| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Confidentiality | Integrity | Availability | Description |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 31101 | CVE-2016-4877 | 79 | | XSS | 2017-05-12 | 2017-05-18 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 31102 | CVE-2016-4876 | 352 | | Exec Code CSRF | 2017-05-12 | 2017-05-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators to execute arbitrary PHP code via unspecified vectors. |
| 31103 | CVE-2016-4875 | 79 | | XSS | 2017-04-14 | 2017-04-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the IVYWE (1) Assist plugin before 1.1.2.test20160906, (2) dataBox plugin before 0.0.0.20160906, and (3) userBox plugin before 0.0.0.20160906 for Geeklog allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 31104 | CVE-2016-4874 | 284 | | | 2017-04-17 | 2017-04-20 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to conduct a "reflected file download" attack. |
| 31105 | CVE-2016-4873 | 275 | | | 2017-04-17 | 2017-05-22 | 4.0 | None | Remote | Low | Single system | None | Partial | None | Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to execute unintended operations via the Project function. |
| 31106 | CVE-2016-4872 | 200 | | Bypass +Info | 2017-04-17 | 2017-05-22 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to bypass access restrictions to view the names of unauthorized projects via a breadcrumb trail. |
| 31107 | CVE-2016-4871 | 399 | | DoS | 2017-04-17 | 2017-04-20 | 6.8 | None | Remote | Low | Single system | None | None | Complete | Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to cause a denial of service. |
| 31108 | CVE-2016-4870 | 79 | | XSS | 2017-04-17 | 2017-05-22 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the Schedule function. |
| 31109 | CVE-2016-4869 | 200 | | +Info | 2017-04-17 | 2017-05-22 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Cybozu Office 9.0.0 to 10.4.0 allows remote attackers to obtain session information via a page where CGI environment variables are displayed. |
| 31110 | CVE-2016-4868 | 20 | | | 2017-04-17 | 2017-05-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Email header injection vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows remote attackers to inject arbitrary email headers to send unintended emails via specially crafted requests. |
| 31111 | CVE-2016-4867 | 200 | | Bypass +Info | 2017-04-17 | 2017-05-22 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to bypass access restrictions to view unauthorized project information via the Project function. |
| 31112 | CVE-2016-4866 | 79 | | XSS | 2017-04-17 | 2017-05-22 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows attackers with administrator rights to inject arbitrary web script or HTML via the Project function. |
| 31113 | CVE-2016-4865 | 79 | | XSS | 2017-04-17 | 2017-05-22 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows attackers with administrator rights to inject arbitrary web script or HTML via the Customapp function. |
| 31114 | CVE-2016-4864 | 134 | | | 2017-05-12 | 2017-05-22 | 5.0 | None | Remote | Low | Not required | None | None | Partial | H2O versions 2.0.3 and earlier and 2.1.0-beta2 and earlier allow remote attackers to cause a denial-of-service (DoS) via format string specifiers in a template file via fastcgi, mruby, proxy, redirect or reproxy. |
| 31115 | CVE-2016-4863 | 287 | | | 2017-05-22 | 2017-06-12 | 3.3 | None | Local Network | Low | Not required | Partial | None | None | The Toshiba FlashAir SD-WD/WC series Class 6 model with firmware version 1.00.04 and later, FlashAir SD-WD/WC series Class 10 model W-02 with firmware version 2.00.02 and later, FlashAir SD-WE series Class 10 model W-03, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir II Class 10 model W-02 series with firmware version 2.00.02 and later, FlashAir III Class 10 model W-03 series, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir W-02 series Class 10 model with firmware version 2.00.02 and later, FlashAir W-03 series Class 10 model do not require authentication on accepting a connection from STA side LAN when "Internet pass-thru Mode" is enabled, which allows attackers with access to the STA side LAN to obtain files or data. |
| 31116 | CVE-2016-4862 | 20 | | Exec Code | 2017-04-20 | 2017-04-26 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers. |
| 31117 | CVE-2016-4859 | 601 | | | 2017-05-12 | 2017-05-19 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.3, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk Enterprise 5.0.x prior to 5.0.16 and Splunk Light prior to 6.4.3 allows attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
