| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
32151 |
CVE-2016-1609 |
79 |
|
XSS |
2016-07-31 |
2017-09-02 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Novell Filr before 1.2 Security Update 3 and 2.0 before Security Update 2 allow remote authenticated users to inject arbitrary web script or HTML via crafted input, as demonstrated by a crafted attribute of an IMG element in the phone field of a user profile. |
|
32152 |
CVE-2016-1607 |
352 |
|
CSRF |
2016-07-31 |
2017-09-02 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in the administrative interface in Novell Filr before 2.0 Security Update 2 allow remote attackers to hijack the authentication of administrators, as demonstrated by reconfiguring time settings via a vaconfig/time request. |
|
32153 |
CVE-2016-1605 |
22 |
|
Dir. Trav. |
2016-07-31 |
2016-08-01 |
6.8 |
None |
Remote |
Low |
Single system |
Complete |
None |
None |
|
Directory traversal vulnerability in the ReportViewServlet servlet in the server in NetIQ Sentinel 7.4.x before 7.4.2 allows remote attackers to read arbitrary files via a PREVIEW value for the fileType field. |
|
32154 |
CVE-2016-1603 |
200 |
|
+Info |
2017-03-23 |
2017-03-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
An information leak in the NetIQ IDM ServiceNow Driver before 1.0.0.1 could expose cryptographic attributes to logged-in users. |
|
32155 |
CVE-2016-1600 |
200 |
|
+Info |
2019-05-09 |
2019-05-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The ServiceNow driver in NetIQ Identity Manager versions prior to 4.6 are susceptible to an information disclosure vulnerability. |
|
32156 |
CVE-2016-1599 |
79 |
|
XSS |
2016-03-23 |
2017-03-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in NetIQ Self Service Password Reset (SSPR) 2.x and 3.x before 3.3.1 HF2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. |
|
32157 |
CVE-2016-1598 |
79 |
|
XSS |
2016-10-27 |
2016-11-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
XSS in NetIQ IDM 4.5 Identity Applications before 4.5.4 allows attackers able to change their username to inject arbitrary HTML code into the Role Assignment administrator HTML pages. |
|
32158 |
CVE-2016-1596 |
79 |
|
XSS |
2016-04-22 |
2018-10-09 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Micro Focus Novell Service Desk before 7.2 allow remote authenticated users to inject arbitrary web script or HTML via a certain (1) user name, (2) tf_aClientFirstName, (3) tf_aClientLastName, (4) ta_selectedTopicContent, (5) tf_orgUnitName, (6) tf_aManufacturerFullName, (7) tf_aManufacturerName, (8) tf_aManufacturerAddress, or (9) tf_aManufacturerCity parameter. |
|
32159 |
CVE-2016-1595 |
200 |
|
+Info |
2016-04-22 |
2018-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile in Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to conduct Hibernate Query Language (HQL) injection attacks and obtain sensitive information via the entityName parameter. |
|
32160 |
CVE-2016-1594 |
200 |
|
+Info |
2016-04-22 |
2018-10-09 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to read arbitrary attachments via a request to a LiveTime.woa URL, as demonstrated by obtaining sensitive information via a (1) downloadLogFiles or (2) downloadFile action. |
|
32161 |
CVE-2016-1593 |
22 |
|
Dir. Trav. |
2016-04-22 |
2018-10-09 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Directory traversal vulnerability in the import users feature in Micro Focus Novell Service Desk before 7.2 allows remote authenticated administrators to upload and execute arbitrary JSP files via a .. (dot dot) in a filename within a multipart/form-data POST request to a LiveTime.woa URL. |
|
32162 |
CVE-2016-1592 |
79 |
|
XSS |
2016-10-27 |
2018-09-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
XSS in NetIQ Designer for Identity Manager before 4.5.3 allows remote attackers to inject arbitrary HTML code via the nrfEntitlementReport.do CGI. |
|
32163 |
CVE-2016-1587 |
284 |
|
|
2019-04-22 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Snapweb interface before version 0.21.2 was exposing controls to install or remove snap packages without controlling the identity of the user, nor the origin of the connection. An attacker could have used the controls to remotely add a valid, but malicious, snap package, from the Store, potentially using system resources without permission from the legitimate administrator of the system. |
|
32164 |
CVE-2016-1586 |
20 |
|
|
2019-04-22 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
A malicious webview could install long-lived unload handlers that re-use an incognito BrowserContext that is queued for destruction in versions of Oxide before 1.18.3. |
|
32165 |
CVE-2016-1584 |
399 |
|
|
2019-04-22 |
2019-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
In all versions of Unity8 a running but not active application on a large-screen device could talk with Maliit and consume keyboard input. |
|
32166 |
CVE-2016-1582 |
200 |
|
+Info |
2016-06-09 |
2016-06-10 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
LXD before 2.0.2 does not properly set permissions when switching an unprivileged container into privileged mode, which allows local users to access arbitrary world readable paths in the container directory via unspecified vectors. |
|
32167 |
CVE-2016-1581 |
284 |
|
