CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 5 and 5.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-5433 20 2016-06-17 2016-06-20
5.8
None Remote Medium Not required Partial Partial None
Citrix iOS Receiver before 7.0 allows attackers to cause TLS certificates to be incorrectly validated via unspecified vectors.
2 CVE-2016-5367 200 +Info 2016-06-14 2016-06-14
5.0
None Remote Low Not required Partial None None
Huawei Honor WS851 routers with software 1.1.21.1 and earlier allow remote attackers to obtain sensitive information via unspecified vectors, aka HWPSIRT-2016-05053.
3 CVE-2016-5366 284 2016-06-14 2016-06-14
5.0
None Remote Low Not required None Partial None
Huawei Honor WS851 routers with software 1.1.21.1 and earlier allow remote attackers to modify configuration data via vectors related to a "file injection vulnerability," aka HWPSIRT-2016-05052.
4 CVE-2016-5361 20 DoS 2016-06-16 2016-06-20
5.0
None Remote Low Not required None None Partial
programs/pluto/ikev1.c in libreswan before 3.17 retransmits in initial-responder states, which allows remote attackers to cause a denial of service (traffic amplification) via a spoofed UDP packet. NOTE: the original behavior complies with the IKEv1 protocol, but has a required security update from the libreswan vendor; as of 2016-06-10, it is expected that several other IKEv1 implementations will have vendor-required security updates, with separate CVE IDs assigned to each.
5 CVE-2016-5104 284 Bypass 2016-06-13 2016-06-15
5.0
None Remote Low Not required None Partial None
The socket_create function in common/socket.c in libimobiledevice and libusbmuxd allows remote attackers to bypass intended access restrictions and communicate with services on iOS devices by connecting to an IPv4 TCP socket.
6 CVE-2016-4821 DoS 2016-06-18 2016-06-20
5.0
None Remote Low Not required None None Partial
I-O DATA DEVICE ETX-R devices allow remote attackers to cause a denial of service (web-server crash) via unspecified vectors.
7 CVE-2016-4817 DoS Exec Code 2016-06-18 2016-06-21
5.0
None Remote Low Not required None None Partial
lib/http2/connection.c in H2O before 1.7.3 and 2.x before 2.0.0-beta5 mishandles HTTP/2 disconnection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly execute arbitrary code via a crafted packet.
8 CVE-2016-4815 22 Dir. Trav. 2016-06-18 2016-06-21
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability on BUFFALO WZR-600DHP3 devices with firmware 2.16 and earlier and WZR-S600DHP devices with firmware 2.16 and earlier allows remote attackers to read arbitrary files via unspecified vectors.
9 CVE-2016-4814 22 Dir. Trav. 2016-06-18 2016-06-21
5.0
None Remote Low Not required Partial None None
Directory traversal vulnerability in kml2jsonp.php in Geospatial Information Authority of Japan (aka GSI) Old_GSI_Maps before January 2015 on Windows allows remote attackers to read arbitrary files via unspecified vectors.
10 CVE-2016-4811 284 2016-06-19 2016-06-21
5.1
None Remote High Not required Partial Partial Partial
The NTT Broadband Platform Japan Connected-free Wi-Fi application 1.15.1 and earlier for Android and 1.13.0 and earlier for iOS allows man-in-the-middle attackers to obtain API access via unspecified vectors.
11 CVE-2016-4810 284 2016-06-01 2016-06-02
5.0
None Remote Low Not required None Partial None
Citrix Studio before 7.6.1000, Citrix XenDesktop 7.x before 7.6 LTSR Cumulative Update 1 (CU1), and Citrix XenApp 7.5 and 7.6 allow attackers to set Access Policy rules on the XenDesktop Delivery Controller via unspecified vectors.
12 CVE-2016-4792 2016-05-26 2016-05-26
5.0
None Remote Low Not required Partial None None
Pulse Connect Secure (PCS) 8.2 before 8.2r1 allows remote attackers to disclose sign in pages via unspecified vectors.
13 CVE-2016-4788 2016-05-26 2016-05-26
5.0
None Remote Low Not required Partial None None
Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote attackers to read an unspecified system file via unknown vectors.
14 CVE-2016-4785 200 +Info 2016-05-30 2016-06-01
5.0
None Remote Low Not required Partial None None
The integrated web server in the EN100 Ethernet module before 4.27 on Siemens SIPROTEC 4 and SIPROTEC Compact devices allows remote attackers to obtain sensitive information from device memory via an HTTP request.
