Search
Total
46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-0323 | 1 Ibm | 1 Bluemix | 2016-05-19 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Auto-Scaling agent in Liberty for Java in IBM Bluemix before 2.7-20160321-1358 allows remote authenticated users to disable X.509 certificate validation, and consequently bypass an intended HTTPS trust-management feature, via unspecified vectors. | |||||
| CVE-2016-4536 | 1 Openafs | 1 Openafs | 2016-05-19 | 5.0 MEDIUM | 5.3 MEDIUM |
| The client in OpenAFS before 1.6.17 does not properly initialize the (1) AFSStoreStatus, (2) AFSStoreVolumeStatus, (3) VldbListByAttributes, and (4) ListAddrByAttributes structures, which might allow remote attackers to obtain sensitive memory information by leveraging access to RPC call traffic. | |||||
| CVE-2016-1206 | 1 Iodata | 5 Wn-gdn\/r3, Wn-gdn\/r3-c, Wn-gdn\/r3-s and 2 more | 2016-05-18 | 3.3 LOW | 4.3 MEDIUM |
| The WPS implementation on I-O DATA DEVICE WN-GDN/R3, WN-GDN/R3-C, WN-GDN/R3-S, and WN-GDN/R3-U devices does not limit PIN guesses, which allows remote attackers to obtain network access via a brute-force attack. | |||||
| CVE-2016-0731 | 1 Apache | 1 Ambari | 2016-05-18 | 4.0 MEDIUM | 4.9 MEDIUM |
| The File Browser View in Apache Ambari before 2.2.1 allows remote authenticated administrators to read arbitrary files via a file: URL in the WebHDFS URL configuration. | |||||
| CVE-2016-3950 | 1 Huawei | 2 Ar3200, Ar3200 Firmware | 2016-05-18 | 6.8 MEDIUM | 6.5 MEDIUM |
| Huawei AR3200 routers with software before V200R006C10SPC300 allow remote authenticated users to cause a denial of service (restart) via crafted packets. | |||||
| CVE-2016-3984 | 1 Mcafee | 7 Active Response, Agent, Data Exchange Layer and 4 more | 2016-05-18 | 3.6 LOW | 5.1 MEDIUM |
| The McAfee VirusScan Console (mcconsol.exe) in McAfee Active Response (MAR) before 1.1.0.161, Agent (MA) 5.x before 5.0.2 Hotfix 1110392 (5.0.2.333), Data Exchange Layer 2.x (DXL) before 2.0.1.140.1, Data Loss Prevention Endpoint (DLPe) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Device Control (MDC) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Endpoint Security (ENS) 10.x before 10.1, Host Intrusion Prevention Service (IPS) 8.0 before 8.0.0.3624, and VirusScan Enterprise (VSE) 8.8 before P7 (8.8.0.1528) on Windows allows local administrators to bypass intended self-protection rules and disable the antivirus engine by modifying registry keys. | |||||
| CVE-2016-1207 | 1 Iodata | 6 Wn-g300r, Wn-g300r2, Wn-g300r2 Firmware and 3 more | 2016-05-17 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability on I-O DATA DEVICE WN-G300R devices with firmware 1.12 and earlier, WN-G300R2 devices with firmware 1.12 and earlier, and WN-G300R3 devices with firmware 1.01 and earlier allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2016-1236 | 2 Debian, Websvn | 2 Debian Linux, Websvn | 2016-05-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in (1) revision.php, (2) log.php, (3) listing.php, and (4) comp.php in WebSVN allow context-dependent attackers to inject arbitrary web script or HTML via the name of a (a) file or (b) directory in a repository. | |||||
| CVE-2016-0390 | 1 Ibm | 1 Algo One | 2016-05-16 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting (XSS) vulnerability in IBM Algorithmics Algo One Algo Risk Application (ARA) 4.9.1 through 5.1.0 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | |||||
| CVE-2016-4561 | 2 Debian, Ikiwiki | 2 Debian Linux, Ikiwiki | 2016-05-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the cgierror function in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message. | |||||
| CVE-2016-2458 | 1 Google | 1 Android | 2016-05-10 | 4.3 MEDIUM | 5.5 MEDIUM |
| The compose functionality in AOSP Mail in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 does not properly restrict attachments, which allows attackers to obtain sensitive information via a crafted application, related to ComposeActivity.java and ComposeActivityEmail.java, aka internal bug 27335139. | |||||
