CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In December 2015(Bypass)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2015-8703 200 Bypass +Info 2015-12-30 2016-11-28
4.0
None Remote Low ??? Partial None None
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE and ZXV10 W300 devices W300V1.0.0f_ER1_PE allow remote authenticated users to bypass intended access restrictions, and discover credentials and keys, by reading the configuration file, a different vulnerability than CVE-2015-7248.
2 CVE-2015-8660 264 Bypass 2015-12-28 2017-09-10
7.2
None Local Low Not required Complete Complete Complete
The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.
3 CVE-2015-8602 200 Bypass +Info 2015-12-17 2015-12-18
3.5
None Remote Medium ??? Partial None None
The Token Insert Entity module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permissions, which allows remote authenticated users with certain permissions to bypass intended access restrictions and possibly obtain sensitive information by inserting a token, which embeds a rendered entity in the main node.
4 CVE-2015-8601 200 Bypass +Info 2015-12-17 2015-12-18
5.0
None Remote Low Not required Partial None None
The Chat Room module 7.x-2.x before 7.x-2.2 for Drupal does not properly check permissions when setting up a websocket for chat messages, which allows remote attackers to bypass intended access restrictions and read messages from arbitrary Chat Rooms via unspecified vectors.
5 CVE-2015-8600 264 +Priv Bypass +Info 2015-12-17 2018-12-10
7.5
None Remote Low Not required Partial Partial Partial
The SysAdminWebTool servlets in SAP Mobile Platform allow remote attackers to bypass authentication and obtain sensitive information, gain privileges, or have unspecified other impact via unknown vectors, aka SAP Security Note 2227855.
6 CVE-2015-8579 264 Bypass 2015-12-16 2016-11-28
6.4
None Remote Low Not required Partial Partial None
Kaspersky Total Security 2015 15.0.2.361 allocates memory with Read, Write, Execute (RWX) permissions at predictable addresses when protecting user-mode processes, which allows attackers to bypass the DEP and ASLR protection mechanisms via unspecified vectors.
7 CVE-2015-8578 264 Bypass 2015-12-16 2016-11-28
6.4
None Remote Low Not required Partial Partial None
AVG Internet Security 2015 allocates memory with Read, Write, Execute (RWX) permissions at predictable addresses when protecting user-mode processes, which allows attackers to bypass the DEP and ASLR protection mechanisms via unspecified vectors.
8 CVE-2015-8577 264 Overflow Bypass 2015-12-16 2016-05-26
2.6
None Local High Not required Partial Partial None
The Buffer Overflow Protection (BOP) feature in McAfee VirusScan Enterprise before 8.8 Patch 6 allocates memory with Read, Write, Execute (RWX) permissions at predictable addresses on 32-bit platforms when protecting another application, which allows attackers to bypass the DEP and ASLR protection mechanisms via unspecified vectors.
9 CVE-2015-8569 200 Bypass +Info 2015-12-28 2017-11-04
1.9
None Local Medium Not required Partial None None
The (1) pptp_bind and (2) pptp_connect functions in drivers/net/ppp/pptp.c in the Linux kernel through 4.3.3 do not verify an address length, which allows local users to obtain sensitive information from kernel memory and bypass the KASLR protection mechanism via a crafted application.
10 CVE-2015-8467 264 Bypass 2015-12-29 2016-12-31
6.0
None Remote Medium ??? Partial Partial Partial
The samldb_check_user_account_control_acl function in dsdb/samdb/ldb_modules/samldb.c in Samba 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 does not properly check for administrative privileges during creation of machine accounts, which allows remote authenticated users to bypass intended access restrictions by leveraging the existence of a domain with both a Samba DC and a Windows DC, a similar issue to CVE-2015-2535.
11 CVE-2015-8453 200 Bypass +Info 2015-12-10 2017-02-17
4.3
None Remote Medium Not required Partial None None
Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allow attackers to bypass the ASLR protection mechanism via JIT data, a different vulnerability than CVE-2015-8409 and CVE-2015-8440.
12 CVE-2015-8440 264 Bypass 2015-12-10 2017-02-17
10.0
None Remote Low Not required Complete Complete Complete
Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2015-8409 and CVE-2015-8453.
