| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
39151 |
CVE-2016-2922 |
295 |
|
|
2018-08-13 |
2019-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM Rational ClearQuest 8.0 through 8.0.1.9 and 9.0 through 9.0.1.3 (CQ OSLC linkages, EmailRelay) fails to check the SSL certificate against the requested hostname. It is subject to a man-in-the-middle attack with an impersonating server observing all the data transmitted to the real server. IBM X-Force ID: 113353. |
|
39152 |
CVE-2016-2917 |
264 |
|
+Priv +Info |
2016-11-30 |
2016-12-01 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
The notifications component in IBM TRIRIGA Applications 10.4 and 10.5 before 10.5.1 allows remote authenticated users to obtain sensitive password information, and consequently gain privileges, via unspecified vectors. |
|
39153 |
CVE-2016-2914 |
434 |
|
Exec Code |
2016-08-07 |
2016-11-28 |
5.5 |
None |
Remote |
Low |
Single system |
None |
Partial |
Partial |
|
Unrestricted file upload vulnerability in the Document Builder in IBM Rational Publishing Engine (aka RPENG) 2.0.1 before ifix002 allows remote authenticated users to execute arbitrary code by specifying an unexpected file extension. |
|
39154 |
CVE-2016-2908 |
611 |
|
DoS +Info |
2017-02-01 |
2017-07-07 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
IBM Single Sign On for Bluemix could allow a remote attacker to obtain sensitive information, caused by a XML external entity (XXE) error when processing XML data by the XML parser. A remote attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service. |
|
39155 |
CVE-2016-2901 |
352 |
|
XSS CSRF |
2016-06-25 |
2016-08-18 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the PA_Theme_Creator application in IBM WebSphere Portal 8.5 CF08 through CF10 and Web Content Manager allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. |
|
39156 |
CVE-2016-2889 |
352 |
|
CSRF |
2016-07-07 |
2016-11-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the Report Builder and Data Collection Component (DCC) in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2 ifix016, 6.0 and 6.0.1 before 6.0.1 ifix005, and 6.0.2 before ifix002 allows remote authenticated users to hijack the authentication of arbitrary users. |
|
39157 |
CVE-2016-2888 |
79 |
|
XSS |
2016-07-07 |
2016-07-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Report Builder and Data Collection Component (DCC) in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2 ifix016 and 6.x before 6.0.1 ifix005 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-0313 and CVE-2016-0350. |
|
39158 |
CVE-2016-2887 |
284 |
|
+Info |
2016-11-30 |
2016-12-02 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
IBM IMS Enterprise Suite Data Provider before 3.2.0.1 for Microsoft .NET allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors. |
|
39159 |
CVE-2016-2884 |
352 |
|
XSS CSRF |
2016-11-30 |
2016-12-01 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in IBM Forms Experience Builder 8.5.x and 8.6.x before 8.6.3.1, in an unspecified non-default configuration, allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences. |
|
39160 |
CVE-2016-2882 |
200 |
|
+Info |
2016-07-02 |
2016-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.4, and 3.5 before 3.5.0.2 allows remote authenticated users to obtain sensitive information by reading HTTP responses. |
|
39161 |
CVE-2016-2881 |
254 |
|
Bypass |
2016-11-30 |
2016-12-01 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 and QRadar Incident Forensics 7.2 before 7.2.7 allow remote attackers to bypass intended access restrictions via modified request parameters. |
|
39162 |
CVE-2016-2878 |
352 |
|
XSS CSRF |
2016-11-30 |
2016-12-22 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Multiple cross-site request forgery (CSRF) vulnerabilities in IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 allow remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. |
|
39163 |
CVE-2016-2876 |
78 |
|
Exec Code |
2016-11-30 |
2016-12-22 |
8.5 |
None |
Remote |
Medium |
Single system |
Complete |
Complete |
Complete |
|
IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 executes unspecified processes at an incorrect privilege level, which makes it easier for remote authenticated users to obtain root access by leveraging a command-injection issue. |
|
39164 |
CVE-2016-2875 |
77 |
|
Exec Code |
2016-08-07 |
2016-11-28 |
9.0 |
None |
Remote |
Low |
Single system |
Complete |
Complete |
Complete |
|
IBM Security QRadar SIEM 7.1.x and 7.2.x before 7.2.7 allows remote authenticated users to execute arbitrary OS commands as root via unspecified vectors. |
|
39165 |
CVE-2016-2873 |
89 |
|
Exec Code Sql |
2016-11-30 |
2016-12-22 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. |
|
39166 |
CVE-2016-2872 |
22 |
|
Dir. Trav. |
2016-07-02 |
2016-07-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in IBM Security QRadar SIEM 7.2.x before 7.2.7 and QRadar Incident Forensics 7.2.x before 7.2.7 allows remote attackers to read arbitrary files via a crafted URL. |
|
39167 |
CVE-2016-2871 |
255 |
|
+Info |
2016-11-30 |
2016-12-14 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 uses cleartext storage for unspecified passwords, which allows local users to obtain sensitive information by reading a configuration file. |
|
39168 |
CVE-2016-2870 |
119 |
|
DoS Overflow |
2016-07-02 |
2016-11-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Buffer overflow in the CLI on IBM WebSphere DataPower XC10 appliances 2.1 and 2.5 allows remote authenticated users to cause a denial of service via unspecified vectors. |
|
39169 |
CVE-2016-2868 |
|
|
|
2016-07-02 |
2016-07-06 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Security QRadar SIEM 7.2.x before 7.2.7 allows remote authenticated administrators to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
|
39170 |
CVE-2016-2867 |
254 |
|
|
2016-07-02 |
2016-07-06 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
IBM InfoSphere Streams before 4.0.1.2 and IBM Streams before 4.1.1.1 do not properly implement the runAsUser feature, which allows local users to obtain root group privileges via unspecified vectors. |
|
39171 |
CVE-2016-2866 |
200 |
|
+Info |
2017-02-08 |
2017-02-13 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
An unspecified vulnerability in IBM Jazz Team Server may disclose some deployment information to an authenticated user. |
|
39172 |
CVE-2016-2865 |
200 |
|
+Info |
2016-07-15 |
2016-11-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The GIT Integration component in IBM Rational Team Concert (RTC) 5.x before 5.0.2 iFix14 and 6.x before 6.0.1 iFix5 and Rational Collaborative Lifecycle Management 5.x before 5.0.2 iFix14 and 6.x before 6.0.1 iFix5 allows remote authenticated users to obtain sensitive information via a malformed request. |
|
39173 |
CVE-2016-2863 |
352 |
|
XSS CSRF |
2016-07-03 |
2019-09-30 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Commerce 7.0 Feature Pack 8, 8.0.0.x before 8.0.0.10, and 8.0.1.x before 8.0.1.2 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences. |
|
39174 |
CVE-2016-2862 |
79 |
|
XSS |
2016-07-03 |
2019-09-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM WebSphere Commerce 6.0 through 6.0.0.11, 7.0 before 7.0.0.9 cumulative iFix 3, and 8.0 before 8.0.0.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. |
|
39175 |
CVE-2016-2861 |
200 |
|
+Info |
2016-07-02 |
2016-07-06 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3, 7.1.1 before 7.1.1.1, 8.5 before 8.5.0.3, and 8.6 before 8.6.0.8 does not properly encrypt data, which makes it easier for remote attackers to obtain sensitive information by sniffing the network. |
|
39176 |
CVE-2016-2860 |
284 |
|
Bypass |
2016-05-13 |
2016-05-19 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups as administrators by leveraging mishandling of the creator ID. |
|
39177 |
CVE-2016-2856 |
264 |
|
+Priv |
2016-03-13 |
2016-11-28 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
