본문 바로가기
IT 와 Social 이야기

[US-CERT: Bulletin(SB16-116)] 2016년 4월 18일까지 발표된 보안 취약점

by manga0713 2016. 5. 2.

 

 

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
cisco -- adaptive_security_appliance_software The encryption-processing feature in Cisco libSRTP before 1.5.3 allows remote attackers to cause a denial of service via crafted fields in SRTP packets, aka Bug ID CSCux00686. 2016-04-21 7.8 CVE-2015-6360
CISCO(link is external)
cisco -- unified_computing_system_platform_emulator Cisco Unified Computing System (UCS) Platform Emulator 2.5(2)TS4, 3.0(2c)A, and 3.0(2c)TS9 allows local users to gain privileges via crafted arguments on a ucspe-copy command line, aka Bug ID CSCux68832. 2016-04-15 7.2 CVE-2016-1339
CISCO(link is external)
cisco -- unified_computing_system_platform_emulator Heap-based buffer overflow in Cisco Unified Computing System (UCS) Platform Emulator 2.5(2)TS4, 3.0(2c)A, and 3.0(2c)TS9 allows local users to gain privileges via crafted libclimeta.so filename arguments, aka Bug ID CSCux68837. 2016-04-15 7.2 CVE-2016-1340
CISCO(link is external)
dhcpcd_project -- dhcpcd dhcpcd before 6.10.0, as used in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 and other products, mismanages option lengths, which allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a malformed DHCP response, aka internal bug 26461634. 2016-04-17 10.0 CVE-2016-1503
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
emc -- unisphere An HTTP servlet in vApp Manager in EMC Unisphere for VMAX Virtual Appliance before 8.2.0 allows remote attackers to write to arbitrary files via a crafted pathname. 2016-04-15 10.0 CVE-2016-0889
BUGTRAQ
gnu -- glibc Multiple stack-based buffer overflows in the GNU C Library (aka glibc or libc6) before 2.23 allow context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long argument to the (1) nan, (2) nanf, or (3) nanl function. 2016-04-19 7.5 CVE-2014-9761
MLIST
CONFIRM
MLIST(link is external)
MLIST(link is external)
SUSE
SUSE
SUSE
SUSE
SUSE
gnu -- glibc Integer overflow in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via the size argument to the __hcreate_r function, which triggers out-of-bounds heap-memory access. 2016-04-19 7.5 CVE-2015-8778
MLIST
CONFIRM
MLIST(link is external)
MLIST(link is external)
DEBIAN
SUSE
SUSE
SUSE
SUSE
SUSE
gnu -- glibc Stack-based buffer overflow in the catopen function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long catalog name. 2016-04-19 7.5 CVE-2015-8779
MLIST
CONFIRM
MLIST(link is external)
MLIST(link is external)
DEBIAN
SUSE
SUSE
SUSE
SUSE
SUSE
google -- android An unspecified media codec in mediaserver in Android 6.x before 2016-04-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 26220548. 2016-04-17 10.0 CVE-2016-0834
CONFIRM(link is external)
google -- android decoder/impeg2d_dec_hdr.c in mediaserver in Android 6.x before 2016-04-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file that triggers a certain negative value, aka internal bug 26070014. 2016-04-17 10.0 CVE-2016-0835
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- android Stack-based buffer overflow in decoder/impeg2d_vld.c in mediaserver in Android 6.x before 2016-04-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 25812590. 2016-04-17 10.0 CVE-2016-0836
CONFIRM(link is external)
CONFIRM(link is external)
google -- android MPEG4Extractor.cpp in libstagefright in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read and memory corruption) via a crafted media file, aka internal bug 27208621. 2016-04-17 10.0 CVE-2016-0837
CONFIRM(link is external)
CONFIRM(link is external)
google -- android Sonivox in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not check for a negative number of samples, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, related to arm-wt-22k/lib_src/eas_wtengine.c and arm-wt-22k/lib_src/eas_wtsynth.c, aka internal bug 26366256. 2016-04-17 10.0 CVE-2016-0838
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- android post_proc/volume_listener.c in mediaserver in Android 6.x before 2016-04-01 mishandles deleted effect context, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 25753245. 2016-04-17 10.0 CVE-2016-0839
CONFIRM(link is external)
CONFIRM(link is external)
google -- android Multiple stack-based buffer underflows in decoder/ih264d_parse_cavlc.c in mediaserver in Android 6.x before 2016-04-01 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 26399350. 2016-04-17 10.0 CVE-2016-0840
CONFIRM(link is external)
CONFIRM(link is external)
google -- android media/libmedia/mediametadataretriever.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 mishandles cleared service binders, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 26040840. 2016-04-17 10.0 CVE-2016-0841
CONFIRM(link is external)
CONFIRM(link is external)
google -- android The H.264 decoder in libstagefright in Android 6.x before 2016-04-01 mishandles Memory Management Control Operation (MMCO) data, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 25818142. 2016-04-17 10.0 CVE-2016-0842
CONFIRM(link is external)
CONFIRM(link is external)
google -- android The Qualcomm ARM processor performance-event manager in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application, aka internal bug 25801197. 2016-04-17 7.2 CVE-2016-0843
CONFIRM(link is external)
google -- android The Qualcomm RF driver in Android 6.x before 2016-04-01 does not properly restrict access to socket ioctl calls, which allows attackers to gain privileges via a crafted application, aka internal bug 26324307. 2016-04-17 7.2 CVE-2016-0844
CONFIRM(link is external)
CONFIRM(link is external)
google -- android libs/binder/IMemory.cpp in the IMemory Native Interface in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider the heap size, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26877992. 2016-04-17 7.2 CVE-2016-0846
CONFIRM(link is external)
CONFIRM(link is external)
google -- android The Telecom Component in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to spoof the originating telephone number of a call via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26864502. 2016-04-17 7.2 CVE-2016-0847
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
google -- android Race condition in Download Manager in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to bypass private-storage file-access restrictions via a crafted application that changes a symlink target, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26211054. 2016-04-17 7.2 CVE-2016-0848
CONFIRM(link is external)
CONFIRM(link is external)
google -- android Multiple integer overflows in minzip/SysUtil.c in the Recovery Procedure in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allow attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26960931. 2016-04-17 7.2 CVE-2016-0849
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome The LoadBuffer implementation in Google V8, as used in Google Chrome before 50.0.2661.75, mishandles data types, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code that triggers an out-of-bounds write operation, related to compiler/pipeline.cc and compiler/simplified-lowering.cc. 2016-04-18 9.3 CVE-2016-1653
CONFIRM(link is external)
CONFIRM
CONFIRM(link is external)
google -- chrome Google Chrome before 50.0.2661.75 does not properly consider that frame removal may occur during callback execution, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted extension. 2016-04-18 7.5 CVE-2016-1655
CONFIRM(link is external)
CONFIRM
CONFIRM(link is external)
google -- chrome Multiple unspecified vulnerabilities in Google Chrome before 50.0.2661.75 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. 2016-04-18 10.0 CVE-2016-1659
CONFIRM(link is external)
CONFIRM(link is external)
google -- android A Texas Instruments (TI) haptic kernel driver in Android 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application that leverages control over a service that can call this driver, aka internal bug 25981545. 2016-04-17 9.3 CVE-2016-2409
CONFIRM(link is external)
google -- android A Qualcomm Power Management kernel driver in Android 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application that leverages root access, aka internal bug 26866053. 2016-04-17 9.3 CVE-2016-2411
CONFIRM(link is external)
google -- android include/core/SkPostConfig.h in Skia, as used in System_server in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01, mishandles certain crashes, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26593930. 2016-04-17 9.3 CVE-2016-2412
CONFIRM(link is external)
CONFIRM(link is external)
google -- android media/libmedia/IOMX.cpp in mediaserver in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not initialize a handle pointer, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26403627. 2016-04-17 9.3 CVE-2016-2413
CONFIRM(link is external)
CONFIRM(link is external)
google -- android exchange/eas/EasAutoDiscover.java in the Autodiscover implementation in Exchange ActiveSync in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows attackers to obtain sensitive information via a crafted application that triggers a spoofed response to a GET request, aka internal bug 26488455. 2016-04-17 7.1 CVE-2016-2415
CONFIRM(link is external)
CONFIRM(link is external)
google -- android media/libmedia/IOMX.cpp in mediaserver in Android 6.x before 2016-04-01 does not initialize certain metadata buffer pointers, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26324358. 2016-04-17 10.0 CVE-2016-2418
CONFIRM(link is external)
CONFIRM(link is external)
google -- android rootdir/init.rc in Android 4.x before 4.4.4 does not ensure that the /data/tombstones directory exists for the Debuggerd component, which allows attackers to gain privileges via a crafted application, aka internal bug 26403620. 2016-04-17 9.3 CVE-2016-2420
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
juniper -- screenos The administrative web services interface in Juniper ScreenOS before 6.3.0r21 allows remote attackers to cause a denial of service (reboot) via a crafted SSL packet. 2016-04-15 7.8 CVE-2016-1268
CONFIRM(link is external)
juniper -- junos Juniper Junos OS before 12.1X44-D60, 12.1X46 before 12.1X46-D40, 12.1X47 before 12.1X47-D30, 12.3 before 12.3R11, 12.3X48 before 12.3X48-D20, 13.2 before 13.2R9, 13.2X51 before 13.2X51-D39, 13.3 before 13.3R8, 14.1 before 14.1R6, 14.1X53 before 14.1X53-D30, 14.2 before 14.2R4-S1, 15.1 before 15.1R2, 15.1X49 before 15.1X49-D30, and 16.1 before 16.1R1 allow remote attackers to cause a denial of service (socket consumption) via crafted TCP timestamps. 2016-04-15 7.8 CVE-2016-1269
CONFIRM(link is external)
juniper -- junos Juniper Junos OS before 12.1X46-D45, 12.1X47 before 12.1X47-D30, 12.3 before 12.3R11, 12.3X48 before 12.3X48-D25, 13.2 before 13.2R8, 13.3 before 13.3R7, 14.1 before 14.1R6, 14.2 before 14.2R4, 15.1 before 15.1R1 or 15.1F2, and 15.1X49 before 15.1X49-D15 allow local users to gain privileges via crafted combinations of CLI commands and arguments, a different vulnerability than CVE-2015-3003, CVE-2014-3816, and CVE-2014-0615. 2016-04-15 7.2 CVE-2016-1271
CONFIRM(link is external)
juniper -- junos Juniper Junos OS 14.1X53 before 14.1X53-D30 on QFX Series switches allows remote attackers to cause a denial of service (PFE panic) via a high rate of unspecified VXLAN packets. 2016-04-15 7.8 CVE-2016-1274
CONFIRM(link is external)
Fedora -- latex2rtf Format string vulnerability in the CmdKeywords function in funct1.c in latex2rtf before 2.3.10 allows remote attackers to execute arbitrary code via format string specifiers in the \keywords command in a crafted TeX file. 2016-04-18 9.3 CVE-2015-8106
CONFIRM(link is external)
CONFIRM(link is external)
MLIST(link is external)
FEDORA
FEDORA
FEDORA
linuxfoundation -- foomatic-filters Heap-based buffer overflow in the unhtmlify function in foomatic-rip in foomatic-filters before 4.0.6 allows remote attackers to cause a denial of service (memory corruption and crash) or possibly execute arbitrary code via a long job title. 2016-04-15 7.5 CVE-2010-5325
CONFIRM
CONFIRM(link is external)
CONFIRM
MLIST(link is external)
MLIST(link is external)
REDHAT(link is external)
novell -- opensuse Heap-based buffer overflow in the gdk_pixbuf_flip function in gdk-pixbuf-scale.c in gdk-pixbuf 2.30.x allows remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted BMP file. 2016-04-18 9.3 CVE-2015-7552
CONFIRM(link is external)
SUSE
optipng -- optipng Use-after-free vulnerability in OptiPNG 0.6.4 allows remote attackers to execute arbitrary code via a crafted PNG file. 2016-04-20 9.3 CVE-2015-7801
CONFIRM(link is external)
UBUNTU(link is external)
MLIST(link is external)
oracle -- weblogic_server Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, 12.1.3, and 12.2.1 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Java Messaging Service. 2016-04-21 7.5 CVE-2016-0638
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.11 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Pluggable Authentication. 2016-04-21 10.0 CVE-2016-0639
CONFIRM(link is external)
panda -- panda_security_url_filtering Panda Security URL Filtering before 4.3.1.9 uses a weak ACL for the "Panda Security URL Filtering" directory and installed files, which allows local users to gain SYSTEM privileges by modifying Panda_URL_Filteringb.exe. 2016-04-18 7.2 CVE-2015-7378
EXPLOIT-DB(link is external)
FULLDISC
MISC(link is external)
panda -- panda_endpoint_administration_agent Panda Endpoint Administration Agent before 7.50.00, as used in Panda Security for Business products for Windows, uses a weak ACL for the Panda Security/WaAgent directory and sub-directories, which allows local users to gain SYSTEM privileges by modifying an executable module. 2016-04-18 7.2 CVE-2016-3943
EXPLOIT-DB(link is external)
FULLDISC
MISC(link is external)
xen -- xen Integer overflow in the x86 shadow pagetable code in Xen allows local guest OS users to cause a denial of service (host crash) or possibly gain privileges by shadowing a superpage mapping. 2016-04-19 7.2 CVE-2016-3960
CONFIRM
Back to top

