| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
8201 |
CVE-2016-5124 |
79 |
|
Exec Code XSS |
2016-12-15 |
2018-10-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev14. Adding images from external sources to HTML editors by drag&drop can potentially lead to script code execution in the context of the active user. To exploit this, a user needs to be tricked to use an image from a specially crafted website and add it to HTML editor areas of OX App Suite, for example E-Mail Compose or OX Text. This specific attack circumvents typical XSS filters and detection mechanisms since the code is not loaded from an external service but injected locally. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). To exploit this vulnerability, a attacker needs to convince a user to follow specific steps (social-engineering). |
|
8202 |
CVE-2016-5117 |
254 |
|
Bypass |
2017-01-31 |
2017-02-24 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, which allows remote attackers to bypass the man-in-the-middle mitigations via a crafted timestamp constraint with a valid certificate. |
|
8203 |
CVE-2016-5115 |
125 |
|
DoS |
2017-02-03 |
2017-02-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The avcodec_decode_audio4 function in libavcodec in libavformat 57.34.103, as used in MPlayer, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mp3 file. |
|
8204 |
CVE-2016-5102 |
20 |
|
DoS Overflow |
2017-02-06 |
2018-03-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Buffer overflow in the readgifimage function in gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (segmentation fault) via a crafted gif file. |
|
8205 |
CVE-2016-5099 |
79 |
|
XSS |
2016-07-04 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in phpMyAdmin 4.4.x before 4.4.15.6 and 4.6.x before 4.6.2 allows remote attackers to inject arbitrary web script or HTML via special characters that are mishandled during double URL decoding. |
|
8206 |
CVE-2016-5092 |
22 |
|
Dir. Trav. |
2016-07-13 |
2016-07-14 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Directory traversal vulnerability in Fortinet FortiWeb before 5.5.3 allows remote authenticated administrators with read and write privileges to read arbitrary files by leveraging the autolearn feature. |
|
8207 |
CVE-2016-5078 |
79 |
|
XSS |
2017-04-09 |
2017-04-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Paessler PRTG before 16.2.24.4045 has XSS via SNMP. |
|
8208 |
CVE-2016-5077 |
79 |
|
XSS |
2017-04-09 |
2017-04-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Netikus EventSentry before 3.2.1.44 has XSS via SNMP. |
|
8209 |
CVE-2016-5075 |
79 |
|
XSS |
2017-04-09 |
2017-04-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
CloudView NMS before 2.10a has XSS via a TELNET login. |
|
8210 |
CVE-2016-5073 |
79 |
|
XSS |
2017-04-09 |
2017-04-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
CloudView NMS before 2.10a has XSS via SNMP. |
|
8211 |
CVE-2016-5061 |
79 |
|
XSS |
2016-09-29 |
2017-04-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the web server in Aternity before 9.0.1 allow remote attackers to inject arbitrary web script or HTML via the (1) HTTPAgent, (2) MacAgent, (3) getExternalURL, or (4) retrieveTrustedUrl page. |
|
8212 |
CVE-2016-5060 |
79 |
|
XSS |
2016-12-13 |
2016-12-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in nGrinder before 3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) description, (2) email, or (3) username parameter to user/save. |
|
8213 |
CVE-2016-5059 |
200 |
|
+Info |
2017-04-09 |
2017-04-14 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 allows attackers to obtain sensitive information by reading screenshots under /private/var/mobile/Containers/Data/Application. |
|
8214 |
CVE-2016-5055 |
79 |
|
XSS |
2017-04-09 |
2017-04-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 has XSS in the username field and Wireless Client Mode configuration page. |
|
8215 |
CVE-2016-5047 |
|
|
DoS |
2016-09-01 |
2017-11-15 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
NetApp OnCommand System Manager 8.3.x before 8.3.2P5 allows remote authenticated users to cause a denial of service via unspecified vectors. |
|
8216 |
CVE-2016-5040 |
125 |
|
DoS |
2017-02-17 |
2017-02-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read and crash) via a large length value in a compilation unit header. |
|
8217 |
CVE-2016-5037 |
476 |
|
DoS |
2017-02-17 |
2017-02-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The _dwarf_load_section function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. |
