Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-9818 1 Xen 1 Xen 2017-07-28 4.9 MEDIUM 6.5 MEDIUM
Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host crash) via vectors involving an asynchronous abort while at HYP.
CVE-2016-6113 1 Ibm 2 Domino, Inotes 2017-07-28 4.3 MEDIUM 6.1 MEDIUM
IBM Verse is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2016-9284 1 Exponentcms 1 Exponent Cms 2017-07-28 5.0 MEDIUM 5.3 MEDIUM
getUsersByJSON in framework/modules/users/controllers/usersController.php in Exponent CMS v2.4.0 allows remote attackers to read user information via users/getUsersByJSON/sort/ and a trailing string.
CVE-2016-9384 1 Xen 1 Xen 2017-07-28 2.1 LOW 6.5 MEDIUM
Xen 4.7 allows local guest OS users to obtain sensitive host information by loading a 32-bit ELF symbol table.
CVE-2016-2926 1 Ibm 7 Rational Collaborative Lifecycle Management, Rational Doors Next Generation, Rational Engineering Lifecycle Manager and 4 more 2017-07-28 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix19, and 6.0 before 6.0.2 iFix3; Rational Quality Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix19, and 6.0 before 6.0.2 iFix3; Rational Team Concert 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix19, and 6.0 before 6.0.2 iFix3; Rational DOORS Next Generation 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix19, and 6.0 before 6.0.2 iFix3; Rational Engineering Lifecycle Manager 4.x before 4.0.7 iFix11, 5.0 before 5.0.2 iFix19, and 6.0 before 6.0.2 iFix3; Rational Rhapsody Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix19, and 6.0 before 6.0.2 iFix3; and Rational Software Architect Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix19, and 6.0 before 6.0.2 iFix3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
CVE-2016-4487 1 Gnu 1 Libiberty 2017-07-28 4.3 MEDIUM 5.5 MEDIUM
Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to "btypevec."
CVE-2016-4488 1 Gnu 1 Libiberty 2017-07-28 4.3 MEDIUM 5.5 MEDIUM
Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to "ktypevec."
CVE-2016-4489 1 Gnu 1 Libiberty 2017-07-28 4.3 MEDIUM 5.5 MEDIUM
Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the "demangling of virtual tables."
CVE-2016-4490 1 Gnu 1 Libiberty 2017-07-28 4.3 MEDIUM 5.5 MEDIUM
Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths.
CVE-2016-6462 1 Cisco 1 Email Security Appliance Firmware 2017-07-28 5.0 MEDIUM 5.3 MEDIUM
A vulnerability in the email filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to bypass Advanced Malware Protection (AMP) filters that are configured for an affected device. This vulnerability affects all releases prior to the first fixed release of Cisco AsyncOS Software for both virtual and hardware versions of Cisco Email Security Appliances, if the AMP feature is configured to scan incoming email attachments. More Information: CSCva13456. Known Affected Releases: 10.0.0-082 10.0.0-125 9.7.1-066. Known Fixed Releases: 10.0.0-203 9.7.2-131.
CVE-2015-8796 1 Apache 1 Solr 2017-07-28 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in webapp/web/js/scripts/schema-browser.js in the Admin UI in Apache Solr before 5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted schema-browse URL.
CVE-2016-9374 2 Debian, Wireshark 2 Debian Linux, Wireshark 2017-07-28 4.3 MEDIUM 5.9 MEDIUM
In Wireshark 2.2.0 to 2.2.1 and 2.0.0 to 2.0.7, the AllJoyn dissector could crash with a buffer over-read, triggered by network traffic or a capture file. This was addressed in epan/dissectors/packet-alljoyn.c by ensuring that a length variable properly tracked the state of a signature variable.
CVE-2016-9286 1 Exponentcms 1 Exponent Cms 2017-07-28 5.0 MEDIUM 5.3 MEDIUM
framework/modules/users/controllers/usersController.php in Exponent CMS v2.4.0patch1 does not properly restrict access to user records, which allows remote attackers to read address information, as demonstrated by an address/show/id/1 URI.
CVE-2016-7458 1 Vmware 1 Vsphere Client 2017-07-28 5.0 MEDIUM 5.8 MEDIUM
VMware vSphere Client 5.5 before U3e and 6.0 before U2a allows remote vCenter Server and ESXi instances to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
CVE-2016-9285 1 Exponentcms 1 Exponent Cms 2017-07-28 5.0 MEDIUM 5.3 MEDIUM
framework/modules/addressbook/controllers/addressController.php in Exponent CMS v2.4.0 allows remote attackers to read user information via a modified id number, as demonstrated by address/edit/id/1, related to an "addresses, countries, and regions" issue.
CVE-2016-2939 1 Ibm 2 Domino, Inotes 2017-07-28 4.3 MEDIUM 6.1 MEDIUM
IBM iNotes is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2016-5334 1 Vmware 2 Identity Manger, Vrealize Automation 2017-07-28 5.0 MEDIUM 5.3 MEDIUM
VMware Identity Manager 2.x before 2.7.1 and vRealize Automation 7.x before 7.2.0 allow remote attackers to read /SAAS/WEB-INF and /SAAS/META-INF files via unspecified vectors.