| 31118 | CVE-2016-4858 | 79 | | XSS | 2017-05-12 | 2017-05-19 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk Enterprise 5.0.x prior to 5.0.16 and Splunk Light prior to 6.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 31119 | CVE-2016-4857 | 601 | | | 2017-05-12 | 2017-05-19 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.11 and Splunk Light prior to 6.4.2 allows attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
| 31120 | CVE-2016-4856 | 79 | | XSS | 2017-05-12 | 2017-05-19 | 3.5 | None | Remote | Medium | Single system | None | Partial | None | Cross-site scripting vulnerability in Splunk Enterprise 6.3.x prior to 6.3.5 and Splunk Light 6.3.x prior to 6.3.5 allows attackers with administrator rights to inject arbitrary web script or HTML via unspecified vectors. |
| 31121 | CVE-2016-4855 | 79 | | XSS | 2017-05-12 | 2017-06-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting vulnerability in ADOdb versions prior to 5.20.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 31122 | CVE-2016-4854 | 352 | | CSRF | 2017-05-22 | 2017-05-31 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in L-04D firmware version V10a and V10b allows remote attackers to hijack the authentication of administrators to perform arbitrary operations via unspecified vectors. |
| 31123 | CVE-2016-4853 | 78 | | Exec Code | 2016-09-01 | 2017-09-07 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | AKABEi SOFT2 games allow remote attackers to execute arbitrary OS commands via crafted saved data, as demonstrated by Happy Wardrobe. |
| 31124 | CVE-2016-4852 | 20 | | DoS | 2016-09-12 | 2016-11-28 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | YoruFukurou (NightOwl) before 2.85 relies on support for emoji skin-tone modifiers even though this support is missing from the CoreText CTFramesetter API on OS X 10.9, which allows remote attackers to cause a denial of service (application crash) via a crafted emoji character sequence. |
| 31125 | CVE-2016-4851 | 79 | | XSS | 2016-09-01 | 2016-11-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in Let's PHP! simple chat before 2016-08-15 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 31126 | CVE-2016-4850 | 284 | | Exec Code | 2017-04-20 | 2017-04-26 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | LINE for Windows before 4.8.3 allows man-in-the-middle attackers to execute arbitrary code. |
| 31127 | CVE-2016-4849 | 79 | | XSS | 2017-04-20 | 2017-04-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Geeklog IVYWE edition 2.1.1 allow remote attackers to inject arbitrary web script or HTML by leveraging use of the COM_getCurrentURL function in (1) public_html/layout/default/header.thtml, (2) public_html/layout/bento/header.thtml, (3) public_html/layout/fotos/header.thtml, or (4) public_html/layout/default/article/article.thtml. |
| 31128 | CVE-2016-4848 | 79 | | XSS | 2016-09-01 | 2018-10-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in ClipBucket before 2.8.1 RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 31129 | CVE-2016-4847 | 79 | | XSS | 2017-04-20 | 2017-04-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in site/search.php in OSSEC Web UI before 0.9 allows remote attackers to inject arbitrary web script or HTML by leveraging an unanchored regex. |
| 31130 | CVE-2016-4845 | 352 | | CSRF | 2016-09-24 | 2017-02-19 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability on I-O DATA DEVICE HVL-A2.0, HVL-A3.0, HVL-A4.0, HVL-AT1.0S, HVL-AT2.0, HVL-AT3.0, HVL-AT4.0, HVL-AT2.0A, HVL-AT3.0A, and HVL-AT4.0A devices with firmware before 2.04 allows remote attackers to hijack the authentication of arbitrary users for requests that delete content. |
| 31131 | CVE-2016-4844 | 200 | | +Info | 2017-04-20 | 2017-04-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cybozu Mailwise before 5.4.0 allows remote attackers to conduct clickjacking attacks. |
| 31132 | CVE-2016-4843 | 200 | | +Info | 2017-04-20 | 2017-04-24 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Cybozu Mailwise before 5.4.0 allows remote attackers to obtain sensitive cookie information. |
| 31133 | CVE-2016-4842 | 200 | | +Info | 2017-04-20 | 2017-04-25 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Cybozu Mailwise before 5.4.0 allows remote attackers to obtain information on when an email is read. |
| 31134 | CVE-2016-4841 | 20 | | | 2017-04-21 | 2017-04-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cybozu Mailwise before 5.4.0 allows remote attackers to inject arbitrary email headers. |
| 31135 | CVE-2016-4840 | 295 | | | 2017-04-21 | 2017-04-27 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Coordinate Plus App for Android 1.0.2 and earlier and Coordinate Plus App for iOS 1.0.2 and earlier do not verify SSL certificates. |
