CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
4951 CVE-2016-2967 79 XSS 2017-08-29 2017-09-03
3.5
None Remote Medium ??? None Partial None
IBM Sametime 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Sametime away message altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 113848.
4952 CVE-2016-2956 79 XSS 2016-09-01 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 5.0 before CR4 and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2954 and CVE-2016-3008.
4953 CVE-2016-2955 79 XSS 2016-12-01 2016-12-01
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Connections 5.0 before CR4 and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
4954 CVE-2016-2954 79 XSS 2016-09-01 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 5.0 before CR4 and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2956 and CVE-2016-3008.
4955 CVE-2016-2926 79 XSS 2016-11-25 2017-07-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix19, and 6.0 before 6.0.2 iFix3; Rational Quality Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix19, and 6.0 before 6.0.2 iFix3; Rational Team Concert 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix19, and 6.0 before 6.0.2 iFix3; Rational DOORS Next Generation 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix19, and 6.0 before 6.0.2 iFix3; Rational Engineering Lifecycle Manager 4.x before 4.0.7 iFix11, 5.0 before 5.0.2 iFix19, and 6.0 before 6.0.2 iFix3; Rational Rhapsody Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix19, and 6.0 before 6.0.2 iFix3; and Rational Software Architect Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix19, and 6.0 before 6.0.2 iFix3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
4956 CVE-2016-2925 79 XSS 2016-08-08 2017-09-01
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 6.1.0.x through 6.1.0.6 CF27, 6.1.5.x through 6.1.5.3 CF27, 7.x through 7.0.0.2 CF30, 8.0.0.x through 8.0.0.1 CF21, and 8.5.0 before CF10 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
4957 CVE-2016-2924 79 XSS 2017-02-01 2017-02-15
3.5
None Remote Medium ??? None Partial None
IBM Infosphere BigInsights is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
4958 CVE-2016-2912 79 XSS 2016-08-08 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Document Builder in IBM Rational Publishing Engine (aka RPENG) 2.0.1 before ifix002 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
4959 CVE-2016-2883 79 XSS 2016-07-02 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.4, and 3.5 before 3.5.0.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-0387.
4960 CVE-2016-2874 284 +Info 2016-11-30 2016-12-23
3.5
None Remote Medium ??? Partial None None
IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 mishandles authorization, which allows remote authenticated users to obtain sensitive information via unspecified vectors.
4961 CVE-2016-2869 79 XSS 2016-11-30 2016-12-15
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the UI in IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 allow remote authenticated users to inject arbitrary web script or HTML via crafted fields in a URL.
4962 CVE-2016-2864 79 XSS 2016-11-24 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Quality Manager 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Team Concert 3.0.1.6 before iFix8, 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational DOORS Next Generation 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Engineering Lifecycle Manager 4.x before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; Rational Rhapsody Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5; and Rational Software Architect Design Manager 4.0 before 4.0.7 iFix11, 5.0 before 5.0.2 iFix18, and 6.0 before 6.0.2 iFix5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
4963 CVE-2016-2857 119 DoS Overflow 2016-04-12 2020-10-15
3.6
None Local Low Not required Partial None Partial
The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.
4964 CVE-2016-2561 79 XSS 2016-03-01 2016-12-03
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page.
4965 CVE-2016-2559 79 XSS 2016-03-01 2016-12-03
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query.
4966 CVE-2016-2538 189 DoS Overflow +Info 2016-06-16 2018-12-01
3.6
None Local Low Not required Partial None Partial
Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function.
4967 CVE-2016-2398 254 2016-02-17 2016-03-04
3.3
None Local Network Low Not required None None Partial
Comcast XFINITY Home Security System does not properly maintain base-station communication, which allows physically proximate attackers to defeat sensor functionality by interfering with ZigBee 2.4 GHz transmissions.
4968 CVE-2016-2379 326 2017-03-29 2017-04-10
3.3
None Local Network Low Not required Partial None None
The Mxit protocol uses weak encryption when encrypting user passwords, which might allow attackers to (1) decrypt hashed passwords by leveraging knowledge of client registration codes or (2) gain login access by eavesdropping on login messages and re-using the hashed passwords.
