| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. |

| 37601 | CVE-2016-4913 | 200 | | +Info | 2016-05-23 | 2018-10-31 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete |
The get_rock_ridge_filename function in fs/isofs/rock.c in the Linux kernel before 4.5.5 mishandles NM (aka alternate name) entries containing \0 characters, which allows local users to obtain sensitive information from kernel memory or possibly have unspecified other impact via a crafted isofs filesystem.

| 37602 | CVE-2016-4912 | 476 | | DoS | 2017-03-27 | 2017-07-10 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
The _xrealloc function in xlsp_xmalloc.c in OpenSLP 2.0.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a large number of crafted packets, which triggers a memory allocation failure.

| 37603 | CVE-2016-4911 | 284 | | Bypass | 2016-06-13 | 2016-11-28 | 4.0 | None | Remote | Low | Single system | None | Partial | None |
The Fernet Token Provider in OpenStack Identity (Keystone) 9.0.x before 9.0.1 (mitaka) allows remote authenticated users to prevent revocation of a chain of tokens and bypass intended access restrictions by rescoping a token.

| 37604 | CVE-2016-4910 | 284 | | Bypass | 2017-06-09 | 2017-06-13 | 4.0 | None | Remote | Low | Single system | None | Partial | None |
Cybozu Garoon 3.0.0 to 4.2.2 allows remote authenticated attackers to bypass access restriction to delete other operational administrators' MultiReport filters via unspecified vectors.

| 37605 | CVE-2016-4909 | 352 | | CSRF | 2017-06-09 | 2017-06-13 | 4.3 | None | Remote | Medium | Not required | None | None | Partial |
Cross-site request forgery (CSRF) vulnerability in Cybozu Garoon 3.0.0 to 4.2.2 allows remote attackers to hijack the authentication of a logged in user to force a logout via unspecified vectors.

| 37606 | CVE-2016-4908 | 284 | | Bypass | 2017-06-09 | 2017-06-13 | 4.0 | None | Remote | Low | Single system | None | Partial | None |
Cybozu Garoon 3.0.0 to 4.2.2 allows remote authenticated attackers to bypass access restriction to alter or delete another user's private RSS settings via unspecified vectors.

| 37607 | CVE-2016-4907 | 352 | | CSRF | 2017-06-09 | 2017-06-13 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cybozu Garoon 3.0.0 to 4.2.2 allow remote attackers to obtain CSRF tokens via unspecified vectors.

| 37608 | CVE-2016-4906 | 79 | | XSS | 2017-06-09 | 2017-06-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Cross-site scripting vulnerability in Cybozu Garoon 3.0.0 to 4.2.2 allows remote attackers to inject arbitrary web script or HTML via "Messages" function of Cybozu Garoon Keitai.

| 37609 | CVE-2016-4905 | 89 | | Exec Code Sql | 2017-05-22 | 2017-05-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in the WP-OliveCart versions prior to 3.1.3 and WP-OliveCartPro versions prior to 3.1.8 allows attackers with administrator rights to execute arbitrary SQL commands via unspecified vectors.

| 37610 | CVE-2016-4904 | 352 | | CSRF | 2017-05-22 | 2017-05-30 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in WP-OliveCart versions prior to 3.1.3 and WP-OliveCartPro versions prior to 3.1.8 allows remote attackers to hijack the authentication of a user to perform unintended operations via unspecified vectors.

| 37611 | CVE-2016-4903 | 79 | | XSS | 2017-05-22 | 2017-05-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Cross-site scripting vulnerability in WP-OliveCart versions prior to 3.1.3 and WP-OliveCartPro versions prior to 3.1.8 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

| 37612 | CVE-2016-4902 | 426 | | +Priv | 2017-06-09 | 2017-06-22 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete |
Untrusted search path vulnerability in The Public Certification Service for Individuals "The JPKI user's software (for Windows 7 and later)" Ver3.0.1 and earlier, The Public Certification Service for Individuals "The JPKI user's software (for Windows Vista)" Ver3.0.1 and earlier and The Public Certification Service for Individuals "The JPKI user's software" Ver2.6 and earlier allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.