|
2016-06-09 |
2016-06-10 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
LXD before 2.0.2 uses world-readable permissions for /var/lib/lxd/zfs.img when setting up a loop based ZFS pool, which allows local users to copy and read data from arbitrary containers via unspecified vectors. |
|
32168 |
CVE-2016-1577 |
|
|
DoS Exec Code |
2016-04-13 |
2018-01-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Double free vulnerability in the jas_iccattrval_destroy function in JasPer 1.900.1 and earlier allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via a crafted ICC color profile in a JPEG 2000 image file, a different vulnerability than CVE-2014-8137. |
|
32169 |
CVE-2016-1573 |
416 |
|
Exec Code |
2019-04-22 |
2019-10-09 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Versions of Unity8 before 8.11+16.04.20160122-0ubuntu1 file plugins/Dash/CardCreator.js will execute any code found in place of a fallback image supplied by a scope. |
|
32170 |
CVE-2016-1572 |
264 |
|
+Priv |
2016-01-22 |
2018-10-30 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
mount.ecryptfs_private.c in eCryptfs-utils does not validate mount destination filesystem types, which allows local users to gain privileges by mounting over a nonstandard filesystem, as demonstrated by /proc/$pid. |
|
32171 |
CVE-2016-1571 |
17 |
|
DoS |
2016-01-22 |
2018-10-30 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check. |
|
32172 |
CVE-2016-1570 |
20 |
|
DoS +Priv +Info |
2016-01-22 |
2018-10-30 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates. |
|
32173 |
CVE-2016-1569 |
20 |
|
DoS |
2016-01-13 |
2016-12-05 |
4.0 |
None |
Remote |
Low |
Single system |
None |
None |
Partial |
|
FireBird 2.5.5 allows remote authenticated users to cause a denial of service (daemon crash) by using service manager to invoke the gbak utility with an invalid parameter. |
|
32174 |
CVE-2016-1567 |
254 |
|
|
2016-01-26 |
2016-12-05 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." |
|
32175 |
CVE-2016-1566 |
79 |
|
XSS |
2017-02-02 |
2017-02-05 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the file browser in Guacamole 0.9.8 and 0.9.9, when file transfer is enabled to a location shared by multiple users, allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename. NOTE: this vulnerability was fixed in guacamole.war on 2016-01-13, but the version number was not changed. |
|
32176 |
CVE-2016-1565 |
79 |
|
XSS |
2016-01-08 |
2016-01-11 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Field Group module 7.x-1.x before 7.x-1.5 for Drupal allows remote authenticated users with permission to configure field display settings to inject arbitrary web script or HTML via an element attribute. |
|
32177 |
CVE-2016-1564 |
79 |
|
XSS |
2016-05-21 |
2017-11-03 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in wp-includes/class-wp-theme.php in WordPress before 4.4.1 allow remote attackers to inject arbitrary web script or HTML via a (1) stylesheet name or (2) template name to wp-admin/customize.php. |
|
32178 |
CVE-2016-1563 |
20 |
|
+Info |
2016-04-07 |
2017-11-15 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
NetApp Clustered Data ONTAP 8.3.1 does not properly verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
32179 |
CVE-2016-1562 |
200 |
|
+Info |
2016-03-11 |
2016-03-18 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The REST API in the DTE Energy Insight application before 1.7.8 for Android allows remote authenticated users to obtain unspecified customer information via a SQL expression in the filter parameter. |
|
32180 |
CVE-2016-1561 |
200 |
|
+Info |
2017-04-21 |
2017-04-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ExaGrid appliances with firmware before 4.8 P26 have a default SSH public key in the authorized_keys file for root, which allows remote attackers to obtain SSH access by leveraging knowledge of a private key from another installation or a firmware image. |
|
32181 |
CVE-2016-1559 |
200 |
|
+Info |
2017-04-21 |
2017-04-28 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
D-Link DAP-1353 H/W vers. B1 3.15 and earlier, D-Link DAP-2553 H/W ver. A1 1.31 and earlier, and D-Link DAP-3520 H/W ver. A1 1.16 and earlier reveal wireless passwords and administrative usernames and passwords over SNMP. |
|
32182 |
CVE-2016-1557 |
200 |
|
+Info |
2017-04-21 |
2017-04-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Netgear WNAP320, WNDAP350, and WNDAP360 before 3.5.5.0 reveal wireless passwords and administrative usernames and passwords over SNMP. |
|
32183 |
CVE-2016-1556 |
200 |
|
+Info |
2017-04-21 |
2017-04-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Information disclosure in Netgear WN604 before 3.3.3; WNAP210, WNAP320, WNDAP350, and WNDAP360 before 3.5.5.0; and WND930 before 2.0.11 allows remote attackers to read the wireless WPS PIN or passphrase by visiting unauthenticated webpages. |
|
32184 |
CVE-2016-1551 |
254 |
|
|
2017-01-27 |
2017-11-20 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