pt_chown in the glibc package before 2.19-18+deb8u4 on Debian jessie; the elibc package before 2.15-0ubuntu10.14 on Ubuntu 12.04 LTS and before 2.19-0ubuntu6.8 on Ubuntu 14.04 LTS; and the glibc package before 2.21-0ubuntu4.2 on Ubuntu 15.10 and before 2.23-0ubuntu1 on Ubuntu 16.04 LTS and 16.10 lacks a namespace check associated with file-descriptor passing, which allows local users to capture keystrokes and spoof data, and possibly gain privileges, via pts read and write operations, related to debian/sysdeps/linux.mk. NOTE: this is not considered a vulnerability in the upstream GNU C Library because the upstream documentation has a clear security recommendation against the --enable-pt_chown option. |
|
39178 |
CVE-2016-2855 |
264 |
|
+Priv |
2016-05-23 |
2016-05-25 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The Huawei Mobile Broadband HL Service 22.001.25.00.03 and earlier uses a weak ACL for the MobileBrServ program data directory, which allows local users to gain SYSTEM privileges by modifying VERSION.dll. |
|
39179 |
CVE-2016-2854 |
264 |
|
+Priv |
2016-05-02 |
2017-03-14 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
The aufs module for the Linux kernel 3.x and 4.x does not properly maintain POSIX ACL xattr data, which allows local users to gain privileges by leveraging a group-writable setgid directory. |
|
39180 |
CVE-2016-2853 |
284 |
|
+Priv |
2016-05-02 |
2017-03-14 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The aufs module for the Linux kernel 3.x and 4.x does not properly restrict the mount namespace, which allows local users to gain privileges by mounting an aufs filesystem on top of a FUSE filesystem, and then executing a crafted setuid program. |
|
39181 |
CVE-2016-2851 |
119 |
|
DoS Exec Code Overflow Mem. Corr. |
2016-04-07 |
2018-10-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow. |
|
39182 |
CVE-2016-2850 |
20 |
|
|
2016-05-13 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Botan 1.11.x before 1.11.29 does not enforce TLS policy for (1) signature algorithms and (2) ECC curves, which allows remote attackers to conduct downgrade attacks via unspecified vectors. |
|
39183 |
CVE-2016-2849 |
200 |
|
+Info |
2016-05-13 |
2017-06-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Botan before 1.10.13 and 1.11.x before 1.11.29 do not use a constant-time algorithm to perform a modular inverse on the signature nonce k, which might allow remote attackers to obtain ECDSA secret keys via a timing side-channel attack. |
|
39184 |
CVE-2016-2848 |
20 |
|
DoS |
2016-10-21 |
2018-09-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
ISC BIND 9.1.0 through 9.8.4-P2 and 9.9.0 through 9.9.2-P2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via malformed options data in an OPT resource record. |
|
39185 |
CVE-2016-2847 |
399 |
|
DoS |
2016-04-27 |
2018-01-04 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
fs/pipe.c in the Linux kernel before 4.5 does not limit the amount of unread data in pipes, which allows local users to cause a denial of service (memory consumption) by creating many pipes with non-default sizes. |
|
39186 |
CVE-2016-2846 |
254 |
|
Bypass |
2016-03-16 |
2016-12-02 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
Siemens SIMATIC S7-1200 CPU devices before 4.0 allow remote attackers to bypass a "user program block" protection mechanism via unspecified vectors. |
|
39187 |
CVE-2016-2845 |
200 |
|
+Info |
2016-03-05 |
2016-12-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before 49.0.2623.75, does not ignore a URL's path component in the case of a ServiceWorker fetch, which allows remote attackers to obtain sensitive information about visited web pages by reading CSP violation reports, related to FrameFetchContext.cpp and ResourceFetcher.cpp. |
|
39188 |
CVE-2016-2844 |
20 |
|
DoS |
2016-03-05 |
2016-12-02 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
WebKit/Source/core/layout/LayoutBlock.cpp in Blink, as used in Google Chrome before 49.0.2623.75, does not properly determine when anonymous block wrappers may exist, which allows remote attackers to cause a denial of service (incorrect cast and assertion failure) or possibly have unspecified other impact via crafted JavaScript code. |
|
39189 |
CVE-2016-2843 |
|
|
DoS |
2016-03-05 |
