# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |
1601 | CVE-2016-10223 | 284 | | Exec Code | 2017-02-14 | 2017-02-16 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
An issue was discovered in BigTree CMS before 4.2.15. The vulnerability exists due to insufficient filtration of user-supplied data in the "id" HTTP GET parameter passed to the "core/admin/adjax/dashboard/check-module-integrity.php" URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. |
1602 | CVE-2016-10112 | 79 | | XSS | 2017-01-03 | 2017-01-12 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
Cross-site scripting (XSS) vulnerability in the WooCommerce plugin before 2.6.9 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML by providing crafted tax-rate table values in CSV format. |
1603 | CVE-2016-9989 | 79 | | XSS | 2017-07-05 | 2017-07-12 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120555. |
1604 | CVE-2016-9988 | 79 | | XSS | 2017-07-05 | 2017-07-12 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120554. |
1605 | CVE-2016-9987 | 79 | | XSS | 2017-07-05 | 2017-07-12 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120553. |
1606 | CVE-2016-9986 | 79 | | XSS | 2017-07-05 | 2017-07-12 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Jazz Foundation Reporting Service (JRS) 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120552. |
1607 | CVE-2016-9983 | 200 | | +Info | 2017-06-22 | 2017-06-26 | 3.5 | None | Remote | Medium | Single system | Partial | None | None |
IBM Sterling B2B Integrator Standard Edition 5.2 could allow an authenticated user with special privileges to view files that they should not have access to. IBM X-Force ID: 120275. |
1608 | CVE-2016-9980 | 79 | | XSS | 2017-04-20 | 2017-04-26 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Curam Social Program Management 5.2, 6.0, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120256. |
1609 | CVE-2016-9979 | 79 | | XSS | 2017-04-20 | 2017-04-26 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Curam Social Program Management 5.2, 6.0, and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120255. |
1610 | CVE-2016-9973 | 79 | | XSS | 2017-06-13 | 2017-06-26 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 120209. |
1611 | CVE-2016-9891 | 79 | | XSS | 2016-12-29 | 2017-01-03 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
Cross-site scripting (XSS) vulnerability in admin/media.php and admin/media_item.php in Dotclear before 2.11 allows remote authenticated users to inject arbitrary web script or HTML via the upfiletitle or media_title parameter (aka the media title). |
1612 | CVE-2016-9757 | 79 | | XSS | 2016-12-20 | 2016-12-27 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
In the Create Tags page of the Rapid7 Nexpose version 6.4.12 user interface, any authenticated user who has the capability to create tags can inject cross-site scripting (XSS) elements in the tag name field. Once this tag is viewed in the Tag Detail page of the Rapid7 Nexpose 6.4.12 UI by another authenticated user, the script is run in that user's browser context. |
1613 | CVE-2016-9747 | 79 | | XSS | 2017-06-22 | 2017-06-28 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM RELM 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
1614 | CVE-2016-9746 | 79 | | XSS | 2017-07-05 | 2017-07-25 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Team Concert (RTC) 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119821. |
1615 | CVE-2016-9737 | 79 | | XSS | 2017-03-27 | 2017-03-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM TRIRIGA 3.3, 3.4, and 3.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1996200. |
1616 | CVE-2016-9733 | 79 | | XSS | 2017-07-05 | 2017-07-25 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Team Concert (RTC) 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119762. |
1617 | CVE-2016-9732 | 79 | | XSS | 2017-08-28 | 2017-09-02 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Curam Social Program Management 6.0, 6.1, 6.2 and 7.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119761. |
1618 | CVE-2016-9731 | 79 | | XSS | 2017-02-01 | 2018-05-02 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Business Process Manager is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
1619 | CVE-2016-9719 | 20 | | | 2017-07-31 | 2017-08-03 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM InfoSphere Master Data Management Server 10.1, 11.0, 11.3, 11.4, 11.5, and 11.6 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. IBM X-Force ID: 119733. |
1620 | CVE-2016-9718 | 79 | | XSS | 2017-07-31 | 2017-08-03 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM InfoSphere Master Data Management Server 10.1, 11.0, 11.3, 11.4, 11.5, and 11.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119732. |
