| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1601 |
CVE-2016-4454 |
119 |
|
DoS Overflow +Info |
2016-06-01 |
2018-12-01 |
3.2 |
None |
Local |
Low |
Single system |
Partial |
None |
Partial |
|
The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read. |
|
1602 |
CVE-2016-4428 |
79 |
|
XSS |
2016-07-12 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form. |
|
1603 |
CVE-2016-4412 |
254 |
|
|
2016-12-10 |
2017-06-30 |
3.6 |
None |
Remote |
High |
Single system |
Partial |
Partial |
None |
|
An issue was discovered in phpMyAdmin. A user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site. The attacker must sniff the user's valid phpMyAdmin token. All 4.0.x versions (prior to 4.0.10.16) are affected. |
|
1604 |
CVE-2016-4400 |
79 |
|
XSS |
2018-08-06 |
2018-10-04 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS). |
|
1605 |
CVE-2016-4399 |
79 |
|
XSS |
2018-08-06 |
2018-10-04 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS). |
|
1606 |
CVE-2016-4393 |
79 |
|
XSS +Info |
2016-10-28 |
2017-02-16 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
HPE System Management Homepage before v7.6 allows "remote authenticated" attackers to obtain sensitive information via unspecified vectors, related to an "XSS" issue. |
|
1607 |
CVE-2016-4392 |
79 |
|
XSS |
2018-08-06 |
2018-10-05 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
A remote cross site scripting vulnerability has been identified in HP Business Service Management software v9.1x, v9.20 - v9.25IP1. |
|
1608 |
CVE-2016-4380 |
79 |
|
XSS |
2016-09-08 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the AdminUI in HPE Operations Manager 9.21.x before 9.21.130 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
1609 |
CVE-2016-4318 |
79 |
|
XSS |
2017-04-09 |
2018-02-15 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name. |
|
1610 |
CVE-2016-4317 |
79 |
|
XSS |
2017-04-09 |
2018-02-15 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page. |
|
1611 |
CVE-2016-4315 |
352 |
|
CSRF |
2017-02-16 |
2018-10-09 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
None |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in WSO2 Carbon 4.4.5 allows remote attackers to hijack the authentication of privileged users for requests that shutdown a server via a shutdown action to server-admin/proxy_ajaxprocessor.jsp. |
|
1612 |
CVE-2016-4058 |
79 |
|
XSS |
2016-09-27 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Huawei Policy Center before V100R003C10SPC020 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to "special characters on pages." |
|
1613 |
CVE-2016-4043 |
264 |
|
Bypass |
2017-02-24 |
2017-02-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates. |
|
1614 |
CVE-2016-4028 |
255 |
|
|
2016-12-15 |
2018-10-19 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users' credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers to guess the correct padding. Attackers may run brute-forcing attacks on the content of the guest authentication token and discover user credentials. For a practical attack vector, the guest users needs to have logged in, the content of the guest user's "OxReaderID" cookie and the value of the "auth" parameter needs to be known to the attacker. |
|
1615 |
CVE-2016-4027 |
200 |
|
+Info |
2016-12-15 |
2018-10-19 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared environments. However the setting was incorrectly recognized and cookies were stored regardless of this setting when the login was performed using a non-interactive login method. In case the setting was enforced by middleware configuration or the user went through the interactive login page, the workflow was correct. Cookies with authentication information may become available to other users on shared environments. In case the user did not properly log out from the session, third parties with access to the same client can access a user's account. |
|
1616 |
CVE-2016-3985 |
284 |
|
Bypass |
2016-04-11 |
2016-04-18 |
3.3 |
None |
Remote |
Low |
Multiple systems |
None |
Partial |
None |
|
The Terminal Services Remote Desktop Protocol (RDP) client session restrictions feature in Pulse Connect Secure (aka PCS) 8.1R7 and 8.2R1 allow remote authenticated users to bypass intended access restrictions via unspecified vectors. |
|
1617 |
CVE-2016-3984 |
284 |
|
Bypass |
2016-04-08 |
2016-05-18 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
The McAfee VirusScan Console (mcconsol.exe) in McAfee Active Response (MAR) before 1.1.0.161, Agent (MA) 5.x before 5.0.2 Hotfix 1110392 (5.0.2.333), Data Exchange Layer 2.x (DXL) before 2.0.1.140.1, Data Loss Prevention Endpoint (DLPe) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Device Control (MDC) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Endpoint Security (ENS) 10.x before 10.1, Host Intrusion Prevention Service (IPS) 8.0 before 8.0.0.3624, and VirusScan Enterprise (VSE) 8.8 before P7 (8.8.0.1528) on Windows allows local administrators to bypass intended self-protection rules and disable the antivirus engine by modifying registry keys. |
