Vulnerabilities (CVE)

CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2016-9850 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in phpMyAdmin. Username matching for the allow/deny rules may result in wrong matches and detection of the username in the rule due to non-constant execution time. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
CVE-2016-9848 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in phpMyAdmin. phpinfo (phpinfo.php) shows PHP information including values of HttpOnly cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
CVE-2016-6625 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 4.0 MEDIUM 4.3 MEDIUM
An issue was discovered in phpMyAdmin. An attacker can determine whether a user is logged in to phpMyAdmin. The user's session, username, and password are not compromised by this vulnerability. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-9847 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in phpMyAdmin. When the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where the way this value is created uses a weak algorithm. This could allow an attacker to determine the user's blowfish_secret and potentially decrypt their cookies. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
CVE-2016-6626 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 5.8 MEDIUM 5.4 MEDIUM
An issue was discovered in phpMyAdmin. An attacker could redirect a user to a malicious web page. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-6627 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 5.0 MEDIUM 5.3 MEDIUM
An issue was discovered in phpMyAdmin. An attacker can determine the phpMyAdmin host location through the file url.php. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-7555 1 Ffmpeg 1 Ffmpeg 2017-07-01 4.3 MEDIUM 5.5 MEDIUM
The avi_read_header function in libavformat/avidec.c in FFmpeg before 3.1.4 is vulnerable to memory leak when decoding an AVI file that has a crafted "strh" structure.
CVE-2016-6607 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 4.3 MEDIUM 6.1 MEDIUM
XSS issues were discovered in phpMyAdmin. This affects Zoom search (specially crafted column content can be used to trigger an XSS attack); GIS editor (certain fields in the graphical GIS editor are not properly escaped and can be used to trigger an XSS attack); Relation view; the following Transformations: Formatted, Imagelink, JPEG: Upload, RegexValidation, JPEG inline, PNG inline, and transformation wrapper; XML export; MediaWiki export; Designer; When the MySQL server is running with a specially-crafted log_bin directive; Database tab; Replication feature; and Database search. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-7094 1 Xen 1 Xen 2017-07-01 1.5 LOW 4.1 MEDIUM
Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS administrators on guests running with shadow paging to cause a denial of service via a pagetable update.
CVE-2016-9189 2 Debian, Python 2 Debian Linux, Pillow 2017-07-01 4.3 MEDIUM 5.5 MEDIUM
Pillow before 3.3.2 allows context-dependent attackers to obtain sensitive information by using the "crafted image file" approach, related to an "Integer Overflow" issue affecting the Image.core.map_buffer in map.c component.
CVE-2017-6508 1 Gnu 1 Wget 2017-07-01 4.3 MEDIUM 6.1 MEDIUM
CRLF injection vulnerability in the url_parse function in url.c in Wget through 1.19.1 allows remote attackers to inject arbitrary HTTP headers via CRLF sequences in the host subcomponent of a URL.
CVE-2016-6610 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 4.0 MEDIUM 4.3 MEDIUM
A full path disclosure vulnerability was discovered in phpMyAdmin where a user can trigger a particular error in the export mechanism to discover the full path of phpMyAdmin on the disk. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-6652 1 Pivotal Software 1 Spring Data Jpa 2017-07-01 6.8 MEDIUM 5.6 MEDIUM
SQL injection vulnerability in Pivotal Spring Data JPA before 1.9.6 (Gosling SR6) and 1.10.x before 1.10.4 (Hopper SR4), when used with a repository that defines a String query using the @Query annotation, allows attackers to execute arbitrary JPQL commands via a sort instance with a function call.
CVE-2016-6608 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 4.3 MEDIUM 6.1 MEDIUM
XSS issues were discovered in phpMyAdmin. This affects the database privilege check and the "Remove partitioning" functionality. Specially crafted database names can trigger the XSS attack. All 4.6.x versions (prior to 4.6.4) are affected.
CVE-2016-6632 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 4.3 MEDIUM 5.9 MEDIUM
An issue was discovered in phpMyAdmin where, under certain conditions, phpMyAdmin may not delete temporary files during the import of ESRI files. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-6628 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 6.8 MEDIUM 6.3 MEDIUM
An issue was discovered in phpMyAdmin. An attacker may be able to trigger a user to download a specially crafted malicious SVG file. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-7905 1 Ffmpeg 1 Ffmpeg 2017-07-01 4.3 MEDIUM 5.5 MEDIUM
The read_gab2_sub function in libavformat/avidec.c in FFmpeg before 3.1.4 allows remote attackers to cause a denial of service (NULL pointer used) via a crafted AVI file.
CVE-2016-9385 2 Citrix, Xen 2 Xenserver, Xen 2017-07-01 4.9 MEDIUM 6.0 MEDIUM
The x86 segment base write emulation functionality in Xen 4.4.x through 4.7.x allows local x86 PV guest OS administrators to cause a denial of service (host crash) by leveraging lack of canonical address checks.
