CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 4 and 4.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-4789 79 XSS 2016-05-26 2016-05-26
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the system configuration section in the administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
2 CVE-2016-4783 79 XSS 2016-05-23 2016-05-25
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Lenovo SHAREit before 3.5.98_ww on Android before 4.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."
3 CVE-2016-4581 DoS 2016-05-23 2016-05-24
4.9
None Local Low Not required None None Complete
fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse a mount propagation tree in a certain case involving a slave mount, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted series of mount system calls.
4 CVE-2016-4575 79 XSS 2016-05-25 2016-05-26
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the email APP in Huawei PLK smartphones with software AL10C00 before AL10C00B211 and AL10C92 before AL10C92B211; ATH smartphones with software AL00C00 before AL00C00B361, CL00C92 before CL00C92B361, TL00HC01 before TL00HC01B361, and UL00C00 before UL00C00B361; CherryPlus smartphones with software TL00C00 before TL00C00B553, UL00C00 before UL00C00B553, and TL00MC01 before TL00MC01B553; and RIO smartphones with software AL00C00 before AL00C00B360 allows remote attackers to inject arbitrary web script or HTML via an email message.
5 CVE-2016-4567 79 XSS 2016-05-21 2016-05-24
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via the query string.
6 CVE-2016-4566 79 XSS 2016-05-21 2016-05-24
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.
7 CVE-2016-4561 79 XSS 2016-05-10 2016-05-16
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the cgierror function in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message.
8 CVE-2016-4499 119 DoS Overflow 2016-05-11 2016-05-13
4.4
None Local Medium Not required Partial Partial Partial
Heap-based buffer overflow in Panasonic FPWIN Pro 5.x through 7.x before 7.130 allows local users to cause a denial of service (application crash) via unspecified vectors.
9 CVE-2016-4496 119 DoS Overflow 2016-05-11 2016-05-13
4.4
None Local Medium Not required Partial Partial Partial
Panasonic FPWIN Pro 5.x through 7.x before 7.130 allows local users to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact by triggering a crafted index value, as demonstrated by an integer overflow.
10 CVE-2016-4477 19 DoS +Priv 2016-05-09 2016-05-10
4.4
None Local Medium Not required Partial Partial Partial
wpa_supplicant 0.4.0 through 2.5 does not reject \n and \r characters in passphrase parameters, which allows local users to trigger arbitrary library loading and consequently gain privileges, or cause a denial of service (daemon outage), via a crafted (1) SET, (2) SET_CRED, or (3) SET_NETWORK command.
11 CVE-2016-4439 119 DoS Exec Code Overflow 2016-05-20 2016-05-23
4.6
None Local Low Not required Partial Partial Partial
The esp_reg_write function in hw/scsi/esp.c in the 53C9X Fast SCSI Controller (FSC) support in QEMU does not properly check command buffer length, which allows local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or potentially execute arbitrary code on the QEMU host via unspecified vectors.
12 CVE-2016-4421 20 DoS 2016-04-30 2016-05-04
4.3
None Remote Medium Not required None None Partial
epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (deep recursion, stack consumption, and application crash) via a packet that specifies deeply nested data.
13 CVE-2016-4420 20 DoS 2016-04-30 2016-05-04
4.3
None Remote Medium Not required None None Partial
The NFS dissector in Wireshark 2.x before 2.0.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet.
14 CVE-2016-4419 399 DoS 2016-04-30 2016-05-04
4.3
None Remote Medium Not required None None Partial
epan/dissectors/packet-spice.c in the SPICE dissector in Wireshark 2.x before 2.0.2 mishandles capability data, which allows remote attackers to cause a denial of service (large loop) via a crafted packet.
15 CVE-2016-4418 119 DoS Overflow 2016-04-30 2016-05-04
4.3
None Remote Medium Not required None None Partial
epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet that triggers an empty set.
16 CVE-2016-4417 119 DoS Overflow 2016-04-30 2016-05-04
4.3
None Remote Medium Not required None None Partial
Off-by-one error in epan/dissectors/packet-gsm_abis_oml.c in the GSM A-bis OML dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet that triggers a 0xff tag value.
17 CVE-2016-4416 119 DoS Overflow 2016-04-30 2016-05-04
4.3
None Remote Medium Not required None None Partial
epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in Wireshark 2.x before 2.0.2 mishandles the Grouping subfield, which allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.
18 CVE-2016-4415 119 DoS Overflow 2016-04-30 2016-05-04
4.3
None Remote Medium Not required None None Partial
wiretap/vwr.c in the Ixia IxVeriWave file parser in Wireshark 2.x before 2.0.2 incorrectly increases a certain octet count, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) via a crafted file.
