2016 VULNERABILITY DATABASE 

 

 

 

 

CVE-2016-1013

Summary: Use-after-free vulnerability in Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0.0.213 on Windows and OS X and before 11.2.202.616 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-1011, CVE-2016-1016, CVE-2016-1017, and CVE-2016-1031.

Published: 4/8/2016 9:59:29 PM

 

CVSS Severity: v3 - 9.8 CRITICAL      v2 - 10.0 HIGH

 

CVE-2016-1012

Summary: Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0.0.213 on Windows and OS X and before 11.2.202.616 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-1020, CVE-2016-1021, CVE-2016-1022, CVE-2016-1023, CVE-2016-1024, CVE-2016-1025, CVE-2016-1026, CVE-2016-1027, CVE-2016-1028, CVE-2016-1029, CVE-2016-1032, and CVE-2016-1033.

Published: 4/8/2016 9:59:28 PM

 

CVSS Severity: v3 - 9.8 CRITICAL      v2 - 10.0 HIGH

 

CVE-2016-1011

Summary: Use-after-free vulnerability in Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0.0.213 on Windows and OS X and before 11.2.202.616 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-1013, CVE-2016-1016, CVE-2016-1017, and CVE-2016-1031.

Published: 4/8/2016 9:59:27 PM

 

CVSS Severity: v3 - 9.8 CRITICAL      v2 - 10.0 HIGH

 

CVE-2016-1006

Summary: Adobe Flash Player before 18.0.0.343 and 19.x through 21.x before 21.0.0.213 on Windows and OS X and before 11.2.202.616 on Linux allows attackers to bypass the ASLR protection mechanism via JIT data.

Published: 4/8/2016 9:59:26 PM

 

CVE-2016-3984

Summary: McAfee Active Response (MAR) before 1.1.0.161, Agent (MA) 5.x before 5.0.2 Hotfix 1110392 (5.0.2.333), Data Exchange Layer 2.x (DXL) before 2.0.1.140.1, Data Loss Prevention Endpoint (DLPe) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Device Control (MDC) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Endpoint Security (ENS) 10.x before 10.1, Host Intrusion Prevention Service (IPS) 8.0 before 8.0.0.3624, and VirusScan Enterprise (VSE) 8.8 before P7 (8.8.0.1528) on Windows allow local administrators to bypass intended self-protection rules and modify registry keys and files via unspecified vectors.

Published: 4/8/2016 11:59:10 AM

 

CVE-2016-3983

Summary: McAfee Advanced Threat Defense (ATD) before 3.4.8.178 might allow remote attackers to bypass malware detection by leveraging information about the parent process.

Published: 4/8/2016 11:59:09 AM

 

CVSS Severity: v3 - 7.5 HIGH      v2 - 5.0 MEDIUM

 

CVE-2016-3963

Summary: Siemens SCALANCE S613 allows remote attackers to cause a denial of service (web-server outage) via traffic to TCP port 443.

Published: 4/8/2016 11:59:08 AM

 

CVSS Severity: v3 - 5.3 MEDIUM      v2 - 5.0 MEDIUM

 

CVE-2016-2513

Summary: The password hasher in contrib/auth/hashers.py in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to enumerate users via a timing attack involving login requests.

Published: 4/8/2016 11:59:07 AM

 

CVSS Severity: v3 - 3.1 LOW      v2 - 2.6 LOW

 

CVE-2016-2512

Summary: The utils.http.is_safe_url function in Django before 1.8.10 and 1.9.x before 1.9.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or possibly conduct cross-site scripting (XSS) attacks via a URL containing basic authentication, as demonstrated by http://mysite.example.com\@attacker.com.

Published: 4/8/2016 11:59:06 AM

 

CVSS Severity: v3 - 7.4 HIGH      v2 - 4.3 MEDIUM

 

CVE-2016-2381

Summary: Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.

Published: 4/8/2016 11:59:05 AM

 

CVE-2016-1375

Summary: Cross-site scripting (XSS) vulnerability in Cisco IP Interoperability and Collaboration System 4.10(1) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuy12339.

Published: 4/8/2016 11:59:04 AM

 

CVE-2016-1180

Summary: Cross-site scripting (XSS) vulnerability in the Cyber-Will Social-button Premium plugin before 1.1 for EC-CUBE 2.13.x allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: 4/8/2016 11:59:02 AM

 

CVE-2015-5969

Summary: The mysql-systemd-helper script in the mysql-community-server package before 5.6.28-2.17.1 in openSUSE 13.2 and before 5.6.28-13.1 in openSUSE Leap 42.1 and the mariadb package before 10.0.22-2.21.2 in openSUSE 13.2 and before 10.0.22-3.1 in SUSE Linux Enterprise (SLE) 12.1 and openSUSE Leap 42.1 allows local users to discover database credentials by listing a process and its arguments.

Published: 4/8/2016 11:59:01 AM

 

CVE-2015-5229

Summary: The calloc function in the glibc package in Red Hat Enterprise Linux (RHEL) 6.7 and 7.2 does not properly initialize memory areas, which might allow context-dependent attackers to cause a denial of service (hang or crash) via unspecified vectors.

Published: 4/8/2016 11:59:00 AM

 

CVE-2016-3980

Summary: The Java Startup Framework (aka jstart) in SAP JAVA AS 7.4 allows remote attackers to cause a denial of service via a crafted HTTP request, aka SAP Security Note 2259547.