15 CVE-2016-4784 200 +Info 2016-05-30 2016-06-01
5.0
None Remote Low Not required Partial None None
The integrated web server in the EN100 Ethernet module before 4.27 on Siemens SIPROTEC 4 and SIPROTEC Compact devices, and the Ethernet Service Interface on SIPROTEC Compact devices, allows remote attackers to obtain sensitive information via an HTTP request.
16 CVE-2016-4580 200 +Info 2016-05-23 2016-05-24
5.0
None Remote Low Not required Partial None None
The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.
17 CVE-2016-4579 20 DoS 2016-06-13 2016-06-20
5.0
None Remote Low Not required None None Partial
Libksba before 1.3.4 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via unspecified vectors, related to the "returned length of the object from _ksba_ber_parse_tl."
18 CVE-2016-4574 189 DoS 2016-06-13 2016-06-20
5.0
None Remote Low Not required None None Partial
Off-by-one error in the append_utf8_value function in the DN decoder (dn.c) in Libksba before 1.3.4 allows remote attackers to cause a denial of service (out-of-bounds read) via invalid utf-8 encoded data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-4356.
19 CVE-2016-4556 DoS 2016-05-10 2016-06-21
5.0
None Remote Low Not required None None Partial
Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via a crafted Edge Side Includes (ESI) response.
20 CVE-2016-4555 20 DoS 2016-05-10 2016-06-21
5.0
None Remote Low Not required None None Partial
client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via crafted Edge Side Includes (ESI) responses.
21 CVE-2016-4554 345 Bypass 2016-05-10 2016-06-21
5.0
None Remote Low Not required None Partial None
mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attacks via a crafted HTTP Host header, aka a "header smuggling" issue.
22 CVE-2016-4553 345 2016-05-10 2016-06-21
5.0
None Remote Low Not required None Partial None
client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request.
23 CVE-2016-4545 20 DoS 2016-06-07 2016-06-09
5.0
None Remote Low Not required None None Partial
Virtual servers in F5 BIG-IP 11.5.4, when SSL profiles are enabled, allow remote attackers to cause a denial of service (resource consumption and Traffic Management Microkernel restart) via an SSL alert during the handshake.
24 CVE-2016-4536 200 +Info 2016-05-13 2016-05-19
5.0
None Remote Low Not required Partial None None
The client in OpenAFS before 1.6.17 does not properly initialize the (1) AFSStoreStatus, (2) AFSStoreVolumeStatus, (3) VldbListByAttributes, and (4) ListAddrByAttributes structures, which might allow remote attackers to obtain sensitive memory information by leveraging access to RPC call traffic.
25 CVE-2016-4523 119 DoS Overflow 2016-06-09 2016-06-09
5.0
None Remote Low Not required None None Partial
The WAP interface in Trihedral VTScada (formerly VTS) 8.x through 11.x before 11.2.02 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via unspecified vectors.
26 CVE-2016-4502 284 Bypass 2016-05-30 2016-06-07
5.0
None Remote Low Not required Partial None None
Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and earlier allows remote attackers to bypass intended access restrictions and execute arbitrary functions via a modified parameter.
27 CVE-2016-4495 284 Bypass 2016-06-09 2016-06-14
5.0
None Remote Low Not required Partial None None
KMC Controls BAC-5051E devices with firmware before E0.2.0.2 allow remote attackers to bypass intended access restrictions and read a configuration file via unspecified vectors.
28 CVE-2016-4485 200 +Info 2016-05-23 2016-05-24
5.0
None Remote Low Not required Partial None None
The llc_cmsg_rcv function in net/llc/af_llc.c in the Linux kernel before 4.5.5 does not initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory by reading a message.
29 CVE-2016-4478 119 DoS Overflow 2016-06-13 2016-06-20
5.0
None Remote Low Not required None None Partial
Buffer overflow in the xmlrpc_char_encode function in modules/transport/xmlrpc/xmlrpclib.c in Atheme before 7.2.7 allows remote attackers to cause a denial of service via vectors related to XMLRPC response encoding.
30 CVE-2016-4476 20 DoS 2016-05-09 2016-05-10
5.0
None Remote Low Not required None None Partial
hostapd 0.6.7 through 2.5 and wpa_supplicant 0.6.7 through 2.5 do not reject \n and \r characters in passphrase parameters, which allows remote attackers to cause a denial of service (daemon outage) via a crafted WPS operation.
31 CVE-2016-4450 DoS 2016-06-07 2016-06-15
5.0
None Remote Low Not required None None Partial
os/unix/ngx_files.c in nginx before 1.10.1 and 1.11.x before 1.11.1 allows remote attackers to cause a denial of service (NULL pointer dereference and worker process crash) via a crafted request, involving writing a client request body to a temporary file.
