CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In January 2016(Gain Information)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2016-1939 200 +Info 2016-01-31 2018-10-30
5.0
None Remote Low Not required Partial None None
Mozilla Firefox before 44.0 stores cookies with names containing vertical tab characters, which allows remote attackers to obtain sensitive information by reading HTTP Cookie headers. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-7208.
2 CVE-2016-1910 200 +Info 2016-01-15 2018-12-10
5.0
None Remote Low Not required Partial None None
The User Management Engine (UME) in SAP NetWeaver 7.4 allows attackers to decrypt unspecified data via unknown vectors, aka SAP Security Note 2191290.
3 CVE-2016-1903 119 DoS Overflow +Info 2016-01-19 2018-01-05
6.4
None Remote Low Not required Partial None Partial
The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a large bgd_color argument to the imagerotate function.
4 CVE-2016-1898 200 +Info 2016-01-15 2018-10-30
4.3
None Remote Medium Not required Partial None None
FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the subfile protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains an arbitrary line of a local file.
5 CVE-2016-1897 200 +Info 2016-01-15 2018-10-30
4.3
None Remote Medium Not required Partial None None
FFmpeg 2.x allows remote attackers to conduct cross-origin attacks and read arbitrary files by using the concat protocol in an HTTP Live Streaming (HLS) M3U8 file, leading to an external HTTP request in which the URL string contains the first line of a local file.
6 CVE-2016-1617 200 +Info 2016-01-25 2016-12-07
4.3
None Remote Medium Not required Partial None None
The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before 48.0.2564.82, does not apply http policies to https URLs and does not apply ws policies to wss URLs, which makes it easier for remote attackers to determine whether a specific HSTS web site has been visited by reading a CSP report.
7 CVE-2016-1614 200 +Info 2016-01-25 2016-12-07
4.3
None Remote Medium Not required Partial None None
The UnacceleratedImageBufferSurface class in WebKit/Source/platform/graphics/UnacceleratedImageBufferSurface.cpp in Blink, as used in Google Chrome before 48.0.2564.82, mishandles the initialization mode, which allows remote attackers to obtain sensitive information from process memory via a crafted web site.
8 CVE-2016-1570 20 DoS +Priv +Info 2016-01-22 2018-10-30
6.9
None Local Medium Not required Complete Complete Complete
The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates.
9 CVE-2016-1501 200 +Info 2016-01-08 2016-01-12
4.0
None Remote Low ??? Partial None None
ownCloud Server before 8.0.9 and 8.1.x before 8.1.4 allow remote authenticated users to obtain sensitive information via unspecified vectors, which reveals the installation path in the resulting exception messages.
10 CVE-2016-1500 200 +Info 2016-01-08 2016-01-12
3.5
None Remote Medium ??? Partial None None
ownCloud Server before 7.0.12, 8.0.x before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2, when the "file_versions" application is enabled, does not properly check the return value of getOwner, which allows remote authenticated users to read the files with names starting with ".v" and belonging to a sharing user by leveraging an incoming share.
11 CVE-2016-1499 200 DoS +Info 2016-01-08 2018-10-09
7.5
None Remote Low ??? Partial None Complete
ownCloud Server before 8.0.10, 8.1.x before 8.1.5, and 8.2.x before 8.2.2 allow remote authenticated users to obtain sensitive information from a directory listing and possibly cause a denial of service (CPU consumption) via the force parameter to index.php/apps/files/ajax/scan.php.
12 CVE-2016-1490 200 +Info 2016-01-26 2018-10-09
2.7
None Local Network Low ??? Partial None None
The Wifi hotspot in Lenovo SHAREit before 3.2.0 for Windows allows remote attackers to obtain sensitive file names via a crafted file request to /list.
13 CVE-2016-1489 200 +Info 2016-01-26 2018-10-09
4.3
None Local Network Medium Not required Partial Partial None
Lenovo SHAREit before 3.2.0 for Windows and SHAREit before 3.5.48_ww for Android transfer files in cleartext, which allows remote attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors.
14 CVE-2016-1295 200 +Info 2016-01-16 2016-12-07
5.0
None Remote Low Not required Partial None None
Cisco Adaptive Security Appliance (ASA) Software 8.4 allows remote attackers to obtain sensitive information via an AnyConnect authentication attempt, aka Bug ID CSCuo65775.
15 CVE-2016-0867 200 Bypass +Info 2016-01-30 2016-03-01
7.8
None Remote Low Not required Complete None None
CAREL PlantVisorEnhanced allows remote attackers to bypass intended access restrictions via a direct file request.