|
8218 |
CVE-2016-5035 |
125 |
|
DoS |
2017-02-17 |
2017-02-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The _dwarf_read_line_table_header function in dwarf_line_table_reader.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. |
|
8219 |
CVE-2016-5034 |
787 |
|
DoS |
2017-02-17 |
2017-02-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
dwarf_elf_access.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds write) via a crafted file, related to relocation records. |
|
8220 |
CVE-2016-5033 |
125 |
|
DoS |
2017-02-17 |
2017-02-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The print_exprloc_content function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. |
|
8221 |
CVE-2016-5032 |
125 |
|
DoS |
2017-02-17 |
2017-02-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The dwarf_get_xu_hash_entry function in libdwarf before 20160923 allows remote attackers to cause a denial of service (crash) via a crafted file. |
|
8222 |
CVE-2016-5031 |
125 |
|
DoS |
2017-02-17 |
2017-02-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The print_frame_inst_bytes function in libdwarf before 20160923 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. |
|
8223 |
CVE-2016-5030 |
476 |
|
DoS |
2017-02-17 |
2017-02-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The _dwarf_calculate_info_section_end_ptr function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted file. |
|
8224 |
CVE-2016-5029 |
476 |
|
DoS |
2017-02-17 |
2017-02-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The create_fullest_file_path function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted dwarf file. |
|
8225 |
CVE-2016-5028 |
476 |
|
DoS |
2017-02-17 |
2017-02-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The print_frame_inst_bytes function in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via an object file with empty bss-like sections. |
|
8226 |
CVE-2016-5027 |
476 |
|
DoS |
2017-02-24 |
2017-02-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
dwarf_form.c in libdwarf 20160115 allows remote attackers to cause a denial of service (crash) via a crafted elf file. |
|
8227 |
CVE-2016-5024 |
20 |
|
DoS |
2017-01-03 |
2017-01-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Virtual servers in F5 BIG-IP systems 11.6.1 before 11.6.1 HF1 and 12.1.x before 12.1.2, when configured to parse RADIUS messages via an iRule, allow remote attackers to cause a denial of service (Traffic Management Microkernel restart) via crafted network traffic. |
|
8228 |
CVE-2016-5021 |
200 |
|
+Info |
2016-06-24 |
2016-08-18 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The iControl REST service in F5 BIG-IP LTM, AAM, AFM, Analytics, APM, ASM, Link Controller, and PEM 11.5.x before 11.5.4, 11.6.x before 11.6.1, and 12.x before 12.0.0 HF3; BIG-IP DNS 12.x before 12.0.0 HF3; BIG-IP GTM 11.5.x before 11.5.4 and 11.6.x before 11.6.1; BIG-IQ Cloud and Security 4.0.0 through 4.5.0; BIG-IQ Device 4.2.0 through 4.5.0; BIG-IQ ADC 4.5.0; BIG-IQ Centralized Management 4.6.0; and BIG-IQ Cloud and Orchestration 1.0.0 allows remote authenticated administrators to obtain sensitive information via unspecified vectors. |
|
8229 |
CVE-2016-5016 |
295 |
|
|
2017-04-24 |
2017-04-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired. |
|
8230 |
CVE-2016-5011 |
399 |
|
DoS |
2017-04-11 |
2017-04-17 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset. |
|
8231 |
CVE-2016-5010 |
125 |
|
DoS |
2017-04-20 |
2017-06-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
coders/tiff.c in ImageMagick before 6.9.5-3 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TIFF file. |
|
8232 |
CVE-2016-5009 |
20 |
|
DoS |
2016-07-12 |
2017-01-17 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
The handle_command function in mon/Monitor.cc in Ceph allows remote authenticated users to cause a denial of service (segmentation fault and ceph monitor crash) via an (1) empty or (2) crafted prefix. |
|
8233 |
CVE-2016-5008 |
284 |
|
Bypass |
2016-07-13 |
2018-03-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
libvirt before 2.0.0 improperly disables password checking when the password on a VNC server is set to an empty string, which allows remote attackers to bypass authentication and establish a VNC session by connecting to the server. |
|
8234 |
CVE-2016-5004 |
400 |
|
DoS |
2017-06-06 |
2017-06-16 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The Content-Encoding HTTP header feature in ws-xmlrpc 3.1.3 as used in Apache Archiva allows remote attackers to cause a denial of service (resource consumption) by decompressing a large file containing zeroes. |