| 37613 | CVE-2016-4901 | 426 | | +Priv | 2017-05-22 | 2017-05-31 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Untrusted search path vulnerability in The installer of e-Tax Software all versions allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.

| 37614 | CVE-2016-4900 | 426 | | +Priv | 2017-05-22 | 2017-06-01 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Untrusted search path vulnerability in Evernote for Windows versions prior to 6.3 allows remote attackers to gain privileges via a Trojan horse DLL in an unspecified directory.

| 37615 | CVE-2016-4899 | 20 | | Exec Code | 2017-04-13 | 2017-04-19 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete |
The datamover module in the Linux version of NovaBACKUP DataCenter before 09.06.03.0353 is vulnerable to remote command execution via unspecified attack vectors.

| 37616 | CVE-2016-4898 | 20 | | Exec Code | 2017-04-13 | 2017-04-19 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete |
The datamover module in the Linux version of NovaBACKUP DataCenter before 09.06.03.0353 is vulnerable to remote command execution via unspecified attack vectors.

| 37617 | CVE-2016-4897 | 79 | | XSS | 2017-04-12 | 2017-04-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Multiple cross-site scripting (XSS) vulnerabilities in (1) filter/save_forward.cgi, (2) filter/save.cgi, (3) /man/search.cgi in Usermin before 1.690.

| 37618 | CVE-2016-4896 | 264 | | | 2017-04-12 | 2017-05-22 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None |
SetsucoCMS all versions does not properly manage sessions, which allows remote attackers to disclose or alter unauthorized information via unspecified vectors.

| 37619 | CVE-2016-4895 | 94 | | | 2017-04-12 | 2017-05-22 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial |
SetsucoCMS all versions allows remote authenticated attackers to conduct code injection attacks via unspecified vectors.

| 37620 | CVE-2016-4894 | | | DoS | 2017-04-12 | 2017-05-22 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
SetsucoCMS all versions allows remote attackers to cause a denial of service via unspecified vectors.

| 37621 | CVE-2016-4893 | 89 | | Exec Code Sql | 2017-04-12 | 2017-05-22 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial |
SQL injection vulnerability in the SetsucoCMS all versions allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.

| 37622 | CVE-2016-4892 | 79 | | XSS | 2017-04-12 | 2017-05-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Cross-site scripting vulnerability in SetsucoCMS all versions allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

| 37623 | CVE-2016-4891 | 352 | | CSRF | 2017-04-12 | 2017-05-22 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in SetsucoCMS all versions allows remote attackers to hijack the authentication of an administrator to change settings via unspecified vectors.

| 37624 | CVE-2016-4890 | 254 | | +Info | 2017-04-14 | 2017-05-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None |
ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie.

| 37625 | CVE-2016-4889 | 264 | | | 2017-04-14 | 2017-05-12 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial |
ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions.

| 37626 | CVE-2016-4887 | 352 | | CSRF | 2017-05-12 | 2017-05-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Uploader version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

| 37627 | CVE-2016-4886 | 352 | | CSRF | 2017-05-12 | 2017-05-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

| 37628 | CVE-2016-4885 | 352 | | CSRF | 2017-05-12 | 2017-05-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Feed version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

| 37629 | CVE-2016-4884 | 352 | | CSRF | 2017-05-12 | 2017-05-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

| 37630 | CVE-2016-4882 | 352 | | CSRF | 2017-05-12 | 2017-05-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

| 37631 | CVE-2016-4881 | 352 | | CSRF | 2017-05-12 | 2017-05-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

| 37632 | CVE-2016-4879 | 352 | | CSRF | 2017-05-12 | 2017-05-19 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

| 37633 | CVE-2016-4878 | 352 | | CSRF | 2017-05-12 | 2017-05-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.

| 37634 | CVE-2016-4876 | 352 | | Exec Code CSRF | 2017-05-12 | 2017-05-18 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators to execute arbitrary PHP code via unspecified vectors.

