CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
6451 CVE-2016-4657 119 DoS Exec Code Overflow Mem. Corr. 2016-08-25 2018-06-07
6.8
None Remote Medium Not required Partial Partial Partial
WebKit in Apple iOS before 9.3.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
6452 CVE-2016-4637 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2017-08-31
6.8
None Remote Medium Not required Partial Partial Partial
CoreGraphics in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted BMP image.
6453 CVE-2016-4633 264 DoS Exec Code Mem. Corr. 2016-07-21 2017-08-31
6.9
None Local Medium Not required Complete Complete Complete
Intel Graphics Driver in Apple OS X before 10.11.6 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
6454 CVE-2016-4631 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2017-08-31
6.8
None Remote Medium Not required Partial Partial Partial
ImageIO in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted TIFF file.
6455 CVE-2016-4630 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2017-08-31
6.8
None Remote Medium Not required Partial Partial Partial
ImageIO in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted EXR image with B44 compression.
6456 CVE-2016-4624 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4589, CVE-2016-4622, and CVE-2016-4623.
6457 CVE-2016-4623 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4589, CVE-2016-4622, and CVE-2016-4624.
6458 CVE-2016-4622 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4589, CVE-2016-4623, and CVE-2016-4624.
6459 CVE-2016-4611 119 DoS Exec Code Overflow Mem. Corr. 2016-09-25 2017-07-29
6.8
None Remote Medium Not required Partial Partial Partial
WebKit in Apple iOS before 10, Safari before 10, and tvOS before 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4730, CVE-2016-4733, CVE-2016-4734, and CVE-2016-4735.
6460 CVE-2016-4602 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2017-08-31
6.8
None Remote Medium Not required Partial Partial Partial
QuickTime in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted FlashPix bitmap image, a different vulnerability than CVE-2016-4596, CVE-2016-4597, and CVE-2016-4600.
6461 CVE-2016-4601 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2017-08-31
6.8
None Remote Medium Not required Partial Partial Partial
QuickTime in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted SGI image.
6462 CVE-2016-4600 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2017-08-31
6.8
None Remote Medium Not required Partial Partial Partial
QuickTime in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted FlashPix bitmap image, a different vulnerability than CVE-2016-4596, CVE-2016-4597, and CVE-2016-4602.
6463 CVE-2016-4599 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2017-08-31
6.8
None Remote Medium Not required Partial Partial Partial
QuickTime in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Photoshop document.
6464 CVE-2016-4598 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2017-08-31
6.8
None Remote Medium Not required Partial Partial Partial
QuickTime in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image.
6465 CVE-2016-4597 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2017-08-31
6.8
None Remote Medium Not required Partial Partial Partial
QuickTime in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted FlashPix bitmap image, a different vulnerability than CVE-2016-4596, CVE-2016-4600, and CVE-2016-4602.
6466 CVE-2016-4596 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2017-08-31
6.8
None Remote Medium Not required Partial Partial Partial
QuickTime in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted FlashPix bitmap image, a different vulnerability than CVE-2016-4597, CVE-2016-4600, and CVE-2016-4602.
6467 CVE-2016-4589 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4622, CVE-2016-4623, and CVE-2016-4624.
6468 CVE-2016-4588 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
WebKit in Apple tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
6469 CVE-2016-4586 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
WebKit in Apple Safari before 9.1.2 and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
6470 CVE-2016-4584 119 DoS Exec Code Overflow Mem. Corr. 2016-07-21 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
The WebKit Page Loading implementation in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.
6471 CVE-2016-4577 119 DoS Exec Code Overflow 2016-05-23 2016-11-28
6.8
None Local Network High Not required Complete Complete Complete
Buffer overflow in the Smart DNS functionality in the Huawei NGFW Module and Secospace USG6300, USG6500, USG6600, and USG9500 firewalls with software before V500R001C20SPC100 allows remote attackers to cause a denial of service or execute arbitrary code via a crafted packet, related to "illegitimate parameters."