1621 | CVE-2016-9715 | 79 | | XSS | 2017-07-31 | 2017-08-03 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM InfoSphere Master Data Management Server 11.0, 11.3, 11.4, 11.5, and 11.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119728. |
1622 | CVE-2016-9701 | 79 | | XSS | 2017-07-05 | 2017-07-25 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Team Concert 4.0, 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 119529. |
1623 | CVE-2016-9696 | 79 | | Exec Code XSS | 2017-03-20 | 2017-03-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM Reference #: 1999960. |
1624 | CVE-2016-9694 | 79 | | XSS | 2017-03-20 | 2017-03-23 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Rhapsody DM 4.0, 5.0, and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1999960. |
1625 | CVE-2016-9681 | 79 | | XSS | 2016-12-25 | 2016-12-30 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
Multiple cross-site scripting (XSS) vulnerabilities in Serendipity before 2.0.5 allow remote authenticated users to inject arbitrary web script or HTML via a category or directory name. |
1626 | CVE-2016-9637 | 264 | | +Priv | 2017-02-16 | 2018-02-07 | 3.7 | None | Local | High | Not required | Partial | Partial | Partial |
The (1) ioport_read and (2) ioport_write functions in Xen, when qemu is used as a device model within Xen, might allow local x86 HVM guest OS administrators to gain qemu process privileges via vectors involving an out-of-range ioport access. |
1627 | CVE-2016-9595 | 59 | | | 2018-07-27 | 2018-09-24 | 3.6 | None | Local | Low | Not required | None | Partial | Partial |
A flaw was found in katello-debug before 3.4.0 where certain scripts and log files used insecure temporary files. A local user could exploit this flaw to conduct a symbolic-link attack, allowing them to overwrite the contents of arbitrary files. |
1628 | CVE-2016-9494 | 20 | | DoS | 2018-07-13 | 2018-09-06 | 3.3 | None | Local Network | Low | Not required | None | None | Partial |
Hughes high-performance broadband satellite modems, models HN7740S DW7000 HN7000S/SM, are potentially vulnerable to improper input validation. The device's advanced status web page that is linked to from the basic status web page does not appear to properly parse malformed GET requests. This may lead to a denial of service. |
1629 | CVE-2016-9472 | 79 | | XSS | 2017-03-27 | 2017-03-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
Revive Adserver before 3.2.5 and 4.0.0 suffers from Reflected XSS. The Revive Adserver web installer scripts were vulnerable to a reflected XSS attack via the dbHost, dbUser, and possibly other parameters. It has to be noted that the window for such attack vectors to be possible is extremely narrow and it is very unlikely that such an attack could be actually effective. |
1630 | CVE-2016-9465 | 79 | | XSS | 2017-03-27 | 2017-03-30 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
Nextcloud Server before 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from Stored XSS in CardDAV image export. The CardDAV image export functionality as implemented in Nextcloud/ownCloud allows the download of images stored within a vCard. Due to not performing any kind of verification on the image content this is prone to a stored Cross-Site Scripting attack. |
1631 | CVE-2016-9457 | 79 | | XSS | 2017-03-27 | 2017-03-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
Revive Adserver before 3.2.3 suffers from Reflected XSS. `www/admin/stats.php` is vulnerable to reflected XSS attacks via multiple parameters that are not properly sanitised or escaped when displayed, such as setPerPage, pageId, bannerid, period_start, period_end, and possibly others. |
1632 | CVE-2016-9454 | 79 | | XSS | 2017-03-27 | 2017-03-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
Revive Adserver before 3.2.3 suffers from Persistent XSS. A vector for persistent XSS attacks via the Revive Adserver user interface exists, requiring a trusted (non-admin) account. The banner image URL for external banners wasn't properly escaped when displayed in most of the banner related pages. |
1633 | CVE-2016-9316 | 79 | | XSS | 2017-02-21 | 2017-07-24 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
Multiple stored Cross-Site-Scripting (XSS) vulnerabilities in com.trend.iwss.gui.servlet.updateaccountadministration in Trend Micro InterScan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allow authenticated, remote users with least privileges to inject arbitrary HTML/JavaScript code into web pages. This was resolved in Version 6.5 CP 1737. |
1634 | CVE-2016-9261 | 79 | | XSS | 2017-02-28 | 2017-03-01 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
Cross-site scripting (XSS) vulnerability in Tenable Log Correlation Engine (aka LCE) before 4.8.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
1635 | CVE-2016-9260 | 79 | | XSS | 2017-01-31 | 2017-02-03 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
