Vulnerabilities > Critical

DATE CVE VULNERABILITY TITLE RISK
2016-01-08 CVE-2015-8261 SQL Injection vulnerability in Progress Whatsup Gold 16.3
The DroneDeleteOldMeasurements implementation in Ipswitch WhatsUp Gold before 16.4 does not properly validate serialized XML objects, which allows remote attackers to conduct SQL injection attacks via a crafted SOAP request.
network
low complexity
progress CWE-89
critical
9.8
2016-01-06 CVE-2015-6640 Permissions, Privileges, and Access Controls vulnerability in Google Android
The prctl_set_vma_anon_name function in kernel/sys.c in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 does not ensure that only one vma is accessed in a certain update action, which allows attackers to gain privileges or cause a denial of service (vma list corruption) via a crafted application, aka internal bug 20017123.
network
google CWE-264
critical
9.3
2016-01-06 CVE-2015-6638 Permissions, Privileges, and Access Controls vulnerability in Google Android
The Imagination Technologies driver in Android 5.x before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to gain privileges via a crafted application, aka internal bug 24673908.
network
google CWE-264
critical
9.3
2016-01-06 CVE-2015-6637 Permissions, Privileges, and Access Controls vulnerability in Google Android
The MediaTek misc-sd driver in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to gain privileges via a crafted application, aka internal bug 25307013.
network
google CWE-264
critical
9.3
2016-01-06 CVE-2015-6636 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android
mediaserver in Android 5.x before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bugs 25070493 and 24686670.
network
low complexity
google CWE-119
critical
10.0
2016-01-02 CVE-2015-7450 Unspecified vulnerability in IBM products
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.
network
low complexity
ibm
critical
9.8
2016-01-02 CVE-2015-7426 OS Command Injection vulnerability in IBM products
The Data Protection extension in the VMware GUI in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (aka Spectrum Protect for Virtual Environments) 7.1 before 7.1.3.0 and Tivoli Storage FlashCopy Manager for VMware (aka Spectrum Protect Snapshot) 4.1 before 4.1.3.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
network
low complexity
ibm CWE-78
critical
10.0
2015-12-31 CVE-2015-5989 Permissions, Privileges, and Access Controls vulnerability in Belkin N600 DB Wi-Fi Dual-Band N+ Router F9K1102 Firmware 2.10.17
Belkin F9K1102 2 devices with firmware 2.10.17 rely on client-side JavaScript code for authorization, which allows remote attackers to obtain administrative privileges via certain changes to LockStatus and Login_Success values.
network
low complexity
belkin CWE-264
critical
10.0
2015-12-31 CVE-2015-5988 Credentials Management vulnerability in Belkin N600 DB Wi-Fi Dual-Band N+ Router F9K1102 Firmware 2.10.17
The web management interface on Belkin F9K1102 2 devices with firmware 2.10.17 has a blank password, which allows remote attackers to obtain administrative privileges by leveraging a LAN session.
network
belkin CWE-255
critical
9.3
2015-12-31 CVE-2015-7283 Credentials Management vulnerability in Zyxel Nbg-418N Firmware 1.00(Aadz.3)C0
The web administration interface on ZyXEL NBG-418N devices with firmware 1.00(AADZ.3)C0 has a default password of 1234 for the admin account, which allows remote attackers to obtain administrative privileges by leveraging a LAN session.
network
zyxel CWE-255
critical
9.3