Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-2504 | 1 Google | 1 Android | 2016-11-28 | 6.9 MEDIUM | 7.8 HIGH |
| The Qualcomm GPU driver in Android before 2016-08-05 on Nexus 5, 5X, 6, 6P, and 7 (2013) devices allows attackers to gain privileges via a crafted application, aka Android internal bug 28026365 and Qualcomm internal bug CR1002974. | |||||
| CVE-2016-2826 | 2 Microsoft, Mozilla | 3 Windows, Firefox, Firefox Esr | 2016-11-28 | 7.2 HIGH | 7.8 HIGH |
| The maintenance service in Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 on Windows does not prevent MAR extracted-file modification during updater execution, which might allow local users to gain privileges via a Trojan horse file. | |||||
| CVE-2016-2162 | 1 Apache | 1 Struts | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. | |||||
| CVE-2016-2187 | 3 Canonical, Linux, Novell | 5 Ubuntu Linux, Linux Kernel, Suse Linux Enterprise Debuginfo and 2 more | 2016-11-28 | 4.9 MEDIUM | 4.6 MEDIUM |
| The gtco_probe function in drivers/input/tablet/gtco.c in the Linux kernel through 4.5.2 allows physically proximate attackers to cause a denial of service (NULL pointer dereference and system crash) via a crafted endpoints value in a USB device descriptor. | |||||
| CVE-2016-1927 | 1 Phpmyadmin | 1 Phpmyadmin | 2016-11-28 | 5.0 MEDIUM | 7.5 HIGH |
| The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach. | |||||
| CVE-2016-1951 | 1 Mozilla | 1 Netscape Portable Runtime | 2016-11-28 | 7.5 HIGH | 8.6 HIGH |
| Multiple integer overflows in io/prprf.c in Mozilla Netscape Portable Runtime (NSPR) before 4.12 allow remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long string to a PR_*printf function. | |||||
| CVE-2016-2048 | 1 Djangoproject | 1 Django | 2016-11-28 | 6.0 MEDIUM | 5.5 MEDIUM |
| Django 1.9.x before 1.9.2, when ModelAdmin.save_as is set to True, allows remote authenticated users to bypass intended access restrictions and create ModelAdmin objects via the "Save as New" option when editing objects and leveraging the "change" permission. | |||||
| CVE-2016-1598 | 1 Novell | 2 Identity Manager, Identity Manager Identity Applications | 2016-11-28 | 3.5 LOW | 5.4 MEDIUM |
| XSS in NetIQ IDM 4.5 Identity Applications before 4.5.4 allows attackers able to change their username to inject arbitrary HTML code into the Role Assignment administrator HTML pages. | |||||
| CVE-2016-1606 | 1 Microfocus | 1 Rumba | 2016-11-28 | 10.0 HIGH | 9.8 CRITICAL |
| Multiple stack-based buffer overflows in COM objects in Micro Focus Rumba 9.4.x before 9.4 HF 13960 allow remote attackers to execute arbitrary code via (1) the NetworkName property value to ObjectXSNAConfig.ObjectXSNAConfig in iconfig.dll, (2) the CPName property value to ObjectXSNAConfig.ObjectXSNAConfig in iconfig.dll, (3) the PrinterName property value to ProfileEditor.PrintPasteControl in ProfEdit.dll, (4) the Data argument to the WriteRecords function in FTXBIFFLib.AS400FtxBIFF in FtxBIFF.dll, (5) the Serialized property value to NMSECCOMPARAMSLib.SSL3 in NMSecComParams.dll, (6) the UserName property value to NMSECCOMPARAMSLib.FirewallProxy in NMSecComParams.dll, (7) the LUName property value to ProfileEditor.MFSNAControl in ProfEdit.dll, (8) the newVal argument to the Load function in FTPSFTPLib.SFtpSession in FTPSFtp.dll, or (9) a long Host field in the FTP Client. | |||||
| CVE-2016-1441 | 1 Cisco | 1 Cloud Network Automation Provisioner | 2016-11-28 | 6.4 MEDIUM | 8.2 HIGH |
| Cisco Cloud Network Automation Provisioner (CNAP) 1.0(0) in Cisco Configuration Assistant (CCA) allows remote attackers to bypass intended filesystem and administrative-endpoint restrictions via GET API calls, aka Bug ID CSCuy77145. | |||||
