CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-4061 20 DoS 2016-04-22 2016-04-28
5.0
None Remote Low Not required None None Partial
Foxit Reader and PhantomPDF before 7.3.4 on Windows allow remote attackers to cause a denial of service (application crash) via a crafted content stream.
2 CVE-2016-4060 DoS 2016-04-22 2016-04-28
5.0
None Remote Low Not required None None Partial
Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to cause a denial of service (application crash) via unspecified vectors.
3 CVE-2016-4017 DoS 2016-04-14 2016-04-20
5.0
None Remote Low Not required None None Partial
The Data Provisioning Agent (aka DP Agent) in SAP HANA allows remote attackers to cause a denial of service (process crash) via unspecified vectors, aka SAP Security Note 2262710.
4 CVE-2016-4015 DoS 2016-04-14 2016-04-19
5.0
None Remote Low Not required None None Partial
The Enqueue Server in SAP NetWeaver JAVA AS 7.1 through 7.4 allows remote attackers to cause a denial of service (process crash) via a crafted request, aka SAP Security Note 2258784.
5 CVE-2016-3983 345 Bypass 2016-04-08 2016-04-11
5.0
None Remote Low Not required None Partial None
McAfee Advanced Threat Defense (ATD) before 3.4.8.178 might allow remote attackers to bypass malware detection by leveraging information about the parent process.
6 CVE-2016-3980 20 DoS 2016-04-08 2016-04-14
5.0
None Remote Low Not required None None Partial
The Java Startup Framework (aka jstart) in SAP JAVA AS 7.4 allows remote attackers to cause a denial of service via a crafted HTTP request, aka SAP Security Note 2259547.
7 CVE-2016-3979 20 DoS 2016-04-08 2016-04-25
5.0
None Remote Low Not required None None Partial
Internet Communication Manager (aka ICMAN or ICM) in SAP JAVA AS 7.4 allows remote attackers to cause a denial of service via a crafted HTTP request, aka SAP Security Note 2256185.
8 CVE-2016-3976 22 Dir. Trav. 2016-04-07 2016-04-11
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to read arbitrary files via directory traversal sequences in unspecified vectors related to CrashFileDownloadServlet, aka SAP Security Note 2234971.
9 CVE-2016-3973 200 +Info 2016-04-07 2016-04-11
5.0
None Remote Low Not required Partial None None
The chat feature in the Real-Time Collaboration (RTC) services in SAP NetWeaver Java AS 7.4 allows remote attackers to obtain sensitive user information via unspecified vectors related to WD_CHAT, aka SAP Security Note 2255990.
10 CVE-2016-3963 DoS 2016-04-08 2016-04-11
5.0
None Remote Low Not required None None Partial
Siemens SCALANCE S613 allows remote attackers to cause a denial of service (web-server outage) via traffic to TCP port 443.
11 CVE-2016-3948 119 DoS Overflow 2016-04-07 2016-04-11
5.0
None Remote Low Not required None None Partial
Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds checking, which allows remote attackers to cause a denial of service via a crafted HTTP response, related to Vary headers.
12 CVE-2016-3676 254 2016-04-11 2016-04-14
5.8
None Local Network Low Not required Partial Partial Partial
Huawei E3276s USB modems with software before E3276s-150TCPU-V200R002B436D09SP00C00 allow man-in-the-middle attackers to intercept, spoof, or modify network traffic via unspecified vectors related to a fake network.
13 CVE-2016-3656 119 DoS Overflow 2016-04-12 2016-04-14
5.0
None Remote Low Not required None None Partial
The GlobalProtect Portal in Palo Alto Networks PAN-OS before 5.0.18, 6.0.x before 6.0.13, 6.1.x before 6.1.10, and 7.0.x before 7.0.5H2 allows remote attackers to cause a denial of service (service crash) via a crafted request.
14 CVE-2016-3463 2016-04-21 2016-04-27
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 12.0.3 allows remote attackers to affect confidentiality and integrity via vectors related to Pre-Login.
15 CVE-2016-3460 2016-04-21 2016-04-27
5.5
None Remote Low Single system Partial Partial None
Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to ePerformance.
16 CVE-2016-3429 2016-04-21 2016-04-26
5.4
None Local Medium Not required Complete Partial None
Unspecified vulnerability in the Oracle Retail Xstore Point of Service component in Oracle Retail Applications 5.0, 5.5, 6.0, 6.5, 7.0, and 7.1 allows remote authenticated users to affect confidentiality and integrity via vectors related to Xstore Services.
