CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
4901 CVE-2016-3971 79 XSS 2016-04-18 2016-12-16
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to c/portal/layout.
4902 CVE-2016-3703 284 2016-06-08 2016-06-09
3.5
None Remote Medium ??? Partial None None
Red Hat OpenShift Enterprise 3.2 and 3.1 do not properly validate the origin of a request when anonymous access is granted to a service/proxy or pod/proxy API for a specific pod, which allows remote attackers to access API credentials in the web browser localStorage via an access_token in the query parameter.
4903 CVE-2016-3652 79 XSS 2016-06-30 2017-09-03
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in management scripts in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
4904 CVE-2016-3614 2016-07-21 2019-02-21
3.5
None Remote Medium ??? None None Partial
Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: Security: Encryption.
4905 CVE-2016-3531 2016-07-21 2017-09-01
3.5
None Remote Medium ??? Partial None None
Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote authenticated users to affect confidentiality via vectors related to PC / Notification.
4906 CVE-2016-3490 2016-07-21 2017-09-01
3.5
None Remote Medium ??? Partial None None
Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, and 6.4.1 allows remote authenticated users to affect confidentiality via vectors related to Database.
4907 CVE-2016-3484 2016-07-21 2017-09-01
3.2
None Local Low ??? Partial Partial None
Unspecified vulnerability in the Database Vault component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows local users to affect confidentiality and integrity via unknown vectors.
4908 CVE-2016-3472 2016-07-21 2017-09-01
3.5
None Remote Medium ??? Partial None None
Unspecified vulnerability in the Siebel Engineering - Installer and Deployment component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote authenticated users to affect confidentiality via vectors related to Web Server.
4909 CVE-2016-3431 2016-04-21 2017-09-03
3.6
None Remote High ??? Partial Partial None
Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.1.1, 9.3.1.2, 9.3.2, and 9.3.3 allows remote authenticated users to affect confidentiality and integrity via vectors related to Security, a different vulnerability than CVE-2016-3420.
4910 CVE-2016-3423 2016-04-21 2016-12-03
3.5
None Remote Medium ??? None Partial None
Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to Rich Text Editor, a different vulnerability than CVE-2016-0698.
4911 CVE-2016-3420 2016-04-21 2017-09-03
3.6
None Remote High ??? Partial Partial None
Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.1.1, 9.3.1.2, 9.3.2, and 9.3.3 allows remote authenticated users to affect confidentiality and integrity via vectors related to Security, a different vulnerability than CVE-2016-3431.
4912 CVE-2016-3372 264 DoS 2016-09-14 2018-10-12
3.6
None Local Low Not required None Partial Partial
The kernel API in Microsoft Windows Vista SP2 and Windows Server 2008 SP2 does not properly enforce permissions, which allows local users to spoof processes, spoof inter-process communication, or cause a denial of service via a crafted application, aka "Windows Kernel Elevation of Privilege Vulnerability."
4913 CVE-2016-3196 79 XSS 2016-08-05 2018-10-09
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Fortinet FortiAnalyzer 5.x before 5.0.12 and 5.2.x before 5.2.6 and FortiManager 5.x before 5.0.12 and 5.2.x before 5.2.6 allows remote authenticated users to inject arbitrary web script or HTML via the filename of an image uploaded in the report section.
4914 CVE-2016-3193 79 XSS 2016-08-19 2017-08-16
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the appliance web-application in Fortinet FortiManager 5.x before 5.0.12, 5.2.x before 5.2.6, and 5.4.x before 5.4.1 and FortiAnalyzer 5.x before 5.0.13, 5.2.x before 5.2.6, and 5.4.x before 5.4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
4915 CVE-2016-3173 79 Exec Code XSS 2016-12-15 2018-10-19
3.5
None Remote Medium ??? None Partial None
An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to inject script code. Those labels use the name of the file (e.g. an image) which gets displayed at the portal application. Using script code at the file name leads to script execution. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). Users actively need to add a file to the portal to enable this attack. In case of shared files however, a internal attacker may modify a previously embedded file to carry a malicious file name. Furthermore this vulnerability can be used to persistently execute code that got injected by a temporary script execution vulnerability.
