Weekly Vulnerabilities Reports > October 17 to 23, 2016

Overview

19 new vulnerabilities reported during this period, including 4 critical vulnerabilities and 1 high severity vulnerabilities. This weekly summary report vulnerabilities in 15 products from 6 vendors including IBM, Huge IT, Adobe, Microsoft, and Apple. Vulnerabilities are notably categorized as "Cross-site Scripting", "Information Exposure", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Command Injection", and "Permissions, Privileges, and Access Controls".

  • 17 reported vulnerabilities are remotely exploitables.
  • 10 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 8 reported vulnerabilities are exploitable by an anonymous user.
  • IBM has the most reported vulnerabilities, with 10 reported vulnerabilities.
  • Adobe has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

4 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-10-21 CVE-2016-7854 Apple
Microsoft
Adobe
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC Classic before 15.006.30243, and Acrobat and Acrobat Reader DC Continuous before 15.020.20039 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-6940, CVE-2016-6941, CVE-2016-6942, CVE-2016-6943, CVE-2016-6947, CVE-2016-6948, CVE-2016-6950, CVE-2016-6951, CVE-2016-6954, CVE-2016-6955, CVE-2016-6956, CVE-2016-6959, CVE-2016-6960, CVE-2016-6966, CVE-2016-6970, CVE-2016-6972, CVE-2016-6973, CVE-2016-6974, CVE-2016-6975, CVE-2016-6976, CVE-2016-6977, CVE-2016-6978, CVE-2016-6995, CVE-2016-6996, CVE-2016-6997, CVE-2016-6998, CVE-2016-7000, CVE-2016-7001, CVE-2016-7002, CVE-2016-7003, CVE-2016-7004, CVE-2016-7005, CVE-2016-7006, CVE-2016-7007, CVE-2016-7008, CVE-2016-7009, CVE-2016-7010, CVE-2016-7011, CVE-2016-7012, CVE-2016-7013, CVE-2016-7014, CVE-2016-7015, CVE-2016-7016, CVE-2016-7017, CVE-2016-7018, CVE-2016-7019, CVE-2016-7852, and CVE-2016-7853.

10.0
2016-10-21 CVE-2016-7853 Apple
Microsoft
Adobe
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC Classic before 15.006.30243, and Acrobat and Acrobat Reader DC Continuous before 15.020.20039 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-6940, CVE-2016-6941, CVE-2016-6942, CVE-2016-6943, CVE-2016-6947, CVE-2016-6948, CVE-2016-6950, CVE-2016-6951, CVE-2016-6954, CVE-2016-6955, CVE-2016-6956, CVE-2016-6959, CVE-2016-6960, CVE-2016-6966, CVE-2016-6970, CVE-2016-6972, CVE-2016-6973, CVE-2016-6974, CVE-2016-6975, CVE-2016-6976, CVE-2016-6977, CVE-2016-6978, CVE-2016-6995, CVE-2016-6996, CVE-2016-6997, CVE-2016-6998, CVE-2016-7000, CVE-2016-7001, CVE-2016-7002, CVE-2016-7003, CVE-2016-7004, CVE-2016-7005, CVE-2016-7006, CVE-2016-7007, CVE-2016-7008, CVE-2016-7009, CVE-2016-7010, CVE-2016-7011, CVE-2016-7012, CVE-2016-7013, CVE-2016-7014, CVE-2016-7015, CVE-2016-7016, CVE-2016-7017, CVE-2016-7018, CVE-2016-7019, CVE-2016-7852, and CVE-2016-7854.

10.0
2016-10-21 CVE-2016-7852 Apple
Microsoft
Adobe
Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Adobe products

Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC Classic before 15.006.30243, and Acrobat and Acrobat Reader DC Continuous before 15.020.20039 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-6940, CVE-2016-6941, CVE-2016-6942, CVE-2016-6943, CVE-2016-6947, CVE-2016-6948, CVE-2016-6950, CVE-2016-6951, CVE-2016-6954, CVE-2016-6955, CVE-2016-6956, CVE-2016-6959, CVE-2016-6960, CVE-2016-6966, CVE-2016-6970, CVE-2016-6972, CVE-2016-6973, CVE-2016-6974, CVE-2016-6975, CVE-2016-6976, CVE-2016-6977, CVE-2016-6978, CVE-2016-6995, CVE-2016-6996, CVE-2016-6997, CVE-2016-6998, CVE-2016-7000, CVE-2016-7001, CVE-2016-7002, CVE-2016-7003, CVE-2016-7004, CVE-2016-7005, CVE-2016-7006, CVE-2016-7007, CVE-2016-7008, CVE-2016-7009, CVE-2016-7010, CVE-2016-7011, CVE-2016-7012, CVE-2016-7013, CVE-2016-7014, CVE-2016-7015, CVE-2016-7016, CVE-2016-7017, CVE-2016-7018, CVE-2016-7019, CVE-2016-7853, and CVE-2016-7854.