Medium Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
apache -- camel Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request. 2016-04-15 6.8 CVE-2015-5348
CONFIRM
BUGTRAQ(link is external)
MISC(link is external)
CONFIRM
dotcms -- dotcms Directory traversal vulnerability in the dotTailLogServlet in dotCMS before 3.5.1 allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the fileName parameter. 2016-04-18 4.0 CVE-2016-3972
FULLDISC
CONFIRM(link is external)
dotcms -- dotcms SQL injection vulnerability in the Workflow Screen in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the orderby parameter. 2016-04-19 6.5 CVE-2016-4040
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
gnu -- glibc The strftime function in the GNU C Library (aka glibc or libc6) before 2.23 allows context-dependent attackers to cause a denial of service (application crash) or possibly obtain sensitive information via an out-of-range time value. 2016-04-19 6.4 CVE-2015-8776
MLIST
CONFIRM
MLIST(link is external)
MLIST(link is external)
DEBIAN
SUSE
SUSE
SUSE
SUSE
SUSE
google -- android The PORCHE_PAIRING_CONFLICT feature in Bluetooth in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 allows remote attackers to bypass intended pairing restrictions via a crafted device, aka internal bug 26551752. 2016-04-17 5.8 CVE-2016-0850
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 50.0.2661.75, does not properly implement the sycc420_to_rgb and sycc422_to_rgb functions, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted JPEG 2000 data in a PDF document. 2016-04-18 5.8 CVE-2016-1651
CONFIRM(link is external)
CONFIRM
MISC(link is external)
CONFIRM(link is external)
google -- chrome Cross-site scripting (XSS) vulnerability in the ModuleSystem::RequireForJsInner function in extensions/renderer/module_system.cc in the Extensions subsystem in Google Chrome before 50.0.2661.75 allows remote attackers to inject arbitrary web script or HTML via a crafted web site, aka "Universal XSS (UXSS)." 2016-04-18 4.3 CVE-2016-1652
CONFIRM(link is external)
CONFIRM
CONFIRM(link is external)
google -- chrome The media subsystem in Google Chrome before 50.0.2661.75 does not initialize an unspecified data structure, which allows remote attackers to cause a denial of service (invalid read operation) via unknown vectors. 2016-04-18 4.3 CVE-2016-1654
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome The download implementation in Google Chrome before 50.0.2661.75 on Android allows remote attackers to bypass intended pathname restrictions via unspecified vectors. 2016-04-18 5.0 CVE-2016-1656
CONFIRM(link is external)
CONFIRM(link is external)
google -- chrome The WebContentsImpl::FocusLocationBarByDefault function in content/browser/web_contents/web_contents_impl.cc in Google Chrome before 50.0.2661.75 mishandles focus for certain about:blank pages, which allows remote attackers to spoof the address bar via a crafted URL. 2016-04-18 4.3 CVE-2016-1657
CONFIRM(link is external)
CONFIRM
CONFIRM(link is external)
google -- chrome The Extensions subsystem in Google Chrome before 50.0.2661.75 incorrectly relies on GetOrigin method calls for origin comparisons, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted extension. 2016-04-18 5.0 CVE-2016-1658
CONFIRM(link is external)
CONFIRM
CONFIRM(link is external)
google -- android A Qualcomm video kernel driver in Android 6.x before 2016-04-01 allows attackers to gain privileges via a crafted application that leverages control over a service that can call this driver, aka internal bug 26291677. 2016-04-17 6.9 CVE-2016-2410
CONFIRM(link is external)
google -- android The Minikin library in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider negative size values in font data, which allows remote attackers to cause a denial of service (memory corruption and reboot loop) via a crafted font, aka internal bug 26413177. 2016-04-17 4.9 CVE-2016-2414
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
huawei -- ar3200_firmware Huawei AR3200 routers with software before V200R006C10SPC300 allow remote authenticated users to cause a denial of service (restart) via crafted packets. 2016-04-18 6.8 CVE-2016-3950
CONFIRM(link is external)
juniper -- junos Race condition in the Op command in Juniper Junos OS before 12.1X44-D55, 12.1X46 before 12.1X46-D40, 12.1X47 before 12.1X47-D25, 12.3 before 12.3R11, 12.3X48 before 12.3X48-D20, 12.3X50 before 12.3X50-D50, 13.2 before 13.2R8, 13.2X51 before 13.2X51-D39, 13.2X52 before 13.2X52-D30, 13.3 before 13.3R7, 14.1 before 14.1R6, 14.1X53 before 14.1X53-D30, 14.2 before 14.2R4, 15.1 before 15.1F2 or 15.1R2, 15.1X49 before 15.1X49-D10 or 15.1X49-D20, and 16.1 before 16.1R1 allows remote authenticated users to gain privileges via the URL option. 2016-04-15 6.5 CVE-2016-1264
CONFIRM(link is external)
juniper -- junos Race condition in the RPC functionality in Juniper Junos OS before 12.1X44-D55, 12.1X46 before 12.1X46-D40, 12.1X47 before 12.1X47-D25, 12.3 before 12.3R11, 12.3X48 before 12.3X48-D20, 13.2 before 13.2R8, 13.2X51 before 13.2X51-D39, 13.3 before 13.3R7, 14.1 before 14.1R6, 14.1X53 before 14.1X53-D30, 14.2 before 14.2R3-S4, 15.1 before 15.1F2, or 15.1R2, 15.1X49 before 15.1X49-D20, and 16.1 before 16.1R1 allows local users to read, delete, or modify arbitrary files via unspecified vectors. 2016-04-15 4.4 CVE-2016-1267
CONFIRM(link is external)
juniper -- junos The rpd daemon in Juniper Junos OS before 12.1X44-D60, 12.1X46 before 12.1X46-D45, 12.1X47 before 12.1X47-D30, 12.3 before 12.3R9, 12.3X48 before 12.3X48-D20, 13.2 before 13.2R7, 13.2X51 before 13.2X51-D40, 13.3 before 13.3R6, 14.1 before 14.1R4, and 14.2 before 14.2R2, when configured with BGP-based L2VPN or VPLS, allows remote attackers to cause a denial of service (daemon restart) via a crafted L2VPN family BGP update. 2016-04-15 5.0 CVE-2016-1270
CONFIRM(link is external)
juniper -- junos Juniper Junos OS before 13.2X51-D40, 14.x before 14.1X53-D30, and 15.x before 15.1X53-D20 on QFX5100 and QFX10002 switches do not have sufficient entropy, which makes it easier for remote attackers to defeat cryptographic encryption and authentication protection mechanisms via unspecified vectors. 2016-04-15 4.3 CVE-2016-1273
CONFIRM(link is external)
libreswan -- libreswan Libreswan 3.16 might allow remote attackers to cause a denial of service (daemon restart) via an IKEv2 aes_xcbc transform. 2016-04-18 5.0 CVE-2016-3071
CONFIRM
FEDORA
FEDORA
CONFIRM
magento -- magento The getOrderByStatusUrlKey function in the Mage_Rss_Helper_Order class in app/code/core/Mage/Rss/Helper/Order.php in Magento Enterprise Edition before 1.14.2.3 and Magento Community Edition before 1.9.2.3 allows remote attackers to obtain sensitive order information via the order_id in a JSON object in the data parameter in an RSS feed request to index.php/rss/order/status. 2016-04-15 5.0 CVE-2016-2212
CONFIRM(link is external)
BUGTRAQ(link is external)
FULLDISC
MISC(link is external)
MISC(link is external)
openstack -- tripleo_heat_templates The TripleO Heat templates (tripleo-heat-templates) do not properly order the Identity Service (keystone) before the OpenStack Object Storage (Swift) staticweb middleware in the swiftproxy pipeline when the staticweb middleware is enabled, which might allow remote attackers to obtain sensitive information from private containers via unspecified vectors. 2016-04-15 5.0 CVE-2015-5271
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
REDHAT(link is external)
oracle -- peoplesoft_enterprise_human_capital_management_human_resources Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality via vectors related to Fusion HR Talent Integration. 2016-04-21 4.0 CVE-2016-0407
CONFIRM(link is external)
oracle -- peoplesoft_enterprise_peopletools Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53 through 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to the Activity Guide sub-component. 2016-04-21 4.3 CVE-2016-0408
CONFIRM(link is external)
oracle -- micros_c2 Unspecified vulnerability in the Oracle Retail MICROS C2 component in Oracle Retail Applications 9.89.0.0 allows local users to affect confidentiality via vectors related to POS. 2016-04-21 4.6 CVE-2016-0469
CONFIRM(link is external)
oracle -- business_intelligence Unspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, and 12.2.1.0.0 allows remote attackers to affect confidentiality and integrity via vectors related to Analytics Scorecard. 2016-04-21 5.8 CVE-2016-0479
CONFIRM(link is external)
oracle -- solaris Unspecified vulnerability in Oracle Sun Solaris 11.3 allows remote attackers to affect integrity via vectors related to the Automated Installer sub-component. 2016-04-21 4.3 CVE-2016-0623
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier allows local users to affect integrity and availability via vectors related to DML. 2016-04-21 4.9 CVE-2016-0640
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier allows local users to affect confidentiality and availability via vectors related to MyISAM. 2016-04-21 4.9 CVE-2016-0641
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect integrity and availability via vectors related to Federated. 2016-04-21 4.3 CVE-2016-0642
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect confidentiality via vectors related to DML. 2016-04-21 4.0 CVE-2016-0643
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier allows local users to affect availability via vectors related to DDL. 2016-04-21 4.0 CVE-2016-0644
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier allows local users to affect availability via vectors related to DML. 2016-04-21 4.0 CVE-2016-0646
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect availability via vectors related to FTS. 2016-04-21 4.0 CVE-2016-0647
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect availability via vectors related to PS. 2016-04-21 4.0 CVE-2016-0648
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier allows local users to affect availability via vectors related to PS. 2016-04-21 4.0 CVE-2016-0649
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.5.47 and earlier, 5.6.28 and earlier, and 5.7.10 and earlier allows local users to affect availability via vectors related to Replication. 2016-04-21 4.0 CVE-2016-0650
CONFIRM(link is external)
oracle -- flexcube_direct_banking Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 12.0.2 and 12.0.3 allows remote attackers to affect confidentiality and integrity via vectors related to Pre-Login. 2016-04-21 5.0 CVE-2016-0672
CONFIRM(link is external)
oracle -- siebel_ui_framework Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to UIF Open UI. 2016-04-21 4.9 CVE-2016-0673
CONFIRM(link is external)
sierra_wireless -- aleos ACEmanager in Sierra Wireless ALEOS 4.4.2 and earlier on ES440, ES450, GX400, GX440, GX450, and LS300 devices allows remote attackers to read the filteredlogs.txt file, and consequently discover potentially sensitive boot-sequence information, via unspecified vectors. 2016-04-21 4.3 CVE-2015-6479
MISC
squid -- squid_cache The FwdState::connectedToPeer method in FwdState.cc in Squid before 3.5.14 and 4.0.x before 4.0.6 does not properly handle SSL handshake errors when built with the --with-openssl option, which allows remote attackers to cause a denial of service (application crash) via a plaintext HTTP message. 2016-04-19 4.3 CVE-2016-2390
CONFIRM
SECTRACK(link is external)
MLIST
MLIST
CONFIRM
tibco -- enterprise_message_service Buffer overflow in tibemsd in the server in TIBCO Enterprise Message Service (EMS) before 8.3.0 and EMS Appliance before 2.4.0 allows remote authenticated users to cause a denial of service or possibly execute arbitrary code via crafted inbound data. 2016-04-20 6.5 CVE-2016-3628
CONFIRM(link is external)
CONFIRM(link is external)
videolan -- vlc_media_player Buffer overflow in the AStreamPeekStream function in input/stream.c in VideoLAN VLC media player before 2.2.0 allows remote attackers to cause a denial of service (crash) via a crafted wav file, related to "seek across EOF." 2016-04-18 4.3 CVE-2016-3941
MLIST
CONFIRM(link is external)
SECTRACK(link is external)
xdelta -- xdelta3 Buffer overflow in the main_get_appheader function in xdelta3-main.h in xdelta3 before 3.0.9 allows remote attackers to execute arbitrary code via a crafted input file. 2016-04-19 6.8 CVE-2014-9765
CONFIRM(link is external)
UBUNTU(link is external)
MLIST(link is external)
MLIST(link is external)
DEBIAN
SUSE
SUSE
Back to top

