CVE & Exploit Intelligence Database

Search and track vulnerabilities with real-time exploit intelligence. Cross-reference CVEs against public exploits from ExploitDB, Metasploit, GitHub, and Nuclei — with CVSS and EPSS scoring, CISA KEV monitoring, and AI-powered exploit analysis.

338,223 CVEs tracked; 53,271 with exploits; 4,730 exploited in wild; 1,542 CISA KEV; 3,929 Nuclei templates; 37,826 vendors; 42,547 researchers
110,849 results
CVE-2015-8605 6.5 MEDIUM EPSS 0.43
ISC DHCP <4.1-ESV-R12-P1, 4.2.x, 4.3.x <4.3.3-P1 - DoS
ISC DHCP 4.x before 4.1-ESV-R12-P1, 4.2.x, and 4.3.x before 4.3.3-P1 allows remote attackers to cause a denial of service (application crash) via an invalid length field in a UDP IPv4 packet.
CWE-20 Jan 14, 2016
CVE-2016-1569 6.5 MEDIUM EPSS 0.01
FireBird 2.5.5 - DoS
FireBird 2.5.5 allows remote authenticated users to cause a denial of service (daemon crash) by using service manager to invoke the gbak utility with an invalid parameter.
CWE-20 Jan 13, 2016
CVE-2016-1494 5.3 MEDIUM 1 PoC Analysis EPSS 0.05
Python-RSA <3.3 - Code Injection
The verify function in the RSA package for Python (Python-RSA) before 3.3 allows attackers to spoof signatures with a small public exponent via crafted signature padding, aka a BERserk attack.
CWE-20 Jan 13, 2016
CVE-2016-0032 6.1 MEDIUM EPSS 0.01
Microsoft Exchange Server - XSS
Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2013 PS1, 2013 Cumulative Update 10, 2013 Cumulative Update 11, and 2016 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Exchange Spoofing Vulnerability."
CWE-79 Jan 13, 2016
CVE-2016-0031 6.1 MEDIUM EPSS 0.01
Microsoft Exchange Server - XSS
Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2016 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Exchange Spoofing Vulnerability," a different vulnerability than CVE-2016-0029.
CWE-79 Jan 13, 2016
CVE-2016-0030 6.1 MEDIUM EPSS 0.01
Microsoft Exchange Server - XSS
Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2013 PS1, 2013 Cumulative Update 10, and 2016 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Exchange Spoofing Vulnerability."
CWE-79 Jan 13, 2016
CVE-2016-0029 6.1 MEDIUM EPSS 0.01
Microsoft Exchange Server - XSS
Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2016 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Exchange Spoofing Vulnerability," a different vulnerability than CVE-2016-0031.
CWE-79 Jan 13, 2016
CVE-2016-0012 4.3 MEDIUM EPSS 0.13
Microsoft Excel - Information Disclosure
Microsoft Office 2007 SP3, Excel 2007 SP3, PowerPoint 2007 SP3, Visio 2007 SP3, Word 2007 SP3, Office 2010 SP2, Excel 2010 SP2, PowerPoint 2010 SP2, Visio 2010 SP2, Word 2010 SP2, Office 2013 SP1, Excel 2013 SP1, PowerPoint 2013 SP1, Visio 2013 SP1, Word 2013 SP1, Excel 2013 RT SP1, PowerPoint 2013 RT SP1, Word 2013 RT SP1, Office 2016, Excel 2016, PowerPoint 2016, Visio 2016, Word 2016, and Visual Basic 6.0 Runtime allow remote attackers to bypass the ASLR protection mechanism via unspecified vectors, aka "Microsoft Office ASLR Bypass."
CWE-200 Jan 13, 2016
CVE-2016-0011 5.4 MEDIUM EPSS 0.01
Microsoft SharePoint Server - XSS
Microsoft SharePoint Server 2013 SP1 and SharePoint Foundation 2013 SP1 allow remote authenticated users to bypass intended Access Control Policy restrictions and conduct cross-site scripting (XSS) attacks by modifying a webpart, aka "Microsoft SharePoint Security Feature Bypass," a different vulnerability than CVE-2015-6117.
CWE-79 Jan 13, 2016
CVE-2016-0008 4.3 MEDIUM EPSS 0.12
Microsoft Windows 7 - Information Disclosure
The graphics device interface in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to bypass the ASLR protection mechanism via unspecified vectors, aka "Windows GDI32.dll ASLR Bypass Vulnerability."