10.0
2016-10-21 CVE-2016-0236 IBM Command Injection vulnerability in IBM Security Guardium Database Activity Monitor

IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x through 9.5 before p700, and 10.x through 10.1 before p100 allows remote authenticated users to execute arbitrary commands with root privileges via the search field.

9.0

1 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-10-22 CVE-2016-0328 IBM Command Injection vulnerability in IBM Security Guardium Database Activity Monitor

IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x through 9.5 before p700, and 10.x through 10.1 before p100 allows local users to obtain administrator privileges for command execution via unspecified vectors.

7.2

13 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-10-22 CVE-2016-0326 IBM Command Injection vulnerability in IBM products

IBM Rational Quality Manager (RQM) and Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, 4.x before 4.0.7 iFix11, 5.x before 5.0.2 iFix17, and 6.x before 6.0.1 ifix3 allow remote authenticated users to execute arbitrary OS commands via a crafted "HTML request."

6.5
2016-10-22 CVE-2016-0241 IBM Improper Access Control vulnerability in IBM Security Guardium Database Activity Monitor

IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x through 9.5 before p700, and 10.x through 10.1 before p100 allows remote authenticated users to spoof administrator accounts by sending a modified login request over HTTP.

6.5
2016-10-22 CVE-2016-0239 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Security Guardium Database Activity Monitor

IBM Security Guardium Database Activity Monitor 9.x through 9.5 before p700 and 10.x through 10.0.1 before p100 allows remote authenticated users to make HTTP requests with administrator privileges via unspecified vectors.

6.5
2016-10-21 CVE-2016-1000119 Huge IT Cross-site Scripting vulnerability in Huge-It Catalog 1.0.4

SQLi and XSS in Huge IT catalog extension v1.0.4 for Joomla

6.5
2016-10-21 CVE-2016-1000118 Huge IT Cross-site Scripting vulnerability in Huge-It Slideshow 1.0.4

XSS & SQLi in HugeIT slideshow v1.0.4

6.5
2016-10-21 CVE-2016-1000117 Huge IT Cross-site Scripting vulnerability in Huge-It Slideshow 1.0.4

XSS & SQLi in HugeIT slideshow v1.0.4

6.5
2016-10-21 CVE-2016-1000116 Huge IT Cross-site Scripting vulnerability in Huge-It Portfolio Gallery Manager 1.1.5

Huge-IT Portfolio Gallery manager v1.1.0 SQL Injection and XSS

6.5
2016-10-21 CVE-2016-1000115 Huge IT Cross-site Scripting vulnerability in Huge-It Portfolio Gallery Manager 1.1.0

Huge-IT Portfolio Gallery manager v1.1.0 SQL Injection and XSS

6.5
2016-10-21 CVE-2016-2848 ISC Improper Input Validation vulnerability in ISC Bind

ISC BIND 9.1.0 through 9.8.4-P2 and 9.9.0 through 9.9.2-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via malformed options data in an OPT resource record.

5.0
2016-10-22 CVE-2016-0246 IBM Cross-site Scripting vulnerability in IBM Security Guardium

Cross-site scripting (XSS) vulnerability in IBM Security Guardium 8.2 before p310, 9.x through 9.5 before p700, and 10.x through 10.1 before p100 allows remote attackers to inject arbitrary web script or HTML via a crafted URL.

4.3
2016-10-22 CVE-2016-0240 IBM 7PK - Security Features vulnerability in IBM Security Guardium Database Activity Monitor

IBM Security Guardium Database Activity Monitor 8.2 before p310, 9.x through 9.5 before p700, and 10.x through 10.1 before p100 does not enable the HSTS protection mechanism, which makes it easier for remote attackers to obtain sensitive information by leveraging use of HTTP.

4.3
2016-10-22 CVE-2016-0377 IBM Information Exposure vulnerability in IBM Websphere Application Server

The Administrative Console in IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.x before 8.0.0.13, and 8.5.x before 8.5.5.10 mishandles CSRFtoken cookies, which allows remote authenticated users to obtain sensitive information via unspecified vectors.

4.0
2016-10-22 CVE-2016-0242 IBM Information Exposure vulnerability in IBM Security Guardium 10.0/10.01/10.1

IBM Security Guardium 10.x through 10.1 before p100 allows remote authenticated users to obtain sensitive information by reading an Application Error message.

4.0

1 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2016-10-22 CVE-2016-0247 IBM Information Exposure vulnerability in IBM Security Guardium

IBM Security Guardium 8.2 before p310, 9.x through 9.5 before p700, and 10.x through 10.1 before p100 allows local users to obtain sensitive cleartext information via unspecified vectors, as demonstrated by password information.

2.1