| CVE-2016-2350 | 1 Accellion | 1 File Transfer Appliance | 2016-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities on the Accellion File Transfer Appliance (FTA) before FTA_9_12_40 allow remote attackers to inject arbitrary web script or HTML via unspecified input to (1) getimageajax.php, (2) move_partition_frame.html, or (3) wmInfo.html. | |||||
| CVE-2016-2459 | 1 Google | 10 Android, Android One, Nexus 5 and 7 more | 2016-05-09 | 4.3 MEDIUM | 5.5 MEDIUM |
| mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-05-01 does not initialize certain data structures, which allows attackers to obtain sensitive information via a crafted application, related to IGraphicBufferConsumer.cpp and IGraphicBufferProducer.cpp, aka internal bug 27556038. | |||||
| CVE-2016-2454 | 1 Google | 2 Android, Nexus 5 | 2016-05-09 | 7.1 HIGH | 5.5 MEDIUM |
| The Qualcomm hardware video codec in Android before 2016-05-01 on Nexus 5 devices allows remote attackers to cause a denial of service (reboot) via a crafted file, aka internal bug 26221024. | |||||
| CVE-2016-0864 | 1 Tollgrade | 1 Smartgrid Lighthouse Sensor Management System | 2016-05-09 | 5.0 MEDIUM | 5.3 MEDIUM |
| Tollgrade SmartGrid LightHouse Sensor Management System (SMS) Software EMS before 5.1, and 4.1.0 Build 16, allows remote attackers to obtain sensitive report and username information via unspecified vectors. | |||||
| CVE-2016-1176 | 1 Sharp | 1 Eva Animator | 2016-05-09 | 6.8 MEDIUM | 6.3 MEDIUM |
| Buffer overflow in the ActiveX control in Sharp EVA Animeter allows remote attackers to execute arbitrary code via a crafted web page. | |||||
| CVE-2015-4178 | 1 Linux | 1 Linux Kernel | 2016-05-06 | 4.9 MEDIUM | 5.5 MEDIUM |
| The fs_pin implementation in the Linux kernel before 4.0.5 does not ensure the internal consistency of a certain list data structure, which allows local users to cause a denial of service (system crash) by leveraging user-namespace root access for an MNT_DETACH umount2 system call, related to fs/fs_pin.c and include/linux/fs_pin.h. | |||||
| CVE-2015-2672 | 1 Linux | 1 Linux Kernel | 2016-05-06 | 4.9 MEDIUM | 5.5 MEDIUM |
| The xsave/xrstor implementation in arch/x86/include/asm/xsave.h in the Linux kernel before 3.19.2 creates certain .altinstr_replacement pointers and consequently does not provide any protection against instruction faulting, which allows local users to cause a denial of service (panic) by triggering a fault, as demonstrated by an unaligned memory operand or a non-canonical address memory operand. | |||||
| CVE-2015-4177 | 1 Linux | 1 Linux Kernel | 2016-05-06 | 4.9 MEDIUM | 5.5 MEDIUM |
| The collect_mounts function in fs/namespace.c in the Linux kernel before 4.0.5 does not properly consider that it may execute after a path has been unmounted, which allows local users to cause a denial of service (system crash) by leveraging user-namespace root access for an MNT_DETACH umount2 system call. | |||||
| CVE-2016-1199 | 1 Lockon | 1 Ec-cube | 2016-05-06 | 5.0 MEDIUM | 5.3 MEDIUM |
| The login page in the management screen in LOCKON EC-CUBE 3.0.0 through 3.0.9 allows remote attackers to bypass intended IP address restrictions via unspecified vectors, a different vulnerability than CVE-2016-1200. | |||||
| CVE-2008-7316 | 1 Linux | 1 Linux Kernel | 2016-05-06 | 2.1 LOW | 5.5 MEDIUM |
| mm/filemap.c in the Linux kernel before 2.6.25 allows local users to cause a denial of service (infinite loop) via a writev system call that triggers an iovec of zero length, followed by a page fault for an iovec of nonzero length. | |||||
| CVE-2015-4176 | 1 Linux | 1 Linux Kernel | 2016-05-05 | 2.1 LOW | 5.5 MEDIUM |
| fs/namespace.c in the Linux kernel before 4.0.2 does not properly support mount connectivity, which allows local users to read arbitrary files by leveraging user-namespace root access for deletion of a file or directory. | |||||
| CVE-2016-4419 | 1 Wireshark | 1 Wireshark | 2016-05-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| epan/dissectors/packet-spice.c in the SPICE dissector in Wireshark 2.x before 2.0.2 mishandles capability data, which allows remote attackers to cause a denial of service (large loop) via a crafted packet. | |||||