ntpd in NTP 4.2.8p3 and NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 relies on the underlying operating system to protect it from requests that impersonate reference clocks. Because reference clocks are treated like other peers and stored in the same structure, any packet with a source ip address of a reference clock (127.127.1.1 for example) that reaches the receive() function will match that reference clock's peer record and will be treated as a trusted peer. Any system that lacks the typical martian packet filtering which would block these packets is in danger of having its time controlled by an attacker. |
|
32185 |
CVE-2016-1550 |
200 |
|
+Info |
2017-01-06 |
2018-01-04 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
An exploitable vulnerability exists in the message authentication functionality of libntp in ntp 4.2.8p4 and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92. An attacker can send a series of crafted messages to attempt to recover the message digest key. |
|
32186 |
CVE-2016-1549 |
19 |
|
|
2017-01-06 |
2018-03-27 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock. |
|
32187 |
CVE-2016-1548 |
19 |
|
|
2017-01-06 |
2018-01-04 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched. |
|
32188 |
CVE-2016-1547 |
20 |
|
|
2017-01-06 |
2018-01-04 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
An off-path attacker can cause a preemptible client association to be demobilized in NTP 4.2.8p4 and earlier and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled. |
|
32189 |
CVE-2016-1546 |
399 |
|
DoS |
2016-07-06 |
2018-06-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The Apache HTTP Server 2.4.17 and 2.4.18, when mod_http2 is enabled, does not limit the number of simultaneous stream workers for a single HTTP/2 connection, which allows remote attackers to cause a denial of service (stream-processing outage) via modified flow-control windows. |
|
32190 |
CVE-2016-1543 |
284 |
|
Bypass |
2016-06-13 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The RPC API in the RSCD agent in BMC BladeLogic Server Automation (BSA) 8.2.x, 8.3.x, 8.5.x, 8.6.x, and 8.7.x on Linux and UNIX allows remote attackers to bypass authorization and reset arbitrary user passwords by sending an action packet to xmlrpc after an authorization failure. |
|
32191 |
CVE-2016-1542 |
20 |
|
Bypass |
2016-06-13 |
2018-10-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The RPC API in RSCD agent in BMC BladeLogic Server Automation (BSA) 8.2.x, 8.3.x, 8.5.x, 8.6.x, and 8.7.x on Linux and UNIX allows remote attackers to bypass authorization and enumerate users by sending an action packet to xmlrpc after an authorization failure. |
|
32192 |
CVE-2016-1541 |
20 |
|
Exec Code Overflow |
2016-05-07 |
2018-01-04 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the zip_read_mac_metadata function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to execute arbitrary code via crafted entry-size values in a ZIP archive. |
|
32193 |
CVE-2016-1531 |
264 |
|
+Priv |
2016-04-07 |
2017-09-07 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument. |
|
32194 |
CVE-2016-1526 |
119 |
|
DoS Overflow +Info |
2016-02-12 |
2018-01-04 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
None |
Partial |
|
The TtfUtil:LocaLookup function in TtfUtil.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, incorrectly validates a size value, which allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a crafted Graphite smart font. |
|
32195 |
CVE-2016-1523 |
|
|
DoS |
2016-02-12 |
2017-06-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The SillMap::readFace function in FeatureMap.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, mishandles a return value, which allows remote attackers to cause a denial of service (missing initialization, NULL pointer dereference, and application crash) via a crafted Graphite smart font. |
|
32196 |
CVE-2016-1521 |
119 |
|
DoS Exec Code Overflow +Info |
2016-02-12 |
2017-06-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The directrun function in directmachine.cpp in Libgraphite in Graphite 2 1.2.4, as used in Mozilla Firefox before 43.0 and Firefox ESR 38.x before 38.6.1, does not validate a certain skip operation, which allows remote attackers to execute arbitrary code, obtain sensitive information, or cause a denial of service (out-of-bounds read and application crash) via a crafted Graphite smart font. |
|
32197 |
CVE-2016-1520 |
254 |
|
Exec Code |
2017-04-21 |
2018-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Grandstream Wave app 1.0.1.26 and earlier for Android does not use HTTPS when retrieving update information, which might allow man-in-the-middle attackers to execute arbitrary code via a crafted application. |
|
32198 |
CVE-2016-1519 |
295 |
|
|
2017-04-21 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The com.softphone.common package in the Grandstream Wave app 1.0.1.26 and earlier for Android does not properly validate SSL certificates, which allows man-in-the-middle attackers to spoof the Grandstream provisioning server via a crafted certificate. |
|
32199 |
CVE-2016-1518 |
284 |
|
+Info |
2017-04-21 |
2018-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs, and have unspecified other impact by leveraging failure to use an HTTPS session for downloading configuration files from http://fm.grandstream.com/gs/. |
|
32200 |
CVE-2016-1517 |
20 |
|
DoS |
2017-04-09 |
2017-04-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
OpenCV 3.0.0 allows remote attackers to cause a denial of service (segfault) via vectors involving corrupt chunks. |