19 CVE-2016-4085 20 DoS Overflow 2016-04-25 2016-05-05
4.3
None Remote Medium Not required None None Partial
Stack-based buffer overflow in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.12.x before 1.12.11 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long string in a packet.
20 CVE-2016-4084 DoS Overflow 2016-04-25 2016-04-28
4.3
None Remote Medium Not required None None Partial
Integer signedness error in epan/dissectors/packet-mswsp.c in the MS-WSP dissector in Wireshark 2.0.x before 2.0.3 allows remote attackers to cause a denial of service (integer overflow and application crash) via a crafted packet that triggers an unexpected array size.
21 CVE-2016-4083 20 DoS 2016-04-25 2016-04-28
4.3
None Remote Medium Not required None None Partial
epan/dissectors/packet-mswsp.c in the MS-WSP dissector in Wireshark 2.0.x before 2.0.3 does not ensure that data is available before array allocation, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
22 CVE-2016-4082 119 DoS Overflow 2016-04-25 2016-04-28
4.3
None Remote Medium Not required None None Partial
epan/dissectors/packet-gsm_cbch.c in the GSM CBCH dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses the wrong variable to index an array, which allows remote attackers to cause a denial of service (out-of-bounds access and application crash) via a crafted packet.
23 CVE-2016-4081 284 DoS 2016-04-25 2016-04-28
4.3
None Remote Medium Not required None None Partial
epan/dissectors/packet-iax2.c in the IAX2 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.
24 CVE-2016-4080 119 DoS Overflow 2016-04-25 2016-04-28
4.3
None Remote Medium Not required None None Partial
epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 misparses timestamp fields, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet.
25 CVE-2016-4079 119 DoS Overflow 2016-04-25 2016-04-28
4.3
None Remote Medium Not required None None Partial
epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not verify BER identifiers, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) via a crafted packet.
26 CVE-2016-4078 20 DoS 2016-04-25 2016-04-28
4.3
None Remote Medium Not required None None Partial
The IEEE 802.11 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not properly restrict element lists, which allows remote attackers to cause a denial of service (deep recursion and application crash) via a crafted packet, related to epan/dissectors/packet-capwap.c and epan/dissectors/packet-ieee80211.c.
27 CVE-2016-4077 DoS 2016-04-25 2016-04-28
4.3
None Remote Medium Not required None None Partial
epan/reassemble.c in TShark in Wireshark 2.0.x before 2.0.3 relies on incorrect special-case handling of truncated Tvb data structures, which allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted packet.
28 CVE-2016-4076 284 DoS 2016-04-25 2016-04-28
4.3
None Remote Medium Not required None None Partial
epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 2.0.x before 2.0.3 does not properly initialize memory for search patterns, which allows remote attackers to cause a denial of service (application crash) via a crafted packet.
29 CVE-2016-4062 19 DoS 2016-04-22 2016-04-28
4.3
None Remote Medium Not required None None Partial
Foxit Reader and PhantomPDF before 7.3.4 on Windows improperly report format errors recursively, which allows remote attackers to cause a denial of service (application hang) via a crafted PDF.
30 CVE-2016-4053 119 Overflow +Info 2016-04-25 2016-04-28
4.3
None Remote Medium Not required Partial None None
Squid 3.x before 3.5.17 and 4.x before 4.0.9 allow remote attackers to obtain sensitive stack layout information via crafted Edge Side Includes (ESI) responses, related to incorrect use of assert and compiler optimization.
31 CVE-2016-4037 20 DoS 2016-05-23 2016-05-25
4.9
None Local Low Not required None None Complete
The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558.
32 CVE-2016-4016 79 XSS 2016-04-14 2016-04-20
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in SAP Manufacturing Integration and Intelligence (aka MII, formerly xMII) allows remote attackers to inject arbitrary web script or HTML via vectors related to UR Control, aka SAP Security Note 2201295.
33 CVE-2016-4008 399 DoS 2016-05-05 2016-05-10
4.3
None Remote Medium Not required None None Partial
The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag, allows remote attackers to cause a denial of service (infinite recursion) via a crafted certificate.
34 CVE-2016-4006 119 DoS Overflow 2016-04-25 2016-04-28
4.3
None Remote Medium Not required None None Partial
epan/proto.c in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not limit the protocol-tree depth, which allows remote attackers to cause a denial of service (stack memory consumption and application crash) via a crafted packet.