4916 CVE-2016-3155 200 +Info 2016-03-18 2016-12-03
3.6
None Local Low Not required Partial Partial None
Siemens APOGEE Insight uses weak permissions for the application folder, which allows local users to obtain sensitive information or modify data via unspecified vectors.
4917 CVE-2016-3144 79 XSS 2016-04-15 2016-12-03
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Block Class module 7.x-2.x before 7.x-2.2 for Drupal allows remote authenticated users with the "Administer block classes" permission to inject arbitrary web script or HTML via a class name.
4918 CVE-2016-3119 DoS 2016-03-26 2020-01-21
3.5
None Remote Medium ??? None None Partial
The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) through 1.13.4 and 1.14.x through 1.14.1 mishandles the DB argument, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal.
4919 CVE-2016-3108 59 2017-06-08 2018-01-05
3.6
None Local Low Not required Partial Partial None
The pulp-gen-nodes-certificate script in Pulp before 2.8.3 allows local users to leak the keys or write to arbitrary files via a symlink attack.
4920 CVE-2016-3101 79 XSS 2017-02-09 2019-10-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Extra Columns plugin before 1.17 in Jenkins allows remote attackers to inject arbitrary web script or HTML by leveraging failure to filter tool tips through the configured markup formatter.
4921 CVE-2016-3060 284 2016-10-29 2016-11-28
3.5
None Remote Medium ??? None Partial None
Payments Director in IBM Financial Transaction Manager (FTM) for ACH Services, Check Services, and Corporate Payment Services (CPS) 3.0.0.x before fp0015 and 3.0.1.0 before iFix0002 allows remote authenticated users to conduct clickjacking attacks via a crafted web site.
4922 CVE-2016-3056 79 XSS 2016-10-14 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Business Space in IBM Business Process Manager 7.5 through 7.5.1.2, 8.0 through 8.0.1.3, and 8.5 before 8.5.7.0 CF2016.09 allows remote authenticated users to inject arbitrary web script or HTML via crafted content.
4923 CVE-2016-3054 79 XSS 2016-08-08 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM FileNet Workplace 4.0.2 allows remote authenticated users to inject arbitrary web script or HTML by uploading a file.
4924 CVE-2016-3049 79 Exec Code XSS 2017-10-24 2017-11-13
3.5
None Remote Medium ??? None Partial None
IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 114712.
4925 CVE-2016-3048 79 XSS 2017-11-01 2017-11-16
3.5
None Remote Medium ??? None Partial None
IBM OpenPages GRC Platform 7.1, 7.2, and 7.3 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 114711.
4926 CVE-2016-3042 79 XSS 2016-10-01 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Web UI in IBM WebSphere Application Server (WAS) Liberty before 16.0.0.3 allows remote authenticated users to inject arbitrary web script or HTML via vectors involving OpenID Connect clients.
4927 CVE-2016-3038 79 XSS 2017-04-17 2017-04-21
3.5
None Remote Medium ??? None Partial None
IBM Cognos TM1 10.1 and 10.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 114614.
4928 CVE-2016-3037 200 +Info 2017-04-17 2017-04-21
3.5
None Remote Medium ??? Partial None None
IBM Cognos TM1 10.1 and 10.2 provides a service to return the victim's password with a valid session key. An authenticated attacker with user interaction could obtain this sensitive information. IBM X-Force ID: 114613.
4929 CVE-2016-3032 79 XSS 2017-05-10 2017-05-15
3.5
None Remote Medium ??? None Partial None
IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 114516.
4930 CVE-2016-3031 79 XSS 2017-04-05 2019-09-30
3.5
None Remote Medium ??? None Partial None
IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1998887.
