2016 VULNERABILITY DATABASE
CVE-2016-2868
Summary: IBM Security QRadar SIEM 7.2.x before 7.2.7 allows remote authenticated administrators to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Published: 7/2/2016 10:59:12 AM
CVSS Severity: v3 - 2.7 LOW v2 - 4.0 MEDIUM
CVE-2016-2867
Summary: IBM InfoSphere Streams before 4.0.1.2 and IBM Streams before 4.1.1.1 do not properly implement the runAsUser feature, which allows local users to obtain root group privileges via unspecified vectors.
Published: 7/2/2016 10:59:11 AM
CVSS Severity: v3 - 7.0 HIGH v2 - 6.9 MEDIUM
CVE-2016-2861
Summary: IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3, 7.1.1 before 7.1.1.1, 8.5 before 8.5.0.3, and 8.6 before 8.6.0.8 does not properly encrypt data, which makes it easier for remote attackers to obtain sensitive information by sniffing the network.
Published: 7/2/2016 10:59:10 AM
CVSS Severity: v3 - 3.7 LOW v2 - 4.3 MEDIUM
CVE-2016-1440
Summary: The proxy process on Cisco Web Security Appliance (WSA) devices through 9.1.0-070 allows remote attackers to cause a denial of service (CPU consumption) by establishing an FTP session and then improperly terminating the control connection after a file transfer, aka Bug ID CSCuy43468.
Published: 7/2/2016 10:59:09 AM
CVSS Severity: v3 - 5.3 MEDIUM v2 - 5.0 MEDIUM
CVE-2016-1416
Summary: Cisco Prime Collaboration Provisioning 10.6 SP2 (aka 10.6.0.10602) mishandles LDAP authentication, which allows remote attackers to obtain administrator privileges via a crafted login attempt, aka Bug ID CSCuv37513.
Published: 7/2/2016 10:59:08 AM
CVSS Severity: v3 - 9.8 CRITICAL v2 - 10.0 HIGH
CVE-2016-1408
Summary: Cisco Prime Infrastructure 1.2 through 3.1 and Evolved Programmable Network Manager (EPNM) 1.2 and 2.0 allow remote authenticated users to execute arbitrary commands or upload files via a crafted HTTP request, aka Bug ID CSCuz01488.
Published: 7/2/2016 10:59:07 AM
CVSS Severity: v3 - 8.8 HIGH v2 - 6.5 MEDIUM
CVE-2016-1289
Summary: The API in Cisco Prime Infrastructure 1.2 through 3.0 and Evolved Programmable Network Manager (EPNM) 1.2 allows remote attackers to execute arbitrary code or obtain sensitive management information via a crafted HTTP request, as demonstrated by discovering managed-device credentials, aka Bug ID CSCuy10231.
Published: 7/2/2016 10:59:06 AM
CVSS Severity: v3 - 9.8 CRITICAL v2 - 10.0 HIGH
CVE-2016-0400
Summary: CRLF injection vulnerability in IBM WebSphere eXtreme Scale 7.1.0 before 7.1.0.3, 7.1.1 before 7.1.1.1, 8.5 before 8.5.0.3, and 8.6 before 8.6.0.8 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL.
Published: 7/2/2016 10:59:05 AM
CVSS Severity: v3 - 6.1 MEDIUM v2 - 4.3 MEDIUM
CVE-2016-0399
Summary: Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5 before 7.5.0.9 IFIX007, and 7.6 before 7.6.0.5 FP005 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
Published: 7/2/2016 10:59:04 AM
CVSS Severity: v3 - 5.4 MEDIUM v2 - 3.5 LOW
CVE-2016-0398
Summary: IBM Cognos Analytics (CA) 11.0 before 11.0.2 allows remote attackers to conduct content-spoofing attacks via a crafted URL.
Published: 7/2/2016 10:59:03 AM
CVSS Severity: v3 - 4.3 MEDIUM v2 - 4.3 MEDIUM
CVE-2016-0391
Summary: The IBM Watson Developer Cloud services on Bluemix platforms do not properly generate random numbers for service-instance credentials, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
Published: 7/2/2016 10:59:02 AM
CVE-2016-0387
Summary: Cross-site scripting (XSS) vulnerability in IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.4, and 3.5 before 3.5.0.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL.
Published: 7/2/2016 10:59:01 AM
CVSS Severity: v3 - 5.4 MEDIUM v2 - 3.5 LOW
CVE-2016-0386
Summary: Cross-site request forgery (CSRF) vulnerability in IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.4, and 3.5 before 3.5.0.2 allows remote authenticated users to hijack the authentication of administrators for requests that delete employees.
Published: 7/2/2016 10:59:00 AM
CVSS Severity: v3 - 8.0 HIGH v2 - 6.0 MEDIUM
CVE-2016-0375
Summary: JMS Client in IBM MessageSight 1.1.x through 1.1.0.1, 1.2.x through 1.2.0.3, and 2.0.x through 2.0.0.0 allows remote authenticated users to obtain administrator privileges for executing arbitrary commands via unspecified vectors.
Published: 6/30/2016 9:59:04 PM
CVSS Severity: v3 - 8.8 HIGH v2 - 9.0 HIGH
CVE-2016-0374
Summary: The builder tools in IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.4, and 3.5 before 3.5.0.2 allow remote authenticated users to gain privileges for application modification via unspecified vectors.
Published: 6/30/2016 9:59:03 PM
CVSS Severity: v3 - 8.8 HIGH v2 - 6.5 MEDIUM
CVE-2016-0365
Summary: IBM UrbanCode Deploy 6.0.x before 6.0.1.13, 6.1.x before 6.1.3.3, and 6.2.x before 6.2.1.1, when agent-relay Codestation artifact caching is enabled, allows remote attackers to bypass authentication and obtain sensitive artifact information via unspecified vectors.
Published: 6/30/2016 9:59:02 PM
CVSS Severity: v3 - 5.9 MEDIUM v2 - 4.3 MEDIUM
CVE-2016-0364
Summary: IBM UrbanCode Deploy 6.0.x before 6.0.1.13, 6.1.x before 6.1.3.3, and 6.2.x before 6.2.1.1 does not properly implement a logging-obfuscation feature for secure properties, which allows remote authenticated users to obtain sensitive information via vectors involving special characters.
Published: 6/30/2016 9:59:01 PM
CVSS Severity: v3 - 4.3 MEDIUM v2 - 4.0 MEDIUM
CVE-2016-0362
Summary: IBM TRIRIGA Application Platform 3.3 before 3.3.2.6, 3.4 before 3.4.2.4, and 3.5 before 3.5.0.2 allows remote authenticated users to conduct server-side request forgery (SSRF) attacks, and trigger network traffic to arbitrary intranet or Internet hosts, via a crafted proxy request to a web service.
Published: 6/30/2016 9:59:00 PM
CVSS Severity: v3 - 7.7 HIGH v2 - 4.0 MEDIUM
CVE-2016-5307
Summary: Directory traversal vulnerability in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allows remote authenticated users to read arbitrary files in the web-root directory tree via unspecified vectors.
Published: 6/30/2016 7:59:18 PM
CVSS Severity: v3 - 4.3 MEDIUM v2 - 4.0 MEDIUM
CVE-2016-5306
Summary: Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 does not properly implement the HSTS protection mechanism, which makes it easier for remote attackers to obtain sensitive information by sniffing the network for unintended HTTP traffic on port 8445.
Published: 6/30/2016 7:59:17 PM
CVSS Severity: v3 - 5.3 MEDIUM v2 - 5.0 MEDIUM