13 CVE-2015-8409 Bypass 2015-12-10 2016-12-07
10.0
None Remote Low Not required Complete Complete Complete
Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2015-8440 and CVE-2015-8453.
14 CVE-2015-8370 264 DoS Mem. Corr. Bypass +Info 2015-12-16 2018-10-09
6.9
None Local Medium Not required Complete Complete Complete
Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an "Off-by-two" or "Out of bounds overwrite" memory error.
15 CVE-2015-8024 78 Bypass 2015-12-02 2016-12-07
9.3
None Remote Medium Not required Complete Complete Complete
McAfee Enterprise Security Manager (ESM), Enterprise Security Manager/Log Manager (ESMLM), and Enterprise Security Manager/Receiver (ESMREC) 9.3.x before 9.3.2MR19, 9.4.x before 9.4.2MR9, and 9.5.x before 9.5.0MR8, when configured to use Active Directory or LDAP authentication sources, allow remote attackers to bypass authentication by logging in with the username "NGCP|NGCP|NGCP;" and any password.
16 CVE-2015-7907 22 Dir. Trav. Bypass 2015-12-21 2015-12-22
6.4
None Remote Low Not required None Partial Partial
Directory traversal vulnerability in the web server on Honeywell Midas gas detectors before 1.13b3 and Midas Black gas detectors before 2.13b3 allows remote attackers to bypass authentication, and write to a configuration file or trigger a calibration or test, via unspecified vectors.
17 CVE-2015-7447 200 Bypass +Info 2015-12-31 2016-12-07
5.0
None Remote Low Not required Partial None None
IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF29, 8.0.0 before 8.0.0.1 CF20, and 8.5.0 before CF09 allows remote attackers to bypass intended Portal AccessControl REST API access restrictions and obtain sensitive information via unspecified vectors.
18 CVE-2015-7249 264 Bypass 2015-12-30 2017-09-13
6.8
None Remote Low ??? None Complete None
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote authenticated users to bypass intended access restrictions via a modified request, as demonstrated by leveraging the support account to change a password via a cgi-bin/webproc accountpsd action.
19 CVE-2015-7215 200 Bypass +Info 2015-12-16 2018-10-30
5.0
None Remote Low Not required Partial None None
The importScripts function in the Web Workers API implementation in Mozilla Firefox before 43.0 allows remote attackers to bypass the Same Origin Policy by triggering use of the no-cors mode in the fetch API to attempt resource access that throws an exception, leading to information disclosure after a rethrow.
20 CVE-2015-7214 200 Bypass +Info 2015-12-16 2018-10-30
5.0
None Remote Low Not required Partial None None
Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.5 allow remote attackers to bypass the Same Origin Policy via data: and view-source: URIs.
21 CVE-2015-7207 200 Bypass +Info 2015-12-16 2018-10-30
5.0
None Remote Low Not required Partial None None
Mozilla Firefox before 43.0 does not properly restrict the availability of IFRAME Resource Timing API times, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that leverages history.back and performance.getEntries calls, a related issue to CVE-2015-1300.
22 CVE-2015-7094 20 Bypass 2015-12-11 2017-09-13
2.6
None Remote High Not required None Partial None
CFNetwork HTTPProtocol in Apple iOS before 9.2 and OS X before 10.11.2 allows man-in-the-middle attackers to bypass the HSTS protection mechanism via a crafted URL.
23 CVE-2015-7080 200 Bypass +Info 2015-12-11 2016-12-07
2.1
None Local Low Not required Partial None None
Siri in Apple iOS before 9.2 allows physically proximate attackers to bypass an intended client-side protection mechanism and obtain sensitive content-notification information by listening to a device in the lock-screen state.
24 CVE-2015-7071 264 Bypass 2015-12-11 2017-09-13
10.0
None Remote Low Not required Complete Complete Complete
The File Bookmark component in Apple OS X before 10.11.2 allows attackers to bypass a sandbox protection mechanism for app scoped bookmarks via a crafted pathname.
25 CVE-2015-7062 264 Bypass 2015-12-11 2017-09-13
4.6
None Local Low Not required Partial Partial Partial
Apple OS X before 10.11.2 and tvOS before 9.1 allow local users to bypass intended configuration-profile installation restrictions via unspecified vectors.