Published: 4/8/2016 10:59:09 AM

 

CVE-2016-3979

Summary: Internet Communication Manager (aka ICMAN or ICM) in SAP JAVA AS 7.4 allows remote attackers to cause a denial of service via a crafted HTTP request, aka SAP Security Note 2256185.

Published: 4/8/2016 10:59:08 AM

 

CVE-2016-3978

Summary: The Web User Interface (WebUI) in FortiOS 5.0.x before 5.0.13, 5.2.x before 5.2.3, and 5.4.x before 5.4.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks or cross-site scripting (XSS) attacks via the "redirect" parameter to "login."

Published: 4/8/2016 10:59:07 AM

 

CVE-2016-3188

Summary: The _prepopulate_request_walk function in the Prepopulate module 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to modify the (1) actions, (2) container, (3) token, (4) password, (5) password_confirm, (6) text_format, or (7) markup field type, and consequently have unspecified impact, via unspecified vectors.

Published: 4/8/2016 10:59:06 AM

 

CVE-2016-3187

Summary: The Prepopulate module 7.x-2.x before 7.x-2.1 for Drupal allows remote attackers to modify the REQUEST superglobal array, and consequently have unspecified impact, via a base64-encoded pp parameter.

Published: 4/8/2016 10:59:05 AM

 

CVE-2016-3154

Summary: The encoder_contexte_ajax function in ecrire/inc/filtres.php in SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object.

Published: 4/8/2016 10:59:04 AM

 

CVE-2016-3153

Summary: SPIP 2.x before 2.1.19, 3.0.x before 3.0.22, and 3.1.x before 3.1.1 allows remote attackers to execute arbitrary PHP code by adding content, related to the filtrer_entites function.

Published: 4/8/2016 10:59:03 AM

 

CVE-2016-2324

Summary: Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow.

Published: 4/8/2016 10:59:02 AM

 

CVSS Severity: v3 - 9.8 CRITICAL      v2 - 10.0 HIGH

 

CVE-2016-2315

Summary: revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow.

Published: 4/8/2016 10:59:01 AM

 

CVSS Severity: v3 - 9.8 CRITICAL      v2 - 10.0 HIGH

 

CVE-2015-6541

Summary: Multiple cross-site request forgery (CSRF) vulnerabilities in the Mail interface in Zimbra Collaboration Server (ZCS) before 8.5 allow remote attackers to hijack the authentication of arbitrary users for requests that change account preferences via a SOAP request to service/soap/BatchRequest.

Published: 4/8/2016 10:59:00 AM

 

CVSS Severity: v3 - 8.8 HIGH      v2 - 6.8 MEDIUM

 

CVE-2015-8840

Summary: The XML Data Archiving Service (XML DAS) in SAP NetWeaver AS Java does not check authorization, which allows remote authenticated users to obtain sensitive information, gain privileges, or possibly have unspecified other impact via requests to (1) webcontent/cas/cas_enter.jsp, (2) webcontent/cas/cas_validate.jsp, or (3) webcontent/aas/aas_store.jsp, aka SAP Security Note 1945215.

Published: 4/7/2016 8:59:00 PM

 

CVSS Severity: v3 - 6.3 MEDIUM      v2 - 6.5 MEDIUM

 

CVE-2016-3976

Summary: Directory traversal vulnerability in SAP NetWeaver AS Java 7.4 allows remote attackers to read arbitrary files via directory traversal sequences in unspecified vectors related to CrashFileDownloadServlet, aka SAP Security Note 2234971.

Published: 4/7/2016 7:59:10 PM

 

CVSS Severity: v3 - 7.5 HIGH      v2 - 5.0 MEDIUM

 

CVE-2016-2851

Summary: Integer overflow in proto.c in libotr before 4.1.1 on 64-bit platforms allows remote attackers to cause a denial of service (memory corruption and application crash) or execute arbitrary code via a series of large OTR messages, which triggers a heap-based buffer overflow.

Published: 4/7/2016 7:59:09 PM

 

CVSS Severity: v3 - 9.8 CRITICAL      v2 - 7.5 HIGH

 

CVE-2016-2789

Summary: Cross-site scripting (XSS) vulnerability in the Web User Interface in Citrix XenMobile Server 10.0, 10.1 before Rolling Patch 4, and 10.3 before Rolling Patch 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: 4/7/2016 7:59:08 PM

 

CVSS Severity: v3 - 6.1 MEDIUM      v2 - 4.3 MEDIUM

 

CVE-2016-2563

Summary: Stack-based buffer overflow in the SCP command-line utility in PuTTY before 0.67 and KiTTY 0.66.6.3 and earlier allows remote servers to cause a denial of service (stack memory corruption) or execute arbitrary code via a crafted SCP-SINK file-size response to an SCP download request.

Published: 4/7/2016 7:59:07 PM

 

CVSS Severity: v3 - 9.8 CRITICAL      v2 - 7.5 HIGH

 

CVE-2016-2098

Summary: Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.

Published: 4/7/2016 7:59:06 PM

 

CVSS Severity: v3 - 7.3 HIGH      v2 - 7.5 HIGH

 

CVE-2016-2097

Summary: Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.

Published: 4/7/2016 7:59:05 PM

 

CVSS Severity: v3 - 5.3 MEDIUM      v2 - 5.0 MEDIUM

 

 

 

 <<< New  Older >>>