Vulnerabilities > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2016-11-11 | CVE-2016-9286 | Information Exposure vulnerability in Exponentcms Exponent CMS 2.4.0 framework/modules/users/controllers/usersController.php in Exponent CMS v2.4.0patch1 does not properly restrict access to user records, which allows remote attackers to read address information, as demonstrated by an address/show/id/1 URI. | 5.3 |
| 2016-11-11 | CVE-2016-9285 | Information Exposure vulnerability in Exponentcms Exponent CMS 2.4.0 framework/modules/addressbook/controllers/addressController.php in Exponent CMS v2.4.0 allows remote attackers to read user information via a modified id number, as demonstrated by address/edit/id/1, related to an "addresses, countries, and regions" issue. | 5.3 |
| 2016-11-11 | CVE-2016-9284 | Information Exposure vulnerability in Exponentcms Exponent CMS 2.4.0 getUsersByJSON in framework/modules/users/controllers/usersController.php in Exponent CMS v2.4.0 allows remote attackers to read user information via users/getUsersByJSON/sort/ and a trailing string. | 5.3 |
| 2016-11-10 | CVE-2016-7148 | Cross-site Scripting vulnerability in Moinmo Moinmoin 1.9.8 MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injection" attacks by using the "page creation" approach, related to a "Cross Site Scripting (XSS)" issue affecting the action=AttachFile (via page name) component. | 6.1 |
| 2016-11-10 | CVE-2016-7146 | Cross-site Scripting vulnerability in Moinmo Moinmoin 1.9.8 MoinMoin 1.9.8 allows remote attackers to conduct "JavaScript injection" attacks by using the "page creation or crafted URL" approach, related to a "Cross Site Scripting (XSS)" issue affecting the action=fckdialog&dialog=attachment (via page name) component. | 6.1 |
| 2016-11-10 | CVE-2016-7252 | Information Exposure vulnerability in Microsoft SQL Server 2016 Microsoft SQL Server 2016 mishandles the FILESTREAM path, which allows remote authenticated users to gain privileges via unspecified vectors, aka "SQL Analysis Services Information Disclosure Vulnerability." | 6.5 |
| 2016-11-10 | CVE-2016-7251 | Cross-site Scripting vulnerability in Microsoft SQL Server 2016 Cross-site scripting (XSS) vulnerability in the MDS API in Microsoft SQL Server 2016 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka "MDS API XSS Vulnerability." | 6.1 |
| 2016-11-10 | CVE-2016-7244 | Improper Access Control vulnerability in Microsoft Office 2007 Microsoft Office 2007 SP3 allows remote attackers to cause a denial of service (application hang) via a crafted Office document, aka "Microsoft Office Denial of Service Vulnerability." | 5.5 |
| 2016-11-10 | CVE-2016-7237 | Improper Access Control vulnerability in Microsoft products Local Security Authority Subsystem Service (LSASS) in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allows remote authenticated users to cause a denial of service (system hang) via a crafted request, aka "Local Security Authority Subsystem Service Denial of Service Vulnerability." | 6.5 |
| 2016-11-10 | CVE-2016-7233 | Information Exposure vulnerability in Microsoft products Microsoft Word 2007, Office 2010 SP2, Word 2010 SP2, Word for Mac 2011, Excel for Mac 2011, Word Viewer, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2013 SP1, and Office Web Apps 2010 SP2 allow remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via a crafted Office document, aka "Microsoft Office Information Disclosure Vulnerability." | 6.5 |