17 CVE-2016-3425 2016-04-21 2016-04-27
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect availability via vectors related to JAXP.
18 CVE-2016-3422 2016-04-21 2016-04-27
5.0
None Remote Low Not required None None Partial
Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect availability via vectors related to 2D.
19 CVE-2016-3186 119 DoS Overflow 2016-04-19 2016-04-25
5.0
None Remote Low Not required None None Partial
Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file.
20 CVE-2016-3170 200 +Info 2016-04-12 2016-04-14
5.0
None Remote Low Not required Partial None None
The "have you forgotten your password" links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in.
21 CVE-2016-3165 284 Bypass 2016-04-12 2016-04-12
5.0
None Remote Low Not required None Partial None
The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has "#access" set to FALSE in the server-side form definition.
22 CVE-2016-3164 2016-04-12 2016-04-12
5.8
None Remote Medium Not required Partial Partial None
Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.
23 CVE-2016-3163 254 2016-04-12 2016-04-18
5.0
None Remote Low Not required None Partial None
The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method.
24 CVE-2016-3116 Bypass 2016-03-22 2016-03-23
5.5
None Remote Low Single system Partial Partial None
CRLF injection vulnerability in Dropbear SSH before 2016.72 allows remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data.
25 CVE-2016-3115 Bypass 2016-03-22 2016-03-22
5.5
None Remote Low Single system Partial Partial None
Multiple CRLF injection vulnerabilities in session.c in sshd in OpenSSH before 7.2p2 allow remote authenticated users to bypass intended shell-command restrictions via crafted X11 forwarding data, related to the (1) do_authenticated1 and (2) session_x11_req functions.
26 CVE-2016-3071 20 DoS 2016-04-18 2016-04-20
5.0
None Remote Low Not required None None Partial
Libreswan 3.16 might allow remote attackers to cause a denial of service (daemon restart) via an IKEv2 aes_xcbc transform.
27 CVE-2016-2845 200 +Info 2016-03-05 2016-03-08
5.0
None Remote Low Not required Partial None None
The Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before 49.0.2623.75, does not ignore a URL's path component in the case of a ServiceWorker fetch, which allows remote attackers to obtain sensitive information about visited web pages by reading CSP violation reports, related to FrameFetchContext.cpp and ResourceFetcher.cpp.
28 CVE-2016-2572 20 DoS 2016-02-27 2016-03-03
5.0
None Remote Low Not required None None Partial
http.cc in Squid 4.x before 4.0.7 relies on the HTTP status code after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.
29 CVE-2016-2571 20 DoS 2016-02-27 2016-03-14
5.0
None Remote Low Not required None None Partial
http.cc in Squid 3.x before 3.5.15 and 4.x before 4.0.7 proceeds with the storage of certain data after a response-parsing failure, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a malformed response.
30 CVE-2016-2570 20 DoS 2016-02-27 2016-03-14
5.0
None Remote Low Not required None None Partial
The Edge Side Includes (ESI) parser in Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not check buffer limits during XML parsing, which allows remote HTTP servers to cause a denial of service (assertion failure and daemon exit) via a crafted XML document, related to esi/CustomParser.cc and esi/CustomParser.h.
31 CVE-2016-2569 20 DoS 2016-02-27 2016-03-14
5.0
None Remote Low Not required None None Partial
Squid 3.x before 3.5.15 and 4.x before 4.0.7 does not properly append data to String objects, which allows remote servers to cause a denial of service (assertion failure and daemon exit) via a long string, as demonstrated by a crafted HTTP Vary header.
32 CVE-2016-2562 20 +Info 2016-03-01 2016-03-03
5.8
None Remote Medium Not required Partial Partial None
The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate.
33 CVE-2016-2537 20 DoS 2016-02-23 2016-02-29
5.0
None Remote Low Not required None None Partial
The is-my-json-valid package before 2.12.4 for Node.js has an incorrect exports['utc-millisec'] regular expression, which allows remote attackers to cause a denial of service (blocked event loop) via a crafted string.
34 CVE-2016-2388 284 +Info 2016-02-16 2016-02-29
5.0
None Remote Low Not required Partial None None
The Universal Worklist Configuration in SAP NetWeaver 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request, aka SAP Security Note 2256846.
