CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In May 2016

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-4951 DoS 2016-05-23 2016-11-28
7.2
None Local Low Not required Complete Complete Complete
The tipc_nl_publ_dump function in net/tipc/socket.c in the Linux kernel through 4.6 does not verify socket existence, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a dumpit operation.
2 CVE-2016-4913 200 +Info 2016-05-23 2016-11-28
7.2
None Local Low Not required Complete Complete Complete
The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem.
3 CVE-2016-4805 416 DoS Mem. Corr. 2016-05-23 2017-08-12
7.2
None Local Low Not required Complete Complete Complete
Use-after-free vulnerability in drivers/net/ppp/ppp_generic.c in the Linux kernel before 4.5.2 allows local users to cause a denial of service (memory corruption and system crash, or spinlock) or possibly have unspecified other impact by removing a network namespace, related to the ppp_register_net_channel and ppp_unregister_channel functions.
4 CVE-2016-4794 DoS 2016-05-23 2017-01-17
7.2
None Local Low Not required Complete Complete Complete
Use-after-free vulnerability in mm/percpu.c in the Linux kernel through 4.6 allows local users to cause a denial of service (BUG) or possibly have unspecified other impact via crafted use of the mmap and bpf system calls.
5 CVE-2016-4792 2016-05-26 2016-05-26
5.0
None Remote Low Not required Partial None None
Pulse Connect Secure (PCS) 8.2 before 8.2r1 allows remote attackers to disclose sign in pages via unspecified vectors.
6 CVE-2016-4791 2016-05-26 2016-05-26
6.4
None Remote Low Not required Partial Partial None
The administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote administrators to enumerate files, read arbitrary files, and conduct server side request forgery (SSRF) attacks via unspecified vectors.
7 CVE-2016-4790 79 XSS 2016-05-26 2016-05-26
3.5
None Remote Medium Single system None Partial None
Cross-site scripting (XSS) vulnerability in the administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
8 CVE-2016-4789 79 XSS 2016-05-26 2016-05-26
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the system configuration section in the administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
9 CVE-2016-4788 2016-05-26 2016-05-26
5.0
None Remote Low Not required Partial None None
Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote attackers to read an unspecified system file via unknown vectors.
10 CVE-2016-4787 2016-05-26 2016-05-26
6.4
None Remote Low Not required Partial None Partial
Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote attackers to read sensitive system authentication files in an unspecified directory via unknown vectors.
11 CVE-2016-4786 DoS 2016-05-26 2016-05-26
7.8
None Remote Low Not required None None Complete
Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r3, 8.0 before 8.0r11, and 7.4 before 7.4r13.4 allow remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.
12 CVE-2016-4785 200 +Info 2016-05-30 2017-07-12
5.0
None Remote Low Not required Partial None None
The integrated web server in the EN100 Ethernet module before 4.27 on Siemens SIPROTEC 4 and SIPROTEC Compact devices allows remote attackers to obtain sensitive information from device memory via an HTTP request.
13 CVE-2016-4784 200 +Info 2016-05-30 2017-07-12
5.0
None Remote Low Not required Partial None None
The integrated web server in the EN100 Ethernet module before 4.27 on Siemens SIPROTEC 4 and SIPROTEC Compact devices, and the Ethernet Service Interface on SIPROTEC Compact devices, allows remote attackers to obtain sensitive information via an HTTP request.
14 CVE-2016-4783 79 XSS 2016-05-23 2016-05-25
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Lenovo SHAREit before 3.5.98_ww on Android before 4.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Universal XSS (UXSS)."
15 CVE-2016-4782 20 2016-05-23 2016-05-25
9.3
None Remote Medium Not required Complete Complete Complete
Lenovo SHAREit before 3.5.98_ww on Android before 4.2 allows remote attackers to have unspecified impact via a crafted intent: URL, aka an "intent scheme URL attack."
16 CVE-2016-4581 DoS 2016-05-23 2016-11-28
4.9
None Local Low Not required None None Complete
fs/pnode.c in the Linux kernel before 4.5.4 does not properly traverse a mount propagation tree in a certain case involving a slave mount, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) via a crafted series of mount system calls.
17 CVE-2016-4580 200 +Info 2016-05-23 2016-11-28
5.0
None Remote Low Not required Partial None None
The x25_negotiate_facilities function in net/x25/x25_facilities.c in the Linux kernel before 4.5.5 does not properly initialize a certain data structure, which allows attackers to obtain sensitive information from kernel stack memory via an X.25 Call Request.
18 CVE-2016-4578 200 +Info 2016-05-23 2016-11-28
2.1
None Local Low Not required Partial None None
sound/core/timer.c in the Linux kernel through 4.6 does not initialize certain r1 data structures, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface, related to the (1) snd_timer_user_ccallback and (2) snd_timer_user_tinterrupt functions.
