Weekly Vulnerabilities Reports > April 18 to 24, 2016
Overview
226 new vulnerabilities were reported during this period, including 37 critical vulnerabilities and 37 high severity vulnerabilities. This weekly summary reports vulnerabilities in 182 products from 48 vendors, including Oracle, Google, Opensuse, Debian, and Redhat. The vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Permissions, Privileges, and Access Controls", "Information Exposure", "Improper Input Validation", and "Cross-site Scripting".
- 184 reported vulnerabilities are remotely exploitable.
- 13 reported vulnerabilities have a public exploit available.
- 20 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 159 reported vulnerabilities are exploitable by an anonymous user.
- Oracle has the most reported vulnerabilities, with 102.
- Google has the most reported critical vulnerabilities, with 21.
Vulnerability Details
The following tables list the vulnerabilities reported during the period covered by this report:
37 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2016-04-21 | CVE-2016-3443 | Oracle | Unspecified vulnerability in Oracle JDK and JRE: Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D. | 10.0 |
2016-04-21 | CVE-2016-2007 | HP | Request Remote Code Execution vulnerability in HP Data Protector: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors, aka ZDI-CAN-3354. | 10.0 |
2016-04-21 | CVE-2016-2006 | HP | Request Remote Code Execution vulnerability in HP Data Protector: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors, aka ZDI-CAN-3353. | 10.0 |
2016-04-21 | CVE-2016-2005 | HP | Request Remote Code Execution vulnerability in HP Data Protector: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors, aka ZDI-CAN-3352. | 10.0 |
2016-04-21 | CVE-2016-1363 | Cisco | Resource Management Errors vulnerability in Cisco Wireless LAN Controller Software: Buffer overflow in the redirection functionality in Cisco Wireless LAN Controller (WLC) Software 7.2 through 7.4 before 7.4.140.0(MD) and 7.5 through 8.0 before 8.0.115.0(ED) allows remote attackers to execute arbitrary code via a crafted HTTP request, aka Bug ID CSCus25617. | 10.0 |
2016-04-21 | CVE-2016-0693 | Oracle | Remote Security vulnerability in Oracle Solaris 10/11.3: Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to the PAM LDAP module. | 10.0 |
2016-04-21 | CVE-2016-0687 | Oracle | Unspecified vulnerability in Oracle JDK and JRE: Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to the Hotspot sub-component. | 10.0 |
2016-04-21 | CVE-2016-0686 | Oracle | Unspecified vulnerability in Oracle JDK and JRE: Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Serialization. | 10.0 |
2016-04-21 | CVE-2016-0639 | Redhat Oracle | Remote Security vulnerability in Oracle MySQL: Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.11 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Pluggable Authentication. | 10.0 |
2016-04-20 | CVE-2016-2002 | HP | Command Injection vulnerability in HP Vertica: The validateAdminConfig handler in the Analytics Management Console in HPE Vertica 7.0.x before 7.0.2.12, 7.1.x before 7.1.2-12, and 7.2.x before 7.2.2-1 allows remote attackers to execute arbitrary commands via the mcPort parameter, aka ZDI-CAN-3417. | 10.0 |
2016-04-18 | CVE-2016-2419 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android 6.0/6.0.1: media/libmedia/IDrm.cpp in mediaserver in Android 6.x before 2016-04-01 does not initialize a certain key-request data structure, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26323455. | 10.0 |
2016-04-18 | CVE-2016-2418 | Google | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 6.0/6.0.1: media/libmedia/IOMX.cpp in mediaserver in Android 6.x before 2016-04-01 does not initialize certain metadata buffer pointers, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26324358. | 10.0 |
2016-04-18 | CVE-2016-2417 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android: media/libmedia/IOMX.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not initialize a parameter data structure, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26914474. | 10.0 |
2016-04-18 | CVE-2016-2416 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android: libs/gui/BufferQueueConsumer.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not check for the android.permission.DUMP permission, which allows attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via a dump request, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 27046057. | 10.0 |
2016-04-18 | CVE-2016-1503 | Dhcpcd Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products: dhcpcd before 6.10.0, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 and other products, mismanages option lengths, which allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a malformed DHCP response, aka internal bug 26461634. | 10.0 |
2016-04-18 | CVE-2016-0842 | Google | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 6.0/6.0.1: The H.264 decoder in libstagefright in Android 6.x before 2016-04-01 mishandles Memory Management Control Operation (MMCO) data, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 25818142. | 10.0 |
2016-04-18 | CVE-2016-0841 | Google | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android: media/libmedia/mediametadataretriever.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 mishandles cleared service binders, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 26040840. | 10.0 |
2016-04-18 | CVE-2016-0840 | Google | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 6.0/6.0.1: Multiple stack-based buffer underflows in decoder/ih264d_parse_cavlc.c in mediaserver in Android 6.x before 2016-04-01 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 26399350. | 10.0 |
2016-04-18 | CVE-2016-0839 | Google | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 6.0/6.0.1: post_proc/volume_listener.c in mediaserver in Android 6.x before 2016-04-01 mishandles deleted effect context, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 25753245. | 10.0 |
2016-04-18 | CVE-2016-0838 | Google | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android: Sonivox in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not check for a negative number of samples, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, related to arm-wt-22k/lib_src/eas_wtengine.c and arm-wt-22k/lib_src/eas_wtsynth.c, aka internal bug 26366256. | 10.0 |
2016-04-18 | CVE-2016-0837 | Google | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android: MPEG4Extractor.cpp in libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read and memory corruption) via a crafted media file, aka internal bug 27208621. | 10.0 |
2016-04-18 | CVE-2016-0836 | Google | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 6.0/6.0.1: Stack-based buffer overflow in decoder/impeg2d_vld.c in mediaserver in Android 6.x before 2016-04-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 25812590. | 10.0 |
2016-04-18 | CVE-2016-0835 | Google | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 6.0/6.0.1: decoder/impeg2d_dec_hdr.c in mediaserver in Android 6.x before 2016-04-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file that triggers a certain negative value, aka internal bug 26070014. | 10.0 |
2016-04-18 | CVE-2016-0834 | Google | Improper Input Validation vulnerability in Google Android 6.0/6.0.1: An unspecified media codec in mediaserver in Android 6.x before 2016-04-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 26220548. | 10.0 |
2016-04-21 | CVE-2016-3427 | Oracle Canonical Debian Netapp Apache Redhat Suse Opensuse | Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. | 9.8 |
2016-04-18 | CVE-2016-1659 | Debian Suse Opensuse Canonical | Multiple unspecified vulnerabilities in Google Chrome before 50.0.2661.75 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | 9.8 |
2016-04-21 | CVE-2016-0699 | Oracle | Remote Security vulnerability in Oracle Flexcube Direct Banking 12.0.2/12.0.3: Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 12.0.2 and 12.0.3 allows remote attackers to affect confidentiality and integrity via vectors related to the Login sub-component. | 9.4 |
2016-04-21 | CVE-2016-2004 | HP | Missing Authentication for Critical Function vulnerability in HP Data Protector: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. | 9.3 |
2016-04-20 | CVE-2015-7801 | Optipng Project Canonical | Use-After-Free Remote Code Execution vulnerability in OptiPNG: Use-after-free vulnerability in OptiPNG 0.6.4 allows remote attackers to execute arbitrary code via a crafted PNG file. | 9.3 |
2016-04-18 | CVE-2015-8106 | Latex2Rtf Project Fedoraproject | Use of Externally-Controlled Format String vulnerability in multiple products: Format string vulnerability in the CmdKeywords function in funct1.c in latex2rtf before 2.3.10 allows remote attackers to execute arbitrary code via format string specifiers in the \keywords command in a crafted TeX file. | 9.3 |
2016-04-18 | CVE-2016-2422 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android: Wi-Fi in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not prevent use of a Wi-Fi CA certificate in an unrelated CA role, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26324357. | 9.3 |
2016-04-18 | CVE-2016-2420 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android: rootdir/init.rc in Android 4.x before 4.4.4 does not ensure that the /data/tombstones directory exists for the Debuggerd component, which allows attackers to gain privileges via a crafted application, aka internal bug 26403620. | 9.3 |
2016-04-18 | CVE-2016-2413 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android: media/libmedia/IOMX.cpp in mediaserver in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not initialize a handle pointer, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26403627. | 9.3 |
2016-04-18 | CVE-2016-2412 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android: include/core/SkPostConfig.h in Skia, as used in System_server in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01, mishandles certain crashes, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26593930. | 9.3 |
2016-04-18 | CVE-2016-2411 | Google | Improper Input Validation vulnerability in Google Android 6.0/6.0.1: A Qualcomm Power Management kernel driver in Android 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application that leverages root access, aka internal bug 26866053. | 9.3 |
2016-04-18 | CVE-2016-2409 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android 6.0/6.0.1: A Texas Instruments (TI) haptic kernel driver in Android 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application that leverages control over a service that can call this driver, aka internal bug 25981545. | 9.3 |
2016-04-21 | CVE-2016-3455 | Oracle | Remote Security vulnerability in Oracle Outside in Technology 8.5.0/8.5.1/8.5.2: Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters. | 9.0 |
37 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2016-04-22 | CVE-2015-8823 | Adobe | Use After Free vulnerability in Adobe products: Use-after-free vulnerability in the TextField object implementation in Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allows attackers to execute arbitrary code via crafted text property, a different vulnerability than CVE-2015-8048, CVE-2015-8049, CVE-2015-8050, CVE-2015-8055, CVE-2015-8056, CVE-2015-8057, CVE-2015-8058, CVE-2015-8059, CVE-2015-8061, CVE-2015-8062, CVE-2015-8063, CVE-2015-8064, CVE-2015-8065, CVE-2015-8066, CVE-2015-8067, CVE-2015-8068, CVE-2015-8069, CVE-2015-8070, CVE-2015-8071, CVE-2015-8401, CVE-2015-8402, CVE-2015-8403, CVE-2015-8404, CVE-2015-8405, CVE-2015-8406, CVE-2015-8410, CVE-2015-8411, CVE-2015-8412, CVE-2015-8413, CVE-2015-8414, CVE-2015-8420, CVE-2015-8421, CVE-2015-8422, CVE-2015-8423, CVE-2015-8424, CVE-2015-8425, CVE-2015-8426, CVE-2015-8427, CVE-2015-8428, CVE-2015-8429, CVE-2015-8430, CVE-2015-8431, CVE-2015-8432, CVE-2015-8433, CVE-2015-8434, CVE-2015-8435, CVE-2015-8436, CVE-2015-8437, CVE-2015-8441, CVE-2015-8442, CVE-2015-8447, CVE-2015-8448, CVE-2015-8449, CVE-2015-8450, CVE-2015-8452, CVE-2015-8454, CVE-2015-8653, CVE-2015-8655, CVE-2015-8821, and CVE-2015-8822. | 8.8 |
2016-04-18 | CVE-2016-1655 | Debian Suse Opensuse Canonical | Google Chrome before 50.0.2661.75 does not properly consider that frame removal may occur during callback execution, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted extension. | 8.8 |
2016-04-18 | CVE-2016-1653 | Debian Suse Opensuse Canonical | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products: The LoadBuffer implementation in Google V8, as used in Google Chrome before 50.0.2661.75, mishandles data types, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers an out-of-bounds write operation, related to compiler/pipeline.cc and compiler/simplified-lowering.cc. | 8.8 |
2016-04-18 | CVE-2016-1651 | Google Debian Suse Opensuse | Information Exposure vulnerability in multiple products: fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 50.0.2661.75, does not properly implement the sycc420_to_rgb and sycc422_to_rgb functions, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted JPEG 2000 data in a PDF document. | 8.1 |
2016-04-22 | CVE-2016-2354 | Lemurmonitors | Improper Access Control vulnerability in Lemurmonitors Bluedriver 6.3.2: The Bluetooth functionality in Lemur Vehicle Monitors BlueDriver before 2016-04-07 supports unrestricted pairing without a PIN, which allows remote attackers to send arbitrary CAN commands by leveraging access to a device inside or adjacent to the vehicle, as demonstrated by a CAN command to disrupt braking or steering. | 8.0 |
2016-04-22 | CVE-2016-2306 | Ecava | Cryptographic Issues vulnerability in Ecava Integraxor: The HMI web server in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to obtain sensitive cleartext information by sniffing the network. | 7.8 |
2016-04-21 | CVE-2016-3441 | Oracle | Unspecified vulnerability in Oracle Solaris 10/11.3: Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows local users to affect confidentiality, integrity, and availability via vectors related to Filesystem. | 7.8 |
2016-04-21 | CVE-2016-2280 | Honeywell | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Honeywell Uniformance Process History Database R310/R320/R321: Buffer overflow in RDISERVER in Honeywell Uniformance Process History Database (PHD) R310, R320, and R321 allows remote attackers to cause a denial of service (service outage) via unspecified vectors. | 7.8 |
2016-04-21 | CVE-2016-1364 | Cisco | Improper Input Validation vulnerability in Cisco Wireless LAN Controller Software: Cisco Wireless LAN Controller (WLC) Software 7.4 before 7.4.130.0(MD) and 7.5, 7.6, and 8.0 before 8.0.110.0(ED) allows remote attackers to cause a denial of service (device reload) via crafted Bonjour traffic, aka Bug ID CSCur66908. | 7.8 |
2016-04-21 | CVE-2016-1362 | Cisco | Resource Management Errors vulnerability in Cisco Aireos: Cisco AireOS 4.1 through 7.4.120.0, 7.5.x, and 7.6.100.0 on Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service (device reload) via a crafted HTTP request, aka Bug ID CSCun86747. | 7.8 |
2016-04-19 | CVE-2016-0741 | Redhat Fedoraproject | Resource Management Errors vulnerability in multiple products: slapd/connection.c in 389 Directory Server (formerly Fedora Directory Server) 1.3.4.x before 1.3.4.7 allows remote attackers to cause a denial of service (infinite loop and connection blocking) by leveraging an abnormally closed connection. | 7.8 |
2016-04-18 | CVE-2015-7552 | Opensuse | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Opensuse 13.2: Heap-based buffer overflow in the gdk_pixbuf_flip function in gdk-pixbuf-scale.c in gdk-pixbuf 2.30.x allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted BMP file. | 7.8 |
2016-04-21 | CVE-2016-3454 | Oracle | Remote Security vulnerability in Oracle Database 11.2.0.4/12.1.0.1/12.1.0.2: Unspecified vulnerability in the Java VM component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 7.6 |
2016-04-21 | CVE-2016-3449 | Oracle | Unspecified vulnerability in Oracle JDK and JRE: Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Deployment. | 7.6 |
2016-04-22 | CVE-2016-2299 | Ecava | SQL Injection vulnerability in Ecava Integraxor: SQL injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 7.5 |
2016-04-21 | CVE-2016-2293 | Accuenergy | Permissions, Privileges, and Access Controls vulnerability in Accuenergy Acuvim II NET Firmware and Acuvim IIR NET Firmware: The AXM-NET module in Accuenergy Acuvim II NET Firmware 3.08 and Acuvim IIR NET Firmware 3.08 allows remote attackers to discover settings via a direct request to an unspecified URL. | 7.5 |
2016-04-21 | CVE-2016-2008 | HP | Remote Code Execution vulnerability in HP Data Protector: HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors. | 7.5 |
2016-04-21 | CVE-2016-1367 | Cisco | Resource Management Errors vulnerability in Cisco Adaptive Security Appliance Software 9.4.1: The DHCPv6 relay implementation in Cisco Adaptive Security Appliance (ASA) Software 9.4.1 allows remote attackers to cause a denial of service (device reload) via crafted DHCPv6 packets, aka Bug ID CSCus23248. | 7.5 |
2016-04-21 | CVE-2016-0638 | Oracle | Remote Security vulnerability in Oracle Fusion Middleware: Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, 12.1.3, and 12.2.1 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Java Messaging Service. | 7.5 |
2016-04-21 | CVE-2015-6360 | Cisco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products: The encryption-processing feature in Cisco libSRTP before 1.5.3 allows remote attackers to cause a denial of service via crafted fields in SRTP packets, aka Bug ID CSCux00686. | 7.5 |
2016-04-20 | CVE-2016-2003 | HP | Remote Code Execution vulnerability in HP products: HPE P9000 Command View Advanced Edition Software (CVAE) 7.x and 8.x before 8.4.0-00 and XP7 CVAE 7.x and 8.x before 8.4.0-00 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. | 7.5 |
2016-04-19 | CVE-2015-8779 | Suse Opensuse Canonical Debian GNU Fedoraproject | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products: Stack-based buffer overflow in the catopen function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long catalog name. | 7.5 |
2016-04-19 | CVE-2015-8778 | Fedoraproject Debian Canonical GNU Suse Opensuse | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products: Integer overflow in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via the size argument to the __hcreate_r function, which triggers out-of-bounds heap-memory access. | 7.5 |
2016-04-19 | CVE-2014-9761 | Suse Opensuse Fedoraproject GNU Canonical | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products: Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function. | 7.5 |
2016-04-18 | CVE-2016-1656 | Google Suse Opensuse | Improper Access Control vulnerability in multiple products: The download implementation in Google Chrome before 50.0.2661.75 on Android allows remote attackers to bypass intended pathname restrictions via unspecified vectors. | 7.5 |
2016-04-22 | CVE-2016-1593 | Novell | Path Traversal vulnerability in Novell Service Desk 7.1: Directory traversal vulnerability in the import users feature in Micro Focus Novell Service Desk before 7.2 allows remote authenticated administrators to upload and execute arbitrary JSP files via a .. | 7.2 |
2016-04-19 | CVE-2016-3960 | XEN Fedoraproject Oracle | NULL pointer Dereference Remote Denial of Service vulnerability in Xen: Integer overflow in the x86 shadow pagetable code in Xen allows local guest OS users to cause a denial of service (host crash) or possibly gain privileges by shadowing a superpage mapping. | 7.2 |
2016-04-18 | CVE-2016-3943 | Watchguard | Incorrect Default Permissions vulnerability in Watchguard Panda Endpoint Administration Agent 7.49: Panda Endpoint Administration Agent before 7.50.00, as used in Panda Security for Business products for Windows, uses a weak ACL for the Panda Security/WaAgent directory and sub-directories, which allows local users to gain SYSTEM privileges by modifying an executable module. | 7.2 |
2016-04-18 | CVE-2015-7378 | Watchguard | Incorrect Default Permissions vulnerability in Watchguard Panda URL Filtering 4.3.1.8: Panda Security URL Filtering before 4.3.1.9 uses a weak ACL for the "Panda Security URL Filtering" directory and installed files, which allows local users to gain SYSTEM privileges by modifying Panda_URL_Filteringb.exe. | 7.2 |
2016-04-18 | CVE-2016-0849 | Google | Numeric Errors vulnerability in Google Android: Multiple integer overflows in minzip/SysUtil.c in the Recovery Procedure in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allow attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26960931. | 7.2 |
2016-04-18 | CVE-2016-0848 | Google | Race Condition vulnerability in Google Android: Race condition in Download Manager in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to bypass private-storage file-access restrictions via a crafted application that changes a symlink target, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26211054. | 7.2 |
2016-04-18 | CVE-2016-0847 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android: The Telecom Component in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to spoof the originating telephone number of a call via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26864502. | 7.2 |
2016-04-18 | CVE-2016-0846 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android: libs/binder/IMemory.cpp in the IMemory Native Interface in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider the heap size, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26877992. | 7.2 |
2016-04-18 | CVE-2016-0844 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android 6.0/6.0.1: The Qualcomm RF driver in Android 6.x before 2016-04-01 does not properly restrict access to socket ioctl calls, which allows attackers to gain privileges via a crafted application, aka internal bug 26324307. | 7.2 |
2016-04-18 | CVE-2016-0843 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android: The Qualcomm ARM processor performance-event manager in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application, aka internal bug 25801197. | 7.2 |
2016-04-18 | CVE-2016-2424 | Google | Improper Input Validation vulnerability in Google Android: server/content/SyncStorageEngine.java in SyncStorageEngine in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 mismanages certain authority data, which allows attackers to cause a denial of service (reboot loop) via a crafted application, aka internal bug 26513719. | 7.1 |
2016-04-18 | CVE-2016-2415 | Google | Information Exposure vulnerability in Google Android: exchange/eas/EasAutoDiscover.java in the Autodiscover implementation in Exchange ActiveSync in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to obtain sensitive information via a crafted application that triggers a spoofed response to a GET request, aka internal bug 26488455. | 7.1 |
115 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2016-04-21 | CVE-2016-3418 | Oracle | Unspecified vulnerability in Oracle Berkeley DB Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, and CVE-2016-0694. | 6.9 |
2016-04-21 | CVE-2016-0694 | Oracle | Unspecified vulnerability in Oracle Berkeley DB Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, and CVE-2016-3418. | 6.9 |
2016-04-21 | CVE-2016-0692 | Oracle | Unspecified vulnerability in Oracle Berkeley DB Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0682, CVE-2016-0689, CVE-2016-0694, and CVE-2016-3418. | 6.9 |
2016-04-21 | CVE-2016-0689 | Oracle | Unspecified vulnerability in Oracle Berkeley DB Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0682, CVE-2016-0692, CVE-2016-0694, and CVE-2016-3418. | 6.9 |
2016-04-21 | CVE-2016-0682 | Oracle | Unspecified vulnerability in Oracle Berkeley DB Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, and CVE-2016-3418. | 6.9 |
2016-04-18 | CVE-2016-2410 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android 6.0/6.0.1 A Qualcomm video kernel driver in Android 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application that leverages control over a service that can call this driver, aka internal bug 26291677. | 6.9 |
2016-04-22 | CVE-2016-4065 | Foxitsoftware | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Foxitsoftware Foxit Reader and Phantompdf The ConvertToPDF plugin in Foxit Reader and PhantomPDF before 7.3.4 on Windows, when the gflags app is enabled, allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted (1) JPEG, (2) GIF, or (3) BMP image. | 6.8 |
2016-04-22 | CVE-2016-4064 | Foxitsoftware | Improper Access Control vulnerability in Foxitsoftware Foxit Reader and Phantompdf Use-after-free vulnerability in the XFA forms handling functionality in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to execute arbitrary code via a crafted remerge call. | 6.8 |
2016-04-22 | CVE-2016-4063 | Foxitsoftware | Remote Code Execution vulnerability in Foxitsoftware Foxit Reader and Phantompdf Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to execute arbitrary code via an object with a revision number of -1 in a PDF document. | 6.8 |
2016-04-22 | CVE-2016-4059 | Foxitsoftware | Remote Code Execution vulnerability in Foxitsoftware Foxit Reader and Phantompdf Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to execute arbitrary code via a crafted FlateDecode stream in a PDF document. | 6.8 |
2016-04-21 | CVE-2016-0684 | Oracle | Remote Security vulnerability in Oracle Micros Arspos 1.5 Unspecified vulnerability in the Oracle Retail MICROS ARS POS component in Oracle Retail Applications 1.5 allows remote authenticated users to affect confidentiality via vectors related to POS. | 6.8 |
2016-04-20 | CVE-2016-0891 | EMC | Cross-Site Request Forgery (CSRF) vulnerability in EMC Vipr SRM 3.6.0/3.6.4 Multiple cross-site request forgery (CSRF) vulnerabilities in administrative pages in EMC ViPR SRM before 3.7 allow remote attackers to hijack the authentication of administrators. | 6.8 |
2016-04-19 | CVE-2014-9765 | Canonical Debian Xdelta Opensuse | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file. | 6.8 |
2016-04-18 | CVE-2016-3950 | Huawei | Improper Input Validation vulnerability in Huawei Ar3200 Firmware V200R005C20/V200R005C30/V200R005C32 Huawei AR3200 routers with software before V200R006C10SPC300 allow remote authenticated users to cause a denial of service (restart) via crafted packets. | 6.8 |
2016-04-18 | CVE-2016-2423 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android server/telecom/CallsManager.java in Telephony in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider whether a device is provisioned, which allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism and delete data via unspecified vectors, aka internal bug 26303187. | 6.6 |
2016-04-18 | CVE-2016-2421 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android Setup Wizard in Android 5.1.x before 5.1.1 and 6.x before 2016-04-01 allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism and delete data via unspecified vectors, aka internal bug 26154410. | 6.6 |
2016-04-22 | CVE-2016-2204 | Symantec | Injection vulnerability in Symantec Messaging Gateway 10.6.0 The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to obtain root-shell access via crafted terminal-window input. | 6.5 |
2016-04-22 | CVE-2016-1595 | Novell | Information Exposure vulnerability in Novell Service Desk 7.1 LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile in Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to conduct Hibernate Query Language (HQL) injection attacks and obtain sensitive information via the entityName parameter. | 6.5 |
2016-04-22 | CVE-2016-1594 | Novell | Information Exposure vulnerability in Novell Service Desk 7.1 Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to read arbitrary attachments via a request to a LiveTime.woa URL, as demonstrated by obtaining sensitive information via a (1) downloadLogFiles or (2) downloadFile action. | 6.5 |
2016-04-22 | CVE-2016-2301 | Ecava | SQL Injection vulnerability in Ecava Integraxor SQL injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | 6.5 |
2016-04-21 | CVE-2016-3421 | Oracle | Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55 Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to Activity Guide. | 6.5 |
2016-04-21 | CVE-2016-0681 | Oracle | Remote Security vulnerability in Oracle Olap 11.2.0.4/12.1.0.1/12.1.0.2 Unspecified vulnerability in the Oracle OLAP component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows local users to affect confidentiality, integrity, and availability via unspecified vectors. | 6.5 |
2016-04-20 | CVE-2016-3628 | Tibco | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Tibco products Buffer overflow in tibemsd in the server in TIBCO Enterprise Message Service (EMS) before 8.3.0 and EMS Appliance before 2.4.0 allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via crafted inbound data. | 6.5 |
2016-04-19 | CVE-2016-4040 | Dotcms | SQL Injection vulnerability in Dotcms SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter. | 6.5 |
2016-04-19 | CVE-2015-5479 | Ubuntu Libav Opensuse | Numeric Errors vulnerability in multiple products The ff_h263_decode_mba function in libavcodec/ituh263dec.c in Libav before 11.5 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a file with crafted dimensions. | 6.5 |
2016-04-18 | CVE-2016-1654 | Debian Suse Opensuse Canonical | Improper Input Validation vulnerability in multiple products The media subsystem in Google Chrome before 50.0.2661.75 does not initialize an unspecified data structure, which allows remote attackers to cause a denial of service (invalid read operation) via unknown vectors. | 6.5 |
2016-04-22 | CVE-2016-2300 | Ecava | Improper Authentication vulnerability in Ecava Integraxor Ecava IntegraXor before 5.0 build 4522 allows remote attackers to bypass authentication and access unspecified web pages via unknown vectors. | 6.4 |
2016-04-21 | CVE-2016-3466 | Oracle | Remote Security vulnerability in Oracle Field Service 12.1.1/12.1.2/12.1.3 Unspecified vulnerability in the Oracle Field Service component in Oracle E-Business Suite 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Wireless. | 6.4 |
2016-04-21 | CVE-2016-3438 | Oracle | Remote Security vulnerability in Oracle Supply Chain Products Suite Unspecified vulnerability in the Oracle Configurator component in Oracle Supply Chain Products Suite 12.0.6, 12.1, and 12.2 allows remote attackers to affect confidentiality and integrity via vectors related to JRAD Heartbeat. | 6.4 |
2016-04-21 | CVE-2016-0696 | Oracle | Remote Security vulnerability in Oracle Weblogic Server 10.3.6.0.0 Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6 allows remote attackers to affect confidentiality and integrity via vectors related to Console. | 6.4 |
2016-04-19 | CVE-2015-8776 | Suse Opensuse Canonical Debian Fedoraproject GNU | Numeric Errors vulnerability in multiple products The strftime function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly obtain sensitive information via an out-of-range time value. | 6.4 |
2016-04-19 | CVE-2015-1776 | Apache | Information Exposure vulnerability in Apache Hadoop Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the file. | 6.2 |
2016-04-18 | CVE-2016-1652 | Debian Suse Opensuse | Cross-site Scripting vulnerability in multiple products Cross-site scripting (XSS) vulnerability in the ModuleSystem::RequireForJsInner function in extensions/renderer/module_system.cc in the Extensions subsystem in Google Chrome before 50.0.2661.75 allows remote attackers to inject arbitrary web script or HTML via a crafted web site, aka "Universal XSS (UXSS)." | 6.1 |
2016-04-21 | CVE-2013-7449 | Canonical Xchat Hexchat Project | Cryptographic Issues vulnerability in multiple products The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, and XChat-GNOME does not verify that the server hostname matches a domain name in the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | 5.8 |
2016-04-21 | CVE-2016-0479 | Oracle | Remote Security vulnerability in Oracle Business Intelligence 11.1.1.7.0/11.1.1.9.0/12.2.1.0.0 Unspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, and 12.2.1.0.0 allows remote attackers to affect confidentiality and integrity via vectors related to Analytics Scorecard. | 5.8 |
2016-04-18 | CVE-2016-0850 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Android The PORCHE_PAIRING_CONFLICT feature in Bluetooth in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows remote attackers to bypass intended pairing restrictions via a crafted device, aka internal bug 26551752. | 5.8 |
2016-04-21 | CVE-2016-3460 | Oracle | Remote Security vulnerability in Oracle Peoplesoft Enterprise Human Capital Management Eperformance 9.2 Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to ePerformance. | 5.5 |
2016-04-21 | CVE-2016-0685 | Oracle | Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55 Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to File Processing. | 5.5 |
2016-04-21 | CVE-2016-0680 | Oracle | Remote Security vulnerability in Oracle Peoplesoft Supply Chain Management Eprocurement 9.1/9.2 Unspecified vulnerability in the PeopleSoft Enterprise SCM component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to Services Procurement. | 5.5 |
2016-04-21 | CVE-2016-0679 | Oracle | Remote Security vulnerability in Oracle PeopleSoft Products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect integrity and availability via vectors related to PIA Grids. | 5.5 |
2016-04-18 | CVE-2016-2427 | Bouncycastle | Information Exposure vulnerability in multiple products The AES-GCM specification in RFC 5084, as used in Android 5.x and 6.x, recommends 12 octets for the aes-ICVlen parameter field, which might make it easier for attackers to defeat a cryptographic protection mechanism and discover an authentication key via a crafted application, aka internal bug 26234568. | 5.5 |
2016-04-22 | CVE-2016-1596 | Novell | Cross-site Scripting vulnerability in Novell Service Desk 7.1 Multiple cross-site scripting (XSS) vulnerabilities in Micro Focus Novell Service Desk before 7.2 allow remote authenticated users to inject arbitrary web script or HTML via a certain (1) user name, (2) tf_aClientFirstName, (3) tf_aClientLastName, (4) ta_selectedTopicContent, (5) tf_orgUnitName, (6) tf_aManufacturerFullName, (7) tf_aManufacturerName, (8) tf_aManufacturerAddress, or (9) tf_aManufacturerCity parameter. | 5.4 |
2016-04-21 | CVE-2016-3429 | Oracle | Local Security vulnerability in Oracle Retail Applications Unspecified vulnerability in the Oracle Retail Xstore Point of Service component in Oracle Retail Applications 5.0, 5.5, 6.0, 6.5, 7.0, and 7.1 allows remote authenticated users to affect confidentiality and integrity via vectors related to Xstore Services. | 5.4 |
2016-04-21 | CVE-2016-0669 | Oracle | Local Security vulnerability in Oracle Solaris 11.3 Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local users to affect integrity and availability via vectors related to Fwflash. | 5.2 |
2016-04-22 | CVE-2016-4061 | Foxitsoftware | Improper Input Validation vulnerability in Foxitsoftware Foxit Reader and Phantompdf Foxit Reader and PhantomPDF before 7.3.4 on Windows allow remote attackers to cause a denial of service (application crash) via a crafted content stream. | 5.0 |
2016-04-22 | CVE-2016-4060 | Foxitsoftware | Remote Code Execution vulnerability in Foxitsoftware Foxit Reader and Phantompdf Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to cause a denial of service (application crash) via unspecified vectors. | 5.0 |
2016-04-22 | CVE-2016-2303 | Ecava | Unspecified vulnerability in Ecava Integraxor CRLF injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL. | 5.0 |
2016-04-22 | CVE-2016-2302 | Ecava | Information Exposure vulnerability in Ecava Integraxor Ecava IntegraXor before 5.0 build 4522 allows remote attackers to obtain sensitive information by reading detailed error messages. | 5.0 |
2016-04-21 | CVE-2016-3190 | Opensuse Cairographics | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products The fill_xrgb32_lerp_opaque_spans function in cairo-image-compositor.c in cairo before 1.14.2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a negative span length. | 5.0 |
2016-04-21 | CVE-2016-3463 | Oracle | Remote Security vulnerability in Oracle Flexcube Direct Banking 12.0.3 Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 12.0.3 allows remote attackers to affect confidentiality and integrity via vectors related to Pre-Login. | 5.0 |
2016-04-21 | CVE-2016-3425 | Oracle | Unspecified vulnerability in Oracle Jdk, JRE and Jrockit Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect availability via vectors related to JAXP. | 5.0 |
2016-04-21 | CVE-2016-3422 | Oracle | Unspecified vulnerability in Oracle JDK and JRE Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect availability via vectors related to 2D. | 5.0 |
2016-04-21 | CVE-2016-2294 | Accuenergy | Information Exposure vulnerability in Accuenergy Acuvim II NET Firmware and Acuvim IIR NET Firmware The AXM-NET module in Accuenergy Acuvim II NET Firmware 3.08 and Acuvim IIR NET Firmware 3.08 allows remote attackers to discover a cleartext mail-server password via unspecified vectors. | 5.0 |
2016-04-21 | CVE-2016-0677 | Oracle | Remote Security vulnerability in Oracle Database Server Unspecified vulnerability in the RDBMS Security component in Oracle Database Server 12.1.0.1 and 12.1.0.2 allows remote attackers to affect availability via unknown vectors. | 5.0 |
2016-04-21 | CVE-2016-0672 | Oracle | Remote Security vulnerability in Oracle Flexcube Direct Banking 12.0.2/12.0.3 Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 12.0.2 and 12.0.3 allows remote attackers to affect confidentiality and integrity via vectors related to Pre-Login. | 5.0 |
2016-04-20 | CVE-2016-1384 | Cisco | Permissions, Privileges, and Access Controls vulnerability in Cisco IOS and IOS XE The NTP implementation in Cisco IOS 15.1 and 15.5 and IOS XE 3.2 through 3.17 allows remote attackers to modify the system time via crafted packets, aka Bug ID CSCux46898. | 5.0 |
2016-04-19 | CVE-2016-3186 | Opensuse Libtiff | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file. | 5.0 |
2016-04-18 | CVE-2016-3071 | Libreswan Fedoraproject | Improper Input Validation vulnerability in multiple products Libreswan 3.16 might allow remote attackers to cause a denial of service (daemon restart) via an IKEv2 aes_xcbc transform. | 5.0 |
2016-04-21 | CVE-2016-3465 | Oracle | Unspecified vulnerability in Oracle Solaris 11.3 Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows local users to affect availability via vectors related to ZFS. | 4.9 |
2016-04-21 | CVE-2016-3462 | Oracle | Local Security vulnerability in Oracle Solaris 11.3 Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local users to affect availability via vectors related to Network Configuration Service. | 4.9 |
2016-04-21 | CVE-2016-3457 | Oracle | Remote Security vulnerability in Oracle Peoplesoft Enterprise Human Capital Management Eperformance 9.2 Unspecified vulnerability in the PeopleSoft Enterprise HCM ePerformance component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to Security. | 4.9 |
2016-04-21 | CVE-2016-0673 | Oracle | Remote Security vulnerability in Oracle Siebel UI Framework 8.1.1/8.2.2 Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to UIF Open UI. | 4.9 |
2016-04-21 | CVE-2016-0641 | Opensuse Debian Oracle IBM Redhat Mariadb | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect confidentiality and availability via vectors related to MyISAM. | 4.9 |
2016-04-21 | CVE-2016-0640 | Oracle Opensuse Mariadb Debian Redhat IBM | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect integrity and availability via vectors related to DML. | 4.9 |
2016-04-18 | CVE-2016-2414 | Google | Improper Input Validation vulnerability in Google Android The Minikin library in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider negative size values in font data, which allows remote attackers to cause a denial of service (memory corruption and reboot loop) via a crafted font, aka internal bug 26413177. | 4.9 |
2016-04-21 | CVE-2016-0469 | Oracle | Local Security vulnerability in Oracle Micros C2 9.89.0.0 Unspecified vulnerability in the Oracle Retail MICROS C2 component in Oracle Retail Applications 9.89.0.0 allows local users to affect confidentiality via vectors related to POS. | 4.6 |
2016-04-22 | CVE-2016-3126 | Blackberry | Cross-site Scripting vulnerability in Blackberry Enterprise Server 12.4/5.0.4 Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | 4.3 |
2016-04-22 | CVE-2016-1918 | Blackberry | Cross-site Scripting vulnerability in Blackberry Enterprise Server 12.4/5.0.4 Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-1917. | 4.3 |
2016-04-22 | CVE-2016-1917 | Blackberry | Cross-site Scripting vulnerability in Blackberry Enterprise Server 12.4/5.0.4 Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-1918. | 4.3 |
2016-04-22 | CVE-2016-1036 | Adobe | Cross-site Scripting vulnerability in Adobe Analytics Appmeasurement for Flash Library 4.0 Cross-site scripting (XSS) vulnerability in Adobe Analytics AppMeasurement for Flash Library before 4.0.1, when debugTracking is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2016-04-22 | CVE-2016-4062 | Foxitsoftware | Data Processing Errors vulnerability in Foxitsoftware Foxit Reader and Phantompdf Foxit Reader and PhantomPDF before 7.3.4 on Windows improperly report format errors recursively, which allows remote attackers to cause a denial of service (application hang) via a crafted PDF. | 4.3 |
2016-04-22 | CVE-2016-2305 | Ecava | Cross-site Scripting vulnerability in Ecava Integraxor Cross-site scripting (XSS) vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | 4.3 |
2016-04-22 | CVE-2016-2304 | Ecava | Information Exposure vulnerability in Ecava Integraxor Ecava IntegraXor before 5.0 build 4522 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. | 4.3 |
2016-04-21 | CVE-2016-3977 | Opensuse Giflib Project | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in giflib 5.1.2 allows remote attackers to cause a denial of service (application crash) via the background color index in a GIF file. | 4.3 |
2016-04-21 | CVE-2016-3461 | Oracle | Remote Security vulnerability in Oracle Mysql Enterprise Monitor 3.0.25/3.1.2 Unspecified vulnerability in the MySQL Enterprise Monitor component in Oracle MySQL 3.0.25 and earlier and 3.1.2 and earlier allows remote administrators to affect confidentiality, integrity, and availability via vectors related to Monitoring: Server. | 4.3 |
2016-04-21 | CVE-2016-3456 | Oracle | Remote Security vulnerability in Oracle Complex Maintenance Repair and Overhaul 12.1.1/12.1.2/12.1.3 Unspecified vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul component in Oracle Supply Chain Products Suite 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Dialog Box. | 4.3 |
2016-04-21 | CVE-2016-3442 | Oracle | Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55 Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to Portal. | 4.3 |
2016-04-21 | CVE-2016-3439 | Oracle | Remote Security vulnerability in Oracle CRM Technical Foundation 12.1.3 Unspecified vulnerability in the Oracle CRM Wireless component in Oracle E-Business Suite 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Call Phone Number Page. | 4.3 |
2016-04-21 | CVE-2016-3437 | Oracle | Remote Security vulnerability in Oracle CRM Technical Foundation 12.1.3 Unspecified vulnerability in the Oracle CRM Wireless component in Oracle E-Business Suite 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Person Address Page. | 4.3 |
2016-04-21 | CVE-2016-3436 | Oracle | Remote Security vulnerability in Oracle Common Applications Calendar 12.1.1/12.1.2/12.1.3 Unspecified vulnerability in the Oracle Common Applications Calendar component in Oracle E-Business Suite 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Tasks. | 4.3 |
2016-04-21 | CVE-2016-3435 | Oracle | Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55 Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote attackers to affect availability via vectors related to PIA Core Technology. | 4.3 |
2016-04-21 | CVE-2016-3434 | Oracle | Remote Security vulnerability in Oracle E-Business Suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect integrity via vectors related to Logout. | 4.3 |
2016-04-21 | CVE-2016-3426 | Oracle | Unspecified vulnerability in Oracle JDK and JRE Unspecified vulnerability in Oracle Java SE 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality via vectors related to JCE. | 4.3 |
2016-04-21 | CVE-2016-3417 | Oracle | Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55 Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to PIA Search Functionality. | 4.3 |
2016-04-21 | CVE-2016-3416 | Oracle | Remote Security vulnerability in Oracle Fusion Middleware Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, 12.1.3, and 12.2.1 allows remote attackers to affect confidentiality and integrity via vectors related to Console. | 4.3 |
2016-04-21 | CVE-2016-0700 | Oracle | Remote Security vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.2.0.0/12.1.3.0.0 Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Console, a different vulnerability than CVE-2016-0675. | 4.3 |
2016-04-21 | CVE-2016-0698 | Oracle | Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55 Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to Rich Text Editor, a different vulnerability than CVE-2016-3423. | 4.3 |
2016-04-21 | CVE-2016-0675 | Oracle | Remote Security vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.2.0.0/12.1.3.0.0 Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Console, a different vulnerability than CVE-2016-0700. | 4.3 |
2016-04-21 | CVE-2016-0642 | Oracle Suse Opensuse Redhat Mariadb Debian Canonical | Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated. | 4.3 |
2016-04-21 | CVE-2016-0623 | Oracle | Remote Security vulnerability in Oracle Solaris 11.3 Unspecified vulnerability in Oracle Sun Solaris 11.3 allows remote attackers to affect integrity via vectors related to the Automated Installer sub-component. | 4.3 |
2016-04-21 | CVE-2016-0408 | Oracle | Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55 Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 through 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to the Activity Guide sub-component. | 4.3 |
2016-04-21 | CVE-2015-6479 | Sierrawireless | Unspecified vulnerability in Sierrawireless Aleos ACEmanager in Sierra Wireless ALEOS 4.4.2 and earlier on ES440, ES450, GX400, GX440, GX450, and LS300 devices allows remote attackers to read the filteredlogs.txt file, and consequently discover potentially sensitive boot-sequence information, via unspecified vectors. | 4.3 |
2016-04-20 | CVE-2015-7802 | Optipng Project Canonical | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products gifread.c in gif2png, as used in OptiPNG before 0.7.6, allows remote attackers to cause a denial of service (uninitialized memory read) via a crafted GIF file. | 4.3 |
2016-04-19 | CVE-2016-2390 | Squid Cache | Improper Input Validation vulnerability in Squid-Cache Squid The FwdState::connectedToPeer method in FwdState.cc in Squid before 3.5.14 and 4.0.x before 4.0.6 does not properly handle SSL handshake errors when built with the --with-openssl option, which allows remote attackers to cause a denial of service (application crash) via a plaintext HTTP message. | 4.3 |
2016-04-18 | CVE-2016-3941 | Videolan Canonical | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products Buffer overflow in the AStreamPeekStream function in input/stream.c in VideoLAN VLC media player before 2.2.0 allows remote attackers to cause a denial of service (crash) via a crafted wav file, related to "seek across EOF." | 4.3 |
2016-04-18 | CVE-2016-1658 | Novell Opensuse Debian | Improper Access Control vulnerability in multiple products The Extensions subsystem in Google Chrome before 50.0.2661.75 incorrectly relies on GetOrigin method calls for origin comparisons, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted extension. | 4.3 |
2016-04-18 | CVE-2016-1657 | Debian Novell Opensuse | 7PK - Security Features vulnerability in multiple products The WebContentsImpl::FocusLocationBarByDefault function in content/browser/web_contents/web_contents_impl.cc in Google Chrome before 50.0.2661.75 mishandles focus for certain about:blank pages, which allows remote attackers to spoof the address bar via a crafted URL. | 4.3 |
2016-04-18 | CVE-2016-2426 | Google | Information Exposure vulnerability in Google Android server/content/ContentService.java in the Framework component in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not check for a GET_ACCOUNTS permission, which allows attackers to obtain sensitive information via a crafted application, aka internal bug 26094635. | 4.3 |
2016-04-18 | CVE-2016-2425 | Google | Information Exposure vulnerability in Google Android mail/compose/ComposeActivity.java in AOSP Mail in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 supports file:///data attachments, which allows attackers to obtain sensitive information via a crafted application, aka internal bugs 7154234 and 26989185. | 4.3 |
2016-04-21 | CVE-2016-0678 | Oracle | Local Security vulnerability in Oracle VM Virtualbox 5.0.18 Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 5.0.18 allows local users to affect confidentiality, integrity, and availability via vectors related to Core. | 4.1 |
2016-04-21 | CVE-2016-3464 | Oracle | Remote Security vulnerability in Oracle Flexcube Direct Banking 12.0.3 Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 12.0.3 allows remote authenticated users to affect confidentiality via vectors related to Accounts. | 4.0 |
2016-04-21 | CVE-2016-0691 | Oracle | Remote Security vulnerability in Oracle Database 11.2.0.4/12.1.0.1/12.1.0.2 Unspecified vulnerability in the RDBMS Security component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows local users to affect integrity via unknown vectors, a different vulnerability than CVE-2016-0690. | 4.0 |
2016-04-21 | CVE-2016-0690 | Oracle | Remote Security vulnerability in Oracle Database 11.2.0.4/12.1.0.1/12.1.0.2 Unspecified vulnerability in the RDBMS Security component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows local users to affect integrity via unknown vectors, a different vulnerability than CVE-2016-0691. | 4.0 |
2016-04-21 | CVE-2016-0683 | Oracle | Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55 Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to Search Framework. | 4.0 |
2016-04-21 | CVE-2016-0676 | Oracle | Local Security vulnerability in Oracle Solaris 10 Unspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect availability via vectors related to the kernel. | 4.0 |
2016-04-21 | CVE-2016-0650 | Oracle Opensuse IBM Redhat Debian Mariadb | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to Replication. | 4.0 |
2016-04-21 | CVE-2016-0649 | IBM Redhat Opensuse Debian Oracle Mariadb | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to PS. | 4.0 |
2016-04-21 | CVE-2016-0648 | Debian Opensuse Oracle Redhat IBM Mariadb | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to PS. | 4.0 |
2016-04-21 | CVE-2016-0647 | Opensuse Debian Oracle Redhat IBM Mariadb | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to FTS. | 4.0 |
2016-04-21 | CVE-2016-0646 | Debian Oracle Redhat IBM Opensuse Mariadb | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to DML. | 4.0 |
2016-04-21 | CVE-2016-0644 | Debian Opensuse Oracle IBM Redhat Mariadb | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to DDL. | 4.0 |
2016-04-21 | CVE-2016-0643 | Debian Redhat IBM Opensuse Oracle Mariadb | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect confidentiality via vectors related to DML. | 4.0 |
2016-04-21 | CVE-2016-0407 | Oracle | Remote Security vulnerability in Oracle Peoplesoft Enterprise Human Capital Management Human Resources 9.1/9.2 Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality via vectors related to Fusion HR Talent Integration. | 4.0 |
2016-04-19 | CVE-2016-3688 | Dotcms | Information Exposure vulnerability in Dotcms SQL injection vulnerability in dotCMS before 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr. | 4.0 |
2016-04-18 | CVE-2016-3972 | Dotcms | Path Traversal vulnerability in Dotcms Directory traversal vulnerability in the dotTailLogServlet in dotCMS before 3.5.1 allows remote authenticated administrators to read arbitrary files via a .. | 4.0 |
37 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2016-04-21 | CVE-2016-3431 | Oracle | Remote Security vulnerability in Oracle Supply Chain Products Suite Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.1.1, 9.3.1.2, 9.3.2, and 9.3.3 allows remote authenticated users to affect confidentiality and integrity via vectors related to Security, a different vulnerability than CVE-2016-3420. | 3.6 |
2016-04-21 | CVE-2016-3420 | Oracle | Remote Security vulnerability in Oracle Supply Chain Products Suite Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.1.1, 9.3.1.2, 9.3.2, and 9.3.3 allows remote authenticated users to affect confidentiality and integrity via vectors related to Security, a different vulnerability than CVE-2016-3431. | 3.6 |
2016-04-21 | CVE-2016-0697 | Oracle | Remote Security vulnerability in Oracle E-Business Suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows local users to affect confidentiality and integrity via unknown vectors. | 3.6 |
2016-04-22 | CVE-2016-1916 | Blackberry | Cross-site Scripting vulnerability in Blackberry Enterprise Server 12.4/5.0.4 Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote authenticated users to inject arbitrary web script or HTML by leveraging basic administrative access to create a crafted policy, leading to improper rendering on a certain Export IT screen. | 3.5 |
2016-04-21 | CVE-2016-3423 | Oracle | Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55 Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to Rich Text Editor, a different vulnerability than CVE-2016-0698. | 3.5 |
2016-04-21 | CVE-2016-0666 | Redhat Debian Mariadb Oracle Opensuse IBM | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to Security: Privileges. | 3.5 |
2016-04-21 | CVE-2016-0665 | Redhat Oracle Canonical | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.10 and earlier allows local users to affect availability via vectors related to Security: Encryption. | 3.5 |
2016-04-21 | CVE-2016-0663 | Oracle | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to Performance Schema. | 3.5 |
2016-04-21 | CVE-2016-0662 | Oracle | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect availability via vectors related to Partition. | 3.5 |
2016-04-21 | CVE-2016-0661 | Oracle Redhat Canonical | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.10 and earlier allows local users to affect availability via vectors related to Options. | 3.5 |
2016-04-21 | CVE-2016-0659 | Oracle | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect availability via vectors related to Optimizer. | 3.5 |
2016-04-21 | CVE-2016-0658 | Oracle | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to Optimizer. | 3.5 |
2016-04-21 | CVE-2016-0657 | Oracle | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect confidentiality via vectors related to JSON. | 3.5 |
2016-04-21 | CVE-2016-0656 | Oracle | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to InnoDB, a different vulnerability than CVE-2016-0654. | 3.5 |
2016-04-21 | CVE-2016-0655 | Mariadb Debian Opensuse Oracle Redhat | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.11 and earlier and MariaDB 10.0.x before 10.0.25 and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to InnoDB. | 3.5 |
2016-04-21 | CVE-2016-0654 | Oracle | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to InnoDB, a different vulnerability than CVE-2016-0656. | 3.5 |
2016-04-21 | CVE-2016-0653 | Oracle | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to FTS. | 3.5 |
2016-04-21 | CVE-2016-0652 | Oracle | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to DML. | 3.5 |
2016-04-21 | CVE-2016-0651 | Oracle Mariadb Suse Opensuse Redhat | Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows local users to affect availability via vectors related to Optimizer. | 3.5 |
2016-04-21 | CVE-2016-0468 | Oracle | Remote Security vulnerability in Oracle Business Intelligence 11.1.1.7.0/11.1.1.9.0/12.2.1.0.0 Unspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, and 12.2.1.0.0 allows remote authenticated users to affect confidentiality and integrity via vectors related to Analytics Web General. | 3.5 |
2016-04-18 | CVE-2016-3971 | Dotcms | Cross-site Scripting vulnerability in Dotcms Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to c/portal/layout. | 3.5 |
2016-04-21 | CVE-2016-3419 | Oracle | Unspecified vulnerability in Oracle Solaris 10/11.3 Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows local users to affect availability via vectors related to Filesystem. | 3.3 |
2016-04-20 | CVE-2015-8842 | Opensuse | Permissions, Privileges, and Access Controls vulnerability in Opensuse 13.2 tmpfiles.d/systemd.conf in systemd before 229 uses weak permissions for /var/log/journal/%m/system.journal, which allows local users to obtain sensitive information by reading the file. | 3.3 |
2016-04-20 | CVE-2014-9770 | Opensuse | Permissions, Privileges, and Access Controls vulnerability in Opensuse 13.2 tmpfiles.d/systemd.conf in systemd before 214 uses weak permissions for journal files under (1) /run/log/journal/%m and (2) /var/log/journal/%m, which allows local users to obtain sensitive information by reading these files. | 3.3 |
2016-04-21 | CVE-2016-0674 | Oracle | Local Security vulnerability in Oracle Siebel Core-Common Components 8.1.1/8.2.2 Unspecified vulnerability in the Siebel Core - Common Components component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows local users to affect confidentiality and integrity via vectors related to Email. | 3.2 |
2016-04-21 | CVE-2016-0667 | Oracle | Remote Security vulnerability in Oracle MySQL Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect availability via vectors related to Locking. | 2.8 |
2016-04-21 | CVE-2016-3447 | Oracle | Remote Security vulnerability in Oracle E-Business Suite Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect confidentiality and integrity via vectors related to OAF Core. | 2.6 |
2016-04-21 | CVE-2016-0695 | Oracle Redhat | Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality via vectors related to Security. | 2.6 |
2016-04-21 | CVE-2016-0688 | Oracle | Remote Security vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.2.0.0/12.1.3.0.0 Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via vectors related to Core Components. | 2.6 |
2016-04-21 | CVE-2016-0671 | Oracle | Remote Security vulnerability in Oracle Http Server 12.1.2.0 Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 12.1.2.0 allows remote attackers to affect confidentiality via vectors related to OSSL Module. | 2.6 |
2016-04-22 | CVE-2016-2203 | Symantec | Credentials Management vulnerability in Symantec Messaging Gateway 10.6.0 The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to discover an encrypted AD password by leveraging certain read privileges. | 2.1 |
2016-04-22 | CVE-2016-3145 | Lexmark | Information Exposure vulnerability in Lexmark Printer Firmware Lexmark printers with firmware ATL before ATL.021.063, CB before CB.021.063, PP before PP.021.063, and YK before YK.021.063 mishandle Erase Printer Memory and Erase Hard Disk actions, which allows physically proximate attackers to obtain sensitive information via direct read operations on non-volatile memory. | 2.1 |
2016-04-20 | CVE-2016-2202 | Symantec | Permissions, Privileges, and Access Controls vulnerability in Symantec Altiris IT Management Suite 7.6 The Inventory Solution component in the Management Agent in the client in Symantec Altiris IT Management Suite (ITMS) through 7.6 HF7 allows local users to bypass intended application-blacklist restrictions via unspecified vectors. | 2.1 |
2016-04-18 | CVE-2016-4036 | Opensuse | Permissions, Privileges, and Access Controls vulnerability in Opensuse Leap and Opensuse The quagga package before 0.99.23-2.6.1 in openSUSE and SUSE Linux Enterprise Server 11 SP 1 uses weak permissions for /etc/quagga, which allows local users to obtain sensitive information by reading files in the directory. | 2.1 |
2016-04-19 | CVE-2015-7511 | Gnupg Debian Canonical | Information Exposure vulnerability in multiple products Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanations. | 2.0 |
2016-04-21 | CVE-2016-3428 | Oracle | Remote Security vulnerability in Oracle Agile Engineering Data Management 6.1.3.0/6.2.0.0 Unspecified vulnerability in the Oracle Agile Engineering Data Management component in Oracle Supply Chain Products Suite 6.1.3.0 and 6.2.0.0 allows remote attackers to affect availability via vectors related to Engineering Communication Interface. | 1.8 |
2016-04-21 | CVE-2016-0668 | Oracle Mariadb Debian Suse Opensuse Canonical | Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.10 and earlier and MariaDB 10.0.x before 10.0.24 and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to InnoDB. | 1.7 |
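The three weak-permission rows in the Low table (CVE-2014-9770 and CVE-2015-8842 for systemd journal files, CVE-2016-4036 for /etc/quagga) share one root cause: packaging that left files containing sensitive data readable by every local user. The script below is an added example, not code from this report or from the systemd or quagga projects. It audits a filesystem tree for files under sensitive prefixes that carry forbidden mode bits, and it builds a constructed sample tree so it runs offline. The path prefixes, the forbidden bits, and the sample file names and modes are assumptions for illustration; the journal-file mode of 0640 follows the systemd fix described above, and a real policy should be adapted to the distribution in use.

```python
import os
import stat
import tempfile
from pathlib import Path

# Mode bits that must never be set on regular files under the listed prefixes.
# Prefixes are relative to the audit root so the same check can run against a
# mounted image or a chroot as well as "/". These values are this example's
# assumptions: systemd's fix for the journal CVEs makes journal files 0640
# (group systemd-journal), and the quagga fix removes world access from
# /etc/quagga, so world-any and group-write bits are treated as violations.
WORLD_ANY = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH
GROUP_WRITE = stat.S_IWGRP

DEFAULT_POLICY = {
    "var/log/journal": WORLD_ANY | GROUP_WRITE,
    "run/log/journal": WORLD_ANY | GROUP_WRITE,
    "etc/quagga": WORLD_ANY | GROUP_WRITE,
}


def audit_permissions(root, policy=DEFAULT_POLICY):
    """Return sorted (relative_path, mode, offending_bits) triples.

    Modes are 4-digit octal strings. Only regular files are checked: the journal
    directory itself is normally 2755 so unprivileged users can see it exists,
    and flagging it would be noise. Symlinks are skipped via lstat so that a link
    pointing outside the tree is never followed.
    """
    root = Path(root)
    violations = []
    for prefix, forbidden in policy.items():
        base = root / prefix
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            st = path.lstat()
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            bad = mode & forbidden
            if bad:
                violations.append(
                    (path.relative_to(root).as_posix(), f"{mode:04o}", f"{bad:04o}")
                )
    return sorted(violations)


def build_sample_tree():
    """Create a throw-away tree of constructed files mimicking the affected layouts.

    Returns the root path. Contents and modes are sample data for this example,
    not real journal or configuration files.
    """
    root = Path(tempfile.mkdtemp(prefix="permaudit-"))
    files = {
        "var/log/journal/deadbeef/system.journal": 0o644,     # weak: world-readable
        "var/log/journal/deadbeef/user-1000.journal": 0o640,  # as fixed by systemd 229
        "etc/quagga/zebra.conf": 0o644,                       # weak: world-readable
        "etc/quagga/vtysh.conf": 0o660,                       # weak: group-writable
        "etc/hosts": 0o644,                                   # outside the policy, never flagged
    }
    for rel, mode in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample\n")
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    for rel, mode, bad in audit_permissions(build_sample_tree()):
        print(f"{rel}: mode {mode} has forbidden bits {bad}")
```

Run against a live host with `audit_permissions("/")` after adjusting the policy; the check reports the offending bits rather than just the mode so the finding maps directly to the chmod that fixes it.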