16 CVE-2016-0853 200 +Info 2016-01-15 2016-01-21
5.0
None Remote Low Not required Partial None None
Advantech WebAccess before 8.1 allows remote attackers to obtain sensitive information via crafted input.
17 CVE-2016-0777 200 +Info 2016-01-14 2019-12-27
4.0
None Remote Low ??? Partial None None
The resend_bytes function in roaming_common.c in the client in OpenSSH 5.x, 6.x, and 7.x before 7.1p2 allows remote servers to obtain sensitive information from process memory by requesting transmission of an entire buffer, as demonstrated by reading a private key.
18 CVE-2016-0201 200 +Info 2016-01-18 2016-12-07
4.3
None Remote Medium Not required Partial None None
GSKit in IBM Security Network Protection 5.3.1 before 5.3.1.7 and 5.3.2 allows remote attackers to discover credentials by triggering an MD5 collision.
19 CVE-2016-0012 200 Bypass +Info 2016-01-13 2018-10-12
4.3
None Remote Medium Not required Partial None None
Microsoft Office 2007 SP3, Excel 2007 SP3, PowerPoint 2007 SP3, Visio 2007 SP3, Word 2007 SP3, Office 2010 SP2, Excel 2010 SP2, PowerPoint 2010 SP2, Visio 2010 SP2, Word 2010 SP2, Office 2013 SP1, Excel 2013 SP1, PowerPoint 2013 SP1, Visio 2013 SP1, Word 2013 SP1, Excel 2013 RT SP1, PowerPoint 2013 RT SP1, Word 2013 RT SP1, Office 2016, Excel 2016, PowerPoint 2016, Visio 2016, Word 2016, and Visual Basic 6.0 Runtime allow remote attackers to bypass the ASLR protection mechanism via unspecified vectors, aka "Microsoft Office ASLR Bypass."
20 CVE-2016-0008 200 Bypass +Info 2016-01-13 2019-05-15
4.3
None Remote Medium Not required Partial None None
The graphics device interface in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to bypass the ASLR protection mechanism via unspecified vectors, aka "Windows GDI32.dll ASLR Bypass Vulnerability."
21 CVE-2015-8792 119 Overflow +Info 2016-01-29 2018-10-30
5.0
None Remote Low Not required Partial None None
The KaxInternalBlock::ReadData function in libMatroska before 1.4.4 allows context-dependent attackers to obtain sensitive information from process heap memory via crafted EBML lacing, which triggers an invalid memory access.
22 CVE-2015-8791 200 +Info 2016-01-29 2016-12-03
4.3
None Remote Medium Not required Partial None None
The EbmlElement::ReadCodedSizeValue function in libEBML before 1.3.3 allows context-dependent attackers to obtain sensitive information from process heap memory via a crafted length value in an EBML id, which triggers an invalid memory access.
23 CVE-2015-8790 200 +Info 2016-01-29 2017-01-20
4.3
None Remote Medium Not required Partial None None
The EbmlUnicodeString::UpdateFromUTF8 function in libEBML before 1.3.3 allows context-dependent attackers to obtain sensitive information from process heap memory via a crafted UTF-8 string, which triggers an invalid memory access.
24 CVE-2015-8772 19 DoS +Info 2016-01-29 2016-03-04
8.5
None Remote Low Not required Partial None Complete
McPvDrv.sys 4.6.111.0 in McAfee File Lock 5.x in McAfee Total Protection allows local users to obtain sensitive information from kernel memory or cause a denial of service (system crash) via a large VERIFY_INFORMATION.Length value in an IOCTL_DISK_VERIFY ioctl call.
25 CVE-2015-8749 200 +Info 2016-01-15 2018-11-16
4.3
None Remote Medium Not required Partial None None
The volume_utils._parse_volume_info function in OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty) includes the connection_info dictionary in the StorageError message when using the Xen backend, which might allow attackers to obtain sensitive password information by reading log files or other unspecified vectors.
26 CVE-2015-8675 255 +Info 2016-01-15 2016-01-21
2.1
None Local Low Not required Partial None None
Huawei S5300 Campus Series switches with software before V200R005SPH008 do not mask the password when uploading files, which allows physically proximate attackers to obtain sensitive password information by reading the display.
27 CVE-2015-8618 200 +Info 2016-01-27 2018-10-30
5.0
None Remote Low Not required Partial None None
The Int.Exp Montgomery code in the math/big library in Go 1.5.x before 1.5.3 mishandles carry propagation and produces incorrect output, which makes it easier for attackers to obtain private RSA keys via unspecified vectors.