| CVE-2016-1458 | 1 Cisco | 1 Firepower Management Center | 2016-11-28 | 9.0 HIGH | 8.8 HIGH |
| The web-based GUI in Cisco Firepower Management Center 4.x and 5.x before 5.3.0.3, 5.3.1.x before 5.3.1.2, and 5.4.x before 5.4.0.1 and Cisco Adaptive Security Appliance (ASA) Software on 5500-X devices with FirePOWER Services 4.x and 5.x before 5.3.0.3, 5.3.1.x before 5.3.1.2, and 5.4.x before 5.4.0.1 allows remote authenticated users to increase user-account privileges via crafted HTTP requests, aka Bug ID CSCur25483. | |||||
| CVE-2016-1467 | 1 Cisco | 1 Videoscape Session Resource Manager | 2016-11-28 | 6.1 MEDIUM | 6.5 MEDIUM |
| Cisco Videoscape Session Resource Manager (VSRM) allows remote attackers to cause a denial of service (device restart) by sending a traffic flood to upstream devices, aka Bug ID CSCva01813. | |||||
| CVE-2016-1477 | 1 Cisco | 1 Connected Streaming Analytics | 2016-11-28 | 4.0 MEDIUM | 6.5 MEDIUM |
| Cisco Connected Streaming Analytics 1.1.1 allows remote authenticated users to discover a notification service password by reading administrative pages, aka Bug ID CSCuz92891. | |||||
| CVE-2016-1505 | 2 Microsoft, Radicale | 2 Windows, Radicale | 2016-11-28 | 7.5 HIGH | 10.0 CRITICAL |
| The filesystem storage backend in Radicale before 1.1 on Windows allows remote attackers to read or write to arbitrary files via a crafted path, as demonstrated by /c:/file/ignore. | |||||
| CVE-2016-1200 | 1 Lockon | 1 Ec-cube | 2016-11-28 | 6.5 MEDIUM | 6.3 MEDIUM |
| The management screen in LOCKON EC-CUBE 3.0.7 through 3.0.9 allows remote authenticated users to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2016-1199. | |||||
| CVE-2016-1201 | 1 Lockon | 1 Ec-cube | 2016-11-28 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in LOCKON EC-CUBE 3.0.0 through 3.0.9 allows remote attackers to hijack the authentication of administrators. | |||||
| CVE-2016-1205 | 1 Shiro8 | 2 Category Freearea Addition, Itemdetail Freearea Addition | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site scripting (XSS) vulnerability in the shiro8 (1) category_freearea_ addition_plugin plugin 1.0 and (2) itemdetail_freearea_ addition_plugin plugin 1.0 for EC-CUBE allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2016-1237 | 1 Linux | 1 Linux Kernel | 2016-11-28 | 4.9 MEDIUM | 5.5 MEDIUM |
| nfsd in the Linux kernel through 4.6.3 allows local users to bypass intended file-permission restrictions by setting a POSIX ACL, related to nfs2acl.c, nfs3acl.c, and nfs4acl.c. | |||||
| CVE-2016-1393 | 1 Cisco | 1 Cloud Network Automation Provisioner | 2016-11-28 | 6.5 MEDIUM | 7.1 HIGH |
| SQL injection vulnerability in Cisco Cloud Network Automation Provisioner (CNAP) 1.0 and 1.1 allows remote authenticated users to execute arbitrary SQL commands via a crafted URL, aka Bug ID CSCuy72175. | |||||
| CVE-2016-1394 | 1 Cisco | 1 Firesight System Software | 2016-11-28 | 7.5 HIGH | 8.6 HIGH |
| Cisco Firepower System Software 6.0.0 through 6.1.0 has a hardcoded account, which allows remote attackers to obtain CLI access by leveraging knowledge of the password, aka Bug ID CSCuz56238. | |||||
| CVE-2016-1405 | 2 Cisco, Clamav | 3 Email Security Appliance, Web Security Appliance, Clamav | 2016-11-28 | 5.0 MEDIUM | 7.5 HIGH |
| libclamav in ClamAV (aka Clam AntiVirus), as used in Advanced Malware Protection (AMP) on Cisco Email Security Appliance (ESA) devices before 9.7.0-125 and Web Security Appliance (WSA) devices before 9.0.1-135 and 9.1.x before 9.1.1-041, allows remote attackers to cause a denial of service (AMP process restart) via a crafted document, aka Bug IDs CSCuv78533 and CSCuw60503. | |||||