26 CVE-2015-7046 200 Bypass +Info 2015-12-11 2019-03-08
2.6
None Remote High Not required Partial None None
The Sandbox feature in xnu in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 does not properly implement privilege separation, which allows attackers to bypass the ASLR protection mechanism via a crafted app with root privileges.
27 CVE-2015-7001 264 Bypass 2015-12-11 2019-03-08
6.8
None Remote Medium Not required Partial Partial Partial
AppSandbox in Apple iOS before 9.2, OS X before 10.11.2, tvOS before 9.1, and watchOS before 2.1 mishandles hard links, which allows attackers to bypass Contacts access revocation via a crafted app.
28 CVE-2015-6851 284 Bypass 2015-12-23 2016-12-07
7.2
None Local Low Not required Complete Complete Complete
EMC RSA SecurID Web Agent before 8.0 allows physically proximate attackers to bypass the privacy-screen protection mechanism by leveraging an unattended workstation and running DOM Inspector.
29 CVE-2015-6786 264 Bypass 2015-12-06 2017-09-14
4.3
None Remote Medium Not required None Partial None
The CSPSourceList::matches function in WebKit/Source/core/frame/csp/CSPSourceList.cpp in the Content Security Policy (CSP) implementation in Google Chrome before 47.0.2526.73 accepts a blob:, data:, or filesystem: URL as a match for a * pattern, which allows remote attackers to bypass intended scheme restrictions in opportunistic circumstances by leveraging a policy that relies on this pattern.
30 CVE-2015-6785 264 Bypass 2015-12-06 2017-09-14
4.3
None Remote Medium Not required None Partial None
The CSPSource::hostMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP) implementation in Google Chrome before 47.0.2526.73 accepts an x.y hostname as a match for a *.x.y pattern, which might allow remote attackers to bypass intended access restrictions in opportunistic circumstances by leveraging a policy that was intended to be specific to subdomains.
31 CVE-2015-6783 20 Bypass 2015-12-06 2017-09-14
4.3
None Remote Medium Not required None Partial None
The FindStartOffsetOfFileInZipFile function in crazy_linker_zip.cpp in crazy_linker (aka Crazy Linker) in Android 5.x and 6.x, as used in Google Chrome before 47.0.2526.73, improperly searches for an EOCD record, which allows attackers to bypass a signature-validation requirement via a crafted ZIP archive.
32 CVE-2015-6779 264 Bypass 2015-12-06 2017-09-14
4.3
None Remote Medium Not required None Partial None
PDFium, as used in Google Chrome before 47.0.2526.73, does not properly restrict use of chrome: URLs, which allows remote attackers to bypass intended scheme restrictions via a crafted PDF document, as demonstrated by a document with a link to a chrome://settings URL.
33 CVE-2015-6772 264 Bypass 2015-12-06 2017-09-14
7.5
None Remote Low Not required Partial Partial Partial
The DOM implementation in Blink, as used in Google Chrome before 47.0.2526.73, does not prevent javascript: URL navigation while a document is being detached, which allows remote attackers to bypass the Same Origin Policy via crafted JavaScript code that improperly interacts with a plugin.
34 CVE-2015-6770 264 Bypass 2015-12-06 2017-09-14
7.5
None Remote Low Not required Partial Partial Partial
The DOM implementation in Google Chrome before 47.0.2526.73 allows remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2015-6768.
35 CVE-2015-6769 264 Bypass 2015-12-06 2017-09-14
7.5
None Remote Low Not required Partial Partial Partial
The provisional-load commit implementation in WebKit/Source/bindings/core/v8/WindowProxy.cpp in Google Chrome before 47.0.2526.73 allows remote attackers to bypass the Same Origin Policy by leveraging a delay in window proxy clearing.
36 CVE-2015-6768 264 Bypass 2015-12-06 2017-09-14
7.5
None Remote Low Not required Partial Partial Partial
The DOM implementation in Google Chrome before 47.0.2526.73 allows remote attackers to bypass the Same Origin Policy via unspecified vectors, a different vulnerability than CVE-2015-6770.
37 CVE-2015-6632 200 Bypass +Info 2015-12-08 2019-02-12
5.0
None Remote Low Not required Partial None None
libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows remote attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via unknown vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 24346430.