|
8235 |
CVE-2016-5000 |
611 |
|
|
2016-08-05 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
|
8236 |
CVE-2016-4993 |
93 |
|
Http R.Spl. |
2016-09-26 |
2017-12-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
CRLF injection vulnerability in the Undertow web server in WildFly 10.0.0, as used in Red Hat JBoss Enterprise Application Platform (EAP) 7.x before 7.0.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. |
|
8237 |
CVE-2016-4988 |
79 |
|
XSS |
2017-02-09 |
2017-02-13 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Build Failure Analyzer plugin before 1.16.0 in Jenkins allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter. |
|
8238 |
CVE-2016-4975 |
93 |
|
Http R.Spl. |
2018-08-14 |
2018-10-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into the "Location" or other outbound header key or value. Fixed in Apache HTTP Server 2.4.25 (Affected 2.4.1-2.4.23). Fixed in Apache HTTP Server 2.2.32 (Affected 2.2.0-2.2.31). |
|
8239 |
CVE-2016-4973 |
119 |
|
Overflow |
2017-06-07 |
2017-06-15 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Binaries compiled against targets that use the libssp library in GCC for stack smashing protection (SSP) might allow local users to perform buffer overflow attacks by leveraging lack of the Object Size Checking feature. |
|
8240 |
CVE-2016-4971 |
254 |
|
|
2016-06-30 |
2018-01-04 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
GNU wget before 1.18 allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. |
|
8241 |
CVE-2016-4969 |
79 |
|
XSS |
2016-09-21 |
2016-09-21 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote attackers to inject arbitrary web script or HTML via the IP parameter to script/statistics/getconn.php. |
|
8242 |
CVE-2016-4968 |
200 |
|
+Info |
2016-09-21 |
2016-09-21 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The linkreport/tmp/admin_global page in Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote authenticated users to discover administrator cookies via a GET request. |
|
8243 |
CVE-2016-4967 |
200 |
|
+Info |
2016-09-21 |
2016-09-21 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote authenticated users to obtain sensitive information from (1) a backup of the device configuration via script/cfg_show.php or (2) PCAP files via script/system/tcpdump.php. |
|
8244 |
CVE-2016-4966 |
287 |
|
|
2016-09-21 |
2016-09-21 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
The diagnosis_control.php page in Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote authenticated users to download PCAP files via vectors related to the UserName GET parameter. |
|
8245 |
CVE-2016-4964 |
20 |
|
DoS |
2016-12-09 |
2017-06-30 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The mptsas_fetch_requests function in hw/scsi/mptsas.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop, and CPU consumption or QEMU process crash) via vectors involving s->state. |
|
8246 |
CVE-2016-4961 |
20 |
|
DoS |
2016-11-08 |
2016-12-14 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
For the NVIDIA Quadro, NVS, and GeForce products, improper sanitization of parameters in the NVStreamKMS.sys API layer caused a denial of service vulnerability (blue screen crash) within the NVIDIA Windows graphics drivers. |
|
8247 |
CVE-2016-4954 |
362 |
|
DoS |
2016-07-04 |
2017-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication. |
|
8248 |
CVE-2016-4953 |
362 |
|
DoS |
2016-07-04 |
2017-11-20 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time. |
|
8249 |
CVE-2016-4948 |
79 |
|
XSS |
2017-03-07 |
2017-03-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Cloudera Manager 5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) Template Name field when renaming a template; (2) KDC Server host, (3) Kerberos Security Realm, (4) Kerberos Encryption Types, (5) Advanced Configuration Snippet (Safety Valve) for [libdefaults] section of krb5.conf, (6) Advanced Configuration Snippet (Safety Valve) for the Default Realm in krb5.conf, (7) Advanced Configuration Snippet (Safety Valve) for remaining krb5.conf, or (8) Active Directory Account Prefix fields in the Kerberos wizard; or (9) classicWizard parameter to cmf/cloudera-director/redirect. |
|
8250 |
CVE-2016-4946 |
79 |
|
XSS |
2017-03-07 |
2017-03-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Cloudera HUE 3.9.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) First name or (2) Last name field in the HUE Users page. |
