CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 3 and 3.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
5901 CVE-2016-5473 2016-07-21 2017-09-01
3.5
None Remote Medium ??? Partial None None
Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote authenticated users to affect confidentiality via vectors related to File Folders / Attachment, a different vulnerability than CVE-2016-3537.
5902 CVE-2016-5464 2016-07-21 2017-09-01
3.5
None Remote Medium ??? None Partial None
Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote authenticated users to affect integrity via vectors related to SWSE Server, a different vulnerability than CVE-2016-5463.
5903 CVE-2016-5463 2016-07-21 2017-09-01
3.5
None Remote Medium ??? None Partial None
Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote authenticated users to affect integrity via vectors related to SWSE Server, a different vulnerability than CVE-2016-5464.
5904 CVE-2016-5398 79 XSS 2016-10-03 2016-10-04
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Business Process Editor in Red Hat JBoss BPM Suite before 6.3.3 allows remote authenticated users to inject arbitrary web script or HTML by levering permission to create business processes.
5905 CVE-2016-5395 79 XSS 2016-09-26 2016-09-27
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the create user functionality in the policy admin tool in Apache Ranger before 0.6.1 allows remote authenticated administrators to inject arbitrary web script or HTML via vectors related to policies.
5906 CVE-2016-5390 200 +Info 2016-08-19 2019-03-08
3.5
None Remote Medium ??? Partial None None
Foreman before 1.11.4 and 1.12.x before 1.12.1 allow remote authenticated users with the view_hosts permission containing a filter to obtain sensitive network interface information via a request to API routes beneath "hosts," as demonstrated by a GET request to api/v2/hosts/secrethost/interfaces.
5907 CVE-2016-5305 79 XSS 2016-06-30 2017-09-01
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in management scripts in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allow remote authenticated users to inject arbitrary web script or HTML via a "DOM link manipulation" attack.
5908 CVE-2016-5236 79 XSS 2019-07-01 2019-07-02
3.5
None Remote Medium ??? None Partial None
Cross-Site-Scripting (XSS) vulnerabilities in F5 WebSafe Dashboard 3.9.5 and earlier, aka F5 WebSafe Alert Server, allow privileged authenticated users to inject arbitrary web script or HTML when creating a new user, account or signature.
5909 CVE-2016-5087 264 2016-06-26 2016-06-28
3.6
None Local Low Not required None Partial Partial
Alertus Desktop Notification before 2.9.31.1710 on OS X uses weak permissions for configuration files and unspecified other files, which allows local users to suppress emergency notifications or change content via standard filesystem operations.
5910 CVE-2016-5005 79 XSS 2016-07-28 2019-04-16
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.3.9 and earlier allows remote authenticated administrators to inject arbitrary web script or HTML via the connector.sourceRepoId parameter to admin/addProxyConnector_commit.action.
5911 CVE-2016-4995 200 +Info 2016-08-19 2019-02-26
3.5
None Remote Medium ??? Partial None None
Foreman before 1.11.4 and 1.12.x before 1.12.1 does not properly restrict access to preview provisioning templates, which allows remote authenticated users with permission to view some hosts to obtain sensitive host configuration information via a URL with a hostname.
5912 CVE-2016-4888 79 XSS 2017-04-14 2017-05-13
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
5913 CVE-2016-4883 79 XSS 2017-05-12 2017-05-18
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
5914 CVE-2016-4880 79 XSS 2017-05-12 2017-05-18
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
5915 CVE-2016-4877 79 XSS 2017-05-12 2020-01-23
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors.
5916 CVE-2016-4874 284 2017-04-17 2017-04-20
3.5
None Remote Medium ??? None Partial None
Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to conduct a "reflected file download" attack.
5917 CVE-2016-4870 79 XSS 2017-04-17 2017-05-23
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the Schedule function.
5918 CVE-2016-4866 79 XSS 2017-04-17 2017-05-23
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows attackers with administrator rights to inject arbitrary web script or HTML via the Project function.
5919 CVE-2016-4865 79 XSS 2017-04-17 2017-05-23
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows attackers with administrator rights to inject arbitrary web script or HTML via the Customapp function.
5920 CVE-2016-4863 287 2017-05-22 2017-06-12
3.3
None Local Network Low Not required Partial None None
The Toshiba FlashAir SD-WD/WC series Class 6 model with firmware version 1.00.04 and later, FlashAir SD-WD/WC series Class 10 model W-02 with firmware version 2.00.02 and later, FlashAir SD-WE series Class 10 model W-03, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir II Class 10 model W-02 series with firmware version 2.00.02 and later, FlashAir III Class 10 model W-03 series, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir W-02 series Class 10 model with firmware version 2.00.02 and later, FlashAir W-03 series Class 10 model does not require authentication on accepting a connection from STA side LAN when "Internet pass-thru Mode" is enabled, which allows attackers with access to STA side LAN can obtain files or data.