CVE-2016-4493 1 Gnu 1 Libiberty 2017-07-28 4.3 MEDIUM 5.5 MEDIUM
The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary.
CVE-2016-4491 1 Gnu 1 Libiberty 2017-07-28 4.3 MEDIUM 5.5 MEDIUM
The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having "itself as ancestor more than once."
CVE-2016-7795 2 Canonical, Systemd Project 2 Ubuntu Linux, Systemd 2017-07-28 4.9 MEDIUM 5.5 MEDIUM
The manager_invoke_notify_message function in systemd 231 and earlier allows local users to cause a denial of service (assertion failure and PID 1 hang) via a zero-length message received over a notify socket.
CVE-2016-0282 1 Ibm 1 Lotus Inotes 2017-07-28 3.5 LOW 5.4 MEDIUM
Cross-site scripting (XSS) vulnerability in IBM iNotes before 8.5.3 FP6 IF2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, aka SPR KLYHAAHNUS.
CVE-2016-6472 1 Cisco 1 Unified Communications Manager 2017-07-28 4.3 MEDIUM 6.1 MEDIUM
A vulnerability in several parameters of the ccmivr page of Cisco Unified Communication Manager (CallManager) could allow an unauthenticated, remote attacker to launch a cross-site scripting (XSS) attack against a user of the web interface on the affected system. More Information: CSCvb37121. Known Affected Releases: 11.5(1.2). Known Fixed Releases: 11.5(1.11950.96) 11.5(1.12900.2) 12.0(0.98000.133) 12.0(0.98000.313) 12.0(0.98000.404).
CVE-2016-2938 1 Ibm 2 Domino, Inotes 2017-07-28 4.3 MEDIUM 6.1 MEDIUM
IBM iNotes is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2016-4492 1 Gnu 1 Libiberty 2017-07-28 4.3 MEDIUM 4.4 MEDIUM
Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary.
CVE-2016-9377 1 Xen 1 Xen 2017-07-28 2.1 LOW 5.5 MEDIUM
Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging IDT entry miscalculation.
CVE-2016-7796 3 Novell, Redhat, Systemd Project 9 Suse Linux Enterprise Desktop, Suse Linux Enterprise Server, Suse Linux Enterprise Server For Sap and 6 more 2017-07-28 4.9 MEDIUM 5.5 MEDIUM
The manager_dispatch_notify_fd function in systemd allows local users to cause a denial of service (system hang) via a zero-length message received over a notify socket, which causes an error to be returned and the notification handler to be disabled.
CVE-2017-1245 1 Ibm 1 Rational Software Architect Design Manager 2017-07-27 3.5 LOW 5.4 MEDIUM
IBM Rational Software Architect Design Manager 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 124580.
CVE-2016-6118 1 Ibm 1 Emptoris Strategic Supply Management 2017-07-27 3.5 LOW 5.4 MEDIUM
IBM Emptoris Supplier Lifecycle Management 10.1.0.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118356.
CVE-2016-8950 1 Ibm 1 Emptoris Sourcing 2017-07-27 3.5 LOW 5.4 MEDIUM
IBM Emptoris Sourcing 9.5.x through 10.1.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118837.
CVE-2016-8947 1 Ibm 1 Emptoris Sourcing 2017-07-27 5.8 MEDIUM 6.1 MEDIUM
IBM Emptoris Sourcing 9.5.x through 10.1.x could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim. IBM X-Force ID: 118834
CVE-2017-1000006 1 Plotly 1 Plotly.js 2017-07-27 4.3 MEDIUM 6.1 MEDIUM
Plotly, Inc. plotly.js versions prior to 1.16.0 are vulnerable to an XSS issue.
CVE-2017-11522 1 Imagemagick 1 Imagemagick 2017-07-27 4.3 MEDIUM 6.5 MEDIUM
The WriteOnePNGImage function in coders/png.c in ImageMagick through 6.9.9-0 and 7.x through 7.0.6-1 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file.
CVE-2017-3742 3 Google, Lenovo, Microsoft 3 Android, Connect2, Windows 2017-07-27 2.3 LOW 4.8 MEDIUM
In Lenovo Connect2 versions earlier than 4.2.5.4885 for Windows and 4.2.5.3071 for Android, when an ad-hoc connection is made between two systems for the purpose of sharing files, the password for this ad-hoc connection will be stored in a user-readable location. An attacker with read access to the user's contents could connect to the Connect2 hotspot and see the contents of files while they are being transferred between the two systems.
CVE-2016-9247 1 F5 10 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 7 more 2017-07-27 4.3 MEDIUM 5.9 MEDIUM
Under certain conditions for BIG-IP systems using a virtual server with an associated FastL4 profile and TCP analytics profile, a specific sequence of packets may cause the Traffic Management Microkernel (TMM) to restart.