4969 CVE-2016-2367 200 DoS +Info 2017-01-06 2017-03-30
3.5
None Remote Medium ??? None None Partial
An information leak exists in the handling of the MXIT protocol in Pidgin. Specially crafted MXIT data sent via the server could potentially result in an out-of-bounds read. A malicious user, server, or man-in-the-middle can send an invalid size for an avatar which will trigger an out-of-bounds read vulnerability. This could result in a denial of service or copy data from memory to the file, resulting in an information leak if the avatar is sent to another user.
4970 CVE-2016-2219 79 XSS 2016-07-12 2020-02-17
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the management interface in Palo Alto Networks PAN-OS 7.x before 7.0.8 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
4971 CVE-2016-2206 264 2016-07-12 2017-09-01
3.3
None Local Network Low Not required Partial None None
The management console in Symantec Workspace Streaming (SWS) 7.5.x before 7.5 SP1 HF9 and 7.6.0 before 7.6 HF5 and Symantec Workspace Virtualization (SWV) 7.5.x before 7.5 SP1 HF9 and 7.6.0 before 7.6 HF5 allows remote authenticated users to read arbitrary files by modifying the file-download configuration file.
4972 CVE-2016-2150 284 2016-06-09 2019-04-22
3.6
None Local Low Not required Partial Partial None
SPICE allows local guest OS users to read from or write to arbitrary host memory locations via crafted primary surface parameters, a similar issue to CVE-2015-5261.
4973 CVE-2016-2140 200 +Info 2016-04-12 2018-11-16
3.5
None Remote Medium ??? Partial None None
The libvirt driver in OpenStack Compute (Nova) before 2015.1.4 (kilo) and 12.0.x before 12.0.3 (liberty), when using raw storage and use_cow_images is set to false, allows remote authenticated users to read arbitrary files via a crafted qcow2 header in an ephemeral or root disk.
4974 CVE-2016-2125 20 2018-10-31 2019-10-09
3.3
None Local Network Low Not required Partial None None
It was found that Samba before versions 4.5.3, 4.4.8, 4.3.13 always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users.
4975 CVE-2016-2075 79 XSS 2016-03-16 2020-12-08
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in VMware vRealize Business Advanced and Enterprise 8.x before 8.2.5 on Linux allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
4976 CVE-2016-2058 79 XSS 2016-04-13 2018-10-09
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allow (1) remote Xymon clients to inject arbitrary web script or HTML via a status-message, which is not properly handled in the "detailed status" page, or (2) remote authenticated users to inject arbitrary web script or HTML via an acknowledgement message, which is not properly handled in the "status" page.
4977 CVE-2016-2045 79 XSS 2016-02-20 2016-08-02
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the SQL editor in phpMyAdmin 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a SQL query that triggers JSON data in a response.
4978 CVE-2016-2043 79 XSS 2016-02-20 2018-10-30
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a table name to the normalization page.
4979 CVE-2016-2040 79 XSS 2016-02-20 2018-10-30
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header.
4980 CVE-2016-2011 79 XSS 2016-05-07 2016-12-01
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 10.01 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2010.
4981 CVE-2016-2010 79 XSS 2016-05-07 2016-12-01
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in HPE Network Node Manager i (NNMi) 9.20, 9.23, 9.24, 9.25, 10.00, and 10.01 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2011.
4982 CVE-2016-1996 +Info 2016-03-18 2016-12-03
3.6
None Local Low Not required Partial Partial None
HPE System Management Homepage before 7.5.4 allows local users to obtain sensitive information or modify data via unspecified vectors.
4983 CVE-2016-1916 79 XSS 2016-04-22 2016-12-03
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote authenticated users to inject arbitrary web script or HTML by leveraging basic administrative access to create a crafted policy, leading to improper rendering on a certain Export IT screen.
4984 CVE-2016-1913 79 XSS 2016-01-15 2016-01-20
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Redhen module 7.x-1.x before 7.x-1.11 for Drupal allow remote authenticated users with certain access to inject arbitrary web script or HTML via unspecified vectors, related to (1) individual contacts, (2) notes, or (3) engagement scores.
4985 CVE-2016-1912 79 XSS 2016-01-15 2016-01-22
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Dolibarr ERP/CRM 3.8.3 allow remote authenticated users to inject arbitrary web script or HTML via the (1) lastname, (2) firstname, (3) email, (4) job, or (5) signature parameter to htdocs/user/card.php.