|
1618 |
CVE-2016-3971 |
79 |
|
XSS |
2016-04-18 |
2016-12-15 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to c/portal/layout. |
|
1619 |
CVE-2016-3703 |
284 |
|
|
2016-06-08 |
2016-06-09 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
Red Hat OpenShift Enterprise 3.2 and 3.1 do not properly validate the origin of a request when anonymous access is granted to a service/proxy or pod/proxy API for a specific pod, which allows remote attackers to access API credentials in the web browser localStorage via an access_token in the query parameter. |
|
1620 |
CVE-2016-3652 |
79 |
|
XSS |
2016-06-30 |
2017-09-02 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in management scripts in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
1621 |
CVE-2016-3614 |
|
|
|
2016-07-21 |
2017-08-31 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
None |
Partial |
|
Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: Security: Encryption. |
|
1622 |
CVE-2016-3531 |
|
|
|
2016-07-21 |
2017-08-31 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote authenticated users to affect confidentiality via vectors related to PC / Notification. |
|
1623 |
CVE-2016-3490 |
|
|
|
2016-07-21 |
2017-08-31 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, and 6.4.1 allows remote authenticated users to affect confidentiality via vectors related to Database. |
|
1624 |
CVE-2016-3484 |
|
|
|
2016-07-21 |
2017-08-31 |
3.2 |
None |
Local |
Low |
Single system |
Partial |
Partial |
None |
|
Unspecified vulnerability in the Database Vault component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows local users to affect confidentiality and integrity via unknown vectors. |
|
1625 |
CVE-2016-3472 |
|
|
|
2016-07-21 |
2017-08-31 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
Unspecified vulnerability in the Siebel Engineering - Installer and Deployment component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote authenticated users to affect confidentiality via vectors related to Web Server. |
|
1626 |
CVE-2016-3431 |
|
|
|
2016-04-21 |
2017-09-02 |
3.6 |
None |
Remote |
High |
Single system |
Partial |
Partial |
None |
|
Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.1.1, 9.3.1.2, 9.3.2, and 9.3.3 allows remote authenticated users to affect confidentiality and integrity via vectors related to Security, a different vulnerability than CVE-2016-3420. |
|
1627 |
CVE-2016-3423 |
|
|
|
2016-04-21 |
2016-12-02 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to Rich Text Editor, a different vulnerability than CVE-2016-0698. |
|
1628 |
CVE-2016-3420 |
|
|
|
2016-04-21 |
2017-09-02 |
3.6 |
None |
Remote |
High |
Single system |
Partial |
Partial |
None |
|
Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.1.1, 9.3.1.2, 9.3.2, and 9.3.3 allows remote authenticated users to affect confidentiality and integrity via vectors related to Security, a different vulnerability than CVE-2016-3431. |
|
1629 |
CVE-2016-3372 |
264 |
|
DoS |
2016-09-14 |
2018-10-12 |
3.6 |
None |
Local |
Low |
Not required |
None |
Partial |
Partial |
|
The kernel API in Microsoft Windows Vista SP2 and Windows Server 2008 SP2 does not properly enforce permissions, which allows local users to spoof processes, spoof inter-process communication, or cause a denial of service via a crafted application, aka "Windows Kernel Elevation of Privilege Vulnerability." |
|
1630 |
CVE-2016-3196 |
79 |
|
XSS |
2016-08-05 |
2018-10-09 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Fortinet FortiAnalyzer 5.x before 5.0.12 and 5.2.x before 5.2.6 and FortiManager 5.x before 5.0.12 and 5.2.x before 5.2.6 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an image uploaded in the report section. |
|
1631 |
CVE-2016-3193 |
79 |
|
XSS |
2016-08-19 |
2017-08-15 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the appliance web-application in Fortinet FortiManager 5.x before 5.0.12, 5.2.x before 5.2.6, and 5.4.x before 5.4.1 and FortiAnalyzer 5.x before 5.0.13, 5.2.x before 5.2.6, and 5.4.x before 5.4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
1632 |
CVE-2016-3173 |
79 |
|
Exec Code XSS |
2016-12-15 |
2018-10-19 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to inject script code. Those labels use the name of the file (e.g. an image) which gets displayed at the portal application. Using script code at the file name leads to script execution. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Users actively need to add a file to the portal to enable this attack. In case of shared files however, a internal attacker may modify a previously embedded file to carry a malicious file name. Furthermore this vulnerability can be used to persistently execute code that got injected by a temporary script execution vulnerability. |