CWE-200 Jan 13, 2016
CVE-2016-0005 4.3 MEDIUM EPSS 0.31
Microsoft Internet Explorer - Improper Input Validation
Microsoft Internet Explorer 9 through 11 allows remote attackers to bypass the Same Origin Policy via unspecified vectors, aka "Internet Explorer Elevation of Privilege Vulnerability."
CWE-20 Jan 13, 2016
CVE-2015-6117 6.1 MEDIUM EPSS 0.01
Microsoft SharePoint Foundation - XSS
Microsoft SharePoint Server 2013 SP1 and SharePoint Foundation 2013 SP1 allow remote authenticated users to bypass intended Access Control Policy restrictions and conduct cross-site scripting (XSS) attacks by modifying a webpart, aka "Microsoft SharePoint Security Feature Bypass," a different vulnerability than CVE-2016-0011.
CWE-79 Jan 13, 2016
CVE-2016-1715 6.6 MEDIUM EPSS 0.00
McAfee Application Control <6.2.0 - Memory Corruption
The swin.sys kernel driver in McAfee Application Control (MAC) 6.1.0 before build 706, 6.1.1 before build 404, 6.1.2 before build 449, 6.1.3 before build 441, and 6.2.0 before build 505 on 32-bit Windows platforms allows local users to cause a denial of service (memory corruption and system crash) or gain privileges via a 768 syscall, which triggers a zero to be written to an arbitrary kernel memory location.
CWE-189 Jan 12, 2016
CVE-2016-1231 5.9 MEDIUM EPSS 0.01
Prosody <0.9.9 - Path Traversal
Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. (dot dot) in an unspecified path.
CWE-22 Jan 12, 2016
CVE-2015-8673 6.8 MEDIUM EPSS 0.00
Huawei Te30 < v100r001c10b022 - Credentials Management
Huawei TE30, TE40, TE50, and TE60 multimedia video conferencing endpoints with software before V100R001C10SPC100 do not require entry of the old password when changing the password for the Debug account, which allows physically proximate attackers to change the password by leveraging an unattended workstation.
CWE-255 Jan 12, 2016
CVE-2015-8672 5.3 MEDIUM EPSS 0.00
Huawei Te60 Firmware < v100r001c10b022 - Denial of Service
The presentation transmission permission management mechanism in Huawei TE30, TE40, TE50, and TE60 multimedia video conferencing endpoints with software before V100R001C10SPC100 allows remote attackers to cause a denial of service (wired presentation outage) via unspecified vectors involving a wireless presentation.
CWE-19 Jan 12, 2016
CVE-2015-8603 5.4 MEDIUM EPSS 0.00
Serendipity <2.0.3 - XSS
Cross-site scripting (XSS) vulnerability in Serendipity before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the serendipity[entry_id] parameter in an "edit" admin action to serendipity_admin.php.
CWE-79 Jan 12, 2016
CVE-2015-8337 5.5 MEDIUM EPSS 0.00
Huawei P8/Mate7 <GRA-TL00/MT7-UL00/... - DoS
The HIFI driver in Huawei P8 phones with software GRA-TL00 before GRA-TL00C01B220SP01, GRA-CL00 before GRA-CL00C92B220, GRA-CL10 before GRA-CL10C92B220, GRA-UL00 before GRA-UL00C00B220, GRA-UL10 before GRA-UL10C00B220 and Mate7 phones with software MT7-UL00 before MT7-UL00C17B354, MT7-TL10 before MT7-TL10C00B354, MT7-TL00 before MT7-TL00C01B354, and MT7-CL00 before MT7-CL00C92B354 allows remote attackers to cause a denial of service (invalid memory access and reboot) via unspecified vectors related to "input null pointer as parameter."
Jan 12, 2016
CVE-2015-7242 6.1 MEDIUM EPSS 0.00
AVM FRITZ!OS < 6.23 - XSS
Cross-site scripting (XSS) vulnerability in the Push-Service-Mails feature in AVM FRITZ!OS before 6.30 allows remote attackers to inject arbitrary web script or HTML via the display name in the FROM field of an SIP INVITE message.
CWE-79 Jan 12, 2016
CVE-2015-5471 5.3 MEDIUM EXPLOITED 1 PoC Analysis NUCLEI EPSS 0.54
Swim Team plugin <1.44.10777 - Path Traversal
Absolute path traversal vulnerability in include/user/download.php in the Swim Team plugin 1.44.10777 for WordPress allows remote attackers to read arbitrary files via a full pathname in the file parameter.
CWE-22 Jan 12, 2016