Low Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
apache -- hadoop Apache Hadoop 2.6.x encrypts intermediate data generated by a MapReduce job and stores it along with the encryption key in a credentials file on disk when the Intermediate data encryption feature is enabled, which allows local users to obtain sensitive information by reading the file. 2016-04-19 2.1 CVE-2015-1776
MLIST
dotcms -- dotcms Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote authenticated administrators to inject arbitrary web script or HTML via the query parameter to c/portal/layout. 2016-04-18 3.5 CVE-2016-3971
FULLDISC
CONFIRM(link is external)
drupal -- block_class Cross-site scripting (XSS) vulnerability in the Block Class module 7.x-2.x before 7.x-2.2 for Drupal allows remote authenticated users with the "Administer block classes" permission to inject arbitrary web script or HTML via a class name. 2016-04-15 3.5 CVE-2016-3144
MISC
CONFIRM
gnupg -- libgcrypt Libgcrypt before 1.6.5 does not properly perform elliptic-point curve multiplication during decryption, which makes it easier for physically proximate attackers to extract ECDH keys by measuring electromagnetic emanations. 2016-04-19 1.9 CVE-2015-7511
MLIST
UBUNTU(link is external)
DEBIAN
DEBIAN
MISC(link is external)
ipswitch -- moveit_dmz Ipswitch MOVEit File Transfer (formerly DMZ) 8.1 and earlier, when configured to support file view on download, allows remote authenticated users to conduct cross-site scripting (XSS) attacks by uploading HTML files. 2016-04-15 3.5 CVE-2015-7676
MISC(link is external)
FULLDISC
MISC(link is external)
novell -- leap openSUSE and SUSE Linux Enterprise Server 11 SP 1 use weak permissions for /etc/quagga, which allows local users to obtain sensitive information by reading files in the directory. 2016-04-18 2.1 CVE-2016-4036
CONFIRM(link is external)
SUSE
oracle -- business_intelligence Unspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, and 12.2.1.0.0 allows remote authenticated users to affect confidentiality and integrity via vectors related to Analytics Web General. 2016-04-21 3.5 CVE-2016-0468
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier allows local users to affect availability via vectors related to Optimizer. 2016-04-21 3.5 CVE-2016-0651
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to FTS. 2016-04-21 3.5 CVE-2016-0653
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to InnoDB, a different vulnerability than CVE-2016-0656. 2016-04-21 3.5 CVE-2016-0654
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.6.29 and earlier and 5.7.11 and earlier allows local users to affect availability via vectors related to InnoDB. 2016-04-21 3.5 CVE-2016-0655
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to InnoDB, a different vulnerability than CVE-2016-0654. 2016-04-21 3.5 CVE-2016-0656
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect confidentiality via vectors related to JSON. 2016-04-21 3.5 CVE-2016-0657
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to Optimizer. 2016-04-21 3.5 CVE-2016-0658
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect availability via vectors related to Optimizer. 2016-04-21 3.5 CVE-2016-0659
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.10 and earlier allows local users to affect availability via vectors related to Options. 2016-04-21 3.5 CVE-2016-0661
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect availability via vectors related to Partition. 2016-04-21 3.5 CVE-2016-0662
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to Performance Schema. 2016-04-21 3.5 CVE-2016-0663
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.10 and earlier allows local users to affect availability via vectors related to Security: Encryption. 2016-04-21 3.5 CVE-2016-0665
CONFIRM(link is external)
oracle -- mysql Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows local users to affect availability via vectors related to Security: Privileges. 2016-04-21 3.5 CVE-2016-0666
CONFIRM(link is external)
xen -- xen Xen and the Linux kernel through 4.5.x do not properly suppress hugetlbfs support in x86 PV guests, which allows local PV guest users to cause a denial of service (guest OS crash) by attempting to access a hugetlbfs mapped area. 2016-04-15 2.1 CVE-2016-3961
CONFIRM
CONFIRM
SECTRACK(link is external)
Back to top