5921 CVE-2016-4858 79 XSS 2017-05-12 2017-05-19
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk Enterprise 5.0.x prior to 5.0.16 and Splunk Light prior to 6.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
5922 CVE-2016-4856 79 XSS 2017-05-12 2017-05-19
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Splunk Enterprise 6.3.x prior to 6.3.5 and Splunk Light 6.3.x prior to 6.3.5 allows attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors.
5923 CVE-2016-4807 79 XSS 2017-01-11 2017-01-11
3.5
None Remote Medium ??? None Partial None
Web2py versions 2.14.5 and below was affected by Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on logged in user (admin).
5924 CVE-2016-4790 79 XSS 2016-05-26 2020-04-29
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the administrative user interface in Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r9, and 7.4 before 7.4r13.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
5925 CVE-2016-4686 264 2017-02-20 2017-07-29
3.6
None Local Low Not required Partial Partial None
An issue was discovered in certain Apple products. iOS before 10.1 is affected. The issue involves the "Contacts" component, which does not prevent an app's Address Book access after access revocation.
5926 CVE-2016-4652 264 DoS +Priv +Info 2016-07-22 2017-09-01
3.3
None Local Medium Not required Partial None Partial
CoreGraphics in Apple OS X before 10.11.6 allows local users to obtain sensitive information from kernel memory and consequently gain privileges, or cause a denial of service (out-of-bounds read), via unspecified vectors.
5927 CVE-2016-4635 200 +Info 2016-07-22 2017-09-01
3.5
None Remote Medium ??? Partial None None
FaceTime in Apple iOS before 9.3.3 and OS X before 10.11.6 allows man-in-the-middle attackers to spoof relayed-call termination, and obtain sensitive audio information in opportunistic circumstances, via unspecified vectors.
5928 CVE-2016-4534 264 Bypass 2016-05-05 2016-12-01
3.0
None Local Medium ??? None Partial Partial
The McAfee VirusScan Console (mcconsol.exe) in McAfee VirusScan Enterprise 8.8.0 before Hotfix 1123565 (8.8.0.1546) on Windows allows local administrators to bypass intended self-protection rules and unlock the console window by closing registry handles.
5929 CVE-2016-4525 +Info 2016-06-25 2016-06-28
3.3
None Local Medium Not required Partial Partial None
Unspecified ActiveX controls in Advantech WebAccess before 8.1_20160519 allow remote authenticated users to obtain sensitive information or modify data via unknown vectors, related to the INTERFACESAFE_FOR_UNTRUSTED_CALLER (aka safe for scripting) flag.
5930 CVE-2016-4474 200 +Info 2016-06-30 2021-08-04
3.3
None Local Network Low Not required Partial None None
The image build process for the overcloud images in Red Hat OpenStack Platform 8.0 (Liberty) director and Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) director (aka overcloud-full) use a default root password of ROOTPW, which allows attackers to gain access via unspecified vectors.
5931 CVE-2016-4454 119 DoS Overflow +Info 2016-06-01 2020-05-14
3.6
None Local Low Not required Partial None Partial
The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read.
5932 CVE-2016-4428 79 XSS 2016-07-12 2021-08-04
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.
5933 CVE-2016-4412 254 2016-12-11 2017-07-01
3.6
None Remote High ??? Partial Partial None
An issue was discovered in phpMyAdmin. A user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site. The attacker must sniff the user's valid phpMyAdmin token. All 4.0.x versions (prior to 4.0.10.16) are affected.
5934 CVE-2016-4400 79 XSS 2018-08-06 2018-10-04
3.5
None Remote Medium ??? None Partial None
A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS).
5935 CVE-2016-4399 79 XSS 2018-08-06 2018-10-04
3.5
None Remote Medium ??? None Partial None
A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS).
5936 CVE-2016-4393 79 XSS +Info 2016-10-28 2017-02-17
3.5
None Remote Medium ??? None Partial None
HPE System Management Homepage before v7.6 allows "remote authenticated" attackers to obtain sensitive information via unspecified vectors, related to an "XSS" issue.
5937 CVE-2016-4392 79 XSS 2018-08-06 2018-10-05
3.5
None Remote Medium ??? None Partial None
A remote cross site scripting vulnerability has been identified in HP Business Service Management software v9.1x, v9.20 - v9.25IP1.