| CVE-2016-4420 | 1 Wireshark | 1 Wireshark | 2016-05-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| The NFS dissector in Wireshark 2.x before 2.0.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet. | |||||
| CVE-2016-4416 | 1 Wireshark | 1 Wireshark | 2016-05-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in Wireshark 2.x before 2.0.2 mishandles the Grouping subfield, which allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet. | |||||
| CVE-2016-4415 | 1 Wireshark | 1 Wireshark | 2016-05-04 | 4.3 MEDIUM | 5.9 MEDIUM |
| wiretap/vwr.c in the Ixia IxVeriWave file parser in Wireshark 2.x before 2.0.2 incorrectly increases a certain octet count, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) via a crafted file. | |||||
| CVE-2016-2202 | 1 Symantec | 1 Altiris It Management Suite | 2016-04-28 | 2.1 LOW | 5.5 MEDIUM |
| The Inventory Solution component in the Management Agent in the client in Symantec Altiris IT Management Suite (ITMS) through 7.6 HF7 allows local users to bypass intended application-blacklist restrictions via unspecified vectors. | |||||
| CVE-2016-2304 | 1 Ecava | 1 Integraxor | 2016-04-28 | 4.3 MEDIUM | 4.3 MEDIUM |
| Ecava IntegraXor before 5.0 build 4522 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. | |||||
| CVE-2016-3688 | 1 Dotcms | 1 Dotcms | 2016-04-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| SQL injection vulnerability in dotCMS before 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr. | |||||
| CVE-2016-2305 | 1 Ecava | 1 Integraxor | 2016-04-27 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | |||||
| CVE-2016-2303 | 1 Ecava | 1 Integraxor | 2016-04-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| CRLF injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL. | |||||
| CVE-2016-2300 | 1 Ecava | 1 Integraxor | 2016-04-27 | 6.4 MEDIUM | 6.5 MEDIUM |
| Ecava IntegraXor before 5.0 build 4522 allows remote attackers to bypass authentication and access unspecified web pages via unknown vectors. | |||||
| CVE-2016-2302 | 1 Ecava | 1 Integraxor | 2016-04-27 | 5.0 MEDIUM | 5.3 MEDIUM |
| Ecava IntegraXor before 5.0 build 4522 allows remote attackers to obtain sensitive information by reading detailed error messages. | |||||
| CVE-2016-2301 | 1 Ecava | 1 Integraxor | 2016-04-27 | 6.5 MEDIUM | 6.3 MEDIUM |
| SQL injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2016-2425 | 1 Google | 1 Android | 2016-04-25 | 4.3 MEDIUM | 5.5 MEDIUM |
| mail/compose/ComposeActivity.java in AOSP Mail in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 supports file:///data attachments, which allows attackers to obtain sensitive information via a crafted application, aka internal bugs 7154234 and 26989185. | |||||
| CVE-2016-2423 | 1 Google | 1 Android | 2016-04-25 | 6.6 MEDIUM | 6.1 MEDIUM |
| server/telecom/CallsManager.java in Telephony in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider whether a device is provisioned, which allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism and delete data via unspecified vectors, aka internal bug 26303187. | |||||
| CVE-2016-2421 | 1 Google | 1 Android | 2016-04-25 | 6.6 MEDIUM | 6.1 MEDIUM |
| Setup Wizard in Android 5.1.x before 5.1.1 and 6.x before 2016-04-01 allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism and delete data via unspecified vectors, aka internal bug 26154410. | |||||
| CVE-2016-2424 | 1 Google | 1 Android | 2016-04-25 | 7.1 HIGH | 5.5 MEDIUM |
| server/content/SyncStorageEngine.java in SyncStorageEngine in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 mismanages certain authority data, which allows attackers to cause a denial of service (reboot loop) via a crafted application, aka internal bug 26513719. | |||||
| CVE-2016-2426 | 1 Google | 1 Android | 2016-04-25 | 4.3 MEDIUM | 5.5 MEDIUM |
| server/content/ContentService.java in the Framework component in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not check for a GET_ACCOUNTS permission, which allows attackers to obtain sensitive information via a crafted application, aka internal bug 26094635. | |||||
