CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

HP : Security Vulnerabilities

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-6306 125 DoS 2016-09-26 2016-11-28
4.3
None Remote Medium Not required None None Partial
The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
2 CVE-2016-5388 284 2016-07-18 2016-11-28
5.1
None Remote High Not required Partial Partial Partial
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
3 CVE-2016-5387 284 2016-07-18 2016-11-28
5.1
None Remote High Not required Partial Partial Partial
The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "This mitigation has been assigned the identifier CVE-2016-5387"; in other words, this is not a CVE ID for a vulnerability.
4 CVE-2016-5385 284 2016-07-18 2016-11-28
5.1
None Remote High Not required Partial Partial Partial
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv('HTTP_PROXY') call or (2) a CGI configuration of PHP, aka an "httpoxy" issue.
5 CVE-2016-4543 119 DoS Overflow 2016-05-21 2016-11-30
7.5
None Remote Low Not required Partial Partial Partial
The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
6 CVE-2016-4448 2016-06-09 2016-11-28
10.0
None Remote Low Not required Complete Complete Complete
Format string vulnerability in libxml2 before 2.9.4 allows attackers to have unspecified impact via format string specifiers in unknown vectors.
7 CVE-2016-4447 119 DoS Overflow 2016-06-09 2016-11-28
5.0
None Remote Low Not required None None Partial
The xmlParseElementDecl function in parser.c in libxml2 before 2.9.4 allows context-dependent attackers to cause a denial of service (heap-based buffer underread and application crash) via a crafted file, involving xmlParseName.
8 CVE-2016-4396 119 Overflow 2016-10-28 2016-11-28
7.8
None Remote Low Not required None Complete None
HPE System Management Homepage before v7.6 allows remote attackers to have an unspecified impact via unknown vectors, related to a "Buffer Overflow" issue.
9 CVE-2016-4395 119 Overflow 2016-10-28 2016-11-28
7.8
None Remote Low Not required None Complete None
HPE System Management Homepage before v7.6 allows remote attackers to have an unspecified impact via unknown vectors, related to a "Buffer Overflow" issue.
10 CVE-2016-4394 254 +Info 2016-10-28 2016-11-28
5.8
None Remote Medium Not required None Partial Partial
HPE System Management Homepage before v7.6 allows remote attackers to obtain sensitive information via unspecified vectors, related to an "HSTS" issue.
11 CVE-2016-4393 79 XSS +Info 2016-10-28 2016-11-28
3.5
None Remote Medium Single system None Partial None
HPE System Management Homepage before v7.6 allows "remote authenticated" attackers to obtain sensitive information via unspecified vectors, related to an "XSS" issue.
12 CVE-2016-4390 Exec Code 2016-10-05 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4387, CVE-2016-4388, and CVE-2016-4389.
13 CVE-2016-4389 Exec Code 2016-10-05 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4387, CVE-2016-4388, and CVE-2016-4390.
14 CVE-2016-4388 Exec Code 2016-10-05 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4387, CVE-2016-4389, and CVE-2016-4390.
15 CVE-2016-4387 Exec Code 2016-10-05 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4388, CVE-2016-4389, and CVE-2016-4390.
16 CVE-2016-4386 2016-09-29 2016-11-28
6.9
None Local Medium Not required Complete Complete Complete
HPE Network Automation Software 10.10 allows local users to write to arbitrary files via unspecified vectors.
17 CVE-2016-4385 502 Exec Code 2016-09-29 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils libraries.
18 CVE-2016-4384 DoS 2016-09-20 2016-11-28
9.0
None Remote Low Not required Partial Partial Complete
HPE Performance Center before 12.50 and LoadRunner before 12.50 allow remote attackers to cause a denial of service via unspecified vectors.
19 CVE-2016-4382 264 Bypass 2016-09-20 2016-11-28
6.0
None Remote Medium Single system Partial Partial Partial
HPE Performance Center 11.52, 12.00, 12.01, 12.20, and 12.50 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to a "remote user validation failure" issue.
20 CVE-2016-4381 264 Bypass 2016-09-08 2016-11-28
4.4
None Local Medium Not required Partial Partial Partial
HPE XP7 Command View Advanced Edition (CVAE) Suite 6.x through 8.x before 8.4.1-02, when Replication Manager (RepMgr) and Device Manager (DevMgr) are enabled, allows local users to bypass intended access restrictions via unspecified vectors.
21 CVE-2016-4380 79 XSS 2016-09-08 2016-11-28
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the AdminUI in HPE Operations Manager 9.21.x before 9.21.130 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
22 CVE-2016-4379 310 +Info 2016-09-08 2016-11-28
4.3
None Remote Medium Not required Partial None None
The TLS implementation in HPE Integrated Lights-Out 3 (aka iLO3) firmware before 1.88 does not properly use a MAC protection mechanism in conjunction with CBC padding, which allows remote attackers to obtain sensitive information via a padding-oracle attack, aka a Vaudenay attack.
23 CVE-2016-4378 200 +Info 2016-08-26 2016-11-28
5.0
None Remote Low Not required Partial None None
The (1) Device Manager, (2) Tiered Storage Manager, (3) Replication Manager, (4) Replication Monitor, and (5) Hitachi Automation Director (HAD) components in HPE XP P9000 Command View Advanced Edition Software before 8.4.1-00 and XP7 Command View Advanced Edition Suite before 8.4.1-00 allow remote attackers to obtain sensitive information via unspecified vectors.
24 CVE-2016-4377 Exec Code 2016-08-22 2016-11-28
7.6
None Remote High Not required Complete Complete Complete
HPE Smart Update in Storage Sizing Tool before 13.0, Converged Infrastructure Solution Sizer Suite (CISSS) before 2.13.1, Power Advisor before 7.8.2, Insight Management Sizer before 16.12.1, Synergy Planning Tool before 3.3, SAP Sizing Tool before 16.12.1, Sizing Tool for SAP Business Suite powered by HANA before 16.11.1, Sizer for ConvergedSystems Virtualization before 16.7.1, Sizer for Microsoft Exchange Server before 16.12.1, Sizer for Microsoft Lync Server 2013 before 16.12.1, Sizer for Microsoft SharePoint 2013 before 16.13.1, Sizer for Microsoft SharePoint 2010 before 16.11.1, and Sizer for Microsoft Skype for Business Server 2015 before 16.5.1 allows remote attackers to execute arbitrary code via unspecified vectors.
25 CVE-2016-4375 DoS +Info 2016-09-08 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
Multiple unspecified vulnerabilities in HPE Integrated Lights-Out 3 (aka iLO 3) firmware before 1.88, Integrated Lights-Out 4 (aka iLO 4) firmware before 2.44, and Integrated Lights-Out 4 (aka iLO 4) mRCA firmware before 2.32 allow remote attackers to obtain sensitive information, modify data, or cause a denial of service via unknown vectors.
26 CVE-2016-4374 918 DoS +Info 2016-08-07 2016-11-28
4.0
None Remote Low Single system None Partial None
HPE Release Control (RC) 9.13, 9.20, and 9.21 before 9.21.0005 p4 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, and consequently obtain sensitive information or cause a denial of service, via unspecified vectors.
27 CVE-2016-4373 284 Exec Code 2016-07-31 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
The AdminUI in HPE Operations Manager (OM) before 9.21.130 on Linux, Unix, and Solaris allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
28 CVE-2016-4372 20 Exec Code 2016-07-15 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
HPE iMC PLAT before 7.2 E0403P04, iMC EAD before 7.2 E0405P05, iMC APM before 7.2 E0401P04, iMC NTA before 7.2 E0401P01, iMC BIMS before 7.2 E0402P02, and iMC UAM_TAM before 7.2 E0405P05 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
29 CVE-2016-4371 352 +Info 2016-06-18 2016-06-21
6.0
None Remote Medium Single system Partial Partial Partial
HP Service Manager Software 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, and 9.41 allows remote authenticated users to obtain sensitive information, modify data, and conduct server-side request forgery (SSRF) attacks via unspecified vectors, related to the Server, Web Client, Windows Client, and Service Request components.
30 CVE-2016-4370 Exec Code +Info 2016-06-09 2016-06-10
6.5
None Remote Low Single system Partial Partial Partial
HPE Project and Portfolio Management Center (PPM) 9.2x and 9.3x before 9.32.0002 allows remote authenticated users to execute arbitrary commands or obtain sensitive information via unspecified vectors.
31 CVE-2016-4369 284 Exec Code 2016-06-08 2016-08-23
6.5
None Remote Low Single system Partial Partial Partial
HPE Discovery and Dependency Mapping Inventory (DDMi) 9.30, 9.31, 9.32, 9.32 update 1, 9.32 update 2, and 9.32 update 3 allows remote authenticated users to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library.
32 CVE-2016-4368 20 Exec Code 2016-06-08 2016-06-10
7.5
None Remote Low Not required Partial Partial Partial
HPE Universal CMDB 10.0 through 10.21, Universal CMDB Configuration Manager 10.0 through 10.21, and Universal Discovery 10.0 through 10.21 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
33 CVE-2016-4367 200 +Info 2016-06-08 2016-08-23
5.0
None Remote Low Not required Partial None None
The Universal Discovery component in HPE Universal CMDB 10.0, 10.01, 10.10, 10.11, 10.20, and 10.21 allows remote attackers to obtain sensitive information via unspecified vectors.
34 CVE-2016-4366 DoS +Info 2016-06-08 2016-08-23
7.5
None Remote Low Not required Partial Partial Partial
HPE Systems Insight Manager (SIM) before 7.5.1 allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via unspecified vectors.
