2016 VULNERABILITY DATABASE
Summary: The chat feature in the Real-Time Collaboration (RTC) services in SAP NetWeaver Java AS 7.4 allows remote attackers to obtain sensitive user information via unspecified vectors related to WD_CHAT, aka SAP Security Note 2255990.
Published: 4/7/2016 3:59:04 PM
CVSS Severity: v3 - 7.5 HIGH v2 - 5.0 MEDIUM
Summary: QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption.
Published: 4/7/2016 3:59:03 PM
CVSS Severity: v3 - 5.9 MEDIUM v2 - 1.9 LOW
Summary: The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO privilege to cause a denial of service (out-of-bounds read or write access and process crash) or potentially execute arbitrary code via an invalid current entry value in a firmware configuration.
Published: 4/7/2016 3:59:02 PM
CVSS Severity: v3 - 8.1 HIGH v2 - 6.9 MEDIUM
Summary: The web-based administration console in Apache ActiveMQ 5.x before 5.13.2 does not send an X-Frame-Options HTTP header, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web page that contains a (1) FRAME or (2) IFRAME element.
Published: 4/7/2016 3:59:01 PM
CVSS Severity: v3 - 6.1 MEDIUM v2 - 4.3 MEDIUM
Summary: Huawei Sophia-L10 smartphones with software before P7-L10C900B852 allow attackers to cause a denial of service (system panic) via a crafted application with the system or camera privilege.
Published: 4/7/2016 3:59:00 PM
Summary: Squid 3.x before 3.5.16 and 4.x before 4.0.8 improperly perform bounds checking, which allows remote attackers to cause a denial of service via a crafted HTTP response, related to Vary headers.
Published: 4/7/2016 2:59:01 PM
CVSS Severity: v3 - 7.5 HIGH v2 - 5.0 MEDIUM
Summary: Heap-based buffer overflow in the Icmp6::Recv function in icmp/Icmp6.cc in the pinger in Squid before 3.5.16 and 4.x before 4.0.8 allows remote servers to cause a denial of service (performance degradation or transition failures) or write sensitive information to log files via an ICMPv6 packet.
Published: 4/7/2016 2:59:00 PM
CVSS Severity: v3 - 8.2 HIGH v2 - 7.5 HIGH
Summary: NetApp Clustered Data ONTAP 8.3.1 does not properly verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Published: 4/7/2016 6:59:02 AM
CVSS Severity: v3 - 6.8 MEDIUM v2 - 5.8 MEDIUM
Summary: Adobe Flash Player 21.0.0.197 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unspecified vectors, as exploited in the wild in April 2016.
Published: 4/7/2016 6:59:01 AM
CVSS Severity: v3 - 9.8 CRITICAL v2 - 10.0 HIGH
Summary: EMC Documentum D2 before 4.6 lacks intended ACLs for configuration objects, which allows remote authenticated users to modify objects via unspecified vectors.
Published: 4/7/2016 6:59:00 AM
CVSS Severity: v3 - 8.8 HIGH v2 - 9.0 HIGH
Summary: Stack-based buffer overflow in Pro-face GP-Pro EX EX-ED before 4.05.000, PFXEXEDV before 4.05.000, PFXEXEDLS before 4.05.000, and PFXEXGRPLS before 4.05.000 allows remote attackers to execute arbitrary code via unspecified vectors.
Published: 4/6/2016 7:59:18 PM
CVSS Severity: v3 - 6.5 MEDIUM v2 - 4.3 MEDIUM
Summary: Pro-face GP-Pro EX EX-ED before 4.05.000, PFXEXEDV before 4.05.000, PFXEXEDLS before 4.05.000, and PFXEXGRPLS before 4.05.000 allow remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read) via unspecified vectors.
Published: 4/6/2016 7:59:17 PM
CVSS Severity: v3 - 6.5 MEDIUM v2 - 4.3 MEDIUM
Summary: Heap-based buffer overflow in Pro-face GP-Pro EX EX-ED before 4.05.000, PFXEXEDV before 4.05.000, PFXEXEDLS before 4.05.000, and PFXEXGRPLS before 4.05.000 allows remote attackers to execute arbitrary code via unspecified vectors.
Published: 4/6/2016 7:59:16 PM
CVSS Severity: v3 - 8.8 HIGH v2 - 6.8 MEDIUM
Summary: IAB.exe in Rockwell Automation Integrated Architecture Builder (IAB) before 9.6.0.8 and 9.7.x before 9.7.0.2 allows remote attackers to execute arbitrary code via a crafted project file.
Published: 4/6/2016 7:59:15 PM
CVSS Severity: v3 - 6.3 MEDIUM v2 - 6.9 MEDIUM
Summary: Eaton Lighting EG2 Web Control 4.04P and earlier allows remote attackers to have an unspecified impact via a modified cookie.
Published: 4/6/2016 7:59:14 PM
CVSS Severity: v3 - 7.5 HIGH v2 - 5.0 MEDIUM
Summary: The kernel in Cisco TelePresence Server 3.0 through 4.2(4.18) on Mobility Services Engine (MSE) 8710 devices allows remote attackers to cause a denial of service (panic and reboot) via a crafted sequence of IPv6 packets, aka Bug ID CSCuu46673.
Published: 4/6/2016 7:59:13 PM
CVSS Severity: v3 - 5.9 MEDIUM v2 - 7.1 HIGH
Summary: Cisco UCS Invicta C3124SA Appliance 4.3.1 through 5.0.1, UCS Invicta Scaling System and Appliance, and Whiptail Racerunner improperly store a default SSH private key, which allows remote attackers to obtain root access via unspecified vectors, aka Bug ID CSCun71294.
Published: 4/6/2016 7:59:12 PM
CVSS Severity: v3 - 9.8 CRITICAL v2 - 10.0 HIGH
Summary: Cisco Prime Infrastructure 1.2.0 through 2.2(2) and Cisco Evolved Programmable Network Manager (EPNM) 1.2 allow remote attackers to execute arbitrary code via crafted deserialized data in an HTTP POST request, aka Bug ID CSCuw03192.
Published: 4/6/2016 7:59:11 PM
CVSS Severity: v3 - 9.8 CRITICAL v2 - 9.3 HIGH
Summary: The web API in Cisco Prime Infrastructure 1.2.0 through 2.2(2) and Cisco Evolved Programmable Network Manager (EPNM) 1.2 allows remote authenticated users to bypass intended RBAC restrictions and gain privileges via an HTTP request that is inconsistent with a pattern filter, aka Bug ID CSCuy10227.
Published: 4/6/2016 7:59:10 PM
CVSS Severity: v3 - 8.1 HIGH v2 - 5.5 MEDIUM
Summary: Cross-site request forgery (CSRF) vulnerability in the Menubook plugin before 0.9.3 for baserCMS allows remote attackers to hijack the authentication of administrators.
Published: 4/6/2016 7:59:09 PM
CVSS Severity: v3 - 8.8 HIGH v2 - 6.8 MEDIUM