| CVE-2016-1000140 | 1 New-year-firework Project | 1 New-year-firework | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in wordpress plugin new-year-firework v1.1.9 | |||||
| CVE-2016-1000141 | 1 Page-layout-builder Project | 1 Page-layout-builder | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in wordpress plugin page-layout-builder v1.9.3 | |||||
| CVE-2016-1000143 | 1 Photoxhibit Project | 1 Photoxhibit | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in wordpress plugin photoxhibit v2.1.8 | |||||
| CVE-2016-1000146 | 1 Pondol-formmail Project | 1 Pondol-formmail | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in wordpress plugin pondol-formmail v1.1 | |||||
| CVE-2016-1000148 | 1 S3-video Project | 1 S3-video | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in wordpress plugin s3-video v0.983 | |||||
| CVE-2016-1000149 | 1 Simpel-reserveren Project | 1 Simpel-reserveren | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in wordpress plugin simpel-reserveren v3.5.2 | |||||
| CVE-2016-1000154 | 1 Browserweb | 1 Whizz | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in wordpress plugin whizz v1.0.7 | |||||
| CVE-2016-0922 | 1 Emc | 1 Vipr Srm | 2016-11-28 | 5.0 MEDIUM | 9.8 CRITICAL |
| EMC ViPR SRM before 3.7.2 does not restrict the number of password-authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force guessing attack. | |||||
| CVE-2016-0928 | 1 Pivotal | 1 Cloud Foundry Elastic Runtime | 2016-11-28 | 5.8 MEDIUM | 7.4 HIGH |
| Multiple open redirect vulnerabilities in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.30 and 1.7.x before 1.7.8 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | |||||
| CVE-2016-0929 | 1 Pivotal Software | 1 Rabbitmq | 2016-11-28 | 5.0 MEDIUM | 7.5 HIGH |
| The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry (PCF) 1.6.x before 1.6.4 logs command lines of failed commands, which might allow context-dependent attackers to obtain sensitive information by reading the log data, as demonstrated by a syslog message that contains credentials from a command line. | |||||
| CVE-2016-0930 | 1 Pivotal | 1 Operations Manager | 2016-11-28 | 5.0 MEDIUM | 9.8 CRITICAL |
| Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.19 and 1.7.x before 1.7.10, when vCloud or vSphere is used, has a default password for compilation VMs, which allows remote attackers to obtain SSH access by connecting within an installation-time period during which these VMs exist. | |||||
| CVE-2016-1000121 | 1 Huge-it | 1 Slider | 2016-11-28 | 3.5 LOW | 4.8 MEDIUM |
| XSS and SQLi in Huge IT Joomla Slider v1.0.9 extension | |||||
| CVE-2016-1000126 | 1 Admin-font-editor Project | 1 Admin-font-editor | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in wordpress plugin admin-font-editor v1.8 | |||||
| CVE-2016-1000127 | 1 Ajax-random-post Project | 1 Ajax-random-post | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in wordpress plugin ajax-random-post v2.00 | |||||
| CVE-2016-1000129 | 1 Defa-online-image-protector Project | 1 Defa-online-image-protector | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in wordpress plugin defa-online-image-protector v3.3 | |||||
| CVE-2016-1000133 | 1 Designsandcode | 1 Forget-about-shorcode-buttons | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in wordpress plugin forget-about-shortcode-buttons v1.1.1 | |||||
| CVE-2016-1000136 | 1 Heat-trakr Project | 1 Heat-trackr | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in wordpress plugin heat-trackr v1.0 | |||||