6472 CVE-2016-4563 119 DoS Overflow 2016-06-04 2016-09-22
6.8
None Remote Medium Not required Partial Partial Partial
The TraceStrokePolygon function in MagickCore/draw.c in ImageMagick before 6.9.4-0 and 7.x before 7.0.1-2 mishandles the relationship between the BezierQuantum value and certain strokes data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.
6473 CVE-2016-4562 119 DoS Overflow 2016-06-04 2016-09-22
6.8
None Remote Medium Not required Partial Partial Partial
The DrawDashPolygon function in MagickCore/draw.c in ImageMagick before 6.9.4-0 and 7.x before 7.0.1-2 mishandles calculations of certain vertices integer data, which allows remote attackers to cause a denial of service (buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.
6474 CVE-2016-4558 DoS 2016-05-23 2016-08-02
6.9
None Local Medium Not required Complete Complete Complete
The BPF subsystem in the Linux kernel before 4.5.5 mishandles reference counts, which allows local users to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted application on (1) a system with more than 32 Gb of memory, related to the program reference count or (2) a 1 Tb system, related to the map reference count.
6475 CVE-2016-4533 119 Exec Code Overflow 2016-07-11 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in WECON LeviStudio allows remote attackers to execute arbitrary code via a crafted file.
6476 CVE-2016-4532 22 Dir. Trav. 2016-06-09 2016-11-28
6.4
None Remote Low Not required Partial Partial None
Directory traversal vulnerability in the WAP interface in Trihedral VTScada (formerly VTS) 8.x through 11.x before 11.2.02 allows remote attackers to read arbitrary files via a crafted pathname.
6477 CVE-2016-4526 427 +Priv 2016-09-18 2016-11-28
6.9
None Local Medium Not required Complete Complete Complete
ABB DataManagerPro 1.x before 1.7.1 allows local users to gain privileges by replacing a DLL file in the package directory.
6478 CVE-2016-4510 287 Bypass 2016-06-09 2016-11-28
6.4
None Remote Low Not required Partial Partial None
The WAP interface in Trihedral VTScada (formerly VTS) 8.x through 11.x before 11.2.02 allows remote attackers to bypass authentication and read arbitrary files via unspecified vectors.
6479 CVE-2016-4509 119 Exec Code Overflow 2016-07-03 2016-11-28
6.0
None Remote Medium Single system Partial Partial Partial
Heap-based buffer overflow in elcsoft.exe in Eaton ELCSoft 2.4.01 and earlier allows remote authenticated users to execute arbitrary code via a crafted file.
6480 CVE-2016-4506 352 CSRF 2016-05-30 2016-06-07
6.0
None Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability on Resource Data Management (RDM) Intuitive 650 TDB Controller devices before 2.1.24 allows remote authenticated users to hijack the authentication of arbitrary users.
6481 CVE-2016-4504 352 CSRF 2017-03-21 2017-03-24
6.8
None Remote Medium Not required Partial Partial Partial
A Cross-Site Request Forgery issue was discovered in Meteocontrol WEB'log Basic 100 all versions, Light all versions, Pro all versions, and Pro Unlimited all versions. There is no CSRF Token generated per page or per function.
6482 CVE-2016-4501 284 Bypass 2016-05-30 2016-06-07
6.4
None Remote Low Not required Partial Partial None
Environmental Systems Corporation (ESC) 8832 Data Controller 3.02 and earlier mishandles sessions, which allows remote attackers to bypass authentication and make arbitrary configuration changes via unspecified vectors.
6483 CVE-2016-4498 20 DoS 2016-05-11 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
Panasonic FPWIN Pro 5.x through 7.x before 7.130 accesses an uninitialized pointer, which allows local users to cause a denial of service or possibly have unspecified other impact via unknown vectors.
6484 CVE-2016-4497 20 DoS 2016-05-11 2016-11-28
6.8
None Remote Medium Not required Partial Partial Partial
Panasonic FPWIN Pro 5.x through 7.x before 7.130 allows local users to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion."
6485 CVE-2016-4494 352 CSRF 2016-06-09 2016-06-10
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability on KMC Controls BAC-5051E devices with firmware before E0.2.0.2 allows remote attackers to hijack the authentication of unspecified victims for requests that disclose the contents of a configuration file.
