| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6101 | CVE-2016-2190 | 264 | | +Info | 2016-05-22 | 2017-09-06 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 does not properly restrict links, which allows remote attackers to obtain sensitive URL information by reading a Referer log. |
| 6102 | CVE-2016-2183 | 200 | | +Info | 2016-08-31 | 2018-10-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. |
| 6103 | CVE-2016-2181 | 189 | | DoS | 2016-09-16 | 2018-04-19 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The Anti-Replay feature in the DTLS implementation in OpenSSL before 1.1.0 mishandles early use of a new epoch number in conjunction with a large sequence number, which allows remote attackers to cause a denial of service (false-positive packet drops) via spoofed DTLS records, related to rec_layer_d1.c and ssl3_record.c. |
| 6104 | CVE-2016-2180 | 125 | | DoS | 2016-07-31 | 2018-07-11 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The TS_OBJ_print_bio function in crypto/ts/ts_lib.c in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation in OpenSSL through 1.0.2h allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted time-stamp file that is mishandled by the "openssl ts" command. |
| 6105 | CVE-2016-2179 | 399 | | DoS | 2016-09-16 | 2018-07-11 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the lifetime of queue entries associated with unused out-of-order messages, which allows remote attackers to cause a denial of service (memory consumption) by maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, statem_dtls.c, statem_lib.c, and statem_srvr.c. |
| 6106 | CVE-2016-2169 | 17 | | | 2018-04-18 | 2018-05-24 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Cloud Foundry Cloud Controller, capi-release versions prior to 1.0.0 and cf-release versions prior to v237, contain a business logic flaw. An application developer may create an application with a route that conflicts with a platform service route and receive traffic intended for the service. |
| 6107 | CVE-2016-2166 | 200 | | +Info | 2016-04-12 | 2018-10-09 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | The (1) proton.reactor.Connector, (2) proton.reactor.Container, and (3) proton.utils.BlockingConnection classes in Apache Qpid Proton before 0.12.1 improperly use an unencrypted connection for an amqps URI scheme when SSL support is unavailable, which might allow man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors. |
| 6108 | CVE-2016-2164 | 200 | | +Info | 2016-04-11 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The (1) FileService.importFileByInternalUserId and (2) FileService.importFile SOAP API methods in Apache OpenMeetings before 3.1.1 improperly use the Java URL class without checking the specified protocol handler, which allows remote attackers to read arbitrary files by attempting to upload a file. |
| 6109 | CVE-2016-2161 | 20 | | | 2017-07-27 | 2018-04-24 | 5.0 | None | Remote | Low | Not required | None | None | Partial | In Apache HTTP Server versions 2.4.0 to 2.4.23, malicious input to mod_auth_digest can cause the server to crash, and each instance continues to crash even for subsequently valid requests. |
| 6110 | CVE-2016-2147 | 190 | | DoS Overflow | 2017-02-09 | 2018-07-27 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write. |
| 6111 | CVE-2016-2146 | 119 | | DoS Overflow | 2016-04-15 | 2016-04-25 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The am_read_post_data function in mod_auth_mellon before 0.11.1 does not limit the amount of data read, which allows remote attackers to cause a denial of service (worker process crash, web server deadlock, or memory consumption) via a large amount of POST data. |
| 6112 | CVE-2016-2145 | 20 | | DoS | 2016-04-15 | 2016-04-25 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The am_read_post_data function in mod_auth_mellon before 0.11.1 does not check if the ap_get_client_block function returns an error, which allows remote attackers to cause a denial of service (segmentation fault and process crash) via crafted POST data. |
| 6113 | CVE-2016-2117 | 200 | | +Info | 2016-05-02 | 2018-01-04 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The atl2_probe function in drivers/net/ethernet/atheros/atlx/atl2.c in the Linux kernel through 4.5.2 incorrectly enables scatter/gather I/O, which allows remote attackers to obtain sensitive information from kernel memory by reading packet data. |
| 6114 | CVE-2016-2113 | 310 | | +Info | 2016-04-24 | 2016-12-30 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof LDAPS and HTTPS servers and obtain sensitive information via a crafted certificate. |
| 6115 | CVE-2016-2106 | 189 | | DoS Overflow Mem. Corr. | 2016-05-04 | 2018-07-18 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Integer overflow in the EVP_EncryptUpdate function in crypto/evp/evp_enc.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of data. |
| 6116 | CVE-2016-2105 | 189 | | DoS Overflow Mem. Corr. | 2016-05-04 | 2018-10-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Integer overflow in the EVP_EncodeUpdate function in crypto/evp/encode.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to cause a denial of service (heap memory corruption) via a large amount of binary data. |
| 6117 | CVE-2016-2102 | 287 | | | 2017-08-22 | 2017-08-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | HAProxy statistics in openstack-tripleo-image-elements are non-authenticated over the network. |
| 6118 | CVE-2016-2097 | 22 | | Dir. Trav. | 2016-04-07 | 2016-12-02 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752. |
| 6119 | CVE-2016-2094 | 399 | | DoS | 2016-05-06 | 2016-05-10 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The HTTPS NIO Connector allows remote attackers to cause a denial of service (thread consumption) by opening a socket and not sending an SSL handshake, aka a read-timeout vulnerability. |
| 6120 | CVE-2016-2091 | 119 | | DoS Overflow | 2016-02-08 | 2016-03-04 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The dwarf_read_cie_fde_prefix function in dwarf_frame2.c in libdwarf 20151114 allows attackers to cause a denial of service (out-of-bounds read) via a crafted ELF object file. |
| 6121 | CVE-2016-2086 | 20 | | | 2016-04-07 | 2017-06-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. |
| 6122 | CVE-2016-2055 | 200 | | +Info | 2016-04-13 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | xymond/xymond.c in xymond in Xymon 4.1.x, 4.2.x, and 4.3.x before 4.3.25 allows remote attackers to read arbitrary files in the configuration directory via a "config" command. |
| 6123 | CVE-2016-2044 | 200 | | +Info | 2016-02-19 | 2016-08-17 | 5.0 | None | Remote | Low | Not required | Partial | None | None | libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. |
| 6124 | CVE-2016-2042 | 200 | | +Info | 2016-02-19 | 2018-10-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request to (1) libraries/phpseclib/Crypt/AES.php or (2) libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an error message. |
| 6125 | CVE-2016-2041 | 254 | | Bypass CSRF | 2016-02-19 | 2018-10-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None | libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences. |
| 6126 | CVE-2016-2039 | 200 | | Bypass +Info CSRF | 2016-02-19 | 2018-10-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value. |
| 6127 | CVE-2016-2038 | 200 | | +Info | 2016-02-19 | 2018-10-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. |
| 6128 | CVE-2016-2030 | | | +Info | 2016-06-08 | 2016-08-23 | 5.5 | None | Remote | Low | Single system | Partial | Partial | None | HPE Systems Insight Manager (SIM) before 7.5.1 allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors, a different vulnerability than CVE-2016-2017, CVE-2016-2019, CVE-2016-2020, CVE-2016-2021, and CVE-2016-2022. |
| 6129 | CVE-2016-2028 | | | +Info | 2016-06-08 | 2016-08-23 | 5.5 | None | Remote | Low | Single system | Partial | Partial | None | HPE Matrix Operating Environment before 7.5.1 allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors, a different vulnerability than CVE-2016-4357. |
| 6130 | CVE-2016-2027 | 200 | | +Info | 2016-06-08 | 2016-08-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | HPE Matrix Operating Environment before 7.5.1 allows remote attackers to obtain sensitive information via unspecified vectors, a different vulnerability than CVE-2016-2026. |
| 6131 | CVE-2016-2026 | 200 | | +Info | 2016-06-08 | 2016-08-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | HPE Matrix Operating Environment before 7.5.1 allows remote attackers to obtain sensitive information via unspecified vectors, a different vulnerability than CVE-2016-2027. |
| 6132 | CVE-2016-2025 | 200 | | +Info | 2016-05-29 | 2016-11-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | HPE Service Manager 9.30, 9.31, 9.32, 9.33, 9.34, 9.35, 9.40, and 9.41 allows remote attackers to obtain sensitive information via unspecified vectors, related to the Web Client, Service Request Catalog, and Mobility components. |
| 6133 | CVE-2016-2017 | | | +Info | 2016-06-08 | 2016-08-23 | 5.5 | None | Remote | Low | Single system | Partial | Partial | None | HPE Systems Insight Manager (SIM) before 7.5.1 allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors, a different vulnerability than CVE-2016-2019, CVE-2016-2020, CVE-2016-2021, CVE-2016-2022, and CVE-2016-2030. |
| 6134 | CVE-2016-2001 | | | +Info | 2016-04-12 | 2016-12-02 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | HPE Universal CMDB Foundation 10.0, 10.01, 10.10, 10.11, and 10.20 allows remote attackers to obtain sensitive information or conduct URL redirection attacks via unspecified vectors. |
| 6135 | CVE-2016-1993 | | | +Info | 2016-03-18 | 2016-12-02 | 5.5 | None | Remote | Low | Single system | Partial | Partial | None | HPE System Management Homepage before 7.5.4 allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors. |
| 6136 | CVE-2016-1983 | 20 | | DoS | 2016-01-27 | 2016-12-05 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The client_host function in parsers.c in Privoxy before 3.0.24 allows remote attackers to cause a denial of service (invalid read and crash) via an empty HTTP Host header. |
| 6137 | CVE-2016-1982 | 20 | | DoS | 2016-01-27 | 2016-12-05 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The remove_chunked_transfer_coding function in filters.c in Privoxy before 3.0.24 allows remote attackers to cause a denial of service (invalid read and crash) via crafted chunk-encoded content. |
| 6138 | CVE-2016-1940 | 17 | | | 2016-01-31 | 2017-09-09 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Mozilla Firefox before 44.0 on Android allows remote attackers to spoof the address bar via a data: URL that is mishandled during (1) shortcut opening or (2) BOOKMARK intent processing. |
| 6139 | CVE-2016-1939 | 200 | | +Info | 2016-01-31 | 2018-10-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Mozilla Firefox before 44.0 stores cookies with names containing vertical tab characters, which allows remote attackers to obtain sensitive information by reading HTTP Cookie headers. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-7208. |
| 6140 | CVE-2016-1927 | 254 | | | 2016-02-19 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach. |
| 6141 | CVE-2016-1910 | 200 | | +Info | 2016-01-15 | 2018-12-10 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers to decrypt unspecified data via unknown vectors, aka SAP Security Note 2191290. |
| 6142 | CVE-2016-1907 | 119 | | DoS Overflow | 2016-01-19 | 2017-02-16 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The ssh_packet_read_poll2 function in packet.c in OpenSSH before 7.1p2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via crafted network traffic. |
| 6143 | CVE-2016-1902 | 310 | | | 2016-06-01 | 2016-06-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The nextBytes function in the SecureRandom class in Symfony before 2.3.37, 2.6.x before 2.6.13, and 2.7.x before 2.7.9 does not properly generate random numbers when used with PHP 5.x without the paragonie/random_compat library and the openssl_random_pseudo_bytes function fails, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors. |
| 6144 | CVE-2016-1888 | 287 | | Bypass | 2017-02-15 | 2017-02-17 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The telnetd service in FreeBSD 9.3, 10.1, 10.2, 10.3, and 11.0 allows remote attackers to inject arguments to login and bypass authentication via vectors involving a "sequence of memory allocation failures." |
| 6145 | CVE-2016-1864 | 200 | | XSS +Info | 2016-06-19 | 2017-08-31 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The XSS auditor in WebKit, as used in Apple iOS before 9.3 and Safari before 9.1, does not properly handle redirects in block mode, which allows remote attackers to obtain sensitive information via a crafted URL. |
| 6146 | CVE-2016-1853 | 200 | | +Info | 2016-05-20 | 2016-12-02 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Tcl in Apple OS X before 10.11.5 allows remote attackers to obtain sensitive information by leveraging SSLv2 support. |
| 6147 | CVE-2016-1844 | 284 | | | 2016-05-20 | 2016-12-01 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The Messages component in Apple OS X before 10.11.5 mishandles roster changes, which allows remote attackers to modify contact lists via unspecified vectors. |
| 6148 | CVE-2016-1843 | 20 | | +Info | 2016-05-20 | 2016-12-01 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Messages component in Apple OS X before 10.11.5 mishandles filename encoding, which allows remote attackers to obtain sensitive information via unspecified vectors. |
| 6149 | CVE-2016-1842 | 284 | | +Info | 2016-05-20 | 2016-12-01 | 5.0 | None | Remote | Low | Not required | Partial | None | None | MapKit in Apple iOS before 9.3.2, OS X before 10.11.5, and watchOS before 2.2.1 does not use HTTPS for shared links, which allows remote attackers to obtain sensitive information by sniffing the network for HTTP traffic. |
| 6150 | CVE-2016-1811 | | | DoS | 2016-05-20 | 2016-11-30 | 5.0 | None | Remote | Low | Not required | None | None | Partial | ImageIO in Apple iOS before 9.3.2, OS X before 10.11.5, tvOS before 9.2.1, and watchOS before 2.2.1 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted image. |
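The "birthday bound of approximately four billion blocks" in the CVE-2016-2183 (Sweet32) entry is the square root of the 64-bit block space, 2^32 blocks, or 32 GiB of data under one key. The following is an added worked example, not code from the CVE list or from any TLS stack; the block widths are the standard ones for DES/3DES and AES, and the collision probability uses the usual birthday approximation.

```python
"""Birthday-bound arithmetic for CBC-mode block ciphers (Sweet32, CVE-2016-2183).

Added example. Block widths are the standard ones: DES and Triple DES use
64-bit blocks, AES uses 128-bit blocks.
"""
import math

BLOCK_BITS = {"DES": 64, "3DES": 64, "AES": 128}


def birthday_bound_blocks(block_bits: int) -> int:
    """Blocks after which a ciphertext-block collision becomes likely:
    the square root of the block space, 2**(block_bits / 2)."""
    return 1 << (block_bits // 2)


def bytes_before_bound(block_bits: int) -> int:
    """Bytes of data under one key that reach the birthday bound."""
    return birthday_bound_blocks(block_bits) * (block_bits // 8)


def collision_probability(n_blocks: int, block_bits: int) -> float:
    """P(at least two of n uniformly random b-bit blocks coincide),
    using the standard approximation 1 - exp(-n^2 / (2 * 2^b))."""
    space = 2.0 ** block_bits
    return 1.0 - math.exp(-(n_blocks * n_blocks) / (2.0 * space))


def blocks_for_probability(p: float, block_bits: int) -> int:
    """Inverse of the above: blocks under one key that give collision probability p."""
    space = 2.0 ** block_bits
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - p)))


def cbc_leak_possible(cipher: str, bytes_sent: int) -> bool:
    """Conservative session check: once this much data has gone out under one
    key, assume an attacker can find a CBC collision and recover plaintext XORs."""
    return bytes_sent >= bytes_before_bound(BLOCK_BITS[cipher])


if __name__ == "__main__":
    for name, bits in BLOCK_BITS.items():
        gib = bytes_before_bound(bits) / 2 ** 30
        print(f"{name:4s} block={bits:3d} bits  bound={birthday_bound_blocks(bits):.3e} blocks  ({gib:.3e} GiB)")
    print("P(collision) for 3DES at 32 GiB:", round(collision_probability(2 ** 32, 64), 3))
```

The practical reading: a 3DES-CBC session that moves tens of gigabytes under one key is inside the attack's reach, while AES-128's 128-bit block pushes the same bound to roughly 2^64 blocks, which is why the fix is to drop 3DES cipher suites rather than to rekey more often.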
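Three phpMyAdmin entries (CVE-2016-2041, CVE-2016-2039, CVE-2016-1927) and the Symfony entry (CVE-2016-1902) describe the same token lifecycle going wrong at different points: comparison that exits early, values that are predictable, and a random source that degrades instead of failing. The following is an added example in Python, not phpMyAdmin or Symfony code; the `weak_token` and `naive_compare` functions reproduce the vulnerable patterns for contrast and should not be copied.

```python
"""CSRF-token generation and verification done right, beside the weak forms.

Added example, not project code. Covers: non-constant-time comparison
(CVE-2016-2041), predictable token/password values (CVE-2016-2039,
CVE-2016-1927), and a random source that silently degrades (CVE-2016-1902).
"""
import hmac
import random
import secrets
import string


def naive_compare(a: str, b: str):
    """The vulnerable pattern: stop at the first differing character.
    The second return value counts characters inspected, which is what the
    timing leaks; an attacker who can measure it learns how long a prefix
    matched and extends the guess one position at a time."""
    if len(a) != len(b):
        return False, 0
    inspected = 0
    for x, y in zip(a, b):
        inspected += 1
        if x != y:
            return False, inspected
    return True, inspected


def constant_time_compare(a: str, b: str) -> bool:
    """hmac.compare_digest takes time independent of where the inputs differ."""
    return hmac.compare_digest(a.encode(), b.encode())


def weak_token(seed: int, nbytes: int = 16) -> str:
    """Math.random()/mt_rand()-style generation: fully determined by the seed,
    so whoever learns or guesses the seed predicts every token."""
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def csrf_token(nbytes: int = 32) -> str:
    """OS CSPRNG via the secrets module; no fallback to a weaker source."""
    return secrets.token_hex(nbytes)


def suggest_password(length: int = 16) -> str:
    """Password suggestion drawn from the CSPRNG, not Math.random()."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_bytes_fail_closed(n: int, source=secrets.token_bytes) -> bytes:
    """Refuse to return degraded output. If the CSPRNG raises or hands back the
    wrong length, raise instead of substituting a weak generator, which is the
    mistake behind CVE-2016-1902. `source` is injectable only for testing."""
    out = source(n)
    if not isinstance(out, bytes) or len(out) != n:
        raise RuntimeError("CSPRNG unavailable; refusing to fall back")
    return out
```

The comparison count returned by `naive_compare` is the oracle: for `"abcd"` against `"abzz"` it reports 3 inspected characters, against `"zbcd"` only 1, so the response time alone tells the attacker which prefix is right.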
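The Node.js entry (CVE-2016-2086, smuggling via a crafted Content-Length) and the two mod_auth_mellon entries (CVE-2016-2146, unbounded POST read; CVE-2016-2145, unchecked read result) are all request-framing failures. The following is an added example of strict HTTP/1.1 framing in Python, not code from Node.js or mod_auth_mellon; the 1 MiB body cap and the 8 KiB head cap are assumptions for the example, and the sample requests are constructed.

```python
"""Strict HTTP/1.1 request framing: reject ambiguous Content-Length, bound the
body, and treat a short read as an error. Added example, not project code.
"""
import io
import re

MAX_BODY = 1 << 20       # assumed cap for this example; pick per endpoint
MAX_HEAD = 8192          # assumed cap on request line plus headers
_CL_RE = re.compile(rb"^[0-9]{1,18}$")   # plain decimal only: no sign, space, hex


class FramingError(ValueError):
    pass


def parse_head(raw: bytes):
    """Split the head from the body; return (request_line, headers, body_start)."""
    end = raw.find(b"\r\n\r\n")
    if end < 0:
        raise FramingError("incomplete head")
    lines = raw[:end].split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # "Content-Length : 5" (space before the colon) is a classic desync trick
        if not sep or not name or name != name.strip():
            raise FramingError("malformed header line")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers, end + 4


def body_length(headers) -> int:
    """Decide the body length from the headers, refusing anything ambiguous."""
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]
    if tes and cls:
        raise FramingError("both Transfer-Encoding and Content-Length")  # CL.TE / TE.CL
    if tes:
        raise FramingError("chunked bodies are outside this example")
    if not cls:
        return 0
    values = set(cls)
    if len(values) > 1:
        raise FramingError("conflicting Content-Length headers")
    raw_cl = values.pop()
    if b"," in raw_cl:                      # "5, 6" list form
        parts = {p.strip() for p in raw_cl.split(b",")}
        if len(parts) != 1:
            raise FramingError("conflicting Content-Length list")
        raw_cl = parts.pop()
    if not _CL_RE.match(raw_cl):
        raise FramingError("Content-Length is not a plain decimal")
    n = int(raw_cl)
    if n > MAX_BODY:
        raise FramingError("body exceeds limit")
    return n


def read_request(stream):
    """Read exactly one request from a binary stream; anything after it stays
    in the stream for the next call, so a pipelined request is not swallowed."""
    head = b""
    while b"\r\n\r\n" not in head:
        chunk = stream.read(1)          # byte-wise keeps the head/body boundary exact
        if not chunk:
            raise FramingError("connection closed inside head")
        head += chunk
        if len(head) > MAX_HEAD:
            raise FramingError("head too large")
    request_line, headers, _ = parse_head(head)
    n = body_length(headers)
    body = stream.read(n)
    if body is None or len(body) != n:  # never trust the read result blindly
        raise FramingError("short body read")
    return request_line, headers, body


def request_from_bytes(raw: bytes):
    """Parse one request from bytes and also return the unread remainder."""
    stream = io.BytesIO(raw)
    line, headers, body = read_request(stream)
    return line, headers, body, stream.read()
```

With two conflicting Content-Length values a lenient parser picks one and a front-end proxy may pick the other, which is what lets a second request hide inside the first body; refusing the request is the only safe answer.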
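The BusyBox entry (CVE-2016-2147) is an integer overflow while decoding an RFC 1035 domain name from a DHCP option. The following is an added example of a bounds-checked decoder in Python, not BusyBox code; it enforces the limits the RFC implies (labels of at most 63 bytes, names of at most 255 bytes), rejects truncated input, and only follows compression pointers that move strictly backwards so a pointer loop cannot spin. The sample packets in the test are constructed.

```python
"""Bounds-checked RFC 1035 domain-name decoding. Added example, not BusyBox code."""


class DnsNameError(ValueError):
    pass


def decode_name(buf: bytes, offset: int = 0, max_len: int = 255):
    """Return (name, next_offset).

    `buf` is the whole message so compression pointers (RFC 1035 §4.1.4) can be
    followed. Every pointer must target a lower offset than the previous one,
    which guarantees termination without a separate hop counter."""
    labels = []
    total = 0            # bytes the name would occupy uncompressed
    pos = offset
    resume = None        # where the caller continues once a pointer was followed
    lowest = None        # lowest pointer target seen so far
    while True:
        if pos >= len(buf):
            raise DnsNameError("truncated name")
        length = buf[pos]
        if length == 0:                          # root label ends the name
            pos += 1
            break
        if length & 0xC0 == 0xC0:                # compression pointer
            if pos + 1 >= len(buf):
                raise DnsNameError("truncated pointer")
            target = ((length & 0x3F) << 8) | buf[pos + 1]
            if target >= pos or (lowest is not None and target >= lowest):
                raise DnsNameError("pointer does not move backwards")
            if resume is None:
                resume = pos + 2
            lowest = target
            pos = target
            continue
        if length & 0xC0:
            raise DnsNameError("reserved label type")
        if length > 63:
            raise DnsNameError("label longer than 63 bytes")
        if pos + 1 + length > len(buf):
            raise DnsNameError("label runs past end of buffer")
        total += length + 1
        if total + 1 > max_len:                  # +1 for the root byte
            raise DnsNameError("name longer than 255 bytes")
        labels.append(buf[pos + 1:pos + 1 + length].decode("ascii", "strict"))
        pos += 1 + length
    return ".".join(labels), (resume if resume is not None else pos)
```

The two checks that matter for the CVE are the per-label `pos + 1 + length > len(buf)` test before any copy and the running `total` against 255: a decoder that sizes its output buffer from the wire lengths without those checks is exactly where a malformed name turns into an out-of-bounds write.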
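Four entries are transport-security failures on the client side: Qpid Proton silently using cleartext for an `amqps` URI when SSL support is missing (CVE-2016-2166), Samba not verifying server certificates (CVE-2016-2113), Tcl still offering SSLv2 (CVE-2016-1853), and MapKit choosing plain HTTP (CVE-2016-1842). The following is an added Python example of a fail-closed transport policy, not code from any of those projects; the scheme sets and the `tls_available` flag are assumptions for the example.

```python
"""Fail-closed TLS client policy. Added example, not project code.

The URI scheme decides whether TLS is mandatory; a missing TLS stack aborts
instead of downgrading; the context verifies certificate and hostname and
refuses legacy protocol versions.
"""
import ssl
from urllib.parse import urlsplit

SECURE_SCHEMES = {"amqps", "https", "ldaps"}   # assumed: schemes that promise TLS
PLAIN_SCHEMES = {"amqp", "http", "ldap"}


class TransportPolicyError(RuntimeError):
    pass


def build_tls_context(cafile=None) -> ssl.SSLContext:
    """Verifying client context: CERT_REQUIRED, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSLv2/SSLv3/TLS 1.0/1.1
    return ctx


def select_transport(uri: str, tls_available: bool = True, allow_plain: bool = False):
    """Return ("tls", host, port, ctx) or ("plain", host, port, None).

    Never downgrade: a secure-scheme URI with no TLS support is an error, and
    cleartext schemes are honoured only when the caller opts in explicitly."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host, port = parts.hostname, parts.port
    if not host:
        raise TransportPolicyError("URI has no host")
    if scheme in SECURE_SCHEMES:
        if not tls_available:
            raise TransportPolicyError(f"{scheme} requested but TLS unavailable; refusing cleartext")
        return "tls", host, port, build_tls_context()
    if scheme in PLAIN_SCHEMES:
        if not allow_plain:
            raise TransportPolicyError(f"cleartext {scheme} not allowed for this link")
        return "plain", host, port, None
    raise TransportPolicyError(f"unsupported scheme {scheme!r}")


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarise the security-relevant settings of a context for inspection."""
    return {
        "verify": ctx.verify_mode == ssl.CERT_REQUIRED,
        "hostname": bool(ctx.check_hostname),
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }
```

The Qpid bug is the `tls_available` branch: the scheme was a promise to the caller, and the fix is to break loudly when the promise cannot be kept rather than to connect anyway.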
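The Rails entry (CVE-2016-2097, `..` in a path passed to `render`), the Xymon entry (CVE-2016-2055, a `config` command reading files outside the configuration directory) and the OpenMeetings entry (CVE-2016-2164, the Java URL class picking whatever protocol handler the caller named) all open an attacker-supplied resource reference without proving it is the kind of reference the feature meant. The following is an added Python example of both checks, not code from Rails, Xymon or OpenMeetings; the directory tree it builds is a temporary one constructed for the example.

```python
"""Validating attacker-supplied file paths and URLs before opening them.
Added example, not project code.
"""
import os
import tempfile
from urllib.parse import urlsplit


class UnsafeReference(ValueError):
    pass


def resolve_within(base_dir: str, user_path: str) -> str:
    """Join, canonicalise, then prove the result stays inside base_dir.
    realpath follows symlinks, so a link planted inside base_dir cannot
    point outside it either; the prefix test uses commonpath, not startswith,
    so "/srv/app2" is not mistaken for being inside "/srv/app"."""
    if "\x00" in user_path or os.path.isabs(user_path):
        raise UnsafeReference("absolute path or NUL byte")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise UnsafeReference(f"{user_path!r} escapes {base_dir!r}")
    return target


ALLOWED_SCHEMES = {"http", "https"}   # assumed allowlist for an import-by-URL feature


def fetchable_url(url: str) -> str:
    """Only network schemes: no file:, jar:, ftp: or scheme-less values."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeReference(f"scheme {parts.scheme!r} not allowed")
    if not parts.hostname:
        raise UnsafeReference("URL has no host")
    return url


def demo() -> dict:
    """Build a throwaway tree and exercise both checks; return what happened."""
    root = tempfile.mkdtemp()
    templates = os.path.join(root, "templates")
    os.mkdir(templates)
    with open(os.path.join(templates, "index.html"), "w") as f:
        f.write("ok")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("leak")
    results = {"inside": resolve_within(templates, "index.html").endswith("index.html")}
    try:
        resolve_within(templates, "../secret.txt")
        results["traversal"] = "allowed"
    except UnsafeReference:
        results["traversal"] = "blocked"
    try:
        fetchable_url("file:///etc/passwd")
        results["file_url"] = "allowed"
    except UnsafeReference:
        results["file_url"] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

Stripping `..` from the string is the incomplete fix the Rails NOTE refers to; checking the canonical result against the canonical base directory is what actually closes the hole, because it does not care how the escape was spelled.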