28 CVE-2015-8509 200 +Info 2016-01-03 2016-12-07
4.3
None Remote Medium Not required Partial None None
Template.pm in Bugzilla 2.x, 3.x, and 4.x before 4.2.16, 4.3.x and 4.4.x before 4.4.11, and 4.5.x and 5.0.x before 5.0.2 does not properly construct CSV files, which allows remote attackers to obtain sensitive information by leveraging a web browser that interprets CSV data as JavaScript code.
29 CVE-2015-8481 200 +Info 2016-01-08 2016-01-13
3.5
None Remote Medium ??? Partial None None
Atlassian JIRA Software 7.0.3, JIRA Core 7.0.3, and the bundled JIRA Service Desk 3.0.3 installer attaches the wrong image to e-mail notifications when a user views an issue with inline wiki markup referencing an image attachment, which might allow remote attackers to obtain sensitive information by updating a different issue that includes wiki markup for an external image reference.
30 CVE-2015-8397 125 DoS +Info 2016-01-12 2021-01-21
6.4
None Remote Low Not required Partial None Partial
The JPEGLSCodec::DecodeExtent function in MediaStorageAndFileFormat/gdcmJPEGLSCodec.cxx in Grassroots DICOM (aka GDCM) before 2.6.2 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (application crash) via an embedded JPEG-LS image with dimensions larger than the selected region in a (1) two-dimensional or (2) three-dimensional DICOM image file, which triggers an out-of-bounds read.
31 CVE-2015-8335 200 +Info 2016-01-11 2016-01-11
4.0
None Remote Low ??? Partial None None
Huawei VCN500 with software before V100R002C00SPC201 logs passwords in cleartext, which allows remote authenticated users to obtain sensitive information by triggering log generation and then reading the log.
32 CVE-2015-8303 200 +Info 2016-01-08 2016-01-13
2.1
None Local Low Not required Partial None None
Huawei Document Security Management (DSM) with software before V100R002C05SPC661 does not clear the clipboard when closing a secure file, which allows local users to obtain sensitive information by pasting the contents to another file.
33 CVE-2015-8280 200 +Info 2016-01-15 2016-01-21
5.0
None Remote Low Not required Partial None None
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attackers to discover credentials by reading detailed error messages.
34 CVE-2015-7886 200 +Info 2016-01-18 2017-11-16
4.3
None Remote Medium Not required Partial None None
NetApp Data ONTAP before 8.2.4P1, when 7-Mode and HTTP access are enabled, allows remote attackers to obtain sensitive volume information via unspecified vectors.
35 CVE-2015-7548 200 +Info 2016-01-12 2018-11-16
2.1
None Remote High ??? Partial None None
OpenStack Compute (Nova) before 2015.1.3 (kilo) and 12.0.x before 12.0.1 (liberty), when using libvirt to spawn instances and use_cow_images is set to false, allow remote authenticated users to read arbitrary files by overwriting an instance disk with a crafted image and requesting a snapshot.
36 CVE-2015-7488 200 +Info 2016-01-27 2016-01-28
2.1
None Local Low Not required Partial None None
IBM Spectrum Scale 4.1.1.x before 4.1.1.4 and 4.2.x before 4.2.0.1, in certain LDAP File protocol configurations, allows remote attackers to discover an LDAP password via unspecified vectors.
37 CVE-2015-7487 200 +Info 2016-01-27 2016-01-28
4.9
None Local Low Not required Complete None None
IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.9 IFIX002, and 7.6.0 before 7.6.0.3 IFIX001; Maximo Asset Management 7.5.0 before 7.5.0.9 IFIX002, 7.5.1, and 7.6.0 before 7.6.0.3 IFIX001 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allow local users to obtain sensitive information by leveraging administrative privileges and reading log files.
38 CVE-2015-7470 200 +Info 2016-01-17 2016-01-21
5.0
None Remote Low Not required Partial None None
Report Builder in IBM Jazz Reporting Service (JRS) 5.x before 5.0.2-Rational-CLM-ifix011 and 6.0 before 6.0.0-Rational-CLM-ifix005 allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors, as demonstrated by login information.
39 CVE-2015-7456 200 +Info 2016-01-01 2016-01-06
4.0
None Remote Low ??? Partial None None
IBM Spectrum Scale 4.1.1 before 4.1.1.4, and 4.2.0.0, allows remote authenticated users to discover object-storage admin passwords via unspecified vectors.