6486 CVE-2016-4475 254 Bypass 2016-08-19 2018-01-04
6.5
None Remote Low Single system Partial Partial Partial
The (1) Organization and (2) Locations APIs and UIs in Foreman before 1.11.4 and 1.12.x before 1.12.0-RC3 allow remote authenticated users to bypass organization and location restrictions and (a) read, (b) edit, or (c) delete arbitrary organizations or locations via unspecified vectors.
6487 CVE-2016-4472 119 DoS Exec Code Overflow 2016-06-30 2017-11-02
6.8
None Remote Medium Not required Partial Partial Partial
The overflow protection in Expat is removed by compilers with certain optimization settings, which allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted XML data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-1283 and CVE-2015-2716.
6488 CVE-2016-4471 264 Exec Code 2017-06-08 2017-06-15
6.5
None Remote Low Single system Partial Partial Partial
ManageIQ in CloudForms before 4.1 allows remote authenticated users to execute arbitrary code.
6489 CVE-2016-4469 352 CSRF 2016-07-28 2019-04-16
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Apache Archiva 1.3.9 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add new repository proxy connectors via the token parameter to admin/addProxyConnector_commit.action, (2) new repositories via the token parameter to admin/addRepository_commit.action, (3) edit existing repositories via the token parameter to admin/editRepository_commit.action, (4) add legacy artifact paths via the token parameter to admin/addLegacyArtifactPath_commit.action, (5) change the organizational appearance via the token parameter to admin/saveAppearance.action, or (6) upload new artifacts via the token parameter to upload_submit.action.
6490 CVE-2016-4468 89 Exec Code Sql 2017-04-11 2017-04-17
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
6491 CVE-2016-4462 20 Exec Code 2017-08-30 2017-09-12
6.5
None Remote Low Single system Partial Partial Partial
By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01
6492 CVE-2016-4451 254 Bypass 2016-08-19 2018-02-22
6.0
None Remote Medium Single system Partial Partial Partial
The (1) Organization and (2) Locations APIs in Foreman before 1.11.3 and 1.12.x before 1.12.0-RC1 allow remote authenticated users with unlimited filters to bypass organization and location restrictions and read or modify data for an arbitrary organization by leveraging knowledge of the id of that organization.
6493 CVE-2016-4446 77 Exec Code 2017-04-11 2017-04-17
6.9
None Local Medium Not required Complete Complete Complete
The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function.
6494 CVE-2016-4445 77 Exec Code 2017-04-11 2017-04-17
6.9
None Local Medium Not required Complete Complete Complete
The fix_lookup_id function in sealert in setroubleshoot before 3.2.23 allows local users to execute arbitrary commands as root by triggering an SELinux denial with a crafted file name, related to executing external commands with the commands.getstatusoutput function.
6495 CVE-2016-4444 77 Exec Code 2017-04-11 2017-04-17
6.9
None Local Medium Not required Complete Complete Complete
The allow_execmod plugin for setroubleshoot before 3.2.23 allows local users to execute arbitrary commands by triggering an execmod SELinux denial with a crafted binary filename, related to the commands.getstatusoutput function.
6496 CVE-2016-4437 284 Exec Code Bypass 2016-06-07 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
6497 CVE-2016-4435 264 DoS 2017-05-25 2017-10-02
6.8
None Remote Medium Not required Partial Partial Partial
An endpoint of the Agent running on the BOSH Director VM with stemcell versions prior to 3232.6 and 3146.13 may allow unauthenticated clients to read or write blobs or cause a denial of service attack on the Director VM. This vulnerability requires that the unauthenticated clients guess or find a URL matching an existing GUID.
6498 CVE-2016-4434 611 2017-09-29 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175.
6499 CVE-2016-4430 352 CSRF 2016-07-04 2017-10-30
6.8
None Remote Medium Not required Partial Partial Partial
Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors.
6500 CVE-2016-4405 502 Exec Code 2018-08-06 2018-10-05
6.5
None Remote Low Single system Partial Partial Partial
A remote code execution vulnerability was identified in HP Business Service Management (BSM) using Apache Commons Collection Java Deserialization versions v9.20-v9.26
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.