Cross-site scripting (XSS) vulnerability in Tenable Nessus before 6.9 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to handling of .nessus files. |
1636 | CVE-2016-9259 | 79 | | XSS | 2017-02-28 | 2017-03-01 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
Cross-site scripting (XSS) vulnerability in Tenable Nessus before 6.9.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
1637 | CVE-2016-9221 | 399 | | DoS | 2017-01-26 | 2017-01-27 | 3.3 | None | Local Network | Low | Not required | None | None | Partial |
A Denial of Service Vulnerability in 802.11 ingress connection authentication handling for the Cisco Mobility Express 2800 and 3800 Access Points (APs) could allow an unauthenticated, adjacent attacker to cause authentication to fail. Affected Products: This vulnerability affects Cisco Mobility Express 2800 Series and 3800 Series Access Points when configured in local mode in 40 MHz. More Information: CSCvb33575. Known Affected Releases: 8.2(121.12) 8.4(1.82). Known Fixed Releases: 8.2(131.2) 8.2(131.3) 8.2(131.4) 8.2(141.0) 8.3(104.53) 8.3(104.54) 8.4(1.80) 8.4(1.85). |
1638 | CVE-2016-9220 | 399 | | DoS | 2017-01-26 | 2017-01-26 | 3.3 | None | Local Network | Low | Not required | None | None | Partial |
A Denial of Service Vulnerability in 802.11 ingress packet processing of the Cisco Mobility Express 2800 and 3800 Access Points (APs) could allow an unauthenticated, adjacent attacker to cause the connection table to be full of invalid connections and be unable to process new incoming requests. More Information: CSCvb66659. Known Affected Releases: 8.2(130.0). Known Fixed Releases: 8.2(131.10) 8.2(131.6) 8.2(141.0) 8.3(104.56) 8.4(1.88) 8.4(1.91). |
1639 | CVE-2016-9130 | 79 | | XSS | 2017-03-27 | 2017-03-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
Revive Adserver before 3.2.3 suffers from Persistent XSS. A vector for persistent XSS attacks via the Revive Adserver user interface exists, requiring a trusted (non-admin) account. The website name wasn't properly escaped when displayed in the campaign-zone.php script. |
1640 | CVE-2016-9128 | 79 | | XSS | 2017-03-27 | 2017-03-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
Revive Adserver before 3.2.3 suffers from reflected XSS. The affiliate-preview.php script in www/admin is vulnerable to a reflected XSS attack. This vulnerability could be used by an attacker to steal the session ID of an authenticated user, by tricking them into visiting a specifically crafted URL. |
1641 | CVE-2016-9126 | 79 | | XSS | 2017-03-27 | 2017-03-29 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
Revive Adserver before 3.2.3 suffers from persistent XSS. Usernames are not properly escaped when displayed in the audit trail widget of the dashboard upon login, allowing persistent XSS attacks. An authenticated user with enough privileges to create other users could exploit the vulnerability to access the administrator account. |
1642 | CVE-2016-9006 | 79 | | XSS | 2017-03-08 | 2017-03-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM UrbanCode Deploy 6.1 and 6.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: C1000264. |
1643 | CVE-2016-8999 | 79 | | XSS | 2017-02-01 | 2017-07-26 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM InfoSphere Information Server contains a Path-relative stylesheet import vulnerability that allows attackers to render a page in quirks mode thereby facilitating an attacker to inject malicious CSS. |
1644 | CVE-2016-8975 | 79 | | XSS | 2017-07-24 | 2017-08-05 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Rhapsody DM 5.0 and 6.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118912. |
1645 | CVE-2016-8968 | 79 | | XSS | 2017-02-15 | 2017-07-24 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1998515. |
1646 | CVE-2016-8952 | 79 | | XSS | 2017-07-13 | 2017-07-19 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Emptoris Strategic Supply Management Platform 10.0.0.x through 10.1.1.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118839. |
1647 | CVE-2016-8950 | 79 | | XSS | 2017-07-12 | 2017-07-27 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Emptoris Sourcing 9.5.x through 10.1.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118837. |
1648 | CVE-2016-8948 | 79 | | XSS | 2017-07-12 | 2017-07-21 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Emptoris Sourcing 9.5.x through 10.1.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118835. |
1649 | CVE-2016-8946 | 79 | | XSS | 2017-07-12 | 2017-07-20 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Emptoris Sourcing 9.5.x through 10.1.x is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 118833. |
1650 | CVE-2016-8943 | 79 | | XSS | 2017-02-01 | 2017-02-13 | 3.5 | None | Remote | Medium | Single system | None | Partial | None |
IBM Tivoli Storage Productivity Center is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |