Vulnerabilities > Medium

DATE CVE VULNERABILITY TITLE RISK
2016-04-12 CVE-2016-0128 7PK - Security Features vulnerability in Microsoft products
The SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "Windows SAM and LSAD Downgrade Vulnerability" or "BADLOCK."
network
high complexity
microsoft CWE-254
6.8
2016-04-12 CVE-2016-4004 Path Traversal vulnerability in Dell Openmanage Server Administrator 8.2
Directory traversal vulnerability in Dell OpenManage Server Administrator (OMSA) 8.2 allows remote authenticated administrators to read arbitrary files via a ..\ (dot dot backslash) in the file parameter to ViewFile.
network
low complexity
dell CWE-22
4.9
2016-04-12 CVE-2015-7520 Cross-site Scripting vulnerability in Apache Wicket
Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 allow remote attackers to inject arbitrary web script or HTML via a crafted "value" attribute in a <input> element.
network
low complexity
apache CWE-79
6.1
2016-04-12 CVE-2015-5347 Cross-site Scripting vulnerability in Apache Wicket
Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 might allow remote attackers to inject arbitrary web script or HTML via a ModalWindow title.
network
low complexity
apache CWE-79
6.1
2016-04-12 CVE-2016-4003 Cross-site Scripting vulnerability in Apache Struts
Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.
network
low complexity
apache CWE-79
6.1
2016-04-12 CVE-2016-2162 Cross-site Scripting vulnerability in Apache Struts
Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display.
network
low complexity
apache CWE-79
6.1
2016-04-12 CVE-2016-3170 Information Exposure vulnerability in multiple products
The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.
network
low complexity
debian drupal CWE-200
5.3
2016-04-12 CVE-2016-3168 7PK - Security Features vulnerability in multiple products
The System module in Drupal 6.x before 6.38 and 7.x before 7.43 might allow remote attackers to hijack the authentication of site administrators for requests that download and run files with arbitrary JSON-encoded content, aka a "reflected file download vulnerability."
network
high complexity
drupal debian CWE-254
6.4
2016-04-12 CVE-2016-3166 CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.
network
high complexity
debian drupal
5.9
2016-04-12 CVE-2016-2166 Information Exposure vulnerability in multiple products
The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.
network
high complexity
apache fedoraproject CWE-200
6.5