| CVE-2016-1000138 | 1 Indexisto Project | 1 Indexisto | 2016-11-28 | 4.3 MEDIUM | 6.1 MEDIUM |
| Reflected XSS in wordpress plugin indexisto v1.0.5 | |||||
| CVE-2016-0757 | 1 Openstack | 1 Image Registry And Delivery Service \(glance\) | 2016-11-28 | 4.0 MEDIUM | 4.3 MEDIUM |
| OpenStack Image Service (Glance) before 2015.1.3 (kilo) and 11.0.x before 11.0.2 (liberty), when show_multiple_locations is enabled, allow remote authenticated users to change image status and upload new image data by removing the last location of an image. | |||||
| CVE-2016-0758 | 2 Linux, Redhat | 8 Linux Kernel, Enterprise Linux Desktop, Enterprise Linux Hpc Node and 5 more | 2016-11-28 | 7.2 HIGH | 7.8 HIGH |
| Integer overflow in lib/asn1_decoder.c in the Linux kernel before 4.6 allows local users to gain privileges via crafted ASN.1 data. | |||||
| CVE-2016-0815 | 1 Google | 1 Android | 2016-11-28 | 10.0 HIGH | 9.8 CRITICAL |
| The MPEG4Source::fragmentedRead function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.x before 2016-03-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 26365349. | |||||
| CVE-2016-0816 | 1 Google | 1 Android | 2016-11-28 | 10.0 HIGH | 9.8 CRITICAL |
| mediaserver in Android 6.x before 2016-03-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, related to decoder/ih264d_parse_islice.c and decoder/ih264d_parse_pslice.c, aka internal bug 25928803. | |||||
| CVE-2016-0818 | 1 Google | 1 Android | 2016-11-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| The caching functionality in the TrustManagerImpl class in TrustManagerImpl.java in Conscrypt in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.x before 2016-03-01 mishandles the distinction between an intermediate CA and a trusted root CA, which allows man-in-the-middle attackers to spoof servers by leveraging access to an intermediate CA to issue a certificate, aka internal bug 26232830. | |||||
| CVE-2016-0819 | 1 Google | 1 Android | 2016-11-28 | 9.3 HIGH | 7.8 HIGH |
| The Qualcomm performance component in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.x before 2016-03-01 allows attackers to gain privileges via a crafted application, aka internal bug 25364034. | |||||
| CVE-2016-0820 | 1 Google | 1 Android | 2016-11-28 | 9.3 HIGH | 7.8 HIGH |
| The MediaTek Wi-Fi kernel driver in Android 6.0.1 before 2016-03-01 allows attackers to gain privileges via a crafted application, aka internal bug 26267358. | |||||
| CVE-2016-0822 | 1 Google | 1 Android | 2016-11-28 | 7.6 HIGH | 7.0 HIGH |
| The MediaTek connectivity kernel driver in Android 6.0.1 before 2016-03-01 allows attackers to gain privileges via a crafted application that leverages conn_launcher access, aka internal bug 25873324. | |||||
| CVE-2016-0823 | 2 Google, Linux | 2 Android, Linux Kernel | 2016-11-28 | 2.1 LOW | 4.0 MEDIUM |
| The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel before 3.19.3, as used in Android 6.0.1 before 2016-03-01, allows local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721. | |||||
| CVE-2016-0824 | 1 Google | 1 Android | 2016-11-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| libmpeg2 in libstagefright in Android 6.x before 2016-03-01 allows attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via crafted Bitstream data, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 25765591. | |||||
| CVE-2016-0825 | 1 Google | 1 Android | 2016-11-28 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Widevine Trusted Application in Android 6.0.1 before 2016-03-01 allows attackers to obtain sensitive TrustZone secure-storage information by leveraging kernel access, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 20860039. | |||||