Severity Not Yet Assigned

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
389_directory_server -- slapd/ connection.c slapd/connection.c in 389 Directory Server (formerly Fedora Directory Server) 1.3.4.x before 1.3.4.7 allows remote attackers to cause a denial of service (infinite loop and connection blocking) by leveraging an abnormally closed connection. 2016-04-19

Not yet calculated

CVE-2016-0741
CONFIRM
CONFIRM
BID(link is external)
REDHAT(link is external)
CONFIRM
accuenergy -- acuvim_ii_net_firmware The AXM-NET module in Accuenergy Acuvim II NET Firmware 3.08 and Acuvim IIR NET Firmware 3.08 allows remote attackers to discover a cleartext mail-server password via unspecified vectors. 2016-04-21

Not yet calculated

CVE-2016-2294
MISC
accuenergy -- acuvim_ii_net_firmware The AXM-NET module in Accuenergy Acuvim II NET Firmware 3.08 and Acuvim IIR NET Firmware 3.08 allows remote attackers to discover settings via a direct request to an unspecified URL. 2016-04-21

Not yet calculated

CVE-2016-2293
MISC
adobe -- analytics_appmeasurement Cross-site scripting (XSS) vulnerability in Adobe Analytics AppMeasurement for Flash Library before 4.0.1, when debugTracking is enabled, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2016-04-22

Not yet calculated

CVE-2016-1036
CONFIRM(link is external)
adobe -- flash_player Use-after-free vulnerability in the TextField object implementation in Adobe Flash Player before 18.0.0.268 and 19.x and 20.x before 20.0.0.228 on Windows and OS X and before 11.2.202.554 on Linux, Adobe AIR before 20.0.0.204, Adobe AIR SDK before 20.0.0.204, and Adobe AIR SDK & Compiler before 20.0.0.204 allows attackers to execute arbitrary code via crafted text property, a different vulnerability than CVE-2015-8048, CVE-2015-8049, CVE-2015-8050, CVE-2015-8055, CVE-2015-8056, CVE-2015-8057, CVE-2015-8058, CVE-2015-8059, CVE-2015-8061, CVE-2015-8062, CVE-2015-8063, CVE-2015-8064, CVE-2015-8065, CVE-2015-8066, CVE-2015-8067, CVE-2015-8068, CVE-2015-8069, CVE-2015-8070, CVE-2015-8071, CVE-2015-8401, CVE-2015-8402, CVE-2015-8403, CVE-2015-8404, CVE-2015-8405, CVE-2015-8406, CVE-2015-8410, CVE-2015-8411, CVE-2015-8412, CVE-2015-8413, CVE-2015-8414, CVE-2015-8420, CVE-2015-8421, CVE-2015-8422, CVE-2015-8423, CVE-2015-8424, CVE-2015-8425, CVE-2015-8426, CVE-2015-8427, CVE-2015-8428, CVE-2015-8429, CVE-2015-8430, CVE-2015-8431, CVE-2015-8432, CVE-2015-8433, CVE-2015-8434, CVE-2015-8435, CVE-2015-8436, CVE-2015-8437, CVE-2015-8441, CVE-2015-8442, CVE-2015-8447, CVE-2015-8448, CVE-2015-8449, CVE-2015-8450, CVE-2015-8452, CVE-2015-8454, CVE-2015-8653, CVE-2015-8655, CVE-2015-8821, and CVE-2015-8822. 2016-04-22

Not yet calculated

CVE-2015-8823
CONFIRM(link is external)
MISC(link is external)
android -- aosp_mail mail/compose/ComposeActivity.java in AOSP Mail in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 supports file:///data attachments, which allows attackers to obtain sensitive information via a crafted application, aka internal bugs 7154234 and 26989185. 2016-04-17

Not yet calculated

CVE-2016-2425
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
android -- framework_component server/content/ContentService.java in the Framework component in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not check for a GET_ACCOUNTS permission, which allows attackers to obtain sensitive information via a crafted application, aka internal bug 26094635. 2016-04-17

Not yet calculated

CVE-2016-2426
CONFIRM(link is external)
CONFIRM(link is external)
android -- mediaserver libs/gui/BufferQueueConsumer.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not check for the android.permission.DUMP permission, which allows attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via a dump request, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 27046057. 2016-04-17

Not yet calculated

CVE-2016-2416
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
android -- mediaserver media/libmedia/IDrm.cpp in mediaserver in Android 6.x before 2016-04-01 does not initialize a certain key-request data structure, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26323455. 2016-04-17

Not yet calculated

CVE-2016-2419
CONFIRM(link is external)
CONFIRM(link is external)
android -- mediaserver media/libmedia/IOMX.cpp in mediaserver in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not initialize a parameter data structure, which allows attackers to obtain sensitive information from process memory, and consequently bypass an unspecified protection mechanism, via unspecified vectors, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26914474. 2016-04-17

Not yet calculated

CVE-2016-2417
CONFIRM(link is external)
CONFIRM(link is external)
android -- setup_wizard Setup Wizard in Android 5.1.x before 5.1.1 and 6.x before 2016-04-01 allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism and delete data via unspecified vectors, aka internal bug 26154410. 2016-04-17

Not yet calculated

CVE-2016-2421
CONFIRM(link is external)
android -- syncstorageengine server/content/SyncStorageEngine.java in SyncStorageEngine in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 mismanages certain authority data, which allows attackers to cause a denial of service (reboot loop) via a crafted application, aka internal bug 26513719. 2016-04-17

Not yet calculated

CVE-2016-2424
CONFIRM(link is external)
CONFIRM(link is external)
android -- telephony server/telecom/CallsManager.java in Telephony in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not properly consider whether a device is provisioned, which allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism and delete data via unspecified vectors, aka internal bug 26303187. 2016-04-17

Not yet calculated

CVE-2016-2423
CONFIRM(link is external)
CONFIRM(link is external)
android -- wi-fi Wi-Fi in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01 does not prevent use of a Wi-Fi CA certificate in an unrelated CA role, which allows attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26324357. 2016-04-17

Not yet calculated

CVE-2016-2422
CONFIRM(link is external)
CONFIRM(link is external)
blackberry_enterprise_server_(bes) -- management_console Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-1917. 2016-04-22

Not yet calculated

CVE-2016-1918
CONFIRM(link is external)
blackberry_enterprise_server_(bes) -- management_console Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2016-1918. 2016-04-22

Not yet calculated

CVE-2016-1917
CONFIRM(link is external)
blackberry_enterprise_server_(bes) -- management_console Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. 2016-04-22

Not yet calculated

CVE-2016-3126
CONFIRM(link is external)
blackberry_enterprise_server_(bes) -- management_console Cross-site scripting (XSS) vulnerability in the Management Console in BlackBerry Enterprise Server (BES) 12 before 12.4.1 allows remote authenticated users to inject arbitrary web script or HTML by leveraging basic administrative access to create a crafted policy, leading to improper rendering on a certain Export IT screen. 2016-04-22

Not yet calculated

CVE-2016-1916
CONFIRM(link is external)
cairo -- cairo_image_compositor.c The fill_xrgb32_lerp_opaque_spans function in cairo-image-compositor.c in cairo before 1.14.2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a negative span length. 2016-04-21

Not yet calculated

CVE-2016-3190
MLIST
CONFIRM
CONFIRM(link is external)
SUSE
cisco -- adaptive_security_appliance_(asa) The DHCPv6 relay implementation in Cisco Adaptive Security Appliance (ASA) Software 9.4.1 allows remote attackers to cause a denial of service (device reload) via crafted DHCPv6 packets, aka Bug ID CSCus23248. 2016-04-21

Not yet calculated

CVE-2016-1367
CISCO(link is external)
cisco -- aireos Cisco AireOS 4.1 through 7.4.120.0, 7.5.x, and 7.6.100.0 on Wireless LAN Controller (WLC) devices allows remote attackers to cause a denial of service (device reload) via a crafted HTTP request, aka Bug ID CSCun86747. 2016-04-21

Not yet calculated

CVE-2016-1362
CISCO(link is external)
cisco -- ios The NTP implementation in Cisco IOS 15.1 and 15.5 and IOS XE 3.2 through 3.17 allows remote attackers to modify the system time via crafted packets, aka Bug ID CSCux46898. 2016-04-20

Not yet calculated

CVE-2016-1384
CISCO(link is external)
cisco -- wireless_lan_controller_(wlc) Buffer overflow in the redirection functionality in Cisco Wireless LAN Controller (WLC) Software 7.2 through 7.4 before 7.4.140.0(MD) and 7.5 through 8.0 before 8.0.115.0(ED) allows remote attackers to execute arbitrary code via a crafted HTTP request, aka Bug ID CSCus25617. 2016-04-21

Not yet calculated

CVE-2016-1363
CISCO(link is external)
cisco -- wireless_lan_controller_(wlc) Cisco Wireless LAN Controller (WLC) Software 7.4 before 7.4.130.0(MD) and 7.5, 7.6, and 8.0 before 8.0.110.0(ED) allows remote attackers to cause a denial of service (device reload) via crafted Bonjour traffic, aka Bug ID CSCur66908. 2016-04-21

Not yet calculated

CVE-2016-1364
CISCO(link is external)
dotcms -- sql_injection SQL injection vulnerability in dotCMS before 3.5 allows remote administrators to execute arbitrary SQL commands via the c0-e3 parameter to dwr/call/plaincall/UserAjax.getUsersList.dwr. 2016-04-19

Not yet calculated

CVE-2016-3688
FULLDISC
FULLDISC
MISC(link is external)
CONFIRM(link is external)
ecava -- integraxor CRLF injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL. 2016-04-21

Not yet calculated

CVE-2016-2303
MISC
ecava -- integraxor Cross-site scripting (XSS) vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. 2016-04-21   CVE-2016-2305
MISC
ecava -- integraxor Ecava IntegraXor before 5.0 build 4522 allows remote attackers to obtain sensitive information by reading detailed error messages. 2016-04-21

Not yet calculated

CVE-2016-2302
MISC
ecava -- integraxor Ecava IntegraXor before 5.0 build 4522 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. 2016-04-21

Not yet calculated

CVE-2016-2304
MISC
ecava -- integraxor ecava_ integraxor 2016-04-21

Not yet calculated

CVE-2016-2300
MISC
ecava -- integraxor SQL injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 2016-04-21

Not yet calculated

CVE-2016-2299
MISC
ecava -- integraxor SQL injection vulnerability in Ecava IntegraXor before 5.0 build 4522 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. 2016-04-21

Not yet calculated

CVE-2016-2301
MISC
ecava -- integraxor The HMI web server in Ecava IntegraXor before 5.0 build 4522 allows remote attackers to obtain sensitive cleartext information by sniffing the network. 2016-04-21

Not yet calculatedNot yet calculated

CVE-2016-2306
MISC
emc -- vipr_srm Multiple cross-site request forgery (CSRF) vulnerabilities in administrative pages in EMC ViPR SRM before 3.7 allow remote attackers to hijack the authentication of administrators. 2016-04-20

Not yet calculated

CVE-2016-0891
BUGTRAQ
foxit -- reader_and_phantompdf Foxit Reader and PhantomPDF before 7.3.4 on Windows allow remote attackers to cause a denial of service (application crash) via a crafted content stream. 2016-04-22

Not yet calculated

CVE-2016-4061
CONFIRM(link is external)
foxit -- reader_and_phantompdf Foxit Reader and PhantomPDF before 7.3.4 on Windows improperly report format errors recursively, which allows remote attackers to cause a denial of service (application hang) via a crafted PDF. 2016-04-22

Not yet calculated

CVE-2016-4062
CONFIRM(link is external)
foxit -- reader_and_phantompdf The ConvertToPDF plugin in Foxit Reader and PhantomPDF before 7.3.4 on Windows, when the gflags app is enabled, allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted (1) JPEG, (2) GIF, or (3) BMP image. 2016-04-22

Not yet calculated

CVE-2016-4065
CONFIRM(link is external)
MISC(link is external)
MISC(link is external)
MISC(link is external)
foxit -- reader_and_phantompdf Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to cause a denial of service (application crash) via unspecified vectors. 2016-04-22

Not yet calculated

CVE-2016-4060
CONFIRM(link is external)
foxit -- reader_and_phantompdf Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to execute arbitrary code via a crafted FlateDecode stream in a PDF document. 2016-04-22

Not yet calculated

CVE-2016-4059
CONFIRM(link is external)
MISC(link is external)
foxit -- reader_and_phantompdf Use-after-free vulnerability in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to execute arbitrary code via an object with a revision number of -1 in a PDF document. 2016-04-22

Not yet calculated

CVE-2016-4063
CONFIRM(link is external)
MISC(link is external)
MISC(link is external)
foxit -- reader_and_phantompdf Use-after-free vulnerability in the XFA forms handling functionality in Foxit Reader and PhantomPDF before 7.3.4 on Windows allows remote attackers to execute arbitrary code via a crafted remerge call. 2016-04-22

Not yet calculated

CVE-2016-4064
CONFIRM(link is external)
MISC(link is external)
gif2png_optipng gifread.c in gif2png, as used in OptiPNG before 0.7.6, allows remote attackers to cause a denial of service (uninitialized memory read) via a crafted GIF file. 2016-04-20

Not yet calculated

CVE-2015-7802
CONFIRM(link is external)
UBUNTU(link is external)
CONFIRM(link is external)
giflib -- util/gif2rgb.c_in_gif2rgb Heap-based buffer overflow in util/gif2rgb.c in gif2rgb in giflib 5.1.2 allows remote attackers to cause a denial of service (application crash) via the background color index in a GIF file. 2016-04-21

Not yet calculated

CVE-2016-3977
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
SUSE
MISC(link is external)
hexchat -- common/server.c The ssl_do_connect function in common/server.c in HexChat before 2.10.2, XChat, and XChat-GNOME does not verify that the server hostname matches a domain name in the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. 2016-04-21 Not yet calculated CVE-2013-7449
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
UBUNTU(link is external)
CONFIRM
honeywell -- uniformance_process_history_database_(phd) Buffer overflow in RDISERVER in Honeywell Uniformance Process History Database (PHD) R310, R320, and R321 allows remote attackers to cause a denial of service (service outage) via unspecified vectors. 2016-04-21

Not yet calculated

CVE-2016-2280
MISC
hpe -- data_protector HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors, aka ZDI-CAN-3352. 2016-04-21

Not yet calculated

CVE-2016-2005
HP(link is external)
hpe -- data_protector HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors, aka ZDI-CAN-3353. 2016-04-21

Not yet calculated

CVE-2016-2006
HP(link is external)
hpe -- data_protector HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors, aka ZDI-CAN-3354. 2016-04-21

Not yet calculated

CVE-2016-2007
HP(link is external)
hpe -- data_protector HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors. 2016-04-21

Not yet calculated

CVE-2016-2004
CERT-VN
HP(link is external)
hpe -- data_protector HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allows remote attackers to execute arbitrary code via unspecified vectors. 2016-04-21

Not yet calculated

CVE-2016-2008
HP(link is external)
hpe -- p9000 HPE P9000 Command View Advanced Edition Software (CVAE) 7.x and 8.x before 8.4.0-00 and XP7 CVAE 7.x and 8.x before 8.4.0-00 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. 2016-04-20

Not yet calculated

CVE-2016-2003
HP(link is external)
hpe -- vertica The validateAdminConfig handler in the Analytics Management Console in HPE Vertica 7.0.x before 7.0.2.12, 7.1.x before 7.1.2-12, and 7.2.x before 7.2.2-1 allows remote attackers to execute arbitrary commands via the mcPort parameter, aka ZDI-CAN-3417. 2016-04-20

Not yet calculated

CVE-2016-2002
HP(link is external)
MISC(link is external)
java -- bouncy_castle_crypto_apis asn1/cms/GCMParameters.java in the Bouncy Castle Crypto APIs 1.54 for Java, as used in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-04-01, has an improper AES-GCM-ICVlen value, which makes it easier for attackers to defeat a cryptographic protection mechanism and discover an authentication key via a crafted application, aka internal bug 26234568. 2016-04-17

Not yet calculated

CVE-2016-2427
CONFIRM(link is external)
CONFIRM(link is external)
CONFIRM(link is external)
lemur -- vehicle_monitors_bluedriver The Bluetooth functionality in Lemur Vehicle Monitors BlueDriver before 2016-04-07 supports unrestricted pairing without a PIN, which allows remote attackers to send arbitrary CAN commands by leveraging access to a device inside or adjacent to the vehicle, as demonstrated by a CAN command to disrupt braking or steering. 2016-04-21

Not yet calculated

CVE-2016-2354
CERT-VN
lexmark -- atl Lexmark printers with firmware ATL before ATL.021.063, CB before CB.021.063, PP before PP.021.063, and YK before YK.021.063 mishandle Erase Printer Memory and Erase Hard Disk actions, which allows physically proximate attackers to obtain sensitive information via direct read operations on non-volatile memory. 2016-04-21

Not yet calculated

CVE-2016-3145
CONFIRM(link is external)
libav_libavcodec/ituh263dec.c The ff_h263_decode_mba function in libavcodec/ituh263dec.c in Libav before 11.5 allows remote attackers to cause a denial of service (divide-by-zero error and application crash) via a file with crafted dimensions. 2016-04-19

Not yet calculated

CVE-2015-5479
CONFIRM
CONFIRM
MISC
UBUNTU(link is external)
libtiff -- gif2tiff.c Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file. 2016-04-19

Not yet calculated

CVE-2016-3186
CONFIRM(link is external)
SECTRACK(link is external)
SUSE
micro_focus_novell -- service_desk Directory traversal vulnerability in the import users feature in Micro Focus Novell Service Desk before 7.2 allows remote authenticated administrators to upload and execute arbitrary JSP files via a .. (dot dot) in a filename within a multipart/form-data POST request to a LiveTime.woa URL. 2016-04-22

Not yet calculated

CVE-2016-1593
CONFIRM(link is external)
MISC(link is external)
MISC(link is external)
micro_focus_novell -- service_desk LiveTime/WebObjects/LiveTime.woa/wa/DownloadAction/downloadFile in Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to conduct Hibernate Query Language (HQL) injection attacks and obtain sensitive information via the entityName parameter. 2016-04-22

Not yet calculated

CVE-2016-1595
CONFIRM(link is external)
MISC(link is external)
MISC(link is external)
micro_focus_novell -- service_desk Micro Focus Novell Service Desk before 7.2 allows remote authenticated users to read arbitrary attachments via a request to a LiveTime.woa URL, as demonstrated by obtaining sensitive information via a (1) downloadLogFiles or (2) downloadFile action. 2016-04-22

Not yet calculated

CVE-2016-1594
CONFIRM(link is external)
MISC(link is external)
MISC(link is external)
micro_focus_novell -- service_desk Multiple cross-site scripting (XSS) vulnerabilities in Micro Focus Novell Service Desk before 7.2 allow remote authenticated users to inject arbitrary web script or HTML via a certain (1) user name, (2) tf_aClientFirstName, (3) tf_aClientLastName, (4) ta_selectedTopicContent, (5) tf_orgUnitName, (6) tf_aManufacturerFullName, (7) tf_aManufacturerName, (8) tf_aManufacturerAddress, or (9) tf_aManufacturerCity parameter. 2016-04-22

Not yet calculated

CVE-2016-1596
CONFIRM(link is external)
MISC(link is external)
MISC(link is external)
oracle -- berkeley_db Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, and CVE-2016-0694. 2016-04-21

Not yet calculated

CVE-2016-3418
CONFIRM(link is external)
oracle -- berkeley_db Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, and CVE-2016-3418. 2016-04-21

Not yet calculated

CVE-2016-0694
CONFIRM(link is external)
oracle -- berkeley_db Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0682, CVE-2016-0689, CVE-2016-0694, and CVE-2016-3418. 2016-04-21

Not yet calculated

CVE-2016-0692
CONFIRM(link is external)
oracle -- berkeley_db Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0682, CVE-2016-0692, CVE-2016-0694, and CVE-2016-3418. 2016-04-21

Not yet calculated

CVE-2016-0689
CONFIRM(link is external)
oracle -- berkeley_db Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0689, CVE-2016-0692, CVE-2016-0694, and CVE-2016-3418. 2016-04-21

Not yet calculated

CVE-2016-0682
CONFIRM(link is external)
oracle -- database_server Unspecified vulnerability in the Java VM component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. 2016-04-21

Not yet calculatedNot yet calculated

CVE-2016-3454
CONFIRM(link is external)
oracle -- database_server Unspecified vulnerability in the Oracle OLAP component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows local users to affect confidentiality, integrity, and availability via unspecified vectors. 2016-04-21

Not yet calculated

CVE-2016-0681
CONFIRM(link is external)
oracle -- database_server Unspecified vulnerability in the RDBMS Security component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows local users to affect integrity via unknown vectors, a different vulnerability than CVE-2016-0690. 2016-04-21

Not yet calculated

CVE-2016-0691
CONFIRM(link is external)
oracle -- database_server Unspecified vulnerability in the RDBMS Security component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows local users to affect integrity via unknown vectors, a different vulnerability than CVE-2016-0691. 2016-04-21

Not yet calculated

CVE-2016-0690
CONFIRM(link is external)
oracle -- database_server Unspecified vulnerability in the RDBMS Security component in Oracle Database Server 12.1.0.1 and 12.1.0.2 allows remote attackers to affect availability via unknown vectors. 2016-04-21

Not yet calculated

CVE-2016-0677
CONFIRM(link is external)
oracle -- e-business_suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows local users to affect confidentiality and integrity via unknown vectors. 2016-04-21

Not yet calculated

CVE-2016-0697
CONFIRM(link is external)
oracle -- e-business_suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect integrity via vectors related to Logout. 2016-04-21

Not yet calculated

CVE-2016-3434
CONFIRM(link is external)
oracle -- e-business_suite Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect confidentiality and integrity via vectors related to OAF Core. 2016-04-21   CVE-2016-3447
CONFIRM(link is external)
oracle -- e-business_suite Unspecified vulnerability in the Oracle Common Applications Calendar component in Oracle E-Business Suite 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Tasks. 2016-04-21

Not yet calculated

CVE-2016-3436
CONFIRM(link is external)
oracle -- e-business_suite Unspecified vulnerability in the Oracle CRM Wireless component in Oracle E-Business Suite 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Call Phone Number Page. 2016-04-21

Not yet calculated

CVE-2016-3439
CONFIRM(link is external)
oracle -- e-business_suite Unspecified vulnerability in the Oracle CRM Wireless component in Oracle E-Business Suite 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Person Address Page. 2016-04-21

Not yet calculated

CVE-2016-3437
CONFIRM(link is external)
oracle -- e-business_suite Unspecified vulnerability in the Oracle Field Service component in Oracle E-Business Suite 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Wireless. 2016-04-21

Not yet calculated

CVE-2016-3466
CONFIRM(link is external)
oracle -- financial_services Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 12.0.2 and 12.0.3 allows remote attackers to affect confidentiality and integrity via vectors related to the Login sub-component. 2016-04-21

Not yet calculated

CVE-2016-0699
CONFIRM(link is external)
oracle -- financial_services_software Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 12.0.3 allows remote attackers to affect confidentiality and integrity via vectors related to Pre-Login. 2016-04-21

Not yet calculated

CVE-2016-3463
CONFIRM(link is external)
oracle -- financial_services_software Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 12.0.3 allows remote authenticated users to affect confidentiality via vectors related to Accounts. 2016-04-21

Not yet calculated

CVE-2016-3464
CONFIRM(link is external)
oracle -- fusion_middleware Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 12.1.2.0 allows remote attackers to affect confidentiality via vectors related to OSSL Module. 2016-04-21

Not yet calculated

CVE-2016-0671
CONFIRM(link is external)
oracle -- fusion_middleware Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters. 2016-04-21

Not yet calculated

CVE-2016-3455
CONFIRM(link is external)
oracle -- fusion_middleware Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6 allows remote attackers to affect confidentiality and integrity via vectors related to Console. 2016-04-21

Not yet calculated

CVE-2016-0696
CONFIRM(link is external)
oracle -- fusion_middleware Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, 12.1.3, and 12.2.1 allows remote attackers to affect confidentiality and integrity via vectors related to Console. 2016-04-21

Not yet calculated

CVE-2016-3416
CONFIRM(link is external)
oracle -- fusion_middleware Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Console, a different vulnerability than CVE-2016-0675. 2016-04-21

Not yet calculated

CVE-2016-0700
CONFIRM(link is external)
oracle -- fusion_middleware Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Console, a different vulnerability than CVE-2016-0700. 2016-04-21

Not yet calculated

CVE-2016-0675
CONFIRM(link is external)
oracle -- fusion_middleware Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via vectors related to Core Components. 2016-04-21

Not yet calculated

CVE-2016-0688
CONFIRM(link is external)
oracle -- java_se Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect availability via vectors related to 2D. 2016-04-21

Not yet calculated

CVE-2016-3422
CONFIRM(link is external)
oracle -- java_se Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to 2D. 2016-04-21

Not yet calculatedNot yet calculated

CVE-2016-3443
CONFIRM(link is external)
oracle -- java_se Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Deployment. 2016-04-21

Not yet calculated

CVE-2016-3449
CONFIRM(link is external)
oracle -- java_se Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Serialization. 2016-04-21

Not yet calculated

CVE-2016-0686
CONFIRM(link is external)
oracle -- java_se Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to the Hotspot sub-component. 2016-04-21

Not yet calculated

CVE-2016-0687
CONFIRM(link is external)
oracle -- java_se Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect availability via vectors related to JAXP. 2016-04-21

Not yet calculated

CVE-2016-3425
CONFIRM(link is external)
oracle -- java_se Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality via vectors related to Security. 2016-04-21

Not yet calculated

CVE-2016-0695
CONFIRM(link is external)
oracle -- java_se Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JMX. 2016-04-21

Not yet calculated

CVE-2016-3427
CONFIRM(link is external)
oracle -- java_se Unspecified vulnerability in Oracle Java SE 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality via vectors related to JCE. 2016-04-21

Not yet calculated

CVE-2016-3426
CONFIRM(link is external)
oracle -- mysql_3.0.25 Unspecified vulnerability in the MySQL Enterprise Monitor component in Oracle MySQL 3.0.25 and earlier and 3.1.2 and earlier allows remote administrators to affect confidentiality, integrity, and availability via vectors related to Monitoring: Server. 2016-04-21

Not yet calculated

CVE-2016-3461
CONFIRM(link is external)
oracle -- mysql_5.6.28 Unspecified vulnerability in Oracle MySQL 5.6.28 and earlier and 5.7.10 and earlier allows local users to affect availability via vectors related to InnoDB. 2016-04-21

Not yet calculated

CVE-2016-0668
CONFIRM(link is external)
oracle -- mysql_5.7.10 Unspecified vulnerability in Oracle MySQL 5.7.10 and earlier allows local users to affect availability via vectors related to DML. 2016-04-21

Not yet calculated

CVE-2016-0652
CONFIRM(link is external)
oracle -- mysql_5.7.11 Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows local users to affect availability via vectors related to Locking. 2016-04-21

Not yet calculated

CVE-2016-0667
CONFIRM(link is external)
oracle -- peoplesoft_enterprise_peopletools Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to PIA Search Functionality. 2016-04-21

Not yet calculated

CVE-2016-3417
CONFIRM(link is external)
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to ePerformance. 2016-04-21

Not yet calculated

CVE-2016-3460
CONFIRM(link is external)
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise HCM ePerformance component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to Security. 2016-04-21

Not yet calculated

CVE-2016-3457
CONFIRM(link is external)
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote attackers to affect availability via vectors related to PIA Core Technology. 2016-04-21

Not yet calculated

CVE-2016-3435
CONFIRM(link is external)
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to File Processing. 2016-04-21

Not yet calculated

CVE-2016-0685
CONFIRM(link is external)
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to Portal. 2016-04-21   CVE-2016-3442
CONFIRM(link is external)
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to Rich Text Editor, a different vulnerability than CVE-2016-0698. 2016-04-21

Not yet calculated

CVE-2016-3423
CONFIRM(link is external)
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to Rich Text Editor, a different vulnerability than CVE-2016-3423. 2016-04-21

Not yet calculated

CVE-2016-0698
CONFIRM(link is external)
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to Search Framework. 2016-04-21

Not yet calculated

CVE-2016-0683
CONFIRM(link is external)
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to Activity Guide. 2016-04-21

Not yet calculated

CVE-2016-3421
CONFIRM(link is external)
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect integrity and availability via vectors related to PIA Grids. 2016-04-21

Not yet calculated

CVE-2016-0679
CONFIRM(link is external)
oracle -- peoplesoft_products Unspecified vulnerability in the PeopleSoft Enterprise SCM component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to Services Procurement. 2016-04-21

Not yet calculated

CVE-2016-0680
CONFIRM(link is external)
oracle -- retail_applications Unspecified vulnerability in the Oracle Retail Xstore Point of Service component in Oracle Retail Applications 5.0, 5.5, 6.0, 6.5, 7.0, and 7.1 allows remote authenticated users to affect confidentiality and integrity via vectors related to Xstore Services. 2016-04-21

Not yet calculated

CVE-2016-3429
CONFIRM(link is external)
oracle -- retail_applicat_retail_applications Unspecified vulnerability in the Oracle Retail MICROS ARS POS component in Oracle Retail Applications 1.5 allows remote authenticated users to affect confidentiality via vectors related to POS. 2016-04-21

Not yet calculated

CVE-2016-0684
CONFIRM(link is external)
oracle -- siebel_core Unspecified vulnerability in the Siebel Core - Common Components component in Oracle Siebel CRM 8.1.1 and 8.2.2 allows local users to affect confidentiality and integrity via vectors related to Email. 2016-04-21

Not yet calculated

CVE-2016-0674
CONFIRM(link is external)
oracle -- sun_solaris Unspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect availability via vectors related to the kernel. 2016-04-21

Not yet calculated

CVE-2016-0676
CONFIRM(link is external)
oracle -- sun_solaris Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows local users to affect availability via vectors related to Filesystem. 2016-04-21

Not yet calculated

CVE-2016-3419
CONFIRM(link is external)
oracle -- sun_solaris Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows local users to affect confidentiality, integrity, and availability via vectors related to Filesystem. 2016-04-21

Not yet calculated

CVE-2016-3441
CONFIRM(link is external)
oracle -- sun_solaris Unspecified vulnerability in Oracle Sun Solaris 10 and 11.3 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to the PAM LDAP module. 2016-04-21

Not yet calculated

CVE-2016-0693
CONFIRM(link is external)
oracle -- sun_solaris Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local users to affect availability via vectors related to Network Configuration Service. 2016-04-21

Not yet calculated

CVE-2016-3462
CONFIRM(link is external)
oracle -- sun_solaris Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local users to affect availability via vectors related to ZFS. 2016-04-21

Not yet calculated

CVE-2016-3465
CONFIRM(link is external)
oracle -- sun_solaris Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local users to affect integrity and availability via vectors related to Fwflash. 2016-04-21

Not yet calculated

CVE-2016-0669
CONFIRM(link is external)
oracle -- supply_chain_products_suite Unspecified vulnerability in the Oracle Agile Engineering Data Management component in Oracle Supply Chain Products Suite 6.1.3.0 and 6.2.0.0 allows remote attackers to affect availability via vectors related to Engineering Communication Interface. 2016-04-21

Not yet calculated

CVE-2016-3428
CONFIRM(link is external)
oracle -- supply_chain_products_suite Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.1.1, 9.3.1.2, 9.3.2, and 9.3.3 allows remote authenticated users to affect confidentiality and integrity via vectors related to Security, a different vulnerability than CVE-2016-3420. 2016-04-21

Not yet calculated

CVE-2016-3431
CONFIRM(link is external)
oracle -- supply_chain_products_suite Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.1.1, 9.3.1.2, 9.3.2, and 9.3.3 allows remote authenticated users to affect confidentiality and integrity via vectors related to Security, a different vulnerability than CVE-2016-3431. 2016-04-21

Not yet calculated

CVE-2016-3420
CONFIRM(link is external)
oracle -- supply_chain_products_suite Unspecified vulnerability in the Oracle Complex Maintenance, Repair, and Overhaul component in Oracle Supply Chain Products Suite 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Dialog Box. 2016-04-21

Not yet calculated

CVE-2016-3456
CONFIRM(link is external)
oracle -- supply_chain_products_suite Unspecified vulnerability in the Oracle Configurator component in Oracle Supply Chain Products Suite 12.0.6, 12.1, and 12.2 allows remote attackers to affect confidentiality and integrity via vectors related to JRAD Heartbeat. 2016-04-21

Not yet calculated

CVE-2016-3438
CONFIRM(link is external)
oracle -- virtualization_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 5.0.18 allows local users to affect confidentiality, integrity, and availability via vectors related to Core. 2016-04-21

Not yet calculated

CVE-2016-0678
CONFIRM(link is external)
samba -- dce-rpc_layer Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not properly implement the DCE-RPC layer, which allows remote attackers to perform protocol-downgrade attacks, cause a denial of service (application crash or CPU consumption), or possibly execute arbitrary code on a client system via unspecified vectors. 2016-04-24

Not yet calculated

CVE-2015-5370
CONFIRM
samba -- ldap_client_library The bundled LDAP client library in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize the "client ldap sasl wrapping" setting, which allows man-in-the-middle attackers to perform LDAP protocol-downgrade attacks by modifying the client-server data stream. 2016-04-24

Not yet calculated

CVE-2016-2112
CONFIRM
samba -- netlogon The NETLOGON service in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2, when a domain controller is configured, allows remote attackers to spoof the computer name of a secure channel's endpoint, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic, a related issue to CVE-2015-0005. 2016-04-24

Not yet calculated

CVE-2016-2111
CONFIRM
samba -- ntlmssp The NTLMSSP authentication implementation in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 allows man-in-the-middle attackers to perform protocol-downgrade attacks by modifying the client-server data stream to remove application-layer flags or encryption settings, as demonstrated by clearing the NTLMSSP_NEGOTIATE_SEAL or NTLMSSP_NEGOTIATE_SIGN option to disrupt LDAP security. 2016-04-24

Not yet calculated

CVE-2016-2110
CONFIRM
samba -- samba Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not require SMB signing within a DCERPC session over ncacn_np, which allows man-in-the-middle attackers to spoof SMB clients by modifying the client-server data stream. 2016-04-24

Not yet calculated

CVE-2016-2115
CONFIRM
samba -- smbl_protocol_implementation The SMB1 protocol implementation in Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize the "server signing = mandatory" setting, which allows man-in-the-middle attackers to spoof SMB servers by modifying the client-server data stream. 2016-04-24

Not yet calculated

Not yet calculated

CVE-2016-2114
CONFIRM
samba -- tls_servers Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof LDAPS and HTTPS servers and obtain sensitive information via a crafted certificate. 2016-04-24

Not yet calculated

CVE-2016-2113
CONFIRM
symantec -- management_agent The Inventory Solution component in the Management Agent in the client in Symantec Altiris IT Management Suite (ITMS) through 7.6 HF7 allows local users to bypass intended application-blacklist restrictions via unspecified vectors. 2016-04-20

Not yet calculated

CVE-2016-2202
CONFIRM(link is external)
BID(link is external)
symantec -- messaging_gateway_(smg)_appliance The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to discover an encrypted AD password by leveraging certain read privileges. 2016-04-22

Not yet calculated

CVE-2016-2203
CONFIRM(link is external)
BID(link is external)
symantec -- messaging_gateway_(smg)_appliance The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to obtain root-shell access via crafted terminal-window input. 2016-04-22

Not yet calculated

CVE-2016-2204
CONFIRM(link is external)
BID(link is external)
systemd_ tmpfiles.d/systemd.conf tmpfiles.d/systemd.conf in systemd before 229 uses weak permissions for /var/log/journal/%m/system.journal, which allows local users to obtain sensitive information by reading the file. 2016-04-20

Not yet calculated

CVE-2015-8842
CONFIRM(link is external)
CONFIRM(link is external)
MLIST(link is external)
MLIST(link is external)
SUSE
systemd_tmpfiles.d/systemd.conf tmpfiles.d/systemd.conf in systemd before 214 uses weak permissions for journal files under (1) /run/log/journal/%m and (2) /var/log/journal/%m, which allows local users to obtain sensitive information by reading these files. 2016-04-20

Not yet calculated

CVE-2014-9770
CONFIRM(link is external)
MLIST(link is external)
MLIST(link is external)
SUSE
wireshark -- epan/dissectors/packet-gsm_cbch.c_in_the_gsm_cbch_dissector epan/dissectors/packet-gsm_cbch.c in the GSM CBCH dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses the wrong variable to index an array, which allows remote attackers to cause a denial of service (out-of-bounds access and application crash) via a crafted packet. 2016-04-25

Not yet calculated

CVE-2016-4082
CONFIRM
CONFIRM
CONFIRM
wireshark -- epan/dissectors/packet-iax2.c_in_the_iax2_dissector epan/dissectors/packet-iax2.c in the IAX2 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 uses an incorrect integer data type, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. 2016-04-25

Not yet calculated

CVE-2016-4081
CONFIRM
CONFIRM
CONFIRM
wireshark -- epan/dissectors/packet-mswsp.c_in_the_ms-wsp Integer signedness error in epan/dissectors/packet-mswsp.c in the MS-WSP dissector in Wireshark 2.0.x before 2.0.3 allows remote attackers to cause a denial of service (integer overflow and application crash) via a crafted packet that triggers an unexpected array size. 2016-04-25

Not yet calculated

CVE-2016-4084
CONFIRM
CONFIRM
CONFIRM
wireshark -- epan/dissectors/packet-mswsp.c_in_the_ms-wsp_dissector epan/dissectors/packet-mswsp.c in the MS-WSP dissector in Wireshark 2.0.x before 2.0.3 does not ensure that data is available before array allocation, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. 2016-04-25

Not yet calculated

CVE-2016-4083
CONFIRM
CONFIRM
CONFIRM
wireshark -- epan/dissectors/packet-ncp2222.inc epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 2.0.x before 2.0.3 does not properly initialize memory for search patterns, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. 2016-04-25

Not yet calculated

CVE-2016-4076
CONFIRM
CONFIRM
CONFIRM
wireshark -- epan/dissectors/packet-ncp2222.inc_in_the_ncp_dissector Stack-based buffer overflow in epan/dissectors/packet-ncp2222.inc in the NCP dissector in Wireshark 1.12.x before 1.12.11 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long string in a packet. 2016-04-25

Not yet calculated

CVE-2016-4085
CONFIRM
CONFIRM
CONFIRM
wireshark -- epan/dissectors/packet-pktc.c_in_the_pktc_dissector epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not verify BER identifiers, which allows remote attackers to cause a denial of service (out-of-bounds write and application crash) via a crafted packet. 2016-04-25

Not yet calculated

CVE-2016-4079
CONFIRM
CONFIRM
CONFIRM
wireshark -- epan/dissectors/packet-pktc.c_in_the_pktc_dissector epan/dissectors/packet-pktc.c in the PKTC dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 misparses timestamp fields, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet. 2016-04-25

Not yet calculated

CVE-2016-4080
CONFIRM
CONFIRM
CONFIRM
wireshark -- epan/proto.c epan/proto.c in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not limit the protocol-tree depth, which allows remote attackers to cause a denial of service (stack memory consumption and application crash) via a crafted packet. 2016-04-25

Not yet calculated

CVE-2016-4006
CONFIRM
CONFIRM
CONFIRM
wireshark -- epan/reassemble.c_in_tshark epan/reassemble.c in TShark in Wireshark 2.0.x before 2.0.3 relies on incorrect special-case handling of truncated Tvb data structures, which allows remote attackers to cause a denial of service (use-after-free and application crash) via a crafted packet. 2016-04-25

Not yet calculated

CVE-2016-4077
CONFIRM
MISC(link is external)
CONFIRM
CONFIRM
wireshark -- ieee_802.11_dissector The IEEE 802.11 dissector in Wireshark 1.12.x before 1.12.11 and 2.0.x before 2.0.3 does not properly restrict element lists, which allows remote attackers to cause a denial of service (deep recursion and application crash) via a crafted packet, related to epan/dissectors/packet-capwap.c and epan/dissectors/packet-ieee80211.c. 2016-04-25

Not yet calculated

CVE-2016-4078
CONFIRM
CONFIRM
CONFIRM
CONFIRM

 

기사원문확인하기: [US-CERT: Bulletin(SB16-116)] 2016년 4월 18일까지 발표된 보안 취약점