35 CVE-2016-4365 +Info 2016-06-08 2016-08-23
5.0
None Remote Low Not required Partial None None
HPE Insight Control server deployment allows remote attackers to obtain sensitive information via unspecified vectors.
36 CVE-2016-4364 +Priv 2016-06-08 2016-08-23
7.2
None Local Low Not required Complete Complete Complete
HPE Insight Control server deployment allows local users to gain privileges via unspecified vectors.
37 CVE-2016-4363 79 XSS 2016-06-08 2016-08-23
4.3
None Remote Medium Not required None Partial None
HPE Insight Control server deployment allows remote attackers to modify data via unspecified vectors.
38 CVE-2016-4362 +Info 2016-06-08 2016-08-23
5.5
None Remote Low Single system Partial Partial None
HPE Insight Control server deployment allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors.
39 CVE-2016-4361 DoS 2016-06-08 2016-11-28
5.0
None Remote Low Not required None None Partial
HPE LoadRunner 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.02 through patch 2, and 12.50 through patch 3 and Performance Center 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.20 through patch 2, and 12.50 through patch 1 allow remote attackers to cause a denial of service via unspecified vectors.
40 CVE-2016-4360 2016-06-08 2016-11-28
6.4
None Remote Low Not required None Partial Partial
web/admin/data.js in the Performance Center Virtual Table Server (VTS) component in HPE LoadRunner 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.02 through patch 2, and 12.50 through patch 3 and Performance Center 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.20 through patch 2, and 12.50 through patch 1 do not restrict file paths sent to an unlink call, which allows remote attackers to delete arbitrary files via the path parameter to data/import_csv, aka ZDI-CAN-3555.
41 CVE-2016-4359 119 Exec Code Overflow 2016-06-08 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
Stack-based buffer overflow in mchan.dll in the agent in HPE LoadRunner 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.02 through patch 2, and 12.50 through patch 3 and Performance Center 11.52 through patch 3, 12.00 through patch 1, 12.01 through patch 3, 12.20 through patch 2, and 12.50 through patch 1 allows remote attackers to execute arbitrary code via a long -server_name value, aka ZDI-CAN-3516.
42 CVE-2016-4358 +Info 2016-06-08 2016-08-23
4.8
None Local Network Low Not required Partial Partial None
HPE Matrix Operating Environment before 7.5.1 allows remote attackers to obtain sensitive information or modify data via unspecified vectors, a different vulnerability than CVE-2016-2029.
43 CVE-2016-4357 +Info 2016-06-08 2016-08-23
7.5
None Remote Low Single system Partial Complete None
HPE Matrix Operating Environment before 7.5.1 allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors, a different vulnerability than CVE-2016-2028.
44 CVE-2016-3710 284 Exec Code 2016-05-11 2016-11-30
7.2
None Local Low Not required Complete Complete Complete
The VGA module in QEMU improperly performs bounds checking on banked access to video memory, which allows local guest OS administrators to execute arbitrary code on the host by changing access modes after setting the bank register, aka the "Dark Portal" issue.
45 CVE-2016-3705 20 DoS 2016-05-17 2016-11-30
5.0
None Remote Low Not required None None Partial
The (1) xmlParserEntityCheck and (2) xmlParseAttValueComplex functions in parser.c in libxml2 2.9.3 do not properly keep track of the recursion depth, which allows context-dependent attackers to cause a denial of service (stack consumption and application crash) via a crafted XML document containing a large number of nested entity references.
46 CVE-2016-3627 20 DoS 2016-05-17 2016-11-30
5.0
None Remote Low Not required None None Partial
The xmlStringGetNodeList function in tree.c in libxml2 2.9.3 and earlier, when used in recovery mode, allows context-dependent attackers to cause a denial of service (infinite recursion, stack consumption, and application crash) via a crafted XML document.
47 CVE-2016-3092 20 DoS 2016-07-04 2016-11-28
7.8
None Remote Low Not required None None Complete
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
48 CVE-2016-2776 20 DoS 2016-09-28 2016-11-28
7.8
None Remote Low Not required None None Complete
buffer.c in named in ISC BIND 9 before 9.9.9-P3, 9.10.x before 9.10.4-P3, and 9.11.x before 9.11.0rc3 does not properly construct responses, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted query.
49 CVE-2016-2775 20 DoS 2016-07-19 2016-11-28
4.3
None Remote Medium Not required None None Partial
ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol.
50 CVE-2016-2245 287 Bypass 2016-03-19 2016-03-22
10.0
None Remote Low Not required Complete Complete Complete
HP Support Assistant before 8.1.52.1 allows remote attackers to bypass authentication via unspecified vectors.
Total number of vulnerabilities : 1407   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.