunk Light 6.2.x before 6.2.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Splunk
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2015-6514 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in the Dashboard in Splunk Enterprise 6.2.x before 6.2.4 and Splunk Light 6.2.x before 6.2.4 allows remote authenticated users to inject arbitrary web script. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS Splunk
NVD
CVSS 2.0
4.3
EPSS
0.3%
CVE-2015-6511 MEDIUM This Month

Cross-site scripting (XSS) vulnerability in pfSense before 2.2.3 allows remote attackers to inject arbitrary web script or HTML via the server[] parameter to services_ntpd.php. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS PHP Pfsense
NVD
CVSS 2.0
4.3
EPSS
0.1%
CVE-2015-6510 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) srctrack, (2) use_mfs_tmp_size, or (3). Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS PHP Pfsense
NVD
CVSS 2.0
4.3
EPSS
0.1%
CVE-2015-6509 MEDIUM This Month

Multiple cross-site scripting (XSS) vulnerabilities in pfSense before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) proxypass parameter to system_advanced_misc.php;. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. No vendor patch available.

XSS PHP Pfsense
NVD
CVSS 2.0
4.3
EPSS
0.1%
CVE-2015-5499 MEDIUM PATCH This Month

The Navigate module for Drupal does not properly check permissions, which allows remote authenticated users to modify custom widgets and create widget database records by leveraging the "navigate. Rated medium severity (CVSS 4.0), this vulnerability is remotely exploitable, low attack complexity.

Privilege Escalation Navigate
NVD
CVSS 2.0
4.0
EPSS
0.1%
CVE-2015-5491 LOW PATCH Monitor

The Dynamic display block module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users to bypass intended access restrictions and read sensitive titles by leveraging the "administer. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Information Disclosure Dynamic Display Block
NVD
CVSS 2.0
3.5
EPSS
0.2%
CVE-2015-5494 LOW PATCH Monitor

Cross-site scripting (XSS) vulnerability in the Webform Matrix Component module 7.x-4.x before 7.x-4.13 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.

XSS Webform Matrix Component
NVD
CVSS 2.0
3.5
EPSS
0.2%
CVE-2015-5489 LOW PATCH Monitor

Cross-site scripting (XSS) vulnerability in the Smart Trim module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.

XSS Smart Trim
NVD
CVSS 2.0
3.5
EPSS
0.2%
CVE-2015-5497 LOW PATCH Monitor

Cross-site scripting (XSS) vulnerability in the Web Links module 6.x-2.x before 6.x-2.6 and 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with certain permissions to inject. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.

XSS Web Links
NVD
CVSS 2.0
3.5
EPSS
0.2%
CVE-2015-5500 LOW PATCH Monitor

Cross-site scripting (XSS) vulnerability in the Navigate module for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable.

XSS Navigate
NVD
CVSS 2.0
3.5
EPSS
0.1%
CVE-2015-5514 LOW PATCH Monitor

Cross-site scripting (XSS) vulnerability in the Migrate module 7.x-2.x before 7.x-2.8 for Drupal, when the migrate_ui submodule is enabled, allows user-assisted remote attackers to inject arbitrary. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.

XSS Migrate
NVD
CVSS 2.0
2.6
EPSS
0.4%
CVE-2015-5495 LOW PATCH Monitor

Cross-site scripting (XSS) vulnerability in the Mobile sliding menu module 7.x-2.x before 7.x-2.1 for Drupal allows remote authenticated users with the "administer menu" permission to inject. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable.

XSS Mobile Sliding Menu
NVD
CVSS 2.0
2.1
EPSS
0.2%
CVE-2015-5488 LOW PATCH Monitor

Cross-site scripting (XSS) vulnerability in the MailChimp Signup submodule in the MailChimp module 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "administer mailchimp". Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable.

XSS Mailchimp
NVD
CVSS 2.0
2.1
EPSS
0.2%
CVE-2015-5513 LOW PATCH Monitor

Cross-site scripting (XSS) vulnerability in the Shibboleth authentication module 6.x-4.x before 6.x-4.2 and 7.x-4.x before 7.x-4.2 for Drupal allows remote authenticated users with the "Administer. Rated low severity (CVSS 2.1), this vulnerability is remotely exploitable.

XSS Shibboleth Authentication
NVD
CVSS 2.0
2.1
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy