| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2016-1000214 | 287 | | Bypass | 2016-10-25 | 2017-07-06 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Ruckus Wireless H500 web management interface authentication bypass. |
| 2 | CVE-2016-10006 | 79 | | XSS Bypass | 2016-12-24 | 2017-07-26 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | In OWASP AntiSamy before 1.5.5, by submitting specially crafted input (a tag that supports style with active content), an attacker could bypass the library's protections and supply executable code. The impact is XSS. |
| 3 | CVE-2016-9865 | 502 | | Bypass | 2016-12-10 | 2018-07-07 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in phpMyAdmin. Due to a bug in serialized string parsing, it was possible to bypass the protection offered by the PMA_safeUnserialize() function. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
| 4 | CVE-2016-9861 | 254 | | Bypass | 2016-12-10 | 2017-06-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None | An issue was discovered in phpMyAdmin. Due to a limitation in URL matching, it was possible to bypass the URL white-list protection. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
| 5 | CVE-2016-9851 | 254 | | Bypass | 2016-12-10 | 2017-06-30 | 5.0 | None | Remote | Low | Not required | None | Partial | None | An issue was discovered in phpMyAdmin. With a crafted request parameter value it is possible to bypass the logout timeout. All 4.6.x versions (prior to 4.6.5) and 4.4.x versions (prior to 4.4.15.9) are affected. |
| 6 | CVE-2016-9849 | 264 | | Bypass | 2016-12-10 | 2017-06-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | An issue was discovered in phpMyAdmin. It is possible to bypass the AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for usernames by using a null byte in the username. All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected. |
| 7 | CVE-2016-9796 | 264 | | Exec Code Bypass | 2016-12-03 | 2017-09-02 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Alcatel-Lucent OmniVista 8770 2.0 through 3.0 exposes several ORB interfaces, which can be queried using the GIOP protocol on TCP port 30024. An attacker can bypass authentication, and OmniVista invokes methods (AddJobSet, AddJob, and ExecuteNow) that can be used to run arbitrary commands on the server with the privilege of NT AUTHORITY\SYSTEM. NOTE: The discoverer states "The vendor position is to refer to the technical guidelines of the product security deployment to mitigate this issue, which means applying proper firewall rules to prevent unauthorised clients from connecting to the OmniVista server." |
| 8 | CVE-2016-9752 | 918 | | Bypass | 2016-12-01 | 2016-12-02 | 5.0 | None | Remote | Low | Not required | None | Partial | None | In Serendipity before 2.0.5, an attacker can bypass SSRF protection by using a malformed IP address (e.g., http://127.1) or a 30x (aka Redirection) HTTP status code. |
| 9 | CVE-2016-9193 | 20 | | Bypass | 2016-12-13 | 2016-12-22 | 5.0 | None | Remote | Low | Not required | None | Partial | None | A vulnerability in the malicious file detection and blocking features of Cisco Firepower Management Center and Cisco FireSIGHT System Software could allow an unauthenticated, remote attacker to bypass malware detection mechanisms on an affected system. Affected Products: Cisco Firepower Management Center and FireSIGHT System Software are affected when they are configured to use a file policy that has the Block Malware action. More Information: CSCvb27494. Known Affected Releases: 6.0.1.1 6.1.0. |
| 10 | CVE-2016-9183 | 200 | | Sql Bypass +Info | 2016-11-04 | 2016-11-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | In /framework/modules/ecommerce/controllers/orderController.php of Exponent CMS 2.4.0, untrusted input is passed into selectObjectsBySql. The method selectObjectsBySql of class mysqli_database uses the injectProof method to prevent SQL injection, but this filter can be bypassed easily: it only sanitizes user input if it contains an odd number of ' or " characters. Impact is Information Disclosure. |
| 11 | CVE-2016-9182 | 284 | | Bypass | 2016-11-04 | 2016-11-29 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Exponent CMS 2.4 uses PHP reflection to call a method of a controller class, and then uses the method name to check user permission. But the method name in PHP reflection is case insensitive, and Exponent CMS permits undefined actions to execute by default, so an attacker can use a capitalized method name to bypass the permission check, e.g., controller=expHTMLEditor&action=preview&editor=ckeditor and controller=expHTMLEditor&action=Preview&editor=ckeditor. An anonymous user will be rejected for the former but can access the latter. |
| 12 | CVE-2016-9111 | 284 | | Bypass | 2016-11-07 | 2017-09-05 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Incorrect access control mechanisms in Citrix Receiver Desktop Lock 4.5 allow an attacker to bypass the authentication requirement by leveraging physical access to a VDI for temporary disconnection of a LAN cable. NOTE: as of 20161208, the vendor could not reproduce the issue, stating "the researcher was unable to provide us with information that would allow us to confirm the behaviour and, despite extensive investigation on test deployments of supported products, we were unable to reproduce the behaviour as he described. The researcher has also, despite additional requests for information, ceased to respond to us." |
| 13 | CVE-2016-9083 | 190 | | DoS Overflow Mem. Corr. Bypass | 2016-11-27 | 2018-01-04 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | drivers/vfio/pci/vfio_pci.c in the Linux kernel through 4.8.11 allows local users to bypass integer overflow checks, and cause a denial of service (memory corruption) or have unspecified other impact, by leveraging access to a vfio PCI device file for a VFIO_DEVICE_SET_IRQS ioctl call, aka a "state machine confusion bug." |
| 14 | CVE-2016-8867 | 264 | | Bypass | 2016-10-28 | 2017-07-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Docker Engine 1.12.2 enabled ambient capabilities with misconfigured capability policies. This allowed malicious images to bypass user permissions to access files within the container filesystem or mounted volumes. |
| 15 | CVE-2016-8501 | 264 | | Bypass | 2016-10-26 | 2016-12-02 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A Wi-Fi security bypass in Yandex Browser versions 15.10 through 15.12 allows a remote attacker to sniff traffic on open or WEP-protected Wi-Fi networks even when the dedicated protection mechanism is enabled. |
| 16 | CVE-2016-7890 | 254 | | Bypass | 2016-12-15 | 2018-10-12 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Adobe Flash Player versions 23.0.0.207 and earlier, and 11.2.202.644 and earlier, have a security bypass vulnerability in the implementation of the same origin policy. |
| 17 | CVE-2016-7572 | 264 | | Bypass | 2016-10-03 | 2016-10-04 | 4.0 | None | Remote | Low | Single system | Partial | None | None | The system.temporary route in Drupal 8.x before 8.1.10 does not properly check for "Export configuration" permission, which allows remote authenticated users to bypass intended access restrictions and read a full config export via unspecified vectors. |
| 18 | CVE-2016-7444 | 264 | | Bypass | 2016-09-27 | 2018-01-04 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The gnutls_ocsp_resp_check_crt function in lib/x509/ocsp.c in GnuTLS before 3.4.15 and 3.5.x before 3.5.4 does not verify the serial length of an OCSP response, which might allow remote attackers to bypass an intended certificate validation mechanism via vectors involving trailing bytes left by gnutls_malloc. |
| 19 | CVE-2016-7401 | 254 | | Bypass CSRF | 2016-10-03 | 2018-01-04 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The cookie parsing code in Django before 1.8.15 and 1.9.x before 1.9.10, when used on a site with Google Analytics, allows remote attackers to bypass an intended CSRF protection mechanism by setting arbitrary cookies. |
| 20 | CVE-2016-7281 | 254 | | Bypass | 2016-12-20 | 2018-10-12 | 2.6 | None | Remote | High | Not required | None | Partial | None | The Web Workers implementation in Microsoft Internet Explorer 10 and 11 and Microsoft Edge allows remote attackers to bypass the Same Origin Policy via unspecified vectors, aka "Microsoft Browser Security Feature Bypass Vulnerability." |
| 21 | CVE-2016-7271 | 264 | | Bypass | 2016-12-20 | 2018-10-12 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | The Secure Kernel Mode implementation in Microsoft Windows 10 Gold, 1511, and 1607 and Windows Server 2016 allows local users to bypass the virtual trust level (VTL) protection mechanism via a crafted application, aka "Secure Kernel Mode Elevation of Privilege Vulnerability." |
| 22 | CVE-2016-7270 | 310 | | Bypass +Info | 2016-12-20 | 2018-10-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Data Provider for SQL Server in Microsoft .NET Framework 4.6.2 mishandles a developer-supplied key, which allows remote attackers to bypass the Always Encrypted protection mechanism and obtain sensitive cleartext information by leveraging key guessability, aka ".NET Information Disclosure Vulnerability." |
| 23 | CVE-2016-7267 | 20 | | Exec Code Bypass | 2016-12-20 | 2018-10-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Microsoft Excel 2010 SP2, 2013 SP1, 2013 RT SP1, and 2016 misparse file formats, which makes it easier for remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Security Feature Bypass Vulnerability." |
| 24 | CVE-2016-7266 | 20 | | Exec Code Bypass | 2016-12-20 | 2018-10-12 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, Excel Viewer, and Excel 2016 for Mac mishandle a registry check, which allows user-assisted remote attackers to execute arbitrary commands via crafted embedded content in a document, aka "Microsoft Office Security Feature Bypass Vulnerability." |
| 25 | CVE-2016-7262 | 20 | | Exec Code Bypass | 2016-12-20 | 2018-10-12 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, and Excel Viewer allow user-assisted remote attackers to execute arbitrary commands via a crafted cell that is mishandled upon a click, aka "Microsoft Office Security Feature Bypass Vulnerability." |
| 26 | CVE-2016-7247 | 284 | | Bypass | 2016-11-10 | 2018-10-12 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow physically proximate attackers to bypass the Secure Boot protection mechanism via a crafted boot policy, aka "Secure Boot Component Vulnerability." |
| 27 | CVE-2016-7214 | 200 | | Bypass +Info | 2016-11-10 | 2018-10-12 | 2.1 | None | Local | Low | Not required | Partial | None | None | The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to bypass the ASLR protection mechanism via a crafted application, aka "Win32k Information Disclosure Vulnerability." |
| 28 | CVE-2016-7199 | 200 | | Bypass +Info | 2016-11-10 | 2018-10-12 | 2.6 | None | Remote | High | Not required | Partial | None | None | Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to bypass the Same Origin Policy and obtain sensitive window-state information via a crafted web site, aka "Microsoft Browser Information Disclosure Vulnerability." |
| 29 | CVE-2016-7191 | 287 | | Bypass | 2016-09-28 | 2017-07-29 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The Microsoft Azure Active Directory Passport (aka Passport-Azure-AD) library 1.x before 1.4.6 and 2.x before 2.0.1 for Node.js does not recognize the validateIssuer setting, which allows remote attackers to bypass authentication via a crafted token. |
| 30 | CVE-2016-7098 | 362 | | Bypass | 2016-09-26 | 2017-09-02 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Race condition in wget 1.17 and earlier, when used in recursive or mirroring mode to download a single file, might allow remote servers to bypass intended access list restrictions by keeping an HTTP connection open. |
| 31 | CVE-2016-7034 | 352 | | Bypass CSRF | 2016-09-07 | 2018-02-14 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The dashbuilder in Red Hat JBoss BPM Suite 6.3.2 does not properly handle CSRF tokens generated during an active session and includes them in query strings, which makes it easier for remote attackers to (1) bypass CSRF protection mechanisms or (2) conduct cross-site request forgery (CSRF) attacks by obtaining an old token. |
| 32 | CVE-2016-6958 | 284 | | Bypass | 2016-10-13 | 2017-07-29 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC Classic before 15.006.30243, and Acrobat and Acrobat Reader DC Continuous before 15.020.20039 on Windows and OS X allow attackers to bypass intended access restrictions via unspecified vectors. |
| 33 | CVE-2016-6957 | 254 | | Bypass | 2016-10-13 | 2017-07-29 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Adobe Reader and Acrobat before 11.0.18, Acrobat and Acrobat Reader DC Classic before 15.006.30243, and Acrobat and Acrobat Reader DC Continuous before 15.020.20039 on Windows and OS X allow attackers to bypass JavaScript API execution restrictions via unspecified vectors. |
| 34 | CVE-2016-6802 | 284 | | Bypass | 2016-09-20 | 2018-10-09 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path. |
| 35 | CVE-2016-6719 | 284 | | Bypass | 2016-11-25 | 2016-12-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An elevation of privilege vulnerability in the Bluetooth component in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-11-01, and 7.0 before 2016-11-01 could enable a local malicious application to pair with any Bluetooth device without user consent. This issue is rated as Moderate because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission). Android ID: A-29043989. |
| 36 | CVE-2016-6718 | 200 | | Bypass +Info | 2016-11-25 | 2016-12-06 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | An elevation of privilege vulnerability in the Account Manager Service in Android 7.0 before 2016-11-01 could enable a local malicious application to retrieve sensitive information without user interaction. This issue is rated as Moderate because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission). Android ID: A-30455516. |
| 37 | CVE-2016-6716 | 284 | | Bypass | 2016-11-25 | 2016-12-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An elevation of privilege vulnerability in the AOSP Launcher in Android 7.0 before 2016-11-01 could allow a local malicious application to create shortcuts that have elevated privileges without the user's consent. This issue is rated as Moderate because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission). Android ID: A-30778130. |
| 38 | CVE-2016-6715 | 284 | | Bypass | 2016-11-25 | 2016-12-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | An elevation of privilege vulnerability in the Framework APIs in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-11-01, and 7.0 before 2016-11-01 could allow a local malicious application to record audio without the user's permission. This issue is rated as Moderate because it is a local bypass of user interaction requirements (access to functionality that would normally require either user initiation or user permission). Android ID: A-29833954. |
| 39 | CVE-2016-6710 | 200 | | Bypass +Info | 2016-11-25 | 2019-05-30 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | An information disclosure vulnerability in the download manager in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-11-01, and 7.0 before 2016-11-01 could enable a local malicious application to bypass operating system protections that isolate application data from other applications. This issue is rated as High because it could be used to gain access to data that the application does not have access to. Android ID: A-30537115. |
| 40 | CVE-2016-6708 | 284 | | Bypass | 2016-11-25 | 2016-12-06 | 2.1 | None | Local | Low | Not required | None | Partial | None | An elevation of privilege vulnerability in the System UI in Android 7.0 before 2016-11-01 could enable a local malicious user to bypass the security prompt of a work profile in Multi-Window mode. This issue is rated as High because it is a local bypass of user interaction requirements for any developer or security setting modifications. Android ID: A-30693465. |
| 41 | CVE-2016-6662 | 264 | | Exec Code Bypass | 2016-09-20 | 2019-06-03 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. NOTE: the affected MySQL version information is from Oracle's October 2016 CPU. Oracle has not commented on third-party claims that the issue was silently patched in MySQL 5.5.52, 5.6.33, and 5.7.15. |
| 42 | CVE-2016-6629 | 254 | | Bypass | 2016-12-10 | 2017-06-30 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | An issue was discovered in phpMyAdmin involving the $cfg['ArbitraryServerRegexp'] configuration directive. An attacker could reuse certain cookie values in a way that bypasses the server restrictions defined by ArbitraryServerRegexp. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
| 43 | CVE-2016-6623 | 20 | | Bypass | 2016-12-10 | 2017-06-30 | 4.0 | None | Remote | Low | Single system | None | None | Partial | An issue was discovered in phpMyAdmin. An authorized user can cause a denial of service (DoS) on the server by passing large values to a loop. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected. |
| 44 | CVE-2016-6536 | 264 | | Bypass | 2016-09-18 | 2016-11-28 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The /setup URI on AVer Information EH6108H+ devices with firmware X9.03.24.00.07l allows remote attackers to bypass intended page-access restrictions or modify passwords by leveraging knowledge of a handle parameter value. |
| 45 | CVE-2016-6474 | 287 | | Bypass | 2016-12-13 | 2017-01-05 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | A vulnerability in the implementation of X.509 Version 3 for SSH authentication functionality in Cisco IOS and IOS XE Software could allow an unauthenticated, remote attacker to bypass authentication on an affected system. More Information: CSCuv89417. Known Affected Releases: 15.5(2.25)T. Known Fixed Releases: 15.2(4)E1 15.2(4)E2 15.2(4)E3 15.2(4)EA4 15.2(4.0r)EB 15.2(4.1.27)EB 15.2(4.4.2)EA4 15.2(4.7.1)EC 15.2(4.7.2)EC 15.2(5.1.1)E 15.2(5.5.63)E 15.2(5.5.64)E 15.4(1)IA1.80 15.5(3)M1.1 15.5(3)M2 15.5(3)S1.4 15.5(3)S2 15.6(0.22)S0.12 15.6(1)T0.1 15.6(1)T1 15.6(1.15)T 15.6(1.17)S0.7 15.6(1.17)SP 15.6(1.22.1a)T0 15.6(2)S 15.6(2)SP 16.1(1.24) 16.1.2 16.2(0.247) 16.3(0.11) 3.8(1)E Denali-16.1.2. |
| 46 | CVE-2016-6465 | 20 | | Bypass | 2016-12-13 | 2017-01-05 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | A vulnerability in the content filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances and Cisco Web Security Appliances could allow an unauthenticated, remote attacker to bypass user filters that are configured for an affected device. Affected Products: This vulnerability affects all releases prior to the first fixed release of Cisco AsyncOS Software for both virtual and hardware versions of the following Cisco products: Cisco Email Security Appliances (ESAs) that are configured to use message or content filters that scan incoming email attachments; Cisco Web Security Appliances (WSAs) that are configured to use services that scan accessed web content. More Information: CSCva90076, CSCvb06764. Known Affected Releases: 10.0.0-125 8.5.7-042 9.7.2-047. |
| 47 | CVE-2016-6463 | 20 | | Bypass | 2016-11-18 | 2016-11-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A vulnerability in the email filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to bypass Advanced Malware Protection (AMP) filters that are configured for an affected device. This vulnerability affects all releases prior to the first fixed release of Cisco AsyncOS Software for both virtual and hardware versions of Cisco Email Security Appliances, if the AMP feature is configured to scan incoming email attachments. More Information: CSCuz85823. Known Affected Releases: 10.0.0-082 9.7.0-125 9.7.1-066. Known Fixed Releases: 10.0.0-203 9.7.2-131. |
| 48 | CVE-2016-6462 | 20 | | Bypass | 2016-11-18 | 2017-07-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None | A vulnerability in the email filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to bypass Advanced Malware Protection (AMP) filters that are configured for an affected device. This vulnerability affects all releases prior to the first fixed release of Cisco AsyncOS Software for both virtual and hardware versions of Cisco Email Security Appliances, if the AMP feature is configured to scan incoming email attachments. More Information: CSCva13456. Known Affected Releases: 10.0.0-082 10.0.0-125 9.7.1-066. Known Fixed Releases: 10.0.0-203 9.7.2-131. |
| 49 | CVE-2016-6460 | 254 | | Bypass | 2016-11-18 | 2016-12-06 | 5.0 | None | Remote | Low | Not required | None | Partial | None | A vulnerability in the FTP Representational State Transfer Application Programming Interface (REST API) for Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass FTP malware detection rules and download malware over an FTP connection. Cisco Firepower System Software is affected when the device has a file policy with malware block configured for FTP connections. More Information: CSCuv36188 CSCuy91156. Known Affected Releases: 5.4.0.2 5.4.1.1 5.4.1.6 6.0.0 6.1.0 6.2.0. Known Fixed Releases: 6.0.0. |
| 50 | CVE-2016-6458 | 20 | | Bypass | 2016-11-18 | 2017-07-28 | 5.0 | None | Remote | Low | Not required | None | Partial | None | A vulnerability in the content filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances could allow an unauthenticated, remote attacker to bypass content filters configured on an affected device. Email that should have been filtered could instead be forwarded by the device. This vulnerability affects all releases prior to the first fixed release of Cisco AsyncOS Software for Cisco Email Security Appliances, both virtual and hardware appliances, if the software is configured to use a content filter for email attachments that are protected or encrypted. More Information: CSCva52546. Known Affected Releases: 10.0.0-125 9.7.1-066. |
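Row 6 (CVE-2016-9849) is an instance of a recurring pattern: an allow/deny check compares the raw username string, while the component that actually authenticates treats the name as a C string and stops at the first NUL byte, so `root\x00anything` slips past a rule written for `root`. The following is an added illustration of that pattern, not phpMyAdmin code; the deny list, the `ALLOW_ROOT` flag standing in for `$cfg['Servers'][$i]['AllowRoot']`, and the function names are assumptions made for the demonstration.

```python
"""Allow/deny check on a username, vulnerable vs. hardened (added example,
modelled on the bug class in CVE-2016-9849; not phpMyAdmin code)."""

DENIED_USERS = {"root", "admin"}  # assumption: operator-configured deny rules
ALLOW_ROOT = False                # stands in for $cfg['Servers'][$i]['AllowRoot']


def backend_login_name(username: str) -> str:
    """Model of a backend that handles the username as a C string:
    everything after the first NUL byte is invisible to it."""
    nul = username.find("\x00")
    return username if nul < 0 else username[:nul]


def is_login_allowed_vulnerable(username: str) -> bool:
    """Compares the raw string the client sent. 'root\\x00x' != 'root', so
    both the AllowRoot check and the deny rule miss, yet the backend will
    authenticate the account 'root'."""
    if not ALLOW_ROOT and username == "root":
        return False
    return username not in DENIED_USERS


def is_login_allowed_fixed(username: str) -> bool:
    """Two independent defences: reject control characters outright, and
    evaluate the rules against the name the backend will actually see."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in username):
        return False
    effective = backend_login_name(username)
    if not ALLOW_ROOT and effective == "root":
        return False
    return effective not in DENIED_USERS


def demo() -> dict:
    crafted = "root\x00ignored"   # constructed attacker-supplied username
    return {
        "backend_sees": backend_login_name(crafted),
        "vulnerable_allows": is_login_allowed_vulnerable(crafted),
        "fixed_allows": is_login_allowed_fixed(crafted),
        "fixed_allows_alice": is_login_allowed_fixed("alice"),
    }


if __name__ == "__main__":
    print(demo())
```

The general rule this demonstrates: canonicalise the value to whatever the downstream consumer will interpret before applying a security decision to it, and reject anything (NUL, other control bytes) that the two layers might interpret differently.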
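Row 8 (CVE-2016-9752) names the two classic ways an SSRF deny list fails: an address literal written in a form the string check does not recognise (`http://127.1`), and a redirect that moves an already-approved request onto an internal target. The added example below is not Serendipity code; it simulates the HTTP layer offline with a constructed redirect table (the URLs and the 93.184.216.34 literal are made up for the demonstration) and contrasts a string-matching check with one that canonicalises the address and re-checks every hop.

```python
"""SSRF target check, vulnerable vs. hardened (added example modelled on
CVE-2016-9752; not Serendipity code). The network is simulated."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed stand-in for real HTTP responses:
#   URL -> Location header of a 30x response, or None for a 200 response.
FAKE_REDIRECTS = {
    "http://93.184.216.34/img.png": "http://169.254.169.254/latest/meta-data/",
    "http://169.254.169.254/latest/meta-data/": None,
    "http://127.1/": None,
    "http://93.184.216.34/ok.png": None,
}


def is_blocked_vulnerable(url: str) -> bool:
    """Literal string comparison: '127.1' is not '127.0.0.1', so it passes."""
    host = urlsplit(url).hostname or ""
    return host in ("localhost", "127.0.0.1")


def resolve_literal(host: str) -> ipaddress.IPv4Address:
    """Canonicalise shorthand IPv4 literals such as '127.1' the way the C
    resolver does, via inet_aton. Real hostnames would need a DNS lookup;
    this offline example only handles literals and fails closed otherwise."""
    return ipaddress.IPv4Address(socket.inet_aton(host))


def is_blocked_fixed(url: str) -> bool:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return True
    try:
        addr = resolve_literal(parts.hostname)
    except OSError:
        return True  # not a literal we can canonicalise: fail closed
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def fetch_vulnerable(url: str) -> str:
    """Checks the first URL only, then follows redirects blindly."""
    if is_blocked_vulnerable(url):
        return "blocked"
    while FAKE_REDIRECTS.get(url) is not None:
        url = FAKE_REDIRECTS[url]
    return f"fetched {url}"


def fetch_fixed(url: str, max_hops: int = 3) -> str:
    """Applies the canonicalising check to every hop of the redirect chain
    and gives up after a bounded number of redirects."""
    for _ in range(max_hops + 1):
        if is_blocked_fixed(url):
            return "blocked"
        nxt = FAKE_REDIRECTS.get(url)
        if nxt is None:
            return f"fetched {url}"
        url = nxt
    return "blocked"


if __name__ == "__main__":
    for u in ("http://127.1/", "http://93.184.216.34/img.png"):
        print(u, "|", fetch_vulnerable(u), "|", fetch_fixed(u))
```

Two caveats for a real implementation. `ipaddress`'s `is_private` also covers the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and 0.0.0.0/8, which is why a genuinely routable literal is used above. And when the host is a name rather than a literal, checking the resolved address and then letting the HTTP client resolve it again is a time-of-check/time-of-use gap (DNS rebinding); the fix is to connect to the address you checked rather than to the name.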
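Row 10 (CVE-2016-9183) describes a sanitiser that only escapes a value when it contains an odd number of quote characters, so any payload with balanced quotes reaches the database untouched. The added example below reproduces that flawed idea against an in-memory SQLite table and puts it beside the parameterised query that removes the problem entirely. It is not Exponent CMS code; the schema, the exact escaping performed by the model of `injectProof`, and both payloads are constructed for the demonstration.

```python
"""Odd-quote-count SQL filter vs. parameterised query (added example modelled
on CVE-2016-9183; not Exponent CMS code)."""
import sqlite3


def inject_proof(value: str) -> str:
    """Model of the weakness: escape quotes only when they are unbalanced.
    A payload with an even number of quotes is returned verbatim."""
    if value.count("'") % 2 == 1 or value.count('"') % 2 == 1:
        return value.replace("'", "''").replace('"', '""')
    return value


def make_db() -> sqlite3.Connection:
    """Constructed sample table: three orders owned by three users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, owner TEXT, total REAL)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",
                     [(1, "alice", 10.0), (2, "bob", 20.0), (3, "carol", 30.0)])
    return conn


def orders_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Filter-then-concatenate: data and SQL share one string."""
    sql = (f"SELECT id FROM orders WHERE owner = '{inject_proof(owner)}' "
           f"ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def orders_fixed(conn: sqlite3.Connection, owner: str) -> list:
    """Bound parameter: the driver never lets the value alter the statement."""
    rows = conn.execute(
        "SELECT id FROM orders WHERE owner = ? ORDER BY id", (owner,))
    return [row[0] for row in rows]


# Constructed payloads. ODD_PAYLOAD carries one quote, so the filter escapes
# it and the query matches nothing. EVEN_PAYLOAD carries four quotes, passes
# through unchanged, and turns the WHERE clause into a tautology.
ODD_PAYLOAD = "x' OR 1=1 --"
EVEN_PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    conn = make_db()
    return {
        "vuln_odd": orders_vulnerable(conn, ODD_PAYLOAD),
        "vuln_even": orders_vulnerable(conn, EVEN_PAYLOAD),
        "fixed_even": orders_fixed(conn, EVEN_PAYLOAD),
        "fixed_legit": orders_fixed(conn, "bob"),
    }


if __name__ == "__main__":
    print(demo())
```

The point is not the specific quote arithmetic but that any escaping filter has to be correct for every input, whereas a bound parameter is correct by construction; when reviewing code like `selectObjectsBySql`, look for the concatenation, not for the quality of the filter in front of it.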
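Row 11 (CVE-2016-9182) combines two defects: the method is resolved case-insensitively but the permission lookup keys on the exact string the client sent, and an action with no permission entry is allowed by default. The added example below models that dispatcher in Python with a case-insensitive lookup standing in for PHP reflection. It is not Exponent CMS code; the controller, its methods, the role names and the permission table are assumptions, and the fix shown (authorise on the canonical method name, deny by default) is the general remedy rather than a description of the project's patch.

```python
"""Case-insensitive method dispatch vs. case-sensitive authorisation
(added example modelled on CVE-2016-9182; not Exponent CMS code)."""
import inspect


class ExpHTMLEditor:
    """Hypothetical controller; only `preview` is meant to be restricted."""

    def preview(self, editor: str) -> str:
        return f"preview with {editor}"

    def index(self) -> str:
        return "index"


# Assumption: permission table keyed by action name. An action absent from
# the table is "undefined" and, in the vulnerable design, permitted by default.
PERMISSIONS = {"preview": {"editor"}, "index": {"anonymous", "editor"}}


def resolve_method_case_insensitive(controller, action: str):
    """Stand-in for PHP reflection: method names match regardless of case.
    Returns (canonical_name, bound_method) or (None, None)."""
    for name, member in inspect.getmembers(controller, callable):
        if not name.startswith("_") and name.lower() == action.lower():
            return name, member
    return None, None


def dispatch_vulnerable(controller, action: str, role: str, **kwargs):
    name, method = resolve_method_case_insensitive(controller, action)
    if method is None:
        raise LookupError(action)
    # Bug 1: the permission is looked up with the client-supplied spelling.
    # Bug 2: no entry in the table means "allowed".
    allowed_roles = PERMISSIONS.get(action)
    if allowed_roles is not None and role not in allowed_roles:
        raise PermissionError(action)
    return method(**kwargs)


def dispatch_fixed(controller, action: str, role: str, **kwargs):
    name, method = resolve_method_case_insensitive(controller, action)
    if method is None:
        raise LookupError(action)
    # Fix 1: authorise on the canonical method name that will actually run.
    # Fix 2: deny by default when no permission entry exists.
    allowed_roles = PERMISSIONS.get(name)
    if allowed_roles is None or role not in allowed_roles:
        raise PermissionError(name)
    return method(**kwargs)


def probe(dispatcher, action: str, role: str = "anonymous") -> str:
    """Return 'allowed' or 'denied' for a dispatcher/action/role triple."""
    try:
        dispatcher(ExpHTMLEditor(), action, role, editor="ckeditor")
        return "allowed"
    except PermissionError:
        return "denied"


if __name__ == "__main__":
    for act in ("preview", "Preview"):
        print(act, probe(dispatch_vulnerable, act), probe(dispatch_fixed, act))
```

The same mismatch appears wherever two components normalise a name differently (case-folding file systems behind case-sensitive path rules, Unicode-aware routers in front of byte-comparing ACLs): the authorisation decision has to be made on the identifier the executing layer will use, after the same normalisation.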
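Row 18 (CVE-2016-7444) is a length-check omission: the OCSP response's serial number was compared against the certificate's serial for the certificate's length only, so a response serial carrying extra trailing bytes still "matched". The added example below shows the two comparison styles on constructed serial values; it is not GnuTLS code and the function names are assumptions.

```python
"""Serial-number matching with and without a length check (added example
modelled on CVE-2016-7444; not GnuTLS code)."""
import hmac


def serial_matches_vulnerable(cert_serial: bytes, resp_serial: bytes) -> bool:
    """memcmp over len(cert_serial) bytes only: a response serial that merely
    starts with the certificate serial, or carries trailing garbage, passes."""
    return resp_serial[:len(cert_serial)] == cert_serial


def serial_matches_fixed(cert_serial: bytes, resp_serial: bytes) -> bool:
    """Lengths must agree and every byte is compared (constant time, since
    this runs on attacker-influenced input)."""
    return (len(cert_serial) == len(resp_serial)
            and hmac.compare_digest(cert_serial, resp_serial))


def find_response_for(cert_serial: bytes, responses: dict, matcher) -> str:
    """Pick the single-response status that applies to `cert_serial` from a
    constructed set of OCSP single responses keyed by their serial bytes."""
    for resp_serial, status in responses.items():
        if matcher(cert_serial, resp_serial):
            return status
    return "unknown"


# Constructed data: the certificate under test, and a set of single responses
# in which only an unrelated certificate (whose serial extends ours by one
# byte) is marked good.
CERT_SERIAL = bytes.fromhex("01a2b3")
RESPONSES = {
    bytes.fromhex("01a2b3ff"): "good",    # different certificate
    bytes.fromhex("7777"): "revoked",
}


def demo() -> dict:
    return {
        "vulnerable": find_response_for(CERT_SERIAL, RESPONSES, serial_matches_vulnerable),
        "fixed": find_response_for(CERT_SERIAL, RESPONSES, serial_matches_fixed),
    }


if __name__ == "__main__":
    print(demo())
```

In real OCSP handling the serial is a DER INTEGER inside the CertID, so in addition to the length check the parser must reject non-minimal encodings (leading zero padding) that would otherwise let two different byte strings denote the same integer.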
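Row 29 (CVE-2016-7191) is a token-validation option that existed in the configuration surface but was never consulted: a correctly signed token issued for a different tenant still carried a valid signature, and only the issuer claim distinguished it. The added example below models that in Python with a minimal HS256 JWT so the whole flow runs offline; it is not passport-azure-ad code, which validates RS256 tokens against the tenant's published keys. Using one shared signing key for both tenants mirrors the relevant property of the real setting (same trusted signer, different `iss`). Tenant identifiers, audience, subjects and the key are constructed.

```python
"""JWT validation with an ignored vs. enforced validateIssuer option (added
example modelled on CVE-2016-7191; not passport-azure-ad code)."""
import base64
import hashlib
import hmac
import json
import time

SHARED_KEY = b"constructed-demo-key"   # stands in for the trusted signing key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Issue a compact HS256 JWT over `claims` (constructed issuer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def _verify_signature_and_decode(token: str, key: bytes) -> dict:
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) < time.time():
        raise ValueError("expired")
    return claims


def validate_vulnerable(token: str, options: dict, key: bytes = SHARED_KEY) -> dict:
    """Accepts `options` but never reads validateIssuer: any token signed by
    the trusted key is accepted, whichever tenant issued it."""
    return _verify_signature_and_decode(token, key)


def validate_fixed(token: str, options: dict, key: bytes = SHARED_KEY) -> dict:
    claims = _verify_signature_and_decode(token, key)
    if options.get("validateIssuer", True):    # default to checking, not skipping
        if claims.get("iss") not in options.get("issuer", ()):
            raise ValueError(f"untrusted issuer {claims.get('iss')!r}")
    if claims.get("aud") != options.get("audience"):
        raise ValueError("wrong audience")
    return claims


def outcome(validator, token: str, options: dict) -> str:
    try:
        return "accepted:" + validator(token, options)["sub"]
    except ValueError as err:
        return "rejected:" + str(err)


OPTIONS = {
    "validateIssuer": True,
    "issuer": ["https://sts.windows.net/tenant-a/"],   # constructed
    "audience": "api://demo-app",                       # constructed
}


def demo() -> dict:
    exp = int(time.time()) + 600
    good = mint_token({"iss": "https://sts.windows.net/tenant-a/",
                       "aud": "api://demo-app", "sub": "alice", "exp": exp})
    foreign = mint_token({"iss": "https://sts.windows.net/tenant-b/",
                          "aud": "api://demo-app", "sub": "mallory", "exp": exp})
    return {
        "vulnerable_foreign": outcome(validate_vulnerable, foreign, OPTIONS),
        "fixed_foreign": outcome(validate_fixed, foreign, OPTIONS),
        "fixed_good": outcome(validate_fixed, good, OPTIONS),
    }


if __name__ == "__main__":
    print(demo())
```

When auditing a token-validation library, test the negative path for each option you rely on: mint a token that violates only that one property and confirm it is rejected. A setting that is accepted without effect is indistinguishable from one that works until you do.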