19 CVE-2016-4577 119 DoS Exec Code Overflow 2016-05-23 2016-11-28
6.8
None Local Network High Not required Complete Complete Complete
Buffer overflow in the Smart DNS functionality in the Huawei NGFW Module and Secospace USG6300, USG6500, USG6600, and USG9500 firewalls with software before V500R001C20SPC100 allows remote attackers to cause a denial of service or execute arbitrary code via a crafted packet, related to "illegitimate parameters."
20 CVE-2016-4576 119 DoS Exec Code Overflow 2016-05-23 2016-11-28
7.5
None Remote Low Not required Partial Partial Partial
Buffer overflow in the Application Specific Packet Filtering (ASPF) functionality in the Huawei IPS Module, NGFW Module, NIP6300, NIP6600, Secospace USG6300, USG6500, USG6600, USG9500, and AntiDDoS8000 devices with software before V500R001C20SPC100 allows remote attackers to cause a denial of service or execute arbitrary code via a crafted packet, related to "illegitimate parameters."
21 CVE-2016-4575 79 XSS 2016-05-25 2016-05-26
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the email APP in Huawei PLK smartphones with software AL10C00 before AL10C00B211 and AL10C92 before AL10C92B211; ATH smartphones with software AL00C00 before AL00C00B361, CL00C92 before CL00C92B361, TL00HC01 before TL00HC01B361, and UL00C00 before UL00C00B361; CherryPlus smartphones with software TL00C00 before TL00C00B553, UL00C00 before UL00C00B553, and TL00MC01 before TL00MC01B553; and RIO smartphones with software AL00C00 before AL00C00B360 allows remote attackers to inject arbitrary web script or HTML via an email message.
22 CVE-2016-4569 200 +Info 2016-05-23 2016-11-28
2.1
None Local Low Not required Partial None None
The snd_timer_user_params function in sound/core/timer.c in the Linux kernel through 4.6 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via crafted use of the ALSA timer interface.
23 CVE-2016-4568 119 DoS Overflow 2016-05-23 2016-05-24
7.2
None Local Low Not required Complete Complete Complete
drivers/media/v4l2-core/videobuf2-v4l2.c in the Linux kernel before 4.5.3 allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a crafted number of planes in a VIDIOC_DQBUF ioctl call.
24 CVE-2016-4567 79 XSS 2016-05-21 2016-12-02
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."
25 CVE-2016-4566 79 XSS 2016-05-21 2016-12-02
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.
26 CVE-2016-4565 264 DoS 2016-05-23 2016-11-28
7.2
None Local Low Not required Complete Complete Complete
The InfiniBand (aka IB) stack in the Linux kernel before 4.5.3 incorrectly relies on the write system call, which allows local users to cause a denial of service (kernel memory write operation) or possibly have unspecified other impact via a uAPI interface.
27 CVE-2016-4561 79 XSS 2016-05-10 2016-05-16
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the cgierror function in CGI.pm in ikiwiki before 3.20160506 might allow remote attackers to inject arbitrary web script or HTML via unspecified vectors involving an error message.
28 CVE-2016-4558 DoS 2016-05-23 2016-08-02
6.9
None Local Medium Not required Complete Complete Complete
The BPF subsystem in the Linux kernel before 4.5.5 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted application on (1) a system with more than 32 Gb of memory, related to the program reference count or (2) a 1 Tb system, related to the map reference count.
29 CVE-2016-4557 DoS +Priv 2016-05-23 2017-09-02
7.2
None Local Low Not required Complete Complete Complete
The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.
30 CVE-2016-4556 DoS 2016-05-10 2016-11-29
5.0
None Remote Low Not required None None Partial
Double free vulnerability in Esi.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via a crafted Edge Side Includes (ESI) response.
31 CVE-2016-4555 20 DoS 2016-05-10 2016-11-29
5.0
None Remote Low Not required None None Partial
client_side_request.cc in Squid 3.x before 3.5.18 and 4.x before 4.0.10 allows remote servers to cause a denial of service (crash) via crafted Edge Side Includes (ESI) responses.
32 CVE-2016-4554 345 Bypass 2016-05-10 2016-11-29
5.0
None Remote Low Not required None Partial None
mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attacks via a crafted HTTP Host header, aka a "header smuggling" issue.
33 CVE-2016-4553 345 2016-05-10 2016-11-29
5.0
None Remote Low Not required None Partial None
client_side.cc in Squid before 3.5.18 and 4.x before 4.0.10 does not properly ignore the Host header when absolute-URI is provided, which allows remote attackers to conduct cache-poisoning attacks via an HTTP request.
