Weekly Vulnerabilities Reports > April 18 to 24, 2016

Overview

226 new vulnerabilities were reported during this period, including 40 critical and 30 high severity vulnerabilities. This weekly summary reports vulnerabilities in 166 products from 50 vendors, including Oracle, Google, Opensuse, Debian, and Redhat. The most common weakness categories are "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Permissions, Privileges, and Access Controls", "Information Exposure", "Improper Input Validation", and "Cross-site Scripting".

  • 186 reported vulnerabilities are remotely exploitable.
  • 13 reported vulnerabilities have a public exploit available.
  • 20 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 163 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 102.
  • Google has the most reported critical vulnerabilities, with 23.

[Summary dashboard: total vulnerabilities; critical, high, medium and low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web applications]

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:


40 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-04-21 CVE-2016-3443 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D.

10.0
2016-04-21 CVE-2016-3427 Oracle Unspecified vulnerability in Oracle Jdk, JRE and Jrockit

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX.

10.0
2016-04-21 CVE-2016-2007 HP Request Remote Code Execution vulnerability in HP Data Protector

HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors, aka ZDI-CAN-3354.

10.0
2016-04-21 CVE-2016-2006 HP Request Remote Code Execution vulnerability in HP Data Protector

HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors, aka ZDI-CAN-3353.

10.0
2016-04-21 CVE-2016-2005 HP Request Remote Code Execution vulnerability in HP Data Protector

HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors, aka ZDI-CAN-3352.

10.0
2016-04-21 CVE-2016-1363 Cisco Resource Management Errors vulnerability in Cisco Wireless LAN Controller Software

Buffer overflow in the redirection functionality in Cisco Wireless LAN Controller (WLC) Software 7.2 through 7.4 before 7.4.140.0(MD) and 7.5 through 8.0 before 8.0.115.0(ED) allows remote attackers to execute arbitrary code via a crafted HTTP request, aka Bug ID CSCus25617.

10.0
2016-04-21 CVE-2016-0693 Oracle Remote Security vulnerability in Oracle Solaris 10/11.3

Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to the PAM LDAP module.

10.0
2016-04-21 CVE-2016-0687 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to the Hotspot sub-component.

10.0
2016-04-21 CVE-2016-0686 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Serialization.

10.0
2016-04-21 CVE-2016-0639 Redhat, Oracle Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.11 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Pluggable Authentication.

10.0
2016-04-20 CVE-2016-2002 HP Command Injection vulnerability in HP Vertica

The validateAdminConfig handler in the Analytics Management Console in HPE Vertica 7.0.x before 7.0.2.12, 7.1.x before 7.1.2-12, and 7.2.x before 7.2.2-1 allows remote attackers to execute arbitrary commands via the mcPort parameter, aka ZDI-CAN-3417.

10.0
2016-04-18 CVE-2016-1659 Debian, Opensuse, Suse, Canonical, Google Multiple unspecified vulnerabilities in Google Chrome

Multiple unspecified vulnerabilities in Google Chrome before 50.0.2661.75 allow attackers to cause a denial of service or possibly have other impact via unknown vectors.

10.0
2016-04-18 CVE-2016-2419 Google Permissions, Privileges, and Access Controls vulnerability in Google Android 6.0/6.0.1

media/libmedia/IDrm.cpp in mediaserver in Android 6.x before 2016-04-01 does not initialize a certain key-request data structure, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26323455.

10.0
2016-04-18 CVE-2016-2418 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 6.0/6.0.1

media/libmedia/IOMX.cpp in mediaserver in Android 6.x before 2016-04-01 does not initialize certain metadata buffer pointers, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26324358.

10.0
2016-04-18 CVE-2016-2417 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

media/libmedia/IOMX.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not initialize a parameter data structure, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26914474.

10.0
2016-04-18 CVE-2016-2416 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

libs/gui/BufferQueueConsumer.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not check for the android.permission.DUMP permission, which allows attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via a dump request, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 27046057.

10.0
2016-04-18 CVE-2016-1503 Dhcpcd Project, Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

dhcpcd before 6.10.0, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 and other products, mismanages option lengths, which allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a malformed DHCP response, aka internal bug 26461634.

10.0
2016-04-18 CVE-2016-0842 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 6.0/6.0.1

The H.264 decoder in libstagefright in Android 6.x before 2016-04-01 mishandles Memory Management Control Operation (MMCO) data, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 25818142.

10.0
2016-04-18 CVE-2016-0841 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

media/libmedia/mediametadataretriever.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 mishandles cleared service binders, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 26040840.

10.0
2016-04-18 CVE-2016-0840 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 6.0/6.0.1

Multiple stack-based buffer underflows in decoder/ih264d_parse_cavlc.c in mediaserver in Android 6.x before 2016-04-01 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 26399350.

10.0
2016-04-18 CVE-2016-0839 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 6.0/6.0.1

post_proc/volume_listener.c in mediaserver in Android 6.x before 2016-04-01 mishandles deleted effect context, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 25753245.

10.0
2016-04-18 CVE-2016-0838 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

Sonivox in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not check for a negative number of samples, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, related to arm-wt-22k/lib_src/eas_wtengine.c and arm-wt-22k/lib_src/eas_wtsynth.c, aka internal bug 26366256.

10.0
2016-04-18 CVE-2016-0837 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android

MPEG4Extractor.cpp in libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read and memory corruption) via a crafted media file, aka internal bug 27208621.

10.0
2016-04-18 CVE-2016-0836 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 6.0/6.0.1

Stack-based buffer overflow in decoder/impeg2d_vld.c in mediaserver in Android 6.x before 2016-04-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 25812590.

10.0
2016-04-18 CVE-2016-0835 Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Google Android 6.0/6.0.1

decoder/impeg2d_dec_hdr.c in mediaserver in Android 6.x before 2016-04-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file that triggers a certain negative value, aka internal bug 26070014.

10.0
2016-04-18 CVE-2016-0834 Google Improper Input Validation vulnerability in Google Android 6.0/6.0.1

An unspecified media codec in mediaserver in Android 6.x before 2016-04-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 26220548.

10.0
2016-04-21 CVE-2016-0699 Oracle Remote Security vulnerability in Oracle Flexcube Direct Banking 12.0.2/12.0.3

Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 12.0.2 and 12.0.3 allows remote attackers to affect confidentiality and integrity via vectors related to the Login sub-component.

9.4
2016-04-22 CVE-2015-8823 Microsoft, Adobe, Apple, Google, Linux Use After Free Remote Code Execution vulnerability in Adobe Flash Player and AIR

Use-after-free vulnerability in the TextField object implementation in Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allows attackers to execute arbitrary code via crafted text property, a different vulnerability than CVE-2015-8048, CVE-2015-8049, CVE-2015-8050, CVE-2015-8055, CVE-2015-8056, CVE-2015-8057, CVE-2015-8058, CVE-2015-8059, CVE-2015-8061, CVE-2015-8062, CVE-2015-8063, CVE-2015-8064, CVE-2015-8065, CVE-2015-8066, CVE-2015-8067, CVE-2015-8068, CVE-2015-8069, CVE-2015-8070, CVE-2015-8071, CVE-2015-8401, CVE-2015-8402, CVE-2015-8403, CVE-2015-8404, CVE-2015-8405, CVE-2015-8406, CVE-2015-8410, CVE-2015-8411, CVE-2015-8412, CVE-2015-8413, CVE-2015-8414, CVE-2015-8420, CVE-2015-8421, CVE-2015-8422, CVE-2015-8423, CVE-2015-8424, CVE-2015-8425, CVE-2015-8426, CVE-2015-8427, CVE-2015-8428, CVE-2015-8429, CVE-2015-8430, CVE-2015-8431, CVE-2015-8432, CVE-2015-8433, CVE-2015-8434, CVE-2015-8435, CVE-2015-8436, CVE-2015-8437, CVE-2015-8441, CVE-2015-8442, CVE-2015-8447, CVE-2015-8448, CVE-2015-8449, CVE-2015-8450, CVE-2015-8452, CVE-2015-8454, CVE-2015-8653, CVE-2015-8655, CVE-2015-8821, and CVE-2015-8822.

9.3
2016-04-21 CVE-2016-2004 HP Missing Authentication for Critical Function vulnerability in HP Data Protector

HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication.

9.3
2016-04-20 CVE-2015-7801 Optipng Project, Canonical Use-After-Free Remote Code Execution vulnerability in OptiPNG

Use-after-free vulnerability in OptiPNG 0.6.4 allows remote attackers to execute arbitrary code via a crafted PNG file.

9.3
2016-04-18 CVE-2015-8106 Latex2Rtf Project, Fedoraproject Use of Externally-Controlled Format String vulnerability in multiple products

Format string vulnerability in the CmdKeywords function in funct1.c in latex2rtf before 2.3.10 allows remote attackers to execute arbitrary code via format string specifiers in the \keywords command in a crafted TeX file.

9.3
2016-04-18 CVE-2015-7552 Opensuse Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Opensuse 13.2

Heap-based buffer overflow in the gdk_pixbuf_flip function in gdk-pixbuf-scale.c in gdk-pixbuf 2.30.x allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted BMP file.

9.3
2016-04-18 CVE-2016-1653 Debian, Opensuse, Suse, Canonical, Google Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

The LoadBuffer implementation in Google V8, as used in Google Chrome before 50.0.2661.75, mishandles data types, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers an out-of-bounds write operation, related to compiler/pipeline.cc and compiler/simplified-lowering.cc.

9.3
2016-04-18 CVE-2016-2422 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

Wi-Fi in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not prevent use of a Wi-Fi CA certificate in an unrelated CA role, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26324357.

9.3
2016-04-18 CVE-2016-2420 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

rootdir/init.rc in Android 4.x before 4.4.4 does not ensure that the /data/tombstones directory exists for the Debuggerd component, which allows attackers to gain privileges via a crafted application, aka internal bug 26403620.

9.3
2016-04-18 CVE-2016-2413 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

media/libmedia/IOMX.cpp in mediaserver in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not initialize a handle pointer, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26403627.

9.3
2016-04-18 CVE-2016-2412 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

include/core/SkPostConfig.h in Skia, as used in System_server in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01, mishandles certain crashes, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26593930.

9.3
2016-04-18 CVE-2016-2411 Google Improper Input Validation vulnerability in Google Android 6.0/6.0.1

A Qualcomm Power Management kernel driver in Android 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application that leverages root access, aka internal bug 26866053.

9.3
2016-04-18 CVE-2016-2409 Google Permissions, Privileges, and Access Controls vulnerability in Google Android 6.0/6.0.1

A Texas Instruments (TI) haptic kernel driver in Android 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application that leverages control over a service that can call this driver, aka internal bug 25981545.

9.3
2016-04-21 CVE-2016-3455 Oracle Remote Security vulnerability in Oracle Outside in Technology 8.5.0/8.5.1/8.5.2

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters.

9.0
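
The three mediaserver entries in the table above (CVE-2016-2419, CVE-2016-2418, CVE-2016-2417) share one bug class: a reply structure is only partially filled before the whole structure is copied back to the caller, so the bytes that were never written carry whatever the memory held before. The C program below is an added example written for this report, not Android code and not a reproduction of those bugs. It models the heap with a small bump allocator that recycles memory without clearing it, plants a constructed secret during a first request, and then compares a handler that leaves fields unset with one that zeroes the structure before use. The struct layout, the arena and the residue string are assumptions of the model.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Tiny bump allocator standing in for the process heap. Like a real heap it
   hands back recently freed bytes without clearing them. Model only. */
#define ARENA_SIZE 256
static uint8_t arena[ARENA_SIZE];
static size_t arena_top;

static void *arena_alloc(size_t n)
{
    if (arena_top + n > ARENA_SIZE) return NULL;
    void *p = arena + arena_top;
    arena_top += n;
    return p;
}
static void arena_reset(void) { arena_top = 0; } /* "free", contents untouched */

/* Reply structure. The handler only ever sets `index` and `size`; `name` is
   reserved for a code path this service does not exercise. 40 bytes, no
   padding, so every byte in it is either set by the handler or stale. */
struct param_reply {
    uint32_t index;
    uint32_t size;
    char     name[32];
};

/* Step 1: an earlier request leaves sensitive data in heap memory.
   The token is constructed for the example. */
static const char residue[] = "SESSION-KEY:deadbeefcafef00d";

static void earlier_request_leaves_residue(void)
{
    arena_reset();
    char *scratch = arena_alloc(48);
    memcpy(scratch + 8, residue, sizeof residue); /* somewhere inside the block */
    arena_reset();                                /* freed, not scrubbed */
}

/* Vulnerable handler: fields the handler does not set keep whatever the
   allocator gave us, and the whole struct goes out in the reply. */
size_t handle_get_param_vulnerable(uint32_t index, uint8_t *reply, size_t reply_cap)
{
    struct param_reply *r = arena_alloc(sizeof *r);
    if (!r || reply_cap < sizeof *r) return 0;
    r->index = index;
    r->size  = sizeof *r;
    memcpy(reply, r, sizeof *r);
    return sizeof *r;
}

/* Fixed handler: zero the structure before any field is set. memset also
   covers padding bytes, which field-by-field assignment never touches. */
size_t handle_get_param_fixed(uint32_t index, uint8_t *reply, size_t reply_cap)
{
    struct param_reply *r = arena_alloc(sizeof *r);
    if (!r || reply_cap < sizeof *r) return 0;
    memset(r, 0, sizeof *r);
    r->index = index;
    r->size  = sizeof *r;
    memcpy(reply, r, sizeof *r);
    return sizeof *r;
}

/* Client-side view: does the reply contain the residue? */
int reply_leaks_residue(const uint8_t *reply, size_t len)
{
    const char *needle = "SESSION-KEY:";
    size_t nl = strlen(needle);
    for (size_t i = 0; i + nl <= len; i++)
        if (memcmp(reply + i, needle, nl) == 0) return 1;
    return 0;
}

/* Plant the residue, run one request through `handler`, check the reply. */
int leak_check(size_t (*handler)(uint32_t, uint8_t *, size_t))
{
    uint8_t reply[64];
    earlier_request_leaves_residue();
    size_t n = handler(7, reply, sizeof reply);
    return reply_leaks_residue(reply, n);
}

int main(void)
{
    printf("vulnerable handler leaks residue: %d\n", leak_check(handle_get_param_vulnerable));
    printf("fixed handler leaks residue:      %d\n", leak_check(handle_get_param_fixed));
    return 0;
}
```

The same check is what a client-side test for this bug class looks like in practice: issue a request whose reply has fields the service never populates, and scan the returned bytes for anything that is not zero or not the expected value.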
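
The dhcpcd entry in the table above (CVE-2016-1503) is a length-handling bug in DHCP option parsing: a heap overflow reached over the network by a malformed response. The C function below is an added example, not dhcpcd's code or its fix. It walks the RFC 2132 option area and checks every length byte against the bytes that actually remain in the packet before copying or skipping, which is the check any TLV parser must make before trusting a length taken from the wire. The option areas at the bottom are constructed for the example, not captured packets.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Option codes from RFC 2132 used by this example. */
#define DHO_PAD        0
#define DHO_HOSTNAME   12
#define DHO_MSGTYPE    53
#define DHO_END        255

/* Return codes for dhcp_get_option(). */
#define DHCP_OPT_MISSING   (-1)
#define DHCP_OPT_MALFORMED (-2)

/*
 * Look up option `code` in the option area `opts` (`optlen` bytes) and copy
 * its value into `out` (capacity `outlen`).
 *
 * Every length byte is validated against the bytes that remain before it is
 * used, whether to copy or to skip. A walker that trusts the length byte
 * will memcpy() an attacker-chosen number of bytes out of the packet and,
 * with a fixed-size destination, past the end of its own buffer.
 *
 * Returns the value length (0..255) on success, DHCP_OPT_MISSING if the
 * option is absent, DHCP_OPT_MALFORMED if a length byte runs past the end
 * of the option area, the area is truncated, or the value does not fit.
 */
int dhcp_get_option(const uint8_t *opts, size_t optlen, uint8_t code,
                    uint8_t *out, size_t outlen)
{
    size_t i = 0;

    while (i < optlen) {
        uint8_t o = opts[i++];

        if (o == DHO_PAD)
            continue;                       /* one-byte option, no length */
        if (o == DHO_END)
            break;                          /* nothing after the end marker counts */
        if (i >= optlen)
            return DHCP_OPT_MALFORMED;      /* code present, length byte missing */

        uint8_t len = opts[i++];
        if (len > optlen - i)
            return DHCP_OPT_MALFORMED;      /* claims bytes the packet does not have */

        if (o == code) {
            if (len > outlen)
                return DHCP_OPT_MALFORMED;  /* caller's buffer is too small */
            memcpy(out, opts + i, len);
            return (int)len;
        }
        i += len;                           /* safe: i + len <= optlen was checked */
    }
    return DHCP_OPT_MISSING;
}

/* Constructed sample option areas (not captured traffic). */
static const uint8_t good_opts[] = {
    DHO_MSGTYPE, 1, 2,                      /* DHCPOFFER */
    DHO_HOSTNAME, 4, 'h', 'o', 's', 't',
    DHO_END
};

/* Hostname option claims 200 bytes, but only 2 follow before the end marker. */
static const uint8_t bad_opts[] = {
    DHO_HOSTNAME, 200, 'A', 'B',
    DHO_END
};

int main(void)
{
    uint8_t name[64];
    int n = dhcp_get_option(good_opts, sizeof good_opts, DHO_HOSTNAME, name, sizeof name);
    printf("good packet: hostname length %d\n", n);
    n = dhcp_get_option(bad_opts, sizeof bad_opts, DHO_HOSTNAME, name, sizeof name);
    printf("bad packet: result %d (malformed = %d)\n", n, DHCP_OPT_MALFORMED);
    return 0;
}
```

The parser rejects the malformed area before touching any byte past the packet; the same two checks (length byte present, length within the remaining bytes) apply to every TLV format, not only DHCP.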
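
The latex2rtf entry in the table above (CVE-2015-8106) is a format string bug: text under the attacker's control reaches a printf-family function as the format argument. The C program below is an added example, not latex2rtf code. It shows the vulnerable call shape beside the fixed one and demonstrates the difference with an input that is defined behaviour under both: "%%" collapses to a single "%" only when the text is interpreted as a format. The emit_va() wrapper and the keyword strings are assumptions for the demonstration; inputs containing %n or %x are deliberately not executed, since with no matching arguments that is undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* printf-style output helper of the kind many projects wrap their diagnostics
   and emitters in. It has no format attribute, so the compiler does not warn
   when a variable ends up in the format slot. Assumed helper, not latex2rtf's. */
static int emit_va(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable shape: the untrusted keyword text IS the format string.
   "%x" reads argument slots, "%s" dereferences one, "%n" writes through one. */
int emit_keywords_vulnerable(char *out, size_t outlen, const char *keywords)
{
    return emit_va(out, outlen, keywords);
}

/* Fixed shape: the format is a literal and the text is an ordinary argument. */
int emit_keywords_fixed(char *out, size_t outlen, const char *keywords)
{
    return emit_va(out, outlen, "%s", keywords);
}

/* Audit oracle: would printf treat any part of this text as a directive?
   Returns 1 if a '%' is present. Useful in a fuzzing harness or as a
   grep over inputs; it is not a substitute for fixing the call. */
int contains_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    /* Constructed input: a keyword a TeX author could plausibly write. */
    const char *keywords = "100%% secure";
    char buf[64];

    emit_keywords_vulnerable(buf, sizeof buf, keywords);
    printf("vulnerable: \\keywords{%s}\n", buf);   /* text was interpreted */
    emit_keywords_fixed(buf, sizeof buf, keywords);
    printf("fixed:      \\keywords{%s}\n", buf);   /* text was copied */
    return 0;
}
```

The return value makes the difference visible too: the vulnerable path reports one character fewer than the input because the "%%" directive was consumed, while the fixed path reports the input length unchanged.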

30 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-04-22 CVE-2016-2354 Lemurmonitors Improper Access Control vulnerability in Lemurmonitors Bluedriver 6.3.2

The Bluetooth functionality in Lemur Vehicle Monitors BlueDriver before 2016-04-07 supports unrestricted pairing without a PIN, which allows remote attackers to send arbitrary CAN commands by leveraging access to a device inside or adjacent to the vehicle, as demonstrated by a CAN command to disrupt braking or steering.

8.0
2016-04-22 CVE-2016-2306 Ecava Cryptographic Issues vulnerability in Ecava Integraxor

The HMI web server in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to obtain sensitive cleartext information by sniffing the network.

7.8
2016-04-21 CVE-2016-2280 Honeywell Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Honeywell Uniformance Process History Database R310/R320/R321

Buffer overflow in RDISERVER in Honeywell Uniformance Process History Database (PHD) R310, R320, and R321 allows remote attackers to cause a denial of service (service outage) via unspecified vectors.

7.8
2016-04-21 CVE-2016-1367 Cisco Resource Management Errors vulnerability in Cisco Adaptive Security Appliance Software 9.4.1

The DHCPv6 relay implementation in Cisco Adaptive Security Appliance (ASA) Software 9.4.1 allows remote attackers to cause a denial of service (device reload) via crafted DHCPv6 packets, aka Bug ID CSCus23248.

7.8
2016-04-21 CVE-2016-1364 Cisco Improper Input Validation vulnerability in Cisco Wireless LAN Controller Software

Cisco Wireless LAN Controller (WLC) Software 7.4 before 7.4.130.0(MD) and 7.5, 7.6, and 8.0 before 8.0.110.0(ED) allows remote attackers to cause a denial of service (device reload) via crafted Bonjour traffic, aka Bug ID CSCur66908.

7.8
2016-04-21 CVE-2016-1362 Cisco Resource Management Errors vulnerability in Cisco Aireos

Cisco AireOS 4.1 through 7.4.120.0, 7.5.x, and 7.6.100.0 on Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service (device reload) via a crafted HTTP request, aka Bug ID CSCun86747.

7.8
2016-04-21 CVE-2015-6360 Cisco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Cisco products

The encryption-processing feature in Cisco libSRTP before 1.5.3 allows remote attackers to cause a denial of service via crafted fields in SRTP packets, aka Bug ID CSCux00686.

7.8
2016-04-19 CVE-2016-0741 Redhat, Fedoraproject Resource Management Errors vulnerability in multiple products

slapd/connection.c in 389 Directory Server (formerly Fedora Directory Server) 1.3.4.x before 1.3.4.7 allows remote attackers to cause a denial of service (infinite loop and connection blocking) by leveraging an abnormally closed connection.

7.8
2016-04-21 CVE-2016-3454 Oracle Remote Security vulnerability in Oracle Database 11.2.0.4/12.1.0.1/12.1.0.2

Unspecified vulnerability in the Java VM component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

7.6
2016-04-21 CVE-2016-3449 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Deployment.

7.6
2016-04-22 CVE-2016-2299 Ecava SQL Injection vulnerability in Ecava Integraxor

SQL injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

7.5
2016-04-21 CVE-2016-2293 Accuenergy Permissions, Privileges, and Access Controls vulnerability in Accuenergy Acuvim II NET Firmware and Acuvim IIR NET Firmware

The AXM-NET module in Accuenergy Acuvim II NET Firmware 3.08 and Acuvim IIR NET Firmware 3.08 allows remote attackers to discover settings via a direct request to an unspecified URL.

7.5
2016-04-21 CVE-2016-2008 HP Remote Code Execution vulnerability in HP Data Protector

HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors.

7.5
2016-04-21 CVE-2016-0638 Oracle Remote Security vulnerability in Oracle Fusion Middleware

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, 12.1.3, and 12.2.1 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Java Messaging Service.

7.5
2016-04-20 CVE-2016-2003 HP Remote Code Execution vulnerability in HP products

HPE P9000 Command View Advanced Edition Software (CVAE) 7.x and 8.x before 8.4.0-00 and XP7 CVAE 7.x and 8.x before 8.4.0-00 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

7.5
2016-04-19 CVE-2015-8779 Suse, Opensuse, Canonical, Debian, GNU, Fedoraproject Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Stack-based buffer overflow in the catopen function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long catalog name.

7.5
2016-04-19 CVE-2015-8778 Fedoraproject, Debian, Canonical, GNU, Suse, Opensuse Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Integer overflow in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via the size argument to the __hcreate_r function, which triggers out-of-bounds heap-memory access.

7.5
2016-04-19 CVE-2014-9761 Suse, Opensuse, Fedoraproject, GNU, Canonical Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function.

7.5
2016-04-21 CVE-2016-3441 Oracle Unspecified vulnerability in Oracle Solaris 10/11.3

Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows local users to affect confidentiality, integrity, and availability via vectors related to Filesystem.

7.2
2016-04-19 CVE-2016-3960 XEN, Fedoraproject, Oracle Integer Overflow Local Denial of Service / Privilege Escalation vulnerability in Xen

Integer overflow in the x86 shadow pagetable code in Xen allows local guest OS users to cause a denial of service (host crash) or possibly gain privileges by shadowing a superpage mapping.

7.2
2016-04-18 CVE-2016-3943 Watchguard Incorrect Default Permissions vulnerability in Watchguard Panda Endpoint Administration Agent 7.49

Panda Endpoint Administration Agent before 7.50.00, as used in Panda Security for Business products for Windows, uses a weak ACL for the Panda Security/WaAgent directory and sub-directories, which allows local users to gain SYSTEM privileges by modifying an executable module.

7.2
2016-04-18 CVE-2015-7378 Watchguard Incorrect Default Permissions vulnerability in Watchguard Panda URL Filtering 4.3.1.8

Panda Security URL Filtering before 4.3.1.9 uses a weak ACL for the "Panda Security URL Filtering" directory and installed files, which allows local users to gain SYSTEM privileges by modifying Panda_URL_Filteringb.exe.

7.2
2016-04-18 CVE-2016-0849 Google Numeric Errors vulnerability in Google Android

Multiple integer overflows in minzip/SysUtil.c in the Recovery Procedure in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allow attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26960931.

7.2
2016-04-18 CVE-2016-0848 Google Race Condition vulnerability in Google Android

Race condition in Download Manager in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to bypass private-storage file-access restrictions via a crafted application that changes a symlink target, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26211054.

7.2
2016-04-18 CVE-2016-0847 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

The Telecom Component in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to spoof the originating telephone number of a call via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26864502.

7.2
2016-04-18 CVE-2016-0846 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

libs/binder/IMemory.cpp in the IMemory Native Interface in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider the heap size, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26877992.

7.2
2016-04-18 CVE-2016-0844 Google Permissions, Privileges, and Access Controls vulnerability in Google Android 6.0/6.0.1

The Qualcomm RF driver in Android 6.x before 2016-04-01 does not properly restrict access to socket ioctl calls, which allows attackers to gain privileges via a crafted application, aka internal bug 26324307.

7.2
2016-04-18 CVE-2016-0843 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

The Qualcomm ARM processor performance-event manager in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application, aka internal bug 25801197.

7.2
2016-04-18 CVE-2016-2424 Google Improper Input Validation vulnerability in Google Android

server/content/SyncStorageEngine.java in SyncStorageEngine in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 mismanages certain authority data, which allows attackers to cause a denial of service (reboot loop) via a crafted application, aka internal bug 26513719.

7.1
2016-04-18 CVE-2016-2415 Google Information Exposure vulnerability in Google Android

exchange/eas/EasAutoDiscover.java in the Autodiscover implementation in Exchange ActiveSync in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to obtain sensitive information via a crafted application that triggers a spoofed response to a GET request, aka internal bug 26488455.

7.1

117 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-04-21 CVE-2016-3418 Oracle Unspecified vulnerability in Oracle Berkeley DB

Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, and CVE-2016-0694.

6.9
2016-04-21 CVE-2016-0694 Oracle Unspecified vulnerability in Oracle Berkeley DB

Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, and CVE-2016-3418.

6.9
2016-04-21 CVE-2016-0692 Oracle Unspecified vulnerability in Oracle Berkeley DB

Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0682, CVE-2016-0689, CVE-2016-0694, and CVE-2016-3418.

6.9
2016-04-21 CVE-2016-0689 Oracle Unspecified vulnerability in Oracle Berkeley DB

Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0682, CVE-2016-0692, CVE-2016-0694, and CVE-2016-3418.

6.9
2016-04-21 CVE-2016-0682 Oracle Unspecified vulnerability in Oracle Berkeley DB

Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, and CVE-2016-3418.

6.9
2016-04-18 CVE-2016-2410 Google Permissions, Privileges, and Access Controls vulnerability in Google Android 6.0/6.0.1

A Qualcomm video kernel driver in Android 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application that leverages control over a service that can call this driver, aka internal bug 26291677.

6.9
2016-04-22 CVE-2016-4065 Foxitsoftware Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Foxitsoftware Foxit Reader and Phantompdf

The ConvertToPDF plugin in Foxit Reader and PhantomPDF before 7.3.4 on Windows, when the gflags app is enabled, allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted (1) JPEG, (2) GIF, or (3) BMP image.

6.8
2016-04-22 CVE-2016-4064 Foxitsoftware Improper Access Control vulnerability in Foxitsoftware Foxit Reader and Phantompdf

Use-after-free vulnerability in the XFA forms handling functionality in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to execute arbitrary code via a crafted remerge call.

6.8
2016-04-22 CVE-2016-4063 Foxitsoftware Remote Code Execution vulnerability in Foxitsoftware Foxit Reader and Phantompdf

Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to execute arbitrary code via an object with a revision number of -1 in a PDF document.

6.8
2016-04-22 CVE-2016-4059 Foxitsoftware Remote Code Execution vulnerability in Foxitsoftware Foxit Reader and Phantompdf

Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to execute arbitrary code via a crafted FlateDecode stream in a PDF document.

6.8
2016-04-21 CVE-2016-0684 Oracle Remote Security vulnerability in Oracle Micros Arspos 1.5

Unspecified vulnerability in the Oracle Retail MICROS ARS POS component in Oracle Retail Applications 1.5 allows remote authenticated users to affect confidentiality via vectors related to POS.

6.8
2016-04-20 CVE-2016-0891 EMC Cross-Site Request Forgery (CSRF) vulnerability in EMC Vipr SRM 3.6.0/3.6.4

Multiple cross-site request forgery (CSRF) vulnerabilities in administrative pages in EMC ViPR SRM before 3.7 allow remote attackers to hijack the authentication of administrators.

6.8
2016-04-19 CVE-2014-9765 Canonical
Debian
Xdelta
Opensuse
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file.

6.8
2016-04-18 CVE-2016-3950 Huawei Improper Input Validation vulnerability in Huawei Ar3200 Firmware V200R005C20/V200R005C30/V200R005C32

Huawei AR3200 routers with software before V200R006C10SPC300 allow remote authenticated users to cause a denial of service (restart) via crafted packets.

6.8
2016-04-18 CVE-2016-1655 Debian
Opensuse
Suse
Google
Canonical

Google Chrome before 50.0.2661.75 does not properly consider that frame removal may occur during callback execution, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted extension.

6.8
2016-04-18 CVE-2016-2423 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

server/telecom/CallsManager.java in Telephony in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider whether a device is provisioned, which allows physically proximate attackers to bypass the Factory Reset Protection mechanism and delete data via unspecified vectors, aka internal bug 26303187.

6.6
2016-04-18 CVE-2016-2421 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

Setup Wizard in Android 5.1.x before 5.1.1 and 6.x before 2016-04-01 allows physically proximate attackers to bypass the Factory Reset Protection mechanism and delete data via unspecified vectors, aka internal bug 26154410.

6.6
2016-04-22 CVE-2016-2204 Symantec Injection vulnerability in Symantec Messaging Gateway 10.6.0

The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to obtain root-shell access via crafted terminal-window input.

6.5
2016-04-22 CVE-2016-1593 Novell Path Traversal vulnerability in Novell Service Desk 7.1

Directory traversal vulnerability in the import users feature in Micro Focus Novell Service Desk before 7.2 allows remote authenticated administrators to upload and execute arbitrary JSP files via a ..

6.5
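The entry above is cut off at the traversal sequence, but the class is clear: a path component in an uploaded import escapes the directory it was meant to land in, and in a Java web application an escaped .jsp file is code execution. As an added example (not Novell Service Desk code; the ZIP import, the .jsp target and the function names are assumptions used to illustrate the class), this is the check an import feature needs before writing any archive member to disk:

```python
"""
Added example (not Novell Service Desk code): extracting an uploaded archive
into an import directory without letting '..' or absolute entry names write
outside it.  The archive is constructed in memory; the ZIP format and the
.jsp target are assumptions used to illustrate the traversal class.
"""
import io
import os
import tempfile
import zipfile


def safe_member_path(dest_dir: str, member_name: str) -> str:
    """Resolve member_name under dest_dir or raise ValueError.

    Rejects absolute names and drive letters outright, then compares the
    resolved target against the resolved destination.  Using realpath on
    both sides handles '..' segments as well as a symlinked destination.
    """
    if os.path.isabs(member_name) or os.path.splitdrive(member_name)[0]:
        raise ValueError(f"absolute member name rejected: {member_name!r}")
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, member_name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"traversal rejected: {member_name!r}")
    return target


def extract_safely(archive_bytes: bytes, dest_dir: str) -> list:
    """Extract every file member through safe_member_path; return paths written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # The check runs on the raw member name before anything is created.
            target = safe_member_path(dest_dir, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_archive(entries: dict) -> bytes:
    """Constructed sample archive from {member name: content bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> tuple:
    """Extract a benign and a traversal archive; return (files written, blocked)."""
    benign = build_archive({"users.csv": b"alice,admin\n"})
    malicious = build_archive({"../../webapps/ROOT/shell.jsp": b"<% %>"})
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "import")
        os.makedirs(dest)
        ok = extract_safely(benign, dest)
        try:
            extract_safely(malicious, dest)
            blocked = False
        except ValueError:
            blocked = True
        return len(ok), blocked


if __name__ == "__main__":
    print(demo())
```

Note that zipfile's own ZipFile.extract() strips traversal components, but code that opens members and writes them itself, as import features often do, gets no such protection and needs the check above.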
2016-04-22 CVE-2016-2301 Ecava SQL Injection vulnerability in Ecava Integraxor

SQL injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

6.5
2016-04-21 CVE-2016-3421 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to Activity Guide.

6.5
2016-04-21 CVE-2016-0681 Oracle Local Security vulnerability in Oracle Olap 11.2.0.4/12.1.0.1/12.1.0.2

Unspecified vulnerability in the Oracle OLAP component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows local users to affect confidentiality, integrity, and availability via unspecified vectors.

6.5
2016-04-20 CVE-2016-3628 Tibco Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Tibco products

Buffer overflow in tibemsd in the server in TIBCO Enterprise Message Service (EMS) before 8.3.0 and EMS Appliance before 2.4.0 allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via crafted inbound data.

6.5
2016-04-19 CVE-2016-4040 Dotcms SQL Injection vulnerability in Dotcms

SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter.

6.5
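An ORDER BY column is an identifier, not a value, so the usual bind-parameter fix does not apply; that is why orderby parameters keep turning up in SQL injection advisories even in code that parameterizes everything else. Added example, not dotCMS code: the table, rows and function names are constructed, and the blind-extraction payload shows what an attacker gets from a sortable list even when no error text is ever returned.

```python
"""
Added example (not dotCMS code): an ORDER BY taken from a request parameter,
the blind extraction it enables, and the allow-list that fixes it.
Uses an in-memory SQLite database with constructed rows.
"""
import sqlite3

# Constructed sample data (assumption: a 'tasks' table standing in for a
# workflow screen's result set, plus a table the attacker wants to read).
ROWS = [
    (1, "review", "alice"),
    (2, "publish", "bob"),
    (3, "archive", "carol"),
]

ALLOWED_ORDER_COLUMNS = {"id", "name", "assignee"}


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tasks (id INTEGER, name TEXT, assignee TEXT)")
    conn.execute("CREATE TABLE secrets (apikey TEXT)")
    conn.executemany("INSERT INTO tasks VALUES (?, ?, ?)", ROWS)
    conn.execute("INSERT INTO secrets VALUES ('s3cr3t')")
    return conn


def list_tasks_vulnerable(conn, orderby: str) -> list:
    """Vulnerable: the parameter is spliced into the SQL text.

    ? placeholders cannot carry an identifier, so the column name ends up in
    string formatting, and with it any expression the attacker cares to sort by.
    """
    sql = f"SELECT id, name, assignee FROM tasks ORDER BY {orderby}"
    return conn.execute(sql).fetchall()


def extract_first_char(conn) -> str:
    """Blind extraction through the vulnerable sort: row order is the oracle.

    The payload sorts ascending when the guess is right and descending when
    it is wrong, so the attacker reads the secret one character at a time
    from an ordinary, error-free page.
    """
    for ch in "abcdefghijklmnopqrstuvwxyz0123456789":
        payload = (
            f"(CASE WHEN (SELECT apikey FROM secrets) LIKE '{ch}%' "
            f"THEN id ELSE -id END)"
        )
        rows = list_tasks_vulnerable(conn, payload)
        if [r[0] for r in rows] == [1, 2, 3]:
            return ch
    return ""


def list_tasks_safe(conn, orderby: str, direction: str = "asc") -> list:
    """Hardened: map the untrusted value onto a fixed set of identifiers.

    Anything outside the allow-list is rejected before it reaches the SQL
    text; the sort direction keyword gets the same treatment.
    """
    if orderby not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported order column: {orderby!r}")
    if direction.lower() not in ("asc", "desc"):
        raise ValueError(f"unsupported direction: {direction!r}")
    sql = f"SELECT id, name, assignee FROM tasks ORDER BY {orderby} {direction.upper()}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("leaked first char:", extract_first_char(db))
    print(list_tasks_safe(db, "assignee", "desc"))
```

The same allow-list approach applies to any other identifier position (table names, column lists in a GROUP BY), and it is the only fix: escaping or quoting the value does not help once the value is part of the statement's structure.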
2016-04-22 CVE-2016-2300 Ecava Improper Authentication vulnerability in Ecava Integraxor

Ecava IntegraXor before 5.0 build 4522 allows remote attackers to bypass authentication and access unspecified web pages via unknown vectors.

6.4
2016-04-21 CVE-2016-3466 Oracle Remote Security vulnerability in Oracle Field Service 12.1.1/12.1.2/12.1.3

Unspecified vulnerability in the Oracle Field Service component in Oracle E-Business Suite 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Wireless.

6.4
2016-04-21 CVE-2016-3438 Oracle Remote Security vulnerability in Oracle Supply Chain Products Suite

Unspecified vulnerability in the Oracle Configurator component in Oracle Supply Chain Products Suite 12.0.6, 12.1, and 12.2 allows remote attackers to affect confidentiality and integrity via vectors related to JRAD Heartbeat.

6.4
2016-04-21 CVE-2016-0696 Oracle Remote Security vulnerability in Oracle Weblogic Server 10.3.6.0.0

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6 allows remote attackers to affect confidentiality and integrity via vectors related to Console.

6.4
2016-04-19 CVE-2015-8776 Suse
Opensuse
Canonical
Debian
Fedoraproject
GNU
Numeric Errors vulnerability in multiple products

The strftime function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly obtain sensitive information via an out-of-range time value.

6.4
2016-04-21 CVE-2013-7449 Canonical
Xchat
Hexchat Project
Cryptographic Issues vulnerability in multiple products

The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, and XChat-GNOME does not verify that the server hostname matches a domain name in the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

5.8
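The HexChat entry above is the classic TLS client mistake: the certificate chains to a trusted CA, but nobody checks that it was issued for the host being connected to, so any valid certificate for any domain passes. Added example, not HexChat or XChat code: a hostname match over the subjectAltName entries in the dict form that Python's ssl.SSLSocket.getpeercert() returns, with a constructed certificate and constructed host names, plus the ssl-module settings that make the library enforce the same check on a real connection.

```python
"""
Added example (not HexChat/XChat code): RFC 6125-style hostname matching
against the subjectAltName entries of a server certificate, the check that
ssl_do_connect omitted.  SAMPLE_CERT is a constructed dict in the shape
returned by ssl.SSLSocket.getpeercert(); nothing here touches the network.
"""
import ipaddress
import ssl

# Constructed sample: a cert valid for irc.example.net, *.example.org and one
# IP literal (the names are assumptions, not any real server).
SAMPLE_CERT = {
    "subject": ((("commonName", "irc.example.net"),),),
    "subjectAltName": (
        ("DNS", "irc.example.net"),
        ("DNS", "*.example.org"),
        ("IP Address", "192.0.2.10"),
    ),
}


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against hostname, case-insensitively.

    A single '*' is accepted only as the entire left-most label, it must be
    followed by at least two more labels (so '*.org' is rejected), and it
    never matches across a dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """True if hostname is covered by the certificate.

    Only SAN entries count when any dNSName SAN exists (RFC 6125 6.4.4); the
    CN is a fallback for certificates without one.  IP literals must match
    an IP Address SAN exactly and are never matched against DNS names.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]

    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(v) == ip for v in ip_names)

    if dns_names:
        return any(_dns_name_match(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_name_match(value, hostname):
                return True
    return False


def connect_context() -> ssl.SSLContext:
    """The fix a client should actually ship: let the ssl module enforce it.

    With check_hostname and CERT_REQUIRED set, wrap_socket(server_hostname=...)
    fails the handshake on a mismatch instead of accepting any valid cert.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    for host in ("irc.example.net", "chat.example.org", "evil.example.com", "192.0.2.10"):
        print(host, hostname_matches_cert(host, SAMPLE_CERT))
```

The hand-written matcher is there to make the rule visible; in production code the context returned by connect_context() is the whole fix, and the thing to audit for is any place that sets check_hostname = False or verify_mode = CERT_NONE.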
2016-04-21 CVE-2016-0479 Oracle Remote Security vulnerability in Oracle Business Intelligence 11.1.1.7.0/11.1.1.9.0/12.2.1.0.0

Unspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, and 12.2.1.0.0 allows remote attackers to affect confidentiality and integrity via vectors related to Analytics Scorecard.

5.8
2016-04-18 CVE-2016-1651 Google
Debian
Opensuse
Suse
Information Exposure vulnerability in Google Chrome

fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 50.0.2661.75, does not properly implement the sycc420_to_rgb and sycc422_to_rgb functions, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted JPEG 2000 data in a PDF document.

5.8
2016-04-18 CVE-2016-0850 Google Permissions, Privileges, and Access Controls vulnerability in Google Android

The PORCHE_PAIRING_CONFLICT feature in Bluetooth in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows remote attackers to bypass intended pairing restrictions via a crafted device, aka internal bug 26551752.

5.8
2016-04-21 CVE-2016-3460 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise Human Capital Management Eperformance 9.2

Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to ePerformance.

5.5
2016-04-21 CVE-2016-0685 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to File Processing.

5.5
2016-04-21 CVE-2016-0680 Oracle Remote Security vulnerability in Oracle Peoplesoft Supply Chain Management Eprocurement 9.1/9.2

Unspecified vulnerability in the PeopleSoft Enterprise SCM component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to Services Procurement.

5.5
2016-04-21 CVE-2016-0679 Oracle Remote Security vulnerability in Oracle PeopleSoft Products

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect integrity and availability via vectors related to PIA Grids.

5.5
2016-04-21 CVE-2016-3429 Oracle Remote Security vulnerability in Oracle Retail Applications

Unspecified vulnerability in the Oracle Retail Xstore Point of Service component in Oracle Retail Applications 5.0, 5.5, 6.0, 6.5, 7.0, and 7.1 allows remote authenticated users to affect confidentiality and integrity via vectors related to Xstore Services.

5.4
2016-04-21 CVE-2016-0669 Oracle Local Security vulnerability in Oracle Solaris 11.3

Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local users to affect integrity and availability via vectors related to Fwflash.

5.2
2016-04-22 CVE-2016-4061 Foxitsoftware Improper Input Validation vulnerability in Foxitsoftware Foxit Reader and Phantompdf

Foxit Reader and PhantomPDF before 7.3.4 on Windows allow remote attackers to cause a denial of service (application crash) via a crafted content stream.

5.0
2016-04-22 CVE-2016-4060 Foxitsoftware Use-after-free vulnerability in Foxitsoftware Foxit Reader and Phantompdf

Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to cause a denial of service (application crash) via unspecified vectors.

5.0
2016-04-22 CVE-2016-2303 Ecava Injection vulnerability in Ecava Integraxor

CRLF injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.

5.0
2016-04-22 CVE-2016-2302 Ecava Information Exposure vulnerability in Ecava Integraxor

Ecava IntegraXor before 5.0 build 4522 allows remote attackers to obtain sensitive information by reading detailed error messages.

5.0
2016-04-21 CVE-2016-3190 Opensuse
Cairographics
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

The fill_xrgb32_lerp_opaque_spans function in cairo-image-compositor.c in cairo before 1.14.2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a negative span length.

5.0
2016-04-21 CVE-2016-3463 Oracle Remote Security vulnerability in Oracle Flexcube Direct Banking 12.0.3

Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 12.0.3 allows remote attackers to affect confidentiality and integrity via vectors related to Pre-Login.

5.0
2016-04-21 CVE-2016-3425 Oracle Unspecified vulnerability in Oracle Jdk, JRE and Jrockit

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect availability via vectors related to JAXP.

5.0
2016-04-21 CVE-2016-3422 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect availability via vectors related to 2D.

5.0
2016-04-21 CVE-2016-2294 Accuenergy Information Exposure vulnerability in Accuenergy Acuvim II NET Firmware and Acuvim IIR NET Firmware

The AXM-NET module in Accuenergy Acuvim II NET Firmware 3.08 and Acuvim IIR NET Firmware 3.08 allows remote attackers to discover a cleartext mail-server password via unspecified vectors.

5.0
2016-04-21 CVE-2016-0677 Oracle Remote Security vulnerability in Oracle Database Server

Unspecified vulnerability in the RDBMS Security component in Oracle Database Server 12.1.0.1 and 12.1.0.2 allows remote attackers to affect availability via unknown vectors.

5.0
2016-04-21 CVE-2016-0672 Oracle Remote Security vulnerability in Oracle Flexcube Direct Banking 12.0.2/12.0.3

Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 12.0.2 and 12.0.3 allows remote attackers to affect confidentiality and integrity via vectors related to Pre-Login.

5.0
2016-04-20 CVE-2016-1384 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco IOS and IOS XE

The NTP implementation in Cisco IOS 15.1 and 15.5 and IOS XE 3.2 through 3.17 allows remote attackers to modify the system time via crafted packets, aka Bug ID CSCux46898.

5.0
2016-04-19 CVE-2016-3186 Opensuse
Libtiff
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.

5.0
2016-04-18 CVE-2016-3071 Libreswan
Fedoraproject
Improper Input Validation vulnerability in multiple products

Libreswan 3.16 might allow remote attackers to cause a denial of service (daemon restart) via an IKEv2 aes_xcbc transform.

5.0
2016-04-18 CVE-2016-1656 Google
Opensuse
Suse
Improper Access Control vulnerability in Google Chrome

The download implementation in Google Chrome before 50.0.2661.75 on Android allows remote attackers to bypass intended pathname restrictions via unspecified vectors.

5.0
2016-04-21 CVE-2016-3465 Oracle Unspecified vulnerability in Oracle Solaris 11.3

Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows local users to affect availability via vectors related to ZFS.

4.9
2016-04-21 CVE-2016-3462 Oracle Local Security vulnerability in Oracle Solaris 11.3

Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local users to affect availability via vectors related to Network Configuration Service.

4.9
2016-04-21 CVE-2016-3457 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise Human Capital Management Eperformance 9.2

Unspecified vulnerability in the PeopleSoft Enterprise HCM ePerformance component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to Security.

4.9
2016-04-21 CVE-2016-0673 Oracle Remote Security vulnerability in Oracle Siebel UI Framework 8.1.1/8.2.2

Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to UIF Open UI.

4.9
2016-04-21 CVE-2016-0641 Opensuse
Debian
Oracle
IBM
Redhat
Mariadb
Local Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect confidentiality and availability via vectors related to MyISAM.

4.9
2016-04-21 CVE-2016-0640 Oracle
Opensuse
Mariadb
Debian
Redhat
IBM
Local Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect integrity and availability via vectors related to DML.

4.9
2016-04-18 CVE-2016-2414 Google Improper Input Validation vulnerability in Google Android

The Minikin library in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider negative size values in font data, which allows remote attackers to cause a denial of service (memory corruption and reboot loop) via a crafted font, aka internal bug 26413177.

4.9
2016-04-21 CVE-2016-0469 Oracle Local Security vulnerability in Oracle Micros C2 9.89.0.0

Unspecified vulnerability in the Oracle Retail MICROS C2 component in Oracle Retail Applications 9.89.0.0 allows local users to affect confidentiality via vectors related to POS.

4.6
2016-04-22 CVE-2016-3126 Blackberry Cross-site Scripting vulnerability in Blackberry Enterprise Server 12.4/5.0.4

Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3
2016-04-22 CVE-2016-1918 Blackberry Cross-site Scripting vulnerability in Blackberry Enterprise Server 12.4/5.0.4

Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-1917.

4.3
2016-04-22 CVE-2016-1917 Blackberry Cross-site Scripting vulnerability in Blackberry Enterprise Server 12.4/5.0.4

Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-1918.

4.3
2016-04-22 CVE-2016-1036 Adobe Cross-site Scripting vulnerability in Adobe Analytics Appmeasurement for Flash Library 4.0

Cross-site scripting (XSS) vulnerability in Adobe Analytics AppMeasurement for Flash Library before 4.0.1, when debugTracking is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2016-04-22 CVE-2016-4062 Foxitsoftware Data Processing Errors vulnerability in Foxitsoftware Foxit Reader and Phantompdf

Foxit Reader and PhantomPDF before 7.3.4 on Windows improperly report format errors recursively, which allows remote attackers to cause a denial of service (application hang) via a crafted PDF.

4.3
2016-04-22 CVE-2016-2305 Ecava Cross-site Scripting vulnerability in Ecava Integraxor

Cross-site scripting (XSS) vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3
2016-04-22 CVE-2016-2304 Ecava Information Exposure vulnerability in Ecava Integraxor

Ecava IntegraXor before 5.0 build 4522 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

4.3
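The two IntegraXor findings above (CVE-2016-2303, header injection through a crafted URL, and CVE-2016-2304, a session cookie set without HttpOnly) are both response-header hygiene problems, and they compound: a split response is one way to plant a cookie value of the attacker's choosing. Added example, not IntegraXor code: a redirect builder with and without the CR/LF check, and an audit of Set-Cookie values for session cookies missing HttpOnly or Secure. The session-cookie names, the sample URL and the cookie values are constructed.

```python
"""
Added example (not IntegraXor code): response-header checks for the CRLF
injection and missing-HttpOnly findings.  build_redirect() refuses header
values carrying CR, LF or NUL so a crafted URL cannot split the response;
audit_set_cookie() flags session cookies sent without HttpOnly or Secure.
Sample values are constructed.
"""
import re
from http import cookies

_CTL = re.compile(r"[\r\n\x00]")
# Assumption: the cookie names an application uses for its session.
SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid"}


def build_redirect_vulnerable(location: str) -> bytes:
    """Unchecked: a %0d%0a in the request URL lands in the header block."""
    return (
        b"HTTP/1.1 302 Found\r\nLocation: " + location.encode("latin-1")
        + b"\r\nContent-Length: 0\r\n\r\n"
    )


def build_redirect(location: str) -> bytes:
    """Hardened: reject control characters before the value is serialized."""
    if _CTL.search(location):
        raise ValueError("CR/LF in header value: response splitting attempt")
    return build_redirect_vulnerable(location)


def header_count(raw: bytes) -> int:
    """Number of header lines before the blank line, excluding the status line.

    A split response shows up as more headers than the builder intended.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n")) - 1


def audit_set_cookie(header_value: str) -> list:
    """Return findings for one Set-Cookie header value.

    Only cookies whose name is in SESSION_COOKIE_NAMES are checked; a missing
    HttpOnly leaves the session readable by injected script, a missing
    Secure lets it travel over plain HTTP.
    """
    jar = cookies.SimpleCookie()
    jar.load(header_value)
    findings = []
    for name, morsel in jar.items():
        if name.lower() not in SESSION_COOKIE_NAMES:
            continue
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure")
    return findings


if __name__ == "__main__":
    # Constructed payload: the URL-decoded form of ...%0d%0aSet-Cookie:...
    payload = "http://example.com/\r\nSet-Cookie: sessionid=attacker\r\nX-Injected: 1"
    print(build_redirect_vulnerable(payload).decode())
    try:
        build_redirect(payload)
    except ValueError as exc:
        print("blocked:", exc)
    print(audit_set_cookie("sessionid=8f3a; Path=/"))
    print(audit_set_cookie("sessionid=8f3a; Path=/; HttpOnly; Secure"))
```

Most web frameworks now reject CR/LF in header values for you; the audit function is the piece worth keeping, run against the actual Set-Cookie headers a deployment emits rather than against the code you think emits them.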
2016-04-21 CVE-2016-3977 Opensuse
Giflib Project
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in giflib 5.1.2 allows remote attackers to cause a denial of service (application crash) via the background color index in a GIF file.

4.3
2016-04-21 CVE-2016-3461 Oracle Remote Security vulnerability in Oracle Mysql Enterprise Monitor 3.0.25/3.1.2

Unspecified vulnerability in the MySQL Enterprise Monitor component in Oracle MySQL 3.0.25 and earlier and 3.1.2 and earlier allows remote administrators to affect confidentiality, integrity, and availability via vectors related to Monitoring: Server.

4.3
2016-04-21 CVE-2016-3456 Oracle Remote Security vulnerability in Oracle Complex Maintenance Repair and Overhaul 12.1.1/12.1.2/12.1.3

Unspecified vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul component in Oracle Supply Chain Products Suite 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Dialog Box.

4.3
2016-04-21 CVE-2016-3442 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to Portal.

4.3
2016-04-21 CVE-2016-3439 Oracle Remote Security vulnerability in Oracle CRM Technical Foundation 12.1.3

Unspecified vulnerability in the Oracle CRM Wireless component in Oracle E-Business Suite 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Call Phone Number Page.

4.3
2016-04-21 CVE-2016-3437 Oracle Remote Security vulnerability in Oracle CRM Technical Foundation 12.1.3

Unspecified vulnerability in the Oracle CRM Wireless component in Oracle E-Business Suite 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Person Address Page.

4.3
2016-04-21 CVE-2016-3436 Oracle Remote Security vulnerability in Oracle Common Applications Calendar 12.1.1/12.1.2/12.1.3

Unspecified vulnerability in the Oracle Common Applications Calendar component in Oracle E-Business Suite 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Tasks.

4.3
2016-04-21 CVE-2016-3435 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote attackers to affect availability via vectors related to PIA Core Technology.

4.3
2016-04-21 CVE-2016-3434 Oracle Remote Security vulnerability in Oracle E-Business Suite

Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect integrity via vectors related to Logout.

4.3
2016-04-21 CVE-2016-3426 Oracle Unspecified vulnerability in Oracle JDK and JRE

Unspecified vulnerability in Oracle Java SE 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality via vectors related to JCE.

4.3
2016-04-21 CVE-2016-3417 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to PIA Search Functionality.

4.3
2016-04-21 CVE-2016-3416 Oracle Remote Security vulnerability in Oracle Fusion Middleware

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, 12.1.3, and 12.2.1 allows remote attackers to affect confidentiality and integrity via vectors related to Console.

4.3
2016-04-21 CVE-2016-0700 Oracle Remote Security vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.2.0.0/12.1.3.0.0

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Console, a different vulnerability than CVE-2016-0675.

4.3
2016-04-21 CVE-2016-0698 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to Rich Text Editor, a different vulnerability than CVE-2016-3423.

4.3
2016-04-21 CVE-2016-0675 Oracle Remote Security vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.2.0.0/12.1.3.0.0

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Console, a different vulnerability than CVE-2016-0700.

4.3
2016-04-21 CVE-2016-0642 Oracle
Opensuse
Redhat
Local Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated.

4.3
2016-04-21 CVE-2016-0623 Oracle Remote Security vulnerability in Oracle Solaris 11.3

Unspecified vulnerability in Oracle Sun Solaris 11.3 allows remote attackers to affect integrity via vectors related to the Automated Installer sub-component.

4.3
2016-04-21 CVE-2016-0408 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 through 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to the Activity Guide sub-component.

4.3
2016-04-21 CVE-2015-6479 Sierrawireless Information Exposure vulnerability in Sierrawireless Aleos

ACEmanager in Sierra Wireless ALEOS 4.4.2 and earlier on ES440, ES450, GX400, GX440, GX450, and LS300 devices allows remote attackers to read the filteredlogs.txt file, and consequently discover potentially sensitive boot-sequence information, via unspecified vectors.

4.3
2016-04-20 CVE-2015-7802 Optipng Project
Canonical
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

gifread.c in gif2png, as used in OptiPNG before 0.7.6, allows remote attackers to cause a denial of service (uninitialized memory read) via a crafted GIF file.

4.3
2016-04-19 CVE-2016-2390 Squid Cache Improper Input Validation vulnerability in Squid-Cache Squid

The FwdState::connectedToPeer method in FwdState.cc in Squid before 3.5.14 and 4.0.x before 4.0.6 does not properly handle SSL handshake errors when built with the --with-openssl option, which allows remote attackers to cause a denial of service (application crash) via a plaintext HTTP message.

4.3
2016-04-19 CVE-2015-5479 Ubuntu
Libav
Opensuse
Numeric Errors vulnerability in multiple products

The ff_h263_decode_mba function in libavcodec/ituh263dec.c in Libav before 11.5 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a file with crafted dimensions.

4.3
2016-04-18 CVE-2016-3941 Videolan
Canonical
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

Buffer overflow in the AStreamPeekStream function in input/stream.c in VideoLAN VLC media player before 2.2.0 allows remote attackers to cause a denial of service (crash) via a crafted wav file, related to "seek across EOF."

4.3
2016-04-18 CVE-2016-1658 Novell
Opensuse
Google
Debian
Improper Access Control vulnerability in multiple products

The Extensions subsystem in Google Chrome before 50.0.2661.75 incorrectly relies on GetOrigin method calls for origin comparisons, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted extension.

4.3
2016-04-18 CVE-2016-1657 Debian
Novell
Opensuse
Google
7PK - Security Features vulnerability in multiple products

The WebContentsImpl::FocusLocationBarByDefault function in content/browser/web_contents/web_contents_impl.cc in Google Chrome before 50.0.2661.75 mishandles focus for certain about:blank pages, which allows remote attackers to spoof the address bar via a crafted URL.

4.3
2016-04-18 CVE-2016-1654 Debian
Opensuse
Suse
Google
Canonical
Improper Input Validation vulnerability in multiple products

The media subsystem in Google Chrome before 50.0.2661.75 does not initialize an unspecified data structure, which allows remote attackers to cause a denial of service (invalid read operation) via unknown vectors.

4.3
2016-04-18 CVE-2016-1652 Debian
Opensuse
Suse
Google
Cross-site Scripting vulnerability in multiple products

Cross-site scripting (XSS) vulnerability in the ModuleSystem::RequireForJsInner function in extensions/renderer/module_system.cc in the Extensions subsystem in Google Chrome before 50.0.2661.75 allows remote attackers to inject arbitrary web script or HTML via a crafted web site, aka "Universal XSS (UXSS)."

4.3
2016-04-18 CVE-2016-2427 Bouncycastle
Google
Information Exposure vulnerability in multiple products

** DISPUTED ** The AES-GCM specification in RFC 5084, as used in Android 5.x and 6.x, recommends 12 octets for the aes-ICVlen parameter field, which might make it easier for attackers to defeat a cryptographic protection mechanism and discover an authentication key via a crafted application, aka internal bug 26234568.

4.3
2016-04-18 CVE-2016-2426 Google Information Exposure vulnerability in Google Android

server/content/ContentService.java in the Framework component in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not check for a GET_ACCOUNTS permission, which allows attackers to obtain sensitive information via a crafted application, aka internal bug 26094635.

4.3
2016-04-18 CVE-2016-2425 Google Information Exposure vulnerability in Google Android

mail/compose/ComposeActivity.java in AOSP Mail in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 supports file:///data attachments, which allows attackers to obtain sensitive information via a crafted application, aka internal bugs 7154234 and 26989185.

4.3
2016-04-21 CVE-2016-0678 Oracle Local Security vulnerability in Oracle VM Virtualbox 5.0.18

Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 5.0.18 allows local users to affect confidentiality, integrity, and availability via vectors related to Core.

4.1
2016-04-22 CVE-2016-1595 Novell Information Exposure vulnerability in Novell Service Desk 7.1

LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile in Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to conduct Hibernate Query Language (HQL) injection attacks and obtain sensitive information via the entityName parameter.

4.0
2016-04-22 CVE-2016-1594 Novell Information Exposure vulnerability in Novell Service Desk 7.1

Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to read arbitrary attachments via a request to a LiveTime.woa URL, as demonstrated by obtaining sensitive information via a (1) downloadLogFiles or (2) downloadFile action.

4.0
2016-04-21 CVE-2016-3464 Oracle Remote Security vulnerability in Oracle Flexcube Direct Banking 12.0.3

Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 12.0.3 allows remote authenticated users to affect confidentiality via vectors related to Accounts.

4.0
2016-04-21 CVE-2016-0691 Oracle Local Security vulnerability in Oracle Database 11.2.0.4/12.1.0.1/12.1.0.2

Unspecified vulnerability in the RDBMS Security component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows local users to affect integrity via unknown vectors, a different vulnerability than CVE-2016-0690.

4.0
2016-04-21 CVE-2016-0690 Oracle Remote Security vulnerability in Oracle Database 11.2.0.4/12.1.0.1/12.1.0.2

Unspecified vulnerability in the RDBMS Security component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows local users to affect integrity via unknown vectors, a different vulnerability than CVE-2016-0691.

4.0
2016-04-21 CVE-2016-0683 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to Search Framework.

4.0
2016-04-21 CVE-2016-0676 Oracle Local Security vulnerability in Oracle Solaris 10

Unspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect availability via vectors related to the kernel.

4.0
2016-04-21 CVE-2016-0650 Oracle, Opensuse, IBM, Redhat, Debian, Mariadb Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to Replication.

4.0
2016-04-21 CVE-2016-0649 IBM, Redhat, Opensuse, Debian, Oracle, Mariadb Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to PS.

4.0
2016-04-21 CVE-2016-0648 Debian, Opensuse, Oracle, Redhat, IBM, Mariadb Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to PS.

4.0
2016-04-21 CVE-2016-0647 Opensuse, Debian, Oracle, Redhat, IBM, Mariadb Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to FTS.

4.0
2016-04-21 CVE-2016-0646 Debian, Oracle, Redhat, IBM, Opensuse, Mariadb Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to DML.

4.0
2016-04-21 CVE-2016-0644 Debian, Opensuse, Oracle, IBM, Redhat, Mariadb Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier and MariaDB before 5.5.48, 10.0.x before 10.0.24, and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to DDL.

4.0
2016-04-21 CVE-2016-0643 Debian, Redhat, IBM, Opensuse, Oracle, Mariadb Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect confidentiality via vectors related to DML.

4.0
2016-04-21 CVE-2016-0407 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise Human Capital Management Human Resources 9.1/9.2

Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality via vectors related to Fusion HR Talent Integration.

4.0
2016-04-19 CVE-2016-3688 Dotcms Information Exposure vulnerability in Dotcms

SQL injection vulnerability in dotCMS before 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr.

4.0
2016-04-18 CVE-2016-3972 Dotcms Path Traversal vulnerability in Dotcms

Directory traversal vulnerability in the dotTailLogServlet in dotCMS before 3.5.1 allows remote authenticated administrators to read arbitrary files via a ..

4.0

39 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-04-21 CVE-2016-3431 Oracle Remote Security vulnerability in Oracle Supply Chain Products Suite

Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.1.1, 9.3.1.2, 9.3.2, and 9.3.3 allows remote authenticated users to affect confidentiality and integrity via vectors related to Security, a different vulnerability than CVE-2016-3420.

3.6
2016-04-21 CVE-2016-3420 Oracle Remote Security vulnerability in Oracle Supply Chain Products Suite

Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.1.1, 9.3.1.2, 9.3.2, and 9.3.3 allows remote authenticated users to affect confidentiality and integrity via vectors related to Security, a different vulnerability than CVE-2016-3431.

3.6
2016-04-21 CVE-2016-0697 Oracle Remote Security vulnerability in Oracle E-Business Suite

Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows local users to affect confidentiality and integrity via unknown vectors.

3.6
2016-04-22 CVE-2016-1916 Blackberry Cross-site Scripting vulnerability in Blackberry Enterprise Server 12.4/5.0.4

Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote authenticated users to inject arbitrary web script or HTML by leveraging basic administrative access to create a crafted policy, leading to improper rendering on a certain Export IT screen.

3.5
2016-04-22 CVE-2016-1596 Novell Cross-site Scripting vulnerability in Novell Service Desk 7.1

Multiple cross-site scripting (XSS) vulnerabilities in Micro Focus Novell Service Desk before 7.2 allow remote authenticated users to inject arbitrary web script or HTML via a certain (1) user name, (2) tf_aClientFirstName, (3) tf_aClientLastName, (4) ta_selectedTopicContent, (5) tf_orgUnitName, (6) tf_aManufacturerFullName, (7) tf_aManufacturerName, (8) tf_aManufacturerAddress, or (9) tf_aManufacturerCity parameter.

3.5
2016-04-21 CVE-2016-3423 Oracle Remote Security vulnerability in Oracle Peoplesoft Enterprise Peopletools 8.53/8.54/8.55

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to Rich Text Editor, a different vulnerability than CVE-2016-0698.

3.5
2016-04-21 CVE-2016-0666 Redhat, Debian, Mariadb, Oracle, Opensuse, IBM Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier and MariaDB before 5.5.49, 10.0.x before 10.0.25, and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to Security: Privileges.

3.5
2016-04-21 CVE-2016-0665 Redhat, Oracle, Canonical Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.10 and earlier allows local users to affect availability via vectors related to Security: Encryption.

3.5
2016-04-21 CVE-2016-0663 Oracle Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to Performance Schema.

3.5
2016-04-21 CVE-2016-0662 Oracle Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect availability via vectors related to Partition.

3.5
2016-04-21 CVE-2016-0661 Oracle, Redhat, Canonical Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.10 and earlier allows local users to affect availability via vectors related to Options.

3.5
2016-04-21 CVE-2016-0659 Oracle Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect availability via vectors related to Optimizer.

3.5
2016-04-21 CVE-2016-0658 Oracle Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to Optimizer.

3.5
2016-04-21 CVE-2016-0657 Oracle Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect confidentiality via vectors related to JSON.

3.5
2016-04-21 CVE-2016-0656 Oracle Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to InnoDB, a different vulnerability than CVE-2016-0654.

3.5
2016-04-21 CVE-2016-0655 Mariadb, Debian, Opensuse, Oracle, Redhat Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.11 and earlier and MariaDB 10.0.x before 10.0.25 and 10.1.x before 10.1.14 allows local users to affect availability via vectors related to InnoDB.

3.5
2016-04-21 CVE-2016-0654 Oracle Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to InnoDB, a different vulnerability than CVE-2016-0656.

3.5
2016-04-21 CVE-2016-0653 Oracle Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to FTS.

3.5
2016-04-21 CVE-2016-0652 Oracle Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to DML.

3.5
2016-04-21 CVE-2016-0651 Oracle, Opensuse Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows local users to affect availability via vectors related to Optimizer.

3.5
2016-04-21 CVE-2016-0468 Oracle Remote Security vulnerability in Oracle Business Intelligence 11.1.1.7.0/11.1.1.9.0/12.2.1.0.0

Unspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, and 12.2.1.0.0 allows remote authenticated users to affect confidentiality and integrity via vectors related to Analytics Web General.

3.5
2016-04-18 CVE-2016-3971 Dotcms Cross-site Scripting vulnerability in Dotcms

Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to c/portal/layout.

3.5
2016-04-21 CVE-2016-0674 Oracle Local Security vulnerability in Oracle Siebel Core-Common Components 8.1.1/8.2.2

Unspecified vulnerability in the Siebel Core - Common Components component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows local users to affect confidentiality and integrity via vectors related to Email.

3.2
2016-04-21 CVE-2016-0667 Oracle Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect availability via vectors related to Locking.

2.8
2016-04-21 CVE-2016-3447 Oracle Remote Security vulnerability in Oracle E-Business Suite

Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect confidentiality and integrity via vectors related to OAF Core.

2.6
2016-04-21 CVE-2016-0695 Oracle, Redhat

Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality via vectors related to Security.

2.6
2016-04-21 CVE-2016-0688 Oracle Remote Security vulnerability in Oracle Weblogic Server 10.3.6.0.0/12.1.2.0.0/12.1.3.0.0

Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via vectors related to Core Components.

2.6
2016-04-21 CVE-2016-0671 Oracle Remote Security vulnerability in Oracle Http Server 12.1.2.0

Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 12.1.2.0 allows remote attackers to affect confidentiality via vectors related to OSSL Module.

2.6
2016-04-22 CVE-2016-2203 Symantec Credentials Management vulnerability in Symantec Messaging Gateway 10.6.0

The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to discover an encrypted AD password by leveraging certain read privileges.

2.1
2016-04-22 CVE-2016-3145 Lexmark Information Exposure vulnerability in Lexmark Printer Firmware

Lexmark printers with firmware ATL before ATL.021.063, CB before CB.021.063, PP before PP.021.063, and YK before YK.021.063 mishandle Erase Printer Memory and Erase Hard Disk actions, which allows physically proximate attackers to obtain sensitive information via direct read operations on non-volatile memory.

2.1
2016-04-21 CVE-2016-3419 Oracle Unspecified vulnerability in Oracle Solaris 10/11.3

Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows local users to affect availability via vectors related to Filesystem.

2.1
2016-04-20 CVE-2016-2202 Symantec Permissions, Privileges, and Access Controls vulnerability in Symantec Altiris IT Management Suite 7.6

The Inventory Solution component in the Management Agent in the client in Symantec Altiris IT Management Suite (ITMS) through 7.6 HF7 allows local users to bypass intended application-blacklist restrictions via unspecified vectors.

2.1
2016-04-20 CVE-2015-8842 Opensuse Permissions, Privileges, and Access Controls vulnerability in Opensuse 13.2

tmpfiles.d/systemd.conf in systemd before 229 uses weak permissions for /var/log/journal/%m/system.journal, which allows local users to obtain sensitive information by reading the file.

2.1
2016-04-20 CVE-2014-9770 Opensuse Permissions, Privileges, and Access Controls vulnerability in Opensuse 13.2

tmpfiles.d/systemd.conf in systemd before 214 uses weak permissions for journal files under (1) /run/log/journal/%m and (2) /var/log/journal/%m, which allows local users to obtain sensitive information by reading these files.

2.1
2016-04-19 CVE-2015-1776 Apache Information Exposure vulnerability in Apache Hadoop

Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the file.

2.1
2016-04-18 CVE-2016-4036 Opensuse Permissions, Privileges, and Access Controls vulnerability in Opensuse Leap and Opensuse

The quagga package before 0.99.23-2.6.1 in openSUSE and SUSE Linux Enterprise Server 11 SP 1 uses weak permissions for /etc/quagga, which allows local users to obtain sensitive information by reading files in the directory.

2.1
2016-04-19 CVE-2015-7511 Gnupg, Debian, Canonical Information Exposure vulnerability in multiple products

Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanations.

1.9
2016-04-21 CVE-2016-3428 Oracle Remote Security vulnerability in Oracle Agile Engineering Data Management 6.1.3.0/6.2.0.0

Unspecified vulnerability in the Oracle Agile Engineering Data Management component in Oracle Supply Chain Products Suite 6.1.3.0 and 6.2.0.0 allows remote attackers to affect availability via vectors related to Engineering Communication Interface.

1.8
2016-04-21 CVE-2016-0668 Redhat, Oracle, Mariadb, Debian, Opensuse Remote Security vulnerability in Oracle MySQL

Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.10 and earlier and MariaDB 10.0.x before 10.0.24 and 10.1.x before 10.1.12 allows local users to affect availability via vectors related to InnoDB.

1.7