Vulnerabilities > Medium
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2016-04-12 | CVE-2016-0128 | 7PK - Security Features vulnerability in Microsoft products The SAM and LSAD protocol implementations in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 do not properly establish an RPC channel, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "Windows SAM and LSAD Downgrade Vulnerability" or "BADLOCK." | 5.8 |
| 2016-04-12 | CVE-2016-4004 | Path Traversal vulnerability in Dell Openmanage Server Administrator 8.2 Directory traversal vulnerability in Dell OpenManage Server Administrator (OMSA) 8.2 allows remote authenticated administrators to read arbitrary files via a ..\ (dot dot backslash) in the file parameter to ViewFile. | 4.0 |
| 2016-04-12 | CVE-2016-3656 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Paloaltonetworks Pan-Os The GlobalProtect Portal in Palo Alto Networks PAN-OS before 5.0.18, 6.0.x before 6.0.13, 6.1.x before 6.1.10, and 7.0.x before 7.0.5H2 allows remote attackers to cause a denial of service (service crash) via a crafted request. | 5.0 |
| 2016-04-12 | CVE-2015-7520 | Cross-site Scripting vulnerability in Apache Wicket Multiple cross-site scripting (XSS) vulnerabilities in the (1) RadioGroup and (2) CheckBoxMultipleChoice classes in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 allow remote attackers to inject arbitrary web script or HTML via a crafted "value" attribute in a <input> element. | 4.3 |
| 2016-04-12 | CVE-2015-5347 | Cross-site Scripting vulnerability in Apache Wicket Cross-site scripting (XSS) vulnerability in the getWindowOpenJavaScript function in org.apache.wicket.extensions.ajax.markup.html.modal.ModalWindow in Apache Wicket 1.5.x before 1.5.15, 6.x before 6.22.0, and 7.x before 7.2.0 might allow remote attackers to inject arbitrary web script or HTML via a ModalWindow title. | 4.3 |
| 2016-04-12 | CVE-2016-4003 | Cross-site Scripting vulnerability in Apache Struts Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter. | 4.3 |
| 2016-04-12 | CVE-2016-3172 | SQL Injection vulnerability in Cacti SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action. | 6.5 |
| 2016-04-12 | CVE-2016-2162 | Cross-site Scripting vulnerability in Apache Struts Apache Struts 2.x before 2.3.25 does not sanitize text in the Locale object constructed by I18NInterceptor, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via unspecified vectors involving language display. | 4.3 |
| 2016-04-12 | CVE-2016-3171 | Data Processing Errors vulnerability in multiple products Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation. | 6.8 |
| 2016-04-12 | CVE-2016-3170 | Information Exposure vulnerability in multiple products The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in. | 5.0 |