34 CVE-2016-4544 119 DoS Overflow 2016-05-21 2017-06-30
7.5
None Remote Low Not required Partial Partial Partial
The exif_process_TIFF_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate TIFF start data, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
35 CVE-2016-4543 119 DoS Overflow 2016-05-21 2017-06-30
7.5
None Remote Low Not required Partial Partial Partial
The exif_process_IFD_in_JPEG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not validate IFD sizes, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
36 CVE-2016-4542 119 DoS Overflow 2016-05-21 2017-06-30
7.5
None Remote Low Not required Partial Partial Partial
The exif_process_IFD_TAG function in ext/exif/exif.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 does not properly construct spprintf arguments, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted header data.
37 CVE-2016-4541 DoS 2016-05-21 2017-06-30
7.5
None Remote Low Not required Partial Partial Partial
The grapheme_strpos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset.
38 CVE-2016-4540 DoS 2016-05-21 2017-06-30
7.5
None Remote Low Not required Partial Partial Partial
The grapheme_stripos function in ext/intl/grapheme/grapheme_string.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a negative offset.
39 CVE-2016-4539 119 DoS Overflow 2016-05-21 2017-06-30
7.5
None Remote Low Not required Partial Partial Partial
The xml_parse_into_struct function in ext/xml/xml.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 allows remote attackers to cause a denial of service (buffer under-read and segmentation fault) or possibly have unspecified other impact via crafted XML data in the second argument, leading to a parser level of zero.
40 CVE-2016-4538 20 DoS 2016-05-21 2017-06-30
7.5
None Remote Low Not required Partial Partial Partial
The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 modifies certain data structures without considering whether they are copies of the _zero_, _one_, or _two_ global variable, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call.
41 CVE-2016-4537 20 DoS 2016-05-21 2017-06-30
7.5
None Remote Low Not required Partial Partial Partial
The bcpowmod function in ext/bcmath/bcmath.c in PHP before 5.5.35, 5.6.x before 5.6.21, and 7.x before 7.0.6 accepts a negative integer for the scale argument, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted call.
42 CVE-2016-4536 200 +Info 2016-05-13 2016-05-19
5.0
None Remote Low Not required Partial None None
The client in OpenAFS before 1.6.17 does not properly initialize the (1) AFSStoreStatus, (2) AFSStoreVolumeStatus, (3) VldbListByAttributes, and (4) ListAddrByAttributes structures, which might allow remote attackers to obtain sensitive memory information by leveraging access to RPC call traffic.
43 CVE-2016-4535 20 DoS Mem. Corr. 2016-05-05 2016-05-10
7.8
None Remote Low Not required None None Complete
Integer signedness error in the AV engine before DAT 8145, as used in McAfee LiveSafe 14.0, allows remote attackers to cause a denial of service (memory corruption and crash) via a crafted packed executable.
44 CVE-2016-4534 264 Bypass 2016-05-05 2016-11-30
3.0
None Local Medium Single system None Partial Partial
The McAfee VirusScan Console (mcconsol.exe) in McAfee VirusScan Enterprise 8.8.0 before Hotfix 1123565 (8.8.0.1546) on Windows allows local administrators to bypass intended self-protection rules and unlock the console window by closing registry handles.
45 CVE-2016-4521 200 +Info 2016-05-30 2016-06-01
10.0
None Remote Low Not required Complete Complete Complete
Sixnet BT-5xxx and BT-6xxx M2M devices before 3.8.21 and 3.9.x before 3.9.8 have hardcoded credentials, which allows remote attackers to obtain access via unspecified vectors.
46 CVE-2016-4506 352 CSRF 2016-05-30 2016-06-07
6.0
None Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability on Resource Data Management (RDM) Intuitive 650 TDB Controller devices before 2.1.24 allows remote authenticated users to hijack the authentication of arbitrary users.
47 CVE-2016-4505 264 2016-05-30 2016-06-07
9.0
None Remote Low Single system Complete Complete Complete
Resource Data Management (RDM) Intuitive 650 TDB Controller devices before 2.1.24 allow remote authenticated users to modify arbitrary passwords via unspecified vectors.
48 CVE-2016-4502 284 Bypass 2016-05-30 2016-06-07
5.0
None Remote Low Not required Partial None None
Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and earlier allows remote attackers to bypass intended access restrictions and execute arbitrary functions via a modified parameter.
49 CVE-2016-4501 284 Bypass 2016-05-30 2016-06-07
6.4
None Remote Low Not required Partial Partial None
Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and earlier mishandles sessions, which allows remote attackers to bypass authentication and make arbitrary configuration changes via unspecified vectors.
50 CVE-2016-4499 119 DoS Overflow 2016-05-11 2016-11-28
4.4
None Local Medium Not required Partial Partial Partial
Heap-based buffer overflow in Panasonic FPWIN Pro 5.x through 7.x before 7.130 allows local users to cause a denial of service (application crash) via unspecified vectors.
Total number of vulnerabilities : 604   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.