|
1633 |
CVE-2016-3155 |
200 |
|
+Info |
2016-03-18 |
2016-12-02 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
Siemens APOGEE Insight uses weak permissions for the application folder, which allows local users to obtain sensitive information or modify data via unspecified vectors. |
|
1634 |
CVE-2016-3144 |
79 |
|
XSS |
2016-04-15 |
2016-12-02 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Block Class module 7.x-2.x before 7.x-2.2 for Drupal allows remote authenticated users with the "Administer block classes" permission to inject arbitrary web script or HTML via a class name. |
|
1635 |
CVE-2016-3119 |
|
|
DoS |
2016-03-25 |
2018-10-30 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
None |
Partial |
|
The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) through 1.13.4 and 1.14.x through 1.14.1 mishandles the DB argument, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal. |
|
1636 |
CVE-2016-3108 |
59 |
|
|
2017-06-08 |
2018-01-04 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
|
The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary files via a symlink attack. |
|
1637 |
CVE-2016-3060 |
284 |
|
|
2016-10-28 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Payments Director in IBM Financial Transaction Manager (FTM) for ACH Services, Check Services, and Corporate Payment Services (CPS) 3.0.0.x before fp0015 and 3.0.1.0 before iFix0002 allows remote authenticated users to conduct clickjacking attacks via a crafted web site. |
|
1638 |
CVE-2016-3056 |
79 |
|
XSS |
2016-10-13 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Business Space in IBM Business Process Manager 7.5 through 7.5.1.2, 8.0 through 8.0.1.3, and 8.5 before 8.5.7.0 CF2016.09 allows remote authenticated users to inject arbitrary web script or HTML via crafted content. |
|
1639 |
CVE-2016-3054 |
79 |
|
XSS |
2016-08-07 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM FileNet Workplace 4.0.2 allows remote authenticated users to inject arbitrary web script or HTML by uploading a file. |
|
1640 |
CVE-2016-3049 |
79 |
|
Exec Code XSS |
2017-10-24 |
2017-11-13 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 114712. |
|
1641 |
CVE-2016-3048 |
79 |
|
XSS |
2017-11-01 |
2017-11-16 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 114711. |
|
1642 |
CVE-2016-3042 |
79 |
|
XSS |
2016-09-30 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSphere Application Server (WAS) Liberty before 16.0.0.3 allows remote authenticated users to inject arbitrary web script or HTML via vectors involving OpenID Connect clients. |
|
1643 |
CVE-2016-3038 |
79 |
|
XSS |
2017-04-17 |
2017-04-21 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Cognos TM1 10.1 and 10.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 114614. |
|
1644 |
CVE-2016-3037 |
200 |
|
+Info |
2017-04-17 |
2017-04-21 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
IBM Cognos TM1 10.1 and 10.2 provides a service to return the victim's password with a valid session key. An authenticated attacker with user interaction could obtain this sensitive information. IBM X-Force ID: 114613. |
|
1645 |
CVE-2016-3032 |
79 |
|
XSS |
2017-05-10 |
2017-05-15 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 114516. |
|
1646 |
CVE-2016-3031 |
79 |
|
XSS |
2017-04-05 |
2017-04-10 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1998887. |
|
1647 |
CVE-2016-3016 |
345 |
|
|
2017-02-01 |
2017-02-07 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Security Access Manager for Web processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code, which could allow an authenticated attacker to load malicious code. |
|
1648 |
CVE-2016-3015 |
79 |
|
XSS |
2017-04-05 |
2017-04-10 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1998887. |
|
1649 |
CVE-2016-3014 |
79 |
|
XSS |
2016-11-30 |
2017-07-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, Rational Quality Manager 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, Rational Team Concert 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, Rational DOORS Next Generation 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, Rational Engineering Lifecycle Manager 4.x before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, Rational Rhapsody Design Manager 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, and Rational Software Architect Design Manager 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
|
1650 |
CVE-2016-3010 |
79 |
|
XSS |
2016-09-01 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2995, CVE-2016-2997, and CVE-2016-3005. |