4986 CVE-2016-1763 20 +Info 2016-03-24 2016-12-03
3.5
None Remote Medium ??? Partial None None
Messages in Apple iOS before 9.3 does not ensure that an auto-fill action applies to the intended message thread, which allows remote authenticated users to obtain sensitive information by providing a crafted sms: URL and reading a thread.
4987 CVE-2016-1609 79 XSS 2016-08-01 2017-09-03
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allow remote authenticated users to inject arbitrary web script or HTML via crafted input, as demonstrated by a crafted attribute of an IMG element in the phone field of a user profile.
4988 CVE-2016-1598 79 XSS 2016-10-27 2016-11-28
3.5
None Remote Medium ??? None Partial None
XSS in NetIQ IDM 4.5 Identity Applications before 4.5.4 allows attackers able to change their username to inject arbitrary HTML code into the Role Assignment administrator HTML pages.
4989 CVE-2016-1596 79 XSS 2016-04-22 2018-10-09
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Micro Focus Novell Service Desk before 7.2 allow remote authenticated users to inject arbitrary web script or HTML via a certain (1) user name, (2) tf_aClientFirstName, (3) tf_aClientLastName, (4) ta_selectedTopicContent, (5) tf_orgUnitName, (6) tf_aManufacturerFullName, (7) tf_aManufacturerName, (8) tf_aManufacturerAddress, or (9) tf_aManufacturerCity parameter.
4990 CVE-2016-1566 79 XSS 2017-02-02 2017-02-05
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the file browser in Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location shared by multiple users, allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename. NOTE: this vulnerability was fixed in guacamole.war on 2016-01-13, but the version number was not changed.
4991 CVE-2016-1565 79 XSS 2016-01-08 2016-01-12
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Field Group module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with permission to configure field display settings to inject arbitrary web script or HTML via an element attribute.
4992 CVE-2016-1500 200 +Info 2016-01-08 2016-01-12
3.5
None Remote Medium ??? Partial None None
ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with ".v" and belonging to a sharing user by leveraging an incoming share.
4993 CVE-2016-1476 79 XSS 2016-08-22 2017-08-16
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability on Cisco IP Phone 8800 devices with software 11.0 allows remote authenticated users to inject arbitrary web script or HTML via crafted parameters, aka Bug ID CSCuz03024.
4994 CVE-2016-1360 200 +Info 2016-03-12 2016-12-03
3.0
None Local Medium ??? Partial Partial None
Cisco Prime LAN Management Solution (LMS) through 4.2.5 uses the same database decryption key across different customers' installations, which allows local users to obtain cleartext data by leveraging console connectivity, aka Bug ID CSCuw85390.
4995 CVE-2016-1314 79 XSS 2016-03-28 2016-12-03
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Cisco Unified Communications Domain Manager (CDM) 8.1(1) allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCux80760.
4996 CVE-2016-1241 200 +Info 2016-09-07 2016-09-08
3.5
None Remote Medium ??? Partial None None
Tryton 3.x before 3.2.17, 3.4.x before 3.4.14, 3.6.x before 3.6.12, 3.8.x before 3.8.8, and 4.x before 4.0.4 allow remote authenticated users to discover user password hashes via unspecified vectors.
4997 CVE-2016-1229 79 XSS 2016-06-05 2016-06-06
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in HumHub 0.20.0-beta.1 through 0.20.1 and 1.0.0-beta before 1.0.0-beta.3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
4998 CVE-2016-1207 79 XSS 2016-05-14 2016-05-17
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability on I-O DATA DEVICE WN-G300R devices with firmware 1.12 and earlier, WN-G300R2 devices with firmware 1.12 and earlier, and WN-G300R3 devices with firmware 1.01 and earlier allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
4999 CVE-2016-1206 200 +Info 2016-05-14 2016-05-18
3.3
None Local Network Low Not required Partial None None
The WPS implementation on I-O DATA DEVICE WN-GDN/R3, WN-GDN/R3-C, WN-GDN/R3-S, and WN-GDN/R3-U devices does not limit PIN guesses, which allows remote attackers to obtain network access via a brute-force attack.
5000 CVE-2016-1156 20 DoS 2016-02-19 2020-05-11
3.5
None Remote Medium ??? None None Partial
LINE 4.3.0.724 and earlier on Windows and 4.3.1 and earlier on OS X allows remote authenticated users to cause a denial of service (application crash) via a crafted post that is mishandled when displaying a Timeline.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.