| 37635 | CVE-2016-4875 | 79 | | XSS | 2017-04-14 | 2017-04-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Multiple cross-site scripting (XSS) vulnerabilities in the IVYWE (1) Assist plugin before 1.1.2.test20160906, (2) dataBox plugin before 0.0.0.20160906, and (3) userBox plugin before 0.0.0.20160906 for Geeklog allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

| 37636 | CVE-2016-4873 | 275 | | | 2017-04-17 | 2017-05-22 | 4.0 | None | Remote | Low | Single system | None | Partial | None |
Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to execute unintended operations via the Project function.

| 37637 | CVE-2016-4872 | 200 | | Bypass +Info | 2017-04-17 | 2017-05-22 | 4.0 | None | Remote | Low | Single system | Partial | None | None |
Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to bypass access restrictions to view the names of unauthorized projects via a breadcrumb trail.

| 37638 | CVE-2016-4871 | 399 | | DoS | 2017-04-17 | 2017-04-20 | 6.8 | None | Remote | Low | Single system | None | None | Complete |
Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to cause a denial of service.

| 37639 | CVE-2016-4869 | 200 | | +Info | 2017-04-17 | 2017-05-22 | 4.3 | None | Remote | Medium | Not required | Partial | None | None |
Cybozu Office 9.0.0 to 10.4.0 allow remote attackers to obtain session information via a page where CGI environment variables are displayed.

| 37640 | CVE-2016-4868 | 20 | | | 2017-04-17 | 2017-05-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Email header injection vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows remote attackers to inject arbitrary email headers to send unintended emails via specially crafted requests.

| 37641 | CVE-2016-4867 | 200 | | Bypass +Info | 2017-04-17 | 2017-05-22 | 4.0 | None | Remote | Low | Single system | Partial | None | None |
Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to bypass access restriction to view unauthorized project information via the Project function.

| 37642 | CVE-2016-4864 | 134 | | | 2017-05-12 | 2017-05-22 | 5.0 | None | Remote | Low | Not required | None | None | Partial |
H2O versions 2.0.3 and earlier and 2.1.0-beta2 and earlier allows remote attackers to cause a denial-of-service (DoS) via format string specifiers in a template file via fastcgi, mruby, proxy, redirect or reproxy.

| 37643 | CVE-2016-4862 | 20 | | Exec Code | 2017-04-20 | 2017-04-26 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial |
Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers.

| 37644 | CVE-2016-4861 | 89 | | Sql | 2017-02-16 | 2018-10-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.

| 37645 | CVE-2016-4860 | 287 | | DoS | 2016-09-18 | 2016-11-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Yokogawa STARDOM FCN/FCJ controller R1.01 through R4.01 does not require authentication for Logic Designer connections, which allows remote attackers to reconfigure the device or cause a denial of service via a (1) stop application program, (2) change value, or (3) modify application command.

| 37646 | CVE-2016-4859 | 601 | | | 2017-05-12 | 2017-05-19 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.3, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk Enterprise 5.0.x prior to 5.0.16 and Splunk Light prior to 6.4.3 allows to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

| 37647 | CVE-2016-4857 | 601 | | | 2017-05-12 | 2017-05-19 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None |
Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.11 and Splunk Light prior to 6.4.2 allows to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

| 37648 | CVE-2016-4855 | 79 | | XSS | 2017-05-12 | 2017-06-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None |
Cross-site scripting vulnerability in ADOdb versions prior to 5.20.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

| 37649 | CVE-2016-4854 | 352 | | CSRF | 2017-05-22 | 2017-05-31 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
Cross-site request forgery (CSRF) vulnerability in L-04D firmware version V10a and V10b allows remote attackers to hijack the authentication of administrators to perform arbitrary operations via unspecified vectors.

| 37650 | CVE-2016-4853 | 78 | | Exec Code | 2016-09-01 | 2017-09-07 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial |
AKABEi SOFT2 games allow remote attackers to execute arbitrary OS commands via crafted saved data, as demonstrated by Happy Wardrobe.