5938 CVE-2016-4380 79 XSS 2016-09-08 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in the AdminUI in HPE Operations Manager 9.21.x before 9.21.130 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
5939 CVE-2016-4318 79 XSS 2017-04-10 2018-02-16
3.5
None Remote Medium ??? None Partial None
Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name.
5940 CVE-2016-4317 79 XSS 2017-04-10 2018-02-16
3.5
None Remote Medium ??? None Partial None
Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page.
5941 CVE-2016-4315 352 CSRF 2017-02-17 2018-10-09
3.5
None Remote Medium ??? None None Partial
Cross-site request forgery (CSRF) vulnerability in WSO2 Carbon 4.4.5 allows remote attackers to hijack the authentication of privileged users for requests that shutdown a server via a shutdown action to server-admin/proxy_ajaxprocessor.jsp.
5942 CVE-2016-4058 79 XSS 2016-09-27 2016-11-28
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in Huawei Policy Center before V100R003C10SPC020 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to "special characters on pages."
5943 CVE-2016-4043 264 Bypass 2017-02-24 2017-02-28
3.5
None Remote Medium ??? None Partial None
Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates.
5944 CVE-2016-4028 255 2016-12-15 2018-10-19
3.5
None Remote Medium ??? Partial None None
An issue was discovered in Open-Xchange OX Guard before 2.4.0-rev8. OX Guard uses an authentication token to identify and transfer guest users' credentials. The OX Guard API acts as a padding oracle by responding with different error codes depending on whether the provided token matches the encryption padding. In combination with AES-CBC, this allows attackers to guess the correct padding. Attackers may run brute-forcing attacks on the content of the guest authentication token and discover user credentials. For a practical attack vector, the guest users needs to have logged in, the content of the guest user's "OxReaderID" cookie and the value of the "auth" parameter needs to be known to the attacker.
5945 CVE-2016-4027 200 +Info 2016-12-15 2018-10-19
3.5
None Remote Medium ??? Partial None None
An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionality is useful when logging in from clients with reduced privileges or shared environments. However the setting was incorrectly recognized and cookies were stored regardless of this setting when the login was performed using a non-interactive login method. In case the setting was enforced by middleware configuration or the user went through the interactive login page, the workflow was correct. Cookies with authentication information may become available to other users on shared environments. In case the user did not properly log out from the session, third parties with access to the same client can access a user's account.
5946 CVE-2016-3985 284 Bypass 2016-04-12 2016-04-18
3.3
None Remote Low ??? None Partial None
The Terminal Services Remote Desktop Protocol (RDP) client session restrictions feature in Pulse Connect Secure (aka PCS) 8.1R7 and 8.2R1 allow remote authenticated users to bypass intended access restrictions via unspecified vectors.
5947 CVE-2016-3984 284 Bypass 2016-04-08 2016-05-18
3.6
None Local Low Not required None Partial Partial
The McAfee VirusScan Console (mcconsol.exe) in McAfee Active Response (MAR) before 1.1.0.161, Agent (MA) 5.x before 5.0.2 Hotfix 1110392 (5.0.2.333), Data Exchange Layer 2.x (DXL) before 2.0.1.140.1, Data Loss Prevention Endpoint (DLPe) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Device Control (MDC) 9.3 before Patch 6 and 9.4 before Patch 1 HF3, Endpoint Security (ENS) 10.x before 10.1, Host Intrusion Prevention Service (IPS) 8.0 before 8.0.0.3624, and VirusScan Enterprise (VSE) 8.8 before P7 (8.8.0.1528) on Windows allows local administrators to bypass intended self-protection rules and disable the antivirus engine by modifying registry keys.
5948 CVE-2016-3971 79 XSS 2016-04-18 2016-12-16
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in lucene_search.jsp in dotCMS before 3.5.1 allows remote attackers to inject arbitrary web script or HTML via the query parameter to c/portal/layout.
5949 CVE-2016-3703 284 2016-06-08 2016-06-09
3.5
None Remote Medium ??? Partial None None
Red Hat OpenShift Enterprise 3.2 and 3.1 do not properly validate the origin of a request when anonymous access is granted to a service/proxy or pod/proxy API for a specific pod, which allows remote attackers to access API credentials in the web browser localStorage via an access_token in the query parameter.
5950 CVE-2016-3652 79 XSS 2016-06-30 2017-09-03
3.5
None Remote Medium ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in management scripts in Symantec Endpoint Protection Manager (SEPM) 12.1 before RU6 MP5 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.