2016-12-02 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Multiple unspecified vulnerabilities in Google V8 before 4.9.385.26, as used in Google Chrome before 49.0.2623.75, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. |
|
39190 |
CVE-2016-2842 |
119 |
|
DoS Overflow |
2016-03-03 |
2018-01-04 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The doapr_outch function in crypto/bio/b_print.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g does not verify that a certain memory allocation succeeds, which allows remote attackers to cause a denial of service (out-of-bounds write or memory consumption) or possibly have unspecified other impact via a long string, as demonstrated by a large amount of ASN.1 data, a different vulnerability than CVE-2016-0799. |
|
39191 |
CVE-2016-2840 |
79 |
|
Exec Code XSS |
2016-12-15 |
2018-10-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
An issue was discovered in Open-Xchange Server 6 / OX AppSuite before 7.8.0-rev26. The "session" parameter for file-download requests can be used to inject script code that gets reflected through the subsequent status page. Malicious script code can be executed within a trusted domain's context. While no OX App Suite specific data can be manipulated, the vulnerability can be exploited without being authenticated and therefore used for social engineering attacks, stealing cookies or redirecting from trustworthy to malicious hosts. |
|
39192 |
CVE-2016-2839 |
20 |
|
DoS |
2016-08-04 |
2017-08-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 on Linux make cairo _cairo_surface_get_extents calls that do not properly interact with libav header allocation in FFmpeg 0.10, which allows remote attackers to cause a denial of service (application crash) via a crafted video. |
|
39193 |
CVE-2016-2838 |
119 |
|
Exec Code Overflow |
2016-08-04 |
2017-08-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the nsBidi::BracketData::AddOpening function in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allows remote attackers to execute arbitrary code via directional content in an SVG document. |
|
39194 |
CVE-2016-2837 |
119 |
|
Exec Code Overflow Bypass |
2016-08-04 |
2017-08-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the ClearKey Content Decryption Module (CDM) in the Encrypted Media Extensions (EME) API in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 might allow remote attackers to execute arbitrary code by providing a malformed video and leveraging a Gecko Media Plugin (GMP) sandbox bypass. |
|
39195 |
CVE-2016-2836 |
119 |
|
DoS Exec Code Overflow Mem. Corr. |
2016-08-04 |
2017-08-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 48.0 and Firefox ESR 45.x before 45.3 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to Http2Session::Shutdown and SpdySession31::Shutdown, and other vectors. |
|
39196 |
CVE-2016-2835 |
|
|
DoS Exec Code Mem. Corr. |
2016-08-04 |
2017-08-15 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 48.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. |
|
39197 |
CVE-2016-2834 |
|
|
DoS Mem. Corr. |
2016-06-13 |
2018-10-30 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Mozilla Network Security Services (NSS) before 3.23, as used in Mozilla Firefox before 47.0, allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via unknown vectors. |
|
39198 |
CVE-2016-2833 |
79 |
|
XSS |
2016-06-13 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Mozilla Firefox before 47.0 ignores Content Security Policy (CSP) directives for cross-domain Java applets, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted applet. |
|
39199 |
CVE-2016-2832 |
200 |
|
+Info |
2016-06-13 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Mozilla Firefox before 47.0 allows remote attackers to discover the list of disabled plugins via a fingerprinting attack involving Cascading Style Sheets (CSS) pseudo-classes. |
|
39200 |
CVE-2016-2831 |
284 |
|
DoS |
2016-06-13 |
2018-10-30 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 do not ensure that the user approves the fullscreen and pointerlock settings, which allows remote attackers to cause a denial of service (UI outage), or conduct clickjacking or spoofing attacks, via a crafted web site. |