4931 CVE-2016-3016 345 2017-02-01 2020-10-27
3.5
None Remote Medium ??? None Partial None
IBM Security Access Manager for Web processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code, which could allow an authenticated attacker to load malicious code.
4932 CVE-2016-3015 79 XSS 2017-04-05 2019-09-30
3.5
None Remote Medium ??? None Partial None
IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1998887.
4933 CVE-2016-3014 79 XSS 2016-11-30 2017-07-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, Rational Quality Manager 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, Rational Team Concert 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, Rational DOORS Next Generation 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, Rational Engineering Lifecycle Manager 4.x before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, Rational Rhapsody Design Manager 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17, and Rational Software Architect Design Manager 4.0 before 4.0.7 iFix11 and 5.0 before 5.0.2 iFix17 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
4934 CVE-2016-3010 79 XSS 2016-09-01 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2995, CVE-2016-2997, and CVE-2016-3005.
4935 CVE-2016-3009 352 CSRF 2016-11-30 2016-11-30
3.5
None Remote Medium ??? None Partial None
Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 allows remote authenticated users to hijack the authentication of arbitrary users for requests that modify the Connections generic page.
4936 CVE-2016-3008 79 XSS 2016-09-01 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 5.0 before CR4 and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2954 and CVE-2016-2956.
4937 CVE-2016-3006 79 XSS 2016-09-26 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via an embedded string, a different vulnerability than CVE-2016-3001 and CVE-2016-3003.
4938 CVE-2016-3005 79 XSS 2016-09-01 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2995, CVE-2016-2997, and CVE-2016-3010.
4939 CVE-2016-3003 79 XSS 2016-09-26 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via an embedded string, a different vulnerability than CVE-2016-3001 and CVE-2016-3006.
4940 CVE-2016-3001 79 XSS 2016-09-26 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via an embedded string, a different vulnerability than CVE-2016-3003 and CVE-2016-3006.
4941 CVE-2016-2998 352 CSRF 2016-09-01 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site request forgery (CSRF) vulnerability in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to hijack the authentication of arbitrary users for requests that update data.
4942 CVE-2016-2997 79 XSS 2016-09-01 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2995, CVE-2016-3005, and CVE-2016-3010.
4943 CVE-2016-2995 79 XSS 2016-09-01 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Web UI in IBM Connections 4.0 through CR4, 4.5 through CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2016-2997, CVE-2016-3005, and CVE-2016-3010.
4944 CVE-2016-2994 79 XSS 2016-12-01 2016-12-06
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM UrbanCode Deploy 6.2.x before 6.2.1.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
4945 CVE-2016-2992 79 XSS 2017-02-01 2017-02-15
3.5
None Remote Medium ??? None Partial None
IBM Infosphere BigInsights is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
4946 CVE-2016-2991 79 XSS 2016-12-01 2016-12-01
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Protector for Mail Security 2.8.0.0 through 2.8.1.0 before 2.8.1.0-22115 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
4947 CVE-2016-2986 79 XSS 2016-11-25 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in IBM Rational Collaborative Lifecycle Management 6.x before 6.0.1 iFix6, Rational Quality Manager 6.x before 6.0.1 iFix6, Rational Team Concert 6.x before 6.0.1 iFix6, Rational DOORS Next Generation 6.x before 6.0.1 iFix6, Rational Engineering Lifecycle Manager 6.x before 6.0.1 iFix6, and Rational Rhapsody Design Manager 6.x before 6.0.1 iFix6 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
4948 CVE-2016-2979 79 XSS 2017-08-29 2017-09-07
3.5
None Remote Medium ??? None Partial None
IBM Sametime Meeting Server 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 113945.
4949 CVE-2016-2975 79 XSS 2017-08-29 2017-09-03
3.5
None Remote Medium ??? None Partial None
IBM Sametime 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 113935.
4950 CVE-2016-2973 79 XSS 2017-08-29 2017-09-07
3.5
None Remote Medium ??? None Partial None
IBM Sametime Media Services 8.5.2 and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 113899.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.