Vulnerabilities > High
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2016-04-08 | CVE-2016-3979 | Improper Input Validation vulnerability in SAP Java AS 7.4 Internet Communication Manager (aka ICMAN or ICM) in SAP JAVA AS 7.2 through 7.4 allows remote attackers to cause a denial of service (heap memory corruption and process crash) via a crafted HTTP request, related to the IctParseCookies function, aka SAP Security Note 2256185. | 7.5 |
| 2016-04-08 | CVE-2016-3188 | Permissions, Privileges, and Access Controls vulnerability in Prepopulate Project Prepopulate 7.X2.0/7.X2.X The _prepopulate_request_walk function in the Prepopulate module 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to modify the (1) actions, (2) container, (3) token, (4) password, (5) password_confirm, (6) text_format, or (7) markup field type, and consequently have unspecified impact, via unspecified vectors. | 7.3 |
| 2016-04-08 | CVE-2016-3187 | Permissions, Privileges, and Access Controls vulnerability in Prepopulate Project Prepopulate 7.X2.0/7.X2.X The Prepopulate module 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to modify the REQUEST superglobal array, and consequently have unspecified impact, via a base64-encoded pp parameter. | 7.3 |
| 2016-04-08 | CVE-2015-6541 | Cross-Site Request Forgery (CSRF) vulnerability in Zimbra Collaboration Server Multiple cross-site request forgery (CSRF) vulnerabilities in the Mail interface in Zimbra Collaboration Server (ZCS) before 8.5 allow remote attackers to hijack the authentication of arbitrary users for requests that change account preferences via a SOAP request to service/soap/BatchRequest. | 8.8 |
| 2016-04-08 | CVE-2015-8840 | Missing Authorization vulnerability in SAP Netweaver Application Server Java The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215. | 8.8 |
| 2016-04-07 | CVE-2016-3976 | Path Traversal vulnerability in SAP Netweaver Application Server Java Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971. | 7.5 |
| 2016-04-07 | CVE-2016-2098 | Improper Input Validation vulnerability in multiple products Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method. | 7.3 |
| 2016-04-07 | CVE-2016-1531 | Permissions, Privileges, and Access Controls vulnerability in Exim Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument. | 7.0 |
| 2016-04-07 | CVE-2016-0792 | Improper Input Validation vulnerability in multiple products Multiple unspecified API endpoints in Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando. | 8.8 |
| 2016-04-07 | CVE-2016-2216 | Improper Input Validation vulnerability in multiple products The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a. | 7.5 |