35 CVE-2016-2381 20 Bypass 2016-04-08 2016-04-25
5.0
None Remote Low Not required None Partial None
Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.
36 CVE-2016-2340 DoS 2016-03-25 2016-03-28
5.5
None Remote Low Single system Partial None Partial
The AMF framework in Granite Data Services 3.1.1-SNAPSHOT allows remote authenticated users to read arbitrary files, send TCP requests to intranet servers, or cause a denial of service via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
37 CVE-2016-2303 Http R.Spl. 2016-04-21 2016-04-27
5.0
None Remote Low Not required None Partial None
CRLF injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.
38 CVE-2016-2302 200 +Info 2016-04-21 2016-04-27
5.0
None Remote Low Not required Partial None None
Ecava IntegraXor before 5.0 build 4522 allows remote attackers to obtain sensitive information by reading detailed error messages.
39 CVE-2016-2294 200 +Info 2016-04-21 2016-04-28
5.0
None Remote Low Not required Partial None None
The AXM-NET module in Accuenergy Acuvim II NET Firmware 3.08 and Acuvim IIR NET Firmware 3.08 allows remote attackers to discover a cleartext mail-server password via unspecified vectors.
40 CVE-2016-2289 22 Dir. Trav. 2016-04-01 2016-04-04
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in ICONICS WebHMI 9 and earlier allows remote attackers to read configuration files, and consequently discover password hashes, via unspecified vectors.
41 CVE-2016-2283 255 2016-03-04 2016-03-11
5.0
None Remote Low Not required Partial None None
Moxa ioLogik E2200 devices before 3.12 and ioAdmin Configuration Utility before 3.18 do not properly encrypt data, which makes it easier for remote attackers to obtain the associated cleartext via unspecified vectors.
42 CVE-2016-2282 255 2016-03-04 2016-03-14
5.0
None Remote Low Not required Partial None None
Moxa ioLogik E2200 devices before 3.12 and ioAdmin Configuration Utility before 3.18 do not properly encrypt credentials, which makes it easier for remote attackers to obtain the associated cleartext via unspecified vectors.
43 CVE-2016-2272 284 2016-04-06 2016-04-07
5.0
None Remote Low Not required None Partial None
Eaton Lighting EG2 Web Control 4.04P and earlier allows remote attackers to have an unspecified impact via a modified cookie.
44 CVE-2016-2268 310 +Info 2016-02-08 2016-03-10
5.8
None Remote Medium Not required Partial Partial None
Dell SecureWorks app before 2.1 for iOS does not validate SSL certificates, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
45 CVE-2016-2244 200 +Info 2016-03-04 2016-03-10
5.0
None Remote Low Not required Partial None None
HP LaserJet printers and MFPs and OfficeJet Enterprise printers with firmware before 3.7.01 allow remote attackers to obtain sensitive information via unspecified vectors.
46 CVE-2016-2243 284 DoS 2016-03-04 2016-03-14
5.4
None Local Medium Not required None Partial Complete
Sure Start on HP Commercial PCs 2015 allows local users to cause a denial of service (BIOS recovery failure) by leveraging administrative access.
47 CVE-2016-2212 200 +Info 2016-04-15 2016-04-22
5.0
None Remote Low Not required Partial None None
The getOrderByStatusUrlKey function in the Mage_Rss_Helper_Order class in app/code/core/Mage/Rss/Helper/Order.php in Magento Enterprise Edition before 1.14.2.3 and Magento Community Edition before 1.9.2.3 allows remote attackers to obtain sensitive order information via the order_id in a JSON object in the data parameter in an RSS feed request to index.php/rss/order/status.
48 CVE-2016-2201 20 Bypass 2016-02-08 2016-02-18
5.0
None Remote Low Not required None Partial None
Siemens SIMATIC S7-1500 CPU devices before 1.8.3 allow remote attackers to bypass a replay protection mechanism via packets on TCP port 102.
49 CVE-2016-2193 254 Bypass 2016-04-11 2016-04-14
5.0
None Remote Low Not required None Partial None
PostgreSQL before 9.5.x before 9.5.2 does not properly maintain row-security status in cached plans, which might allow attackers to bypass intended access restrictions by leveraging a session that performs queries as more than one role.
50 CVE-2016-2166 200 +Info 2016-04-12 2016-04-14
5.8
None Remote Medium Not required Partial Partial None
The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.