32 CVE-2016-4449 20 DoS 2016-06-09 2016-06-20
5.8
None Remote Medium Not required Partial None Partial
XML external entity (XXE) vulnerability in the xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.4, when not in validating mode, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via unspecified vectors.
33 CVE-2016-4447 119 DoS Overflow 2016-06-09 2016-06-21
5.0
None Remote Low Not required None None Partial
The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName.
34 CVE-2016-4432 287 Bypass 2016-06-01 2016-06-15
5.0
None Remote Low Not required None Partial None
The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging.
35 CVE-2016-4425 20 DoS 2016-05-17 2016-05-19
5.0
None Remote Low Not required None None Partial
Jansson 2.7 and earlier allows context-dependent attackers to cause a denial of service (deep recursion, stack consumption, and crash) via crafted JSON data.
36 CVE-2016-4423 399 DoS 2016-06-01 2016-06-03
5.0
None Remote Low Not required None None Partial
The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames.
37 CVE-2016-4414 DoS 2016-06-13 2016-06-15
5.0
None Remote Low Not required None None Partial
The onReadyRead function in core/coreauthhandler.cpp in Quassel before 0.12.4 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via invalid handshake data.
38 CVE-2016-4367 200 +Info 2016-06-08 2016-06-15
5.0
None Remote Low Not required Partial None None
The Universal Discovery component in HPE Universal CMDB 10.0, 10.01, 10.10, 10.11, 10.20, and 10.21 allows remote attackers to obtain sensitive information via unspecified vectors.
39 CVE-2016-4365 +Info 2016-06-08 2016-06-09
5.0
None Remote Low Not required Partial None None
HPE Insight Control server deployment allows remote attackers to obtain sensitive information via unspecified vectors.
40 CVE-2016-4362 +Info 2016-06-08 2016-06-09
5.5
None Remote Low Single system Partial Partial None
HPE Insight Control server deployment allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors.
41 CVE-2016-4361 DoS 2016-06-08 2016-06-15
5.0
None Remote Low Not required None None Partial
HPE LoadRunner 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.02 through patch 2, and 12.50 through patch 3 and Performance Center 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.20 through patch 2, and 12.50 through patch 1 allow remote attackers to cause a denial of service via unspecified vectors.
42 CVE-2016-4356 119 DoS Overflow 2016-06-13 2016-06-14
5.0
None Remote Low Not required None None Partial
The append_utf8_value function in the DN decoder (dn.c) in Libksba before 1.3.3 allows remote attackers to cause a denial of service (out-of-bounds read) by clearing the high bit of the byte after invalid utf-8 encoded data.
43 CVE-2016-4355 119 DoS Overflow 2016-06-13 2016-06-14
5.0
None Remote Low Not required None None Partial
Multiple integer overflows in ber-decoder.c in Libksba before 1.3.3 allow remote attackers to cause a denial of service (crash) via crafted BER data, which leads to a buffer overflow.
44 CVE-2016-4354 119 DoS Overflow 2016-06-13 2016-06-14
5.0
None Remote Low Not required None None Partial
ber-decoder.c in Libksba before 1.3.3 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (crash) via crafted BER data, which leads to a buffer overflow.
45 CVE-2016-4353 20 DoS Overflow 2016-06-13 2016-06-14
5.0
None Remote Low Not required None None Partial
ber-decoder.c in Libksba before 1.3.3 does not properly handle decoder stack overflows, which allows remote attackers to cause a denial of service (abort) via crafted BER data.
46 CVE-2016-4348 20 DoS 2016-05-20 2016-05-23
5.0
None Remote Low Not required None None Partial
The _rsvg_css_normalize_font_size function in librsvg 2.40.2 allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via circular definitions in an SVG document.
47 CVE-2016-4087 20 DoS Exec Code 2016-05-23 2016-05-25
5.1
None Remote High Not required Partial Partial Partial
Huawei S12700 switches with software before V200R008C00SPC500 and S5700 switches with software before V200R005SPH010, when the debug switch is enabled, allows remote attackers to cause a denial of service or execute arbitrary code via crafted DNS packets.
48 CVE-2016-4070 189 DoS Overflow 2016-05-20 2016-05-24
5.0
None Remote Low Not required None None Partial
** DISPUTED ** Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says "Not sure if this qualifies as security issue (probably not)."
49 CVE-2016-4061 20 DoS 2016-04-22 2016-04-28
5.0
None Remote Low Not required None None Partial
Foxit Reader and PhantomPDF before 7.3.4 on Windows allow remote attackers to cause a denial of service (application crash) via a crafted content stream.
50 CVE-2016-4060 DoS 2016-04-22 2016-04-28
5.0
None Remote Low Not required None None Partial
Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to cause a denial of service (application crash) via unspecified vectors.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.