| CVE-2016-2414 | 1 Google | 1 Android | 2016-04-21 | 4.9 MEDIUM | 6.2 MEDIUM |
| The Minikin library in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider negative size values in font data, which allows remote attackers to cause a denial of service (memory corruption and reboot loop) via a crafted font, aka internal bug 26413177. | |||||
| CVE-2016-2415 | 1 Google | 1 Android | 2016-04-21 | 7.1 HIGH | 5.5 MEDIUM |
| exchange/eas/EasAutoDiscover.java in the Autodiscover implementation in Exchange ActiveSync in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to obtain sensitive information via a crafted application that triggers a spoofed response to a GET request, aka internal bug 26488455. | |||||
| CVE-2016-1273 | 1 Juniper | 3 Junos, Qfx10002, Qfx5100 | 2016-04-20 | 4.3 MEDIUM | 5.9 MEDIUM |
| Juniper Junos OS before 13.2X51-D40, 14.x before 14.1X53-D30, and 15.x before 15.1X53-D20 on QFX5100 and QFX10002 switches do not have sufficient entropy, which makes it easier for remote attackers to defeat cryptographic encryption and authentication protection mechanisms via unspecified vectors. | |||||
| CVE-2015-8346 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2016-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| app/views/timelog/_form.html.erb in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote attackers to obtain sensitive information about subjects of issues by viewing the time logging form. | |||||
| CVE-2015-8537 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2016-04-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| app/views/journals/index.builder in Redmine before 2.6.9, 3.0.x before 3.0.7, and 3.1.x before 3.1.3 allows remote attackers to obtain sensitive information by viewing an Atom feed. | |||||
| CVE-2015-8473 | 2 Debian, Redmine | 2 Debian Linux, Redmine | 2016-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| The Issues API in Redmine before 2.6.8, 3.0.x before 3.0.6, and 3.1.x before 3.1.2 allows remote authenticated users to obtain sensitive information in changeset messages by leveraging permission to read issues with related changesets from other projects. | |||||
| CVE-2016-0712 | 1 Apache | 1 Jetspeed | 2016-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in Apache Jetspeed before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to portal. | |||||
| CVE-2016-0711 | 1 Apache | 1 Jetspeed | 2016-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Apache Jetspeed before 2.3.1 allow remote attackers to inject arbitrary web script or HTML via the title parameter when adding a (1) link, (2) page, or (3) folder resource. | |||||
| CVE-2015-5233 | 2 Redhat, Theforeman | 2 Satellite, Foreman | 2016-04-20 | 6.0 MEDIUM | 4.2 MEDIUM |
| Foreman before 1.8.4 and 1.9.x before 1.9.1 do not properly apply view_hosts permissions, which allows (1) remote authenticated users with the view_reports permission to read reports from arbitrary hosts or (2) remote authenticated users with the destroy_reports permission to delete reports from arbitrary hosts via direct access to the (a) individual report show/delete pages or (b) APIs. | |||||
| CVE-2014-6276 | 2 Debian, Roundup-tracker | 2 Debian Linux, Roundup | 2016-04-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| schema.py in Roundup before 1.5.1 does not properly limit attributes included in default user permissions, which might allow remote authenticated users to obtain sensitive user information by viewing user details. | |||||
| CVE-2015-8682 | 1 Huawei | 4 Mate S, Mate S Firmware, P8 and 1 more | 2016-04-20 | 7.8 HIGH | 6.1 MEDIUM |
| The Video0 driver in Huawei P8 smartphones with software GRA-UL00 before GRA-UL00C00B350, GRA-UL10 before GRA-UL10C00B350, GRA-TL00 before GRA-TL00C01B350, GRA-CL00 before GRA-CL00C92B350, and GRA-CL10 before GRA-CL10C92B350 and Mate S smartphones with software CRR-TL00 before CRR-TL00C01B160SP01, CRR-UL00 before CRR-UL00C00B160, and CRR-CL00 before CRR-CL00C92B161 allows attackers to obtain sensitive information from stack memory or cause a denial of service (system crash) via a crafted application, which triggers an invalid memory access. | |||||