CVE-2016-7785 1 Ffmpeg 1 Ffmpeg 2017-07-01 4.3 MEDIUM 5.5 MEDIUM
The avi_read_seek function in libavformat/avidec.c in FFmpeg before 3.1.4 allows remote attackers to cause a denial of service (assert fault) via a crafted AVI file.
CVE-2016-7777 1 Xen 1 Xen 2017-07-01 3.3 LOW 6.3 MEDIUM
Xen 4.7.x and earlier does not properly honor CR0.TS and CR0.EM, which allows local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it.
CVE-2016-6630 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 4.0 MEDIUM 6.5 MEDIUM
An issue was discovered in phpMyAdmin. An authenticated user can trigger a denial-of-service (DoS) attack by entering a very long password at the change password dialog. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
CVE-2016-7562 1 Ffmpeg 1 Ffmpeg 2017-07-01 4.3 MEDIUM 5.5 MEDIUM
The ff_draw_pc_font function in libavcodec/cga_data.c in FFmpeg before 3.1.4 allows remote attackers to cause a denial of service (buffer overflow) via a crafted AVI file.
CVE-2016-4855 1 Adodb Project 1 Adodb 2017-07-01 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting vulnerability in ADOdb versions prior to 5.20.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-5732 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 4.3 MEDIUM 6.1 MEDIUM
Multiple cross-site scripting (XSS) vulnerabilities in the partition-range implementation in templates/table/structure/display_partitions.phtml in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allow remote attackers to inject arbitrary web script or HTML via crafted table parameters.
CVE-2016-2810 2 Google, Mozilla 2 Android, Firefox 2017-07-01 4.3 MEDIUM 5.0 MEDIUM
Mozilla Firefox before 46.0 on Android before 5.0 allows attackers to bypass intended Signature access requirements via a crafted application that leverages content-provider permissions, as demonstrated by reading the browser history or a saved password.
CVE-2016-2813 2 Google, Mozilla 2 Android, Firefox 2017-07-01 4.3 MEDIUM 6.5 MEDIUM
Mozilla Firefox before 46.0 on Android does not properly restrict JavaScript access to orientation and motion data, which allows remote attackers to obtain sensitive information about a device's physical environment, and possibly discover PIN values, via a crafted web site, a similar issue to CVE-2016-1780.
CVE-2016-2817 1 Mozilla 1 Firefox 2017-07-01 4.3 MEDIUM 5.4 MEDIUM
The WebExtension sandbox feature in browser/components/extensions/ext-tabs.js in Mozilla Firefox before 46.0 does not properly restrict principal inheritance during chrome.tabs.create and chrome.tabs.update API calls, which allows remote attackers to conduct Universal XSS (UXSS) attacks via a crafted extension that accesses a (1) javascript: or (2) data: URL.
CVE-2016-2270 4 Debian, Fedoraproject, Oracle and 1 more 4 Debian Linux, Fedora, Vm Server and 1 more 2017-07-01 4.6 MEDIUM 6.8 MEDIUM
Xen 4.6.x and earlier allows local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings.
CVE-2016-2217 1 Dest-unreach 1 Socat 2017-07-01 5.0 MEDIUM 5.3 MEDIUM
The OpenSSL address implementation in Socat 1.7.3.0 and 2.0.0-b8 does not use a prime number for the DH, which makes it easier for remote attackers to obtain the shared secret.
CVE-2015-8927 1 Libarchive 1 Libarchive 2017-07-01 4.3 MEDIUM 5.5 MEDIUM
The trad_enc_decrypt_update function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap read and crash) via a crafted zip file, related to reading the password.
CVE-2015-8929 2 Libarchive, Suse 4 Libarchive, Linux Enterprise Desktop, Linux Enterprise Server and 1 more 2017-07-01 4.3 MEDIUM 5.5 MEDIUM
Memory leak in the __archive_read_get_extract function in archive_read_extract2.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service via a tar file.
CVE-2016-10221 1 Artifex 1 Mupdf 2017-07-01 4.3 MEDIUM 5.5 MEDIUM
The count_entries function in pdf-layer.c in Artifex Software, Inc. MuPDF 1.10a allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted PDF document.
CVE-2016-1523 4 Debian, Fedoraproject, Mozilla and 1 more 5 Debian Linux, Fedora, Firefox Esr and 2 more 2017-07-01 4.3 MEDIUM 6.5 MEDIUM
The SillMap::readFace function in FeatureMap.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, mishandles a return value, which allows remote attackers to cause a denial of service (missing initialization, NULL pointer dereference, and application crash) via a crafted Graphite smart font.
CVE-2016-2809 2 Microsoft, Mozilla 2 Windows, Firefox 2017-07-01 5.8 MEDIUM 5.5 MEDIUM
The Mozilla Maintenance Service updater in Mozilla Firefox before 46.0 on Windows allows user-assisted remote attackers to delete arbitrary files by leveraging certain local file execution.
