Vulnerabilities
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2016-12-31 | CVE-2016-6856 | Cross-site Scripting vulnerability in SAP Hybris Cross-site scripting (XSS) vulnerability in the Inbox Search feature in Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to inject arbitrary web script or HTML via the itemsperpage parameter. | 6.1 |
| 2016-12-30 | CVE-2016-10074 | Command Injection vulnerability in Swiftmailer The mail transport (aka Swift_Transport_MailTransport) in Swift Mailer before 5.4.5 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address in the (1) From, (2) ReturnPath, or (3) Sender header. | 9.8 |
| 2016-12-30 | CVE-2016-10045 | Command Injection vulnerability in multiple products The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code by leveraging improper interaction between the escapeshellarg function and internal escaping performed in the mail function in PHP. | 9.8 |
| 2016-12-30 | CVE-2016-10034 | Command Injection vulnerability in Zend Framework The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address. | 9.8 |
| 2016-12-30 | CVE-2016-10033 | Argument Injection or Modification vulnerability in multiple products The mailSend function in the isMail transport in PHPMailer before 5.2.18 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted Sender property. | 9.8 |
| 2016-12-30 | CVE-2016-10088 | Use After Free vulnerability in Linux Kernel The sg implementation in the Linux kernel through 4.9 does not properly restrict write operations in situations where the KERNEL_DS option is set, which allows local users to read or write to arbitrary kernel memory locations or cause a denial of service (use-after-free) by leveraging access to a /dev/sg device, related to block/bsg.c and drivers/scsi/sg.c. | 7.0 |
| 2016-12-30 | CVE-2016-10085 | Improper Access Control vulnerability in Piwigo admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter. | 7.2 |
| 2016-12-30 | CVE-2016-10084 | Improper Access Control vulnerability in Piwigo admin/batch_manager.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the $page['tab'] variable (aka the mode parameter). | 7.2 |
| 2016-12-30 | CVE-2016-10083 | Cross-site Scripting vulnerability in Piwigo Cross-site scripting (XSS) vulnerability in admin/plugin.php in Piwigo through 2.8.3 allows remote attackers to inject arbitrary web script or HTML via a crafted filename that is mishandled in a certain error case. | 6.1 |
| 2016-12-30 | CVE-2016-10082 | Improper Access Control vulnerability in S9Y Serendipity include/functions_installer.inc.php in Serendipity through 2.0.5 is vulnerable to File Inclusion and a possible Code Execution attack during a first-time installation because it fails to sanitize the dbType POST parameter before adding it to an include() call in the bundled-libs/serendipity_generateFTPChecksums.php file. | 9.8 |