CVE-2016-7623 1 Apple 2 Iphone Os, Safari 2017-07-27 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. The issue involves the "WebKit" component. It allows remote attackers to obtain sensitive information via a blob URL on a web site.
CVE-2016-9938 1 Digium 2 Asterisk, Certified Asterisk 2017-07-27 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in Asterisk Open Source 11.x before 11.25.1, 13.x before 13.13.1, and 14.x before 14.2.1 and Certified Asterisk 11.x before 11.6-cert16 and 13.x before 13.8-cert4. The chan_sip channel driver has a liberal definition for whitespace when attempting to strip the content between a SIP header name and a colon character. Rather than following RFC 3261 and stripping only spaces and horizontal tabs, Asterisk treats any non-printable ASCII character as if it were whitespace. This means that headers such as Contact\x01: will be seen as a valid Contact header. This mostly does not pose a problem until Asterisk is placed in tandem with an authenticating SIP proxy. In such a case, a crafty combination of valid and invalid To headers can cause a proxy to allow an INVITE request into Asterisk without authentication since it believes the request is an in-dialog request. However, because of the bug described above, the request will look like an out-of-dialog request to Asterisk. Asterisk will then process the request as a new call. The result is that Asterisk can process calls from unvetted sources without any authentication. If you do not use a proxy for authentication, then this issue does not affect you. If your proxy is dialog-aware (meaning that the proxy keeps track of what dialogs are currently valid), then this issue does not affect you. If you use chan_pjsip instead of chan_sip, then this issue does not affect you.
CVE-2016-7592 1 Apple 4 Icloud, Iphone Os, Itunes and 1 more 2017-07-27 4.3 MEDIUM 4.3 MEDIUM
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component, which allows remote attackers to obtain sensitive information via crafted JavaScript prompts on a web site.
CVE-2016-5881 1 Ibm 1 Inotes 2017-07-27 4.3 MEDIUM 6.1 MEDIUM
IBM iNotes is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVE-2016-9998 1 Spip 1 Spip 2017-07-27 4.3 MEDIUM 6.1 MEDIUM
SPIP 3.1.x suffer from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/info_plugin.php involving the `$plugin` parameter, as demonstrated by a /ecrire/?exec=info_plugin URL.
CVE-2016-9997 1 Spip 1 Spip 2017-07-27 4.3 MEDIUM 6.1 MEDIUM
SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/puce_statut.php involving the `$id` parameter, as demonstrated by a /ecrire/?exec=puce_statut URL.
CVE-2016-4690 1 Apple 1 Iphone Os 2017-07-27 4.6 MEDIUM 6.8 MEDIUM
An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Image Capture" component, which allows attackers to execute arbitrary code via a crafted USB HID device.
CVE-2016-7634 1 Apple 1 Iphone Os 2017-07-27 2.1 LOW 4.6 MEDIUM
An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Accessibility" component, which accepts spoken passwords without considering that they are locally audible.
CVE-2016-9889 1 Tiki 1 Tikiwiki Cms\/groupware 2017-07-27 4.3 MEDIUM 6.1 MEDIUM
Some forms with the parameter geo_zoomlevel_to_found_location in Tiki Wiki CMS 12.x before 12.10 LTS, 15.x before 15.3 LTS, and 16.x before 16.1 don't have the input sanitized, related to tiki-setup.php and article_image.php. The impact is XSS.
CVE-2016-7650 1 Apple 2 Iphone Os, Safari 2017-07-27 2.6 LOW 4.7 MEDIUM
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. The issue involves the "Safari Reader" component, which allows remote attackers to conduct UXSS attacks via a crafted web site.
CVE-2016-7628 1 Apple 1 Mac Os X 2017-07-27 2.1 LOW 5.5 MEDIUM
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "Assets" component, which allows local users to bypass intended permission restrictions and change a downloaded mobile asset via unspecified vectors.
CVE-2016-7586 1 Apple 4 Icloud, Iphone Os, Itunes and 1 more 2017-07-27 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to obtain sensitive information via a crafted web site.
CVE-2016-7608 1 Apple 1 Mac Os X 2017-07-27 2.1 LOW 5.5 MEDIUM
An issue was discovered in certain Apple products. macOS before 10.12.2 is affected. The issue involves the "IOFireWireFamily" component, which allows local users to obtain sensitive information from kernel memory via unspecified vectors.
CVE-2016-4781 1 Apple 1 Iphone Os 2017-07-27 4.6 MEDIUM 6.8 MEDIUM
An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "SpringBoard" component, which allows physically proximate attackers to bypass the passcode attempt counter and unlock a device via unspecified vectors.
CVE-2016-7597 1 Apple 1 Iphone Os 2017-07-27 2.1 LOW 4.6 MEDIUM
An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "SpringBoard" component, which allows physically proximate attackers to maintain the unlocked state via vectors related to Handoff with Siri.
CVE-2016-7598 1 Apple 4 Icloud, Iphone Os, Itunes and 1 more 2017-07-27 4.3 MEDIUM 6.5 MEDIUM
An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves the "WebKit" component. It allows remote attackers to obtain sensitive information from process memory via a crafted web site.