CVE-2016-2533 3 Debian, Python, Python Imaging Project 3 Debian Linux, Pillow, Python Imaging 2017-07-01 4.3 MEDIUM 6.5 MEDIUM
Buffer overflow in the ImagingPcdDecode function in PcdDecode.c in Pillow before 3.1.1 and Python Imaging Library (PIL) 1.1.7 and earlier allows remote attackers to cause a denial of service (crash) via a crafted PhotoCD file.
CVE-2016-0775 2 Debian, Python 2 Debian Linux, Pillow 2017-07-01 4.3 MEDIUM 6.5 MEDIUM
Buffer overflow in the ImagingFliDecode function in libImaging/FliDecode.c in Pillow before 3.1.1 allows remote attackers to cause a denial of service (crash) via a crafted FLI file.
CVE-2016-2271 1 Xen 1 Xen 2017-07-01 2.1 LOW 5.5 MEDIUM
VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP.
CVE-2016-2088 1 Isc 1 Bind 2017-07-01 4.3 MEDIUM 6.8 MEDIUM
resolver.c in named in ISC BIND 9.10.x before 9.10.3-P4, when DNS cookies are enabled, allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed packet with more than one cookie option.
CVE-2016-2820 1 Mozilla 1 Firefox 2017-07-01 4.3 MEDIUM 4.3 MEDIUM
The Firefox Health Reports (aka FHR or about:healthreport) feature in Mozilla Firefox before 46.0 does not properly restrict the origin of events, which makes it easier for remote attackers to modify sharing preferences by leveraging access to the remote-report IFRAME element.
CVE-2016-0740 2 Debian, Python 2 Debian Linux, Pillow 2017-07-01 4.3 MEDIUM 6.5 MEDIUM
Buffer overflow in the ImagingLibTiffDecode function in libImaging/TiffDecode.c in Pillow before 3.1.1 allows remote attackers to overwrite memory via a crafted TIFF file.
CVE-2016-2816 1 Mozilla 1 Firefox 2017-07-01 4.3 MEDIUM 6.5 MEDIUM
Mozilla Firefox before 46.0 allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via the multipart/x-mixed-replace content type.
CVE-2016-5319 1 Libtiff 1 Libtiff 2017-07-01 4.3 MEDIUM 6.5 MEDIUM
Heap-based buffer overflow in tif_packbits.c in libtiff 4.0.6 and earlier allows remote attackers to crash the application via a crafted bmp file.
CVE-2016-5704 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 4.3 MEDIUM 6.1 MEDIUM
Cross-site scripting (XSS) vulnerability in the table-structure page in phpMyAdmin 4.6.x before 4.6.3 allows remote attackers to inject arbitrary web script or HTML via vectors involving a comment.
CVE-2016-5010 1 Imagemagick 1 Imagemagick 2017-07-01 4.3 MEDIUM 6.5 MEDIUM
coders/tiff.c in ImageMagick before 6.9.5-3 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TIFF file.
CVE-2016-4412 1 Phpmyadmin 1 Phpmyadmin 2017-07-01 3.6 LOW 4.4 MEDIUM
An issue was discovered in phpMyAdmin. A user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site. The attacker must sniff the user's valid phpMyAdmin token. All 4.0.x versions (prior to 4.0.10.16) are affected.
CVE-2015-3182 1 Wireshark 1 Wireshark 2017-07-01 4.3 MEDIUM 5.5 MEDIUM
epan/dissectors/packet-dec-dnart.c in the DECnet NSP/RT dissector in Wireshark 1.10.12 through 1.10.14 mishandles a certain strdup return value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
CVE-2015-7780 1 Zohocorp 1 Manageengine Firewall Analyzer 2017-06-30 4.0 MEDIUM 6.5 MEDIUM
Directory traversal vulnerability in ManageEngine Firewall Analyzer before 8.0.
CVE-2017-9218 1 Audiocoding 1 Freeware Advanced Audio Decoder 2 2017-06-30 4.3 MEDIUM 5.5 MEDIUM
The mp4ff_read_stsd function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted mp4 file.
CVE-2017-9219 1 Audiocoding 1 Freeware Advanced Audio Decoder 2 2017-06-30 4.3 MEDIUM 5.5 MEDIUM
The mp4ff_read_stsc function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 allows remote attackers to cause a denial of service (memory allocation error and application crash) via a crafted mp4 file.
CVE-2017-9221 1 Audiocoding 1 Freeware Advanced Audio Decoder 2 2017-06-30 4.3 MEDIUM 5.5 MEDIUM
The mp4ff_read_mdhd function in common/mp4ff/mp4atom.c in Freeware Advanced Audio Decoder 2 (FAAD2) 2.7 allows remote attackers to cause a denial of service (invalid memory read and application crash) via a crafted mp4 file.