| 31136 | CVE-2016-4839 | 200 | | +Info | 2017-05-12 | 2017-05-26 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The Android Apps Money Forward (prior to v7.18.0), Money Forward for The Gunma Bank (prior to v1.2.0), Money Forward for SHIGA BANK (prior to v1.2.0), Money Forward for SHIZUOKA BANK (prior to v1.4.0), Money Forward for SBI Sumishin Net Bank (prior to v1.6.0), Money Forward for Tokai Tokyo Securities (prior to v1.4.0), Money Forward for THE TOHO BANK (prior to v1.3.0), Money Forward for YMFG (prior to v1.5.0) provided by Money Forward, Inc. and Money Forward for AppPass (prior to v7.18.3), Money Forward for au SMARTPASS (prior to v7.18.0), Money Forward for Chou Houdai (prior to v7.18.3) provided by SOURCENEXT CORPORATION do not properly implement the WebView class, which allows an attacker to disclose information stored on the device via a specially crafted application. |
| 31137 | CVE-2016-4838 | 20 | | | 2017-05-12 | 2017-05-26 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The Android Apps Money Forward (prior to v7.18.0), Money Forward for The Gunma Bank (prior to v1.2.0), Money Forward for SHIGA BANK (prior to v1.2.0), Money Forward for SHIZUOKA BANK (prior to v1.4.0), Money Forward for SBI Sumishin Net Bank (prior to v1.6.0), Money Forward for Tokai Tokyo Securities (prior to v1.4.0), Money Forward for THE TOHO BANK (prior to v1.3.0), Money Forward for YMFG (prior to v1.5.0) provided by Money Forward, Inc. and Money Forward for AppPass (prior to v7.18.3), Money Forward for au SMARTPASS (prior to v7.18.0), Money Forward for Chou Houdai (prior to v7.18.3) provided by SOURCENEXT CORPORATION allow an attacker to execute unintended operations via a specially crafted application. |
| 31138 | CVE-2016-4834 | 264 | | | 2016-07-31 | 2016-12-06 | 5.5 | None | Remote | Low | Single system | Partial | Partial | None | modules/Users/actions/Save.php in Vtiger CRM 6.4.0 and earlier does not properly restrict user-save actions, which allows remote authenticated users to create or modify user accounts via unspecified vectors. |
| 31139 | CVE-2016-4833 | 79 | | XSS | 2016-08-02 | 2017-07-17 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Nofollow Links plugin before 1.0.11 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 31140 | CVE-2016-4832 | 295 | | | 2017-04-21 | 2017-04-27 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | WAON "Service Application" for Android 1.4.1 and earlier does not verify SSL certificates. |
| 31141 | CVE-2016-4830 | 295 | | | 2017-04-21 | 2017-04-27 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Sushiro App for iOS 2.1.16 and earlier and Sushiro App for Android 2.1.16.1 and earlier do not verify SSL certificates. |
| 31142 | CVE-2016-4829 | 295 | | | 2017-04-21 | 2017-04-26 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | DMM Movie Player App for Android before 1.2.1 and DMM Movie Player App for iPhone/iPad before 2.1.3 do not verify SSL certificates. |
| 31143 | CVE-2016-4828 | 19 | | | 2016-06-25 | 2016-06-27 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress mishandles sessions, which allows remote attackers to obtain access by leveraging knowledge of the e-mail address associated with an account. |
| 31144 | CVE-2016-4827 | 79 | | XSS | 2016-06-25 | 2016-06-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4826. |
| 31145 | CVE-2016-4826 | 79 | | XSS | 2016-06-25 | 2016-06-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-4827. |
| 31146 | CVE-2016-4825 | 20 | | Exec Code | 2016-06-25 | 2016-06-27 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The Collne Welcart e-Commerce plugin before 1.8.3 for WordPress allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized data. |
| 31147 | CVE-2016-4824 | 254 | | | 2016-06-25 | 2016-06-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Wi-Fi Protected Setup (WPS) implementation on Corega CG-WLR300GNV and CG-WLR300GNV-W devices does not restrict the number of PIN authentication attempts, which makes it easier for remote attackers to obtain network access via a brute-force attack. |
| 31148 | CVE-2016-4822 | 77 | | Exec Code | 2016-06-25 | 2016-06-27 | 5.2 | None | Local Network | Low | Single system | Partial | Partial | Partial | Corega CG-WLBARGL devices allow remote authenticated users to execute arbitrary commands via unspecified vectors. |
| 31149 | CVE-2016-4821 | | | DoS | 2016-06-18 | 2016-06-20 | 5.0 | None | Remote | Low | Not required | None | None | Partial | I-O DATA DEVICE ETX-R devices allow remote attackers to cause a denial of service (web-server crash) via unspecified vectors. |
| 31150 | CVE-2016-4820 | 352 | | CSRF | 2016-06-18 | 2016-06-21 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability on I-O DATA DEVICE ETX-R devices allows remote attackers to hijack the authentication of arbitrary users. |