35 CVE-2016-4004 22 Dir. Trav. 2016-04-12 2016-04-18
4.0
None Remote Low Single system Partial None None
Directory traversal vulnerability in Dell OpenManage Server Administrator (OMSA) 8.2 allows remote authenticated administrators to read arbitrary files via a ..\ (dot dot backslash) in the file parameter to ViewFile.
36 CVE-2016-4003 79 XSS 2016-04-12 2016-04-12
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.
37 CVE-2016-4001 20 DoS Overflow 2016-05-23 2016-05-25
4.3
None Remote Medium Not required None None Partial
Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.
38 CVE-2016-3978 79 XSS 2016-04-08 2016-04-14
4.3
None Remote Medium Not required None Partial None
The Web User Interface (WebUI) in FortiOS 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting (XSS) attacks via the "redirect" parameter to "login."
39 CVE-2016-3977 119 DoS Overflow 2016-04-21 2016-04-28
4.3
None Remote Medium Not required None None Partial
Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in giflib 5.1.2 allows remote attackers to cause a denial of service (application crash) via the background color index in a GIF file.
40 CVE-2016-3975 79 XSS 2016-04-07 2016-04-11
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to NavigationURLTester, aka SAP Security Note 2238375.
41 CVE-2016-3972 22 Dir. Trav. 2016-04-18 2016-04-19
4.0
None Remote Low Single system Partial None None
Directory traversal vulnerability in the dotTailLogServlet in dotCMS before 3.5.1 allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the fileName parameter.
42 CVE-2016-3969 79 XSS 2016-04-06 2016-05-19
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in McAfee Email Gateway (MEG) 7.6.x before 7.6.404, when File Filtering is enabled with the action set to ESERVICES:REPLACE, allows remote attackers to inject arbitrary web script or HTML via an attachment in a blocked email.
43 CVE-2016-3968 79 XSS 2016-04-06 2016-04-07
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Sophos Cyberoam CR100iNG UTM appliance with firmware 10.6.3 MR-1 build 503, CR35iNG UTM appliance with firmware 10.6.2 MR-1 build 383, and CR35iNG UTM appliance with firmware 10.6.2 Build 378 allow remote attackers to inject arbitrary web script or HTML via the (1) ipFamily parameter to corporate/webpages/trafficdiscovery/LiveConnections.jsp; the (2) ipFamily, (3) applicationname, or (4) username parameter to corporate/webpages/trafficdiscovery/LiveConnectionDetail.jsp; or the (5) X-Forwarded-For HTTP header.
44 CVE-2016-3951 DoS 2016-05-02 2016-05-05
4.9
None Local Low Not required None None Complete
Double free vulnerability in drivers/net/usb/cdc_ncm.c in the Linux kernel before 4.5 allows physically proximate attackers to cause a denial of service (system crash) or possibly have unspecified other impact by inserting a USB device with an invalid USB descriptor.
45 CVE-2016-3941 119 DoS Overflow 2016-04-18 2016-04-20
4.3
None Remote Medium Not required None None Partial
Buffer overflow in the AStreamPeekStream function in input/stream.c in VideoLAN VLC media player before 2.2.0 allows remote attackers to cause a denial of service (crash) via a crafted wav file, related to "seek across EOF."
46 CVE-2016-3727 200 +Info 2016-05-17 2016-05-18
4.0
None Remote Low Single system Partial None None
The API URL computer/(master)/api/xml in CloudBees Jenkins before 2.3 and LTS before 1.651.2 allows remote authenticated users with extended read permission for the master node to obtain sensitive information about the global configuration via unspecified vectors.
47 CVE-2016-3724 200 +Info 2016-05-17 2016-05-18
4.0
None Remote Low Single system Partial None None
CloudBees Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with extended read access to obtain sensitive password information by reading a job configuration.
48 CVE-2016-3723 200 +Info 2016-05-17 2016-05-18
4.0
None Remote Low Single system Partial None None
CloudBees Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with read access to obtain sensitive plugin installation information by leveraging missing permissions checks in unspecified XML/JSON API endpoints.
49 CVE-2016-3722 264 DoS 2016-05-17 2016-05-18
4.0
None Remote Low Single system None None Partial
CloudBees Jenkins before 2.3 and LTS before 1.651.2 allow remote authenticated users with multiple accounts to cause a denial of service (unable to login) by editing the "full name."
50 CVE-2016-3721 17 2016-05-17 2016-05-18
4.0
None Remote Low Single system None Partial None
CloudBees Jenkins before 2.3 and LTS before 1.651.2 might allow remote authenticated users to inject arbitrary build parameters into the build environment via environment variables.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.