38 CVE-2015-6631 200 Bypass +Info 2015-12-08 2019-02-12
5.0
None Remote Low Not required Partial None None
libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows remote attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via unknown vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 24623447.
39 CVE-2015-6628 200 Bypass +Info 2015-12-08 2019-02-12
5.0
None Remote Low Not required Partial None None
Media Framework in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via unknown vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 24074485.
40 CVE-2015-6626 200 Bypass +Info 2015-12-08 2019-02-12
5.0
None Remote Low Not required Partial None None
libstagefright in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows remote attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via unknown vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 24310423.
41 CVE-2015-6622 200 Bypass +Info 2015-12-08 2019-02-12
5.0
None Remote Low Not required Partial None None
The Native Frameworks Library in Android before 5.1.1 LMY48Z and 6.0 before 2015-12-01 allows attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via unknown vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 23905002.
42 CVE-2015-6538 Bypass 2015-12-27 2015-12-28
7.5
None Remote Low Not required Partial Partial Partial
The login page in Epiphany Cardio Server 3.3, 4.0, and 4.1 mishandles authentication requests, which allows remote attackers to conduct LDAP injection attacks, and consequently bypass intended access restrictions, via a crafted URL.
43 CVE-2015-6427 254 Bypass 2015-12-18 2016-12-07
5.0
None Remote Low Not required None Partial None
Cisco FireSIGHT Management Center allows remote attackers to bypass the HTTP attack detection feature and avoid triggering Snort IDS rules via an SSL session that is mishandled after decryption, aka Bug ID CSCux53437.
44 CVE-2015-6426 20 Exec Code Bypass 2015-12-18 2016-11-28
7.2
None Local Low Not required Complete Complete Complete
Cisco Prime Network Services Controller 3.0 allows local users to bypass intended access restrictions and execute arbitrary commands via additional parameters to an unspecified command, aka Bug ID CSCus99427.
45 CVE-2015-6424 255 Bypass 2015-12-18 2016-12-07
7.2
None Local Low Not required Complete Complete Complete
The boot manager in Cisco Application Policy Infrastructure Controller (APIC) 1.1(0.920a) allows local users to bypass intended access restrictions and obtain single-user-mode root access via unspecified vectors, aka Bug ID CSCuu83985.
46 CVE-2015-6413 264 Bypass 2015-12-13 2016-12-07
4.0
None Remote Low ??? None Partial None
Cisco TelePresence Video Communication Server (VCS) Expressway X8.6 allows remote authenticated users to bypass intended read-only restrictions and upload Tandberg Linux Package (TLP) files by visiting an administrative page, aka Bug ID CSCuw55651.
47 CVE-2015-6410 20 Bypass 2015-12-14 2016-12-07
4.0
None Remote Low ??? Partial None None
The Mobile and Remote Access (MRA) services implementation in Cisco Unified Communications Manager mishandles edge-device identity validation, which allows remote attackers to bypass intended call-reception and call-setup restrictions by spoofing a user, aka Bug ID CSCuu97283.
48 CVE-2015-6401 287 Bypass 2015-12-14 2017-09-13
7.5
None Remote Low Not required Partial Partial Partial
Cisco EPC3928 devices with EDVA 5.5.10, 5.5.11, and 5.7.1 allow remote attackers to bypass an intended authentication requirement and execute unspecified administrative functions via a crafted HTTP request, aka Bug ID CSCux24941.
49 CVE-2015-6384 264 Bypass 2015-12-05 2015-12-07
4.3
None Remote Medium Not required Partial None None
The Cisco WebEx Meetings application before 8.5.1 for Android improperly initializes custom application permissions, which allows attackers to bypass intended access restrictions via a crafted application, aka Bug ID CSCuw86442.
50 CVE-2015-6383 264 Bypass 2015-12-03 2017-09-14
7.2
None Local Low Not required Complete Complete Complete
Cisco IOS XE 15.4(3)S on ASR 1000 devices improperly loads software packages, which allows local users to bypass license restrictions and obtain certain root privileges by using the CLI to enter crafted filenames, aka Bug ID CSCuv93130.
Total number of vulnerabilities : 63   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.