40 CVE-2015-7452 200 +Info 2016-01-02 2016-01-06
4.0
None Remote Low ??? Partial None None
IBM Maximo Asset Management 7.5 before 7.5.0.9 FP9 and 7.6 before 7.6.0.3 FP3 and Maximo Asset Management 7.5 before 7.5.0.9 FP9, 7.5.1, and 7.6 before 7.6.0.3 FP3 for SmartCloud Control Desk allow remote authenticated users to obtain sensitive information via the REST API.
41 CVE-2015-7445 200 +Info 2016-01-01 2016-11-28
3.5
None Remote Medium ??? Partial None None
IBM Multi-Enterprise Integration Gateway 1.0 through 1.0.0.1 and B2B Advanced Communications 1.x before 1.0.0.4, when guest access is configured, allow remote authenticated users to obtain sensitive information by reading error messages in responses.
42 CVE-2015-7441 17 +Info 2016-01-01 2016-12-07
4.9
None Remote Medium ??? Partial Partial None
Remote Artifact Loader (RAL) in IBM WebSphere Process Server 7 and Business Process Manager Advanced 7.5 through 7.5.1.2, 8.0 through 8.0.1.3, 8.5.0 through 8.5.0.2, 8.5.5 through 8.5.5.0, and 8.5.6 through 8.5.6.2 does not properly use SSL for its HTTPS connection, which allows remote authenticated users to obtain sensitive information or modify data via unspecified vectors.
43 CVE-2015-7438 200 +Info 2016-01-02 2016-01-06
1.9
None Local Medium Not required Partial None None
IBM Sterling B2B Integrator 5.2 allows local users to obtain sensitive cleartext web-services information by leveraging database access.
44 CVE-2015-7437 200 +Info 2016-01-02 2016-01-07
2.1
None Local Low Not required Partial None None
Queue Watcher in IBM Sterling B2B Integrator 5.2 allows local users to obtain sensitive information via unspecified vectors.
45 CVE-2015-7429 200 +Info 2016-01-02 2016-11-28
4.0
None Remote Low ??? None Partial None
The Data Protection extension in the VMware GUI in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (aka Spectrum Protect for Virtual Environments) 7.1 before 7.1.4 and Tivoli Storage FlashCopy Manager for VMware (aka Spectrum Protect Snapshot) 4.1 before 4.1.4 allows remote authenticated users to restore arbitrary virtual machines and consequently obtain sensitive information by visiting the vSphere inventory.
46 CVE-2015-7421 200 +Info 2016-01-01 2016-12-07
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in GSKit on IBM MQ M2000 appliances before 8.0.0.4 allows remote attackers to obtain sensitive information via unknown vectors, a different vulnerability than CVE-2015-7420.
47 CVE-2015-7420 200 +Info 2016-01-01 2016-12-07
5.0
None Remote Low Not required Partial None None
Unspecified vulnerability in GSKit on IBM MQ M2000 appliances before 8.0.0.4 allows remote attackers to obtain sensitive information via unknown vectors, a different vulnerability than CVE-2015-7421.
48 CVE-2015-7410 17 +Info 2016-01-01 2016-11-28
5.8
None Remote Medium Not required Partial Partial None
The Health Check tool in IBM Sterling B2B Integrator 5.2 does not properly use cookies in conjunction with HTTPS sessions, which allows man-in-the-middle attackers to obtain sensitive information or modify data via unspecified vectors.
49 CVE-2015-7399 200 +Info 2016-01-11 2016-12-06
5.0
None Remote Low Not required Partial None None
IBM WebSphere Message Broker 7 before 7.0.0.8 and 8 before 8.0.0.6 and IBM Integration Bus 9 before 9.0.0.3 and 10 before 10.0.0.0 allow remote attackers to obtain sensitive information about the HTTP server via unspecified vectors.
50 CVE-2015-7396 264 Bypass +Info 2016-01-02 2016-01-07
5.5
None Remote Low ??? Partial Partial None
The Scheduler in IBM Maximo Asset Management 7.5 before 7.5.0.8 IF6 and 7.6 before 7.6.0.1 FP1 and Maximo Asset Management 7.5 before 7.5.0.8 IF6, 7.5.1, and 7.6 before 7.6.0.1 FP1 for SmartCloud Control Desk allows remote authenticated users to bypass intended access restrictions, and obtain sensitive information or modify data, via unspecified vectors.
Total number of vulnerabilities : 65   Page : 1 (This Page)2
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.