| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
901 |
CVE-2016-4617 |
264 |
|
|
2017-02-20 |
2017-03-24 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
An issue was discovered in certain Apple products. macOS before 10.12 is affected. The issue involves a sandbox escape related to launchctl process spawning in the "libxpc" component. |
|
902 |
CVE-2016-4613 |
200 |
|
+Info |
2017-02-20 |
2017-07-29 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
An issue was discovered in certain Apple products. Safari before 10.0.1 is affected. iCloud before 6.0.1 is affected. iTunes before 12.5.2 is affected. tvOS before 10.0.1 is affected. The issue involves the "WebKit" component. It allows remote attackers to obtain sensitive information via a crafted web site. |
|
903 |
CVE-2016-4571 |
400 |
|
DoS |
2017-02-03 |
2021-06-17 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
The mxml_write_node function in mxml-file.c in mxml 2.9, 2.7, and possibly earlier allows remote attackers to cause a denial of service (stack consumption) via crafted xml file. |
|
904 |
CVE-2016-4570 |
400 |
|
DoS |
2017-02-03 |
2021-06-16 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
The mxmlDelete function in mxml-node.c in mxml 2.9, 2.7, and possibly earlier allows remote attackers to cause a denial of service (stack consumption) via crafted xml file. |
|
905 |
CVE-2016-4547 |
20 |
|
DoS |
2017-02-13 |
2017-02-16 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Samsung devices with Android KK(4.4), L(5.0/5.1), or M(6.0) allow attackers to cause a denial of service (system crash) via a crafted system call to TvoutService_C. |
|
906 |
CVE-2016-4546 |
20 |
|
DoS |
2017-02-13 |
2017-02-16 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
Samsung devices with Android KK(4.4) or L(5.0/5.1) allow local users to cause a denial of service (IAndroidShm service crash) via crafted data in a service call. |
|
907 |
CVE-2016-4493 |
125 |
|
DoS |
2017-02-24 |
2017-07-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The demangle_template_value_parm and do_hpacc_template_literal functions in cplus-dem.c in libiberty allow remote attackers to cause a denial of service (out-of-bounds read and crash) via a crafted binary. |
|
908 |
CVE-2016-4492 |
119 |
|
DoS Overflow |
2017-02-24 |
2017-07-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Buffer overflow in the do_type function in cplus-dem.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary. |
|
909 |
CVE-2016-4491 |
119 |
|
DoS Overflow |
2017-02-24 |
2017-07-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The d_print_comp function in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, which triggers infinite recursion and a buffer overflow, related to a node having "itself as ancestor more than once." |
|
910 |
CVE-2016-4490 |
190 |
|
DoS Overflow |
2017-02-24 |
2017-07-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Integer overflow in cp-demangle.c in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to inconsistent use of the long and int types for lengths. |
|
911 |
CVE-2016-4489 |
190 |
|
DoS Overflow |
2017-02-24 |
2017-07-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Integer overflow in the gnu_special function in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to the "demangling of virtual tables." |
|
912 |
CVE-2016-4488 |
416 |
|
DoS |
2017-02-24 |
2017-07-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to "ktypevec." |
|
913 |
CVE-2016-4487 |
416 |
|
DoS |
2017-02-24 |
2017-07-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Use-after-free vulnerability in libiberty allows remote attackers to cause a denial of service (segmentation fault and crash) via a crafted binary, related to "btypevec." |
|
914 |
CVE-2016-4352 |
190 |
|
DoS Overflow |
2017-02-03 |
2017-02-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Integer overflow in the demuxer function in libmpdemux/demux_gif.c in Mplayer allows remote attackers to cause a denial of service (crash) via large dimensions in a gif file. |
|
915 |
CVE-2016-4341 |
200 |
|
+Info |
2017-02-07 |
2017-02-24 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
NetApp Clustered Data ONTAP before 8.3.2P7 allows remote attackers to obtain SMB share information via unspecified vectors. |
|
916 |
CVE-2016-4327 |
79 |
|
XSS |
2017-02-17 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in WSO2 SOA Enablement Server for Java/6.6 build SSJ-6.6-20090827-1616 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. |
|
917 |
CVE-2016-4316 |
79 |
|
XSS |
2017-02-17 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in WSO2 Carbon 4.4.5 allow remote attackers to inject arbitrary web script or HTML via the (1) setName parameter to identity-mgt/challenges-mgt.jsp; the (2) webappType or (3) httpPort parameter to webapp-list/webapp_info.jsp; the (4) dsName or (5) description parameter to ndatasource/newdatasource.jsp; the (6) phase parameter to viewflows/handlers.jsp; or the (7) url parameter to ndatasource/validateconnection-ajaxprocessor.jsp. |
|
918 |
CVE-2016-4315 |
352 |
|
CSRF |
2017-02-17 |
2018-10-09 |
3.5 |
None |
Remote |
Medium |
??? |
None |
None |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in WSO2 Carbon 4.4.5 allows remote attackers to hijack the authentication of privileged users for requests that shutdown a server via a shutdown action to server-admin/proxy_ajaxprocessor.jsp. |
|
919 |
CVE-2016-4314 |
22 |
|
Dir. Trav. |
2017-02-17 |
2018-10-09 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Directory traversal vulnerability in the LogViewer Admin Service in WSO2 Carbon 4.4.5 allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the logFile parameter to downloadgz-ajaxprocessor.jsp. |
|
920 |
CVE-2016-4312 |
611 |
|
DoS |
2017-02-17 |
2018-10-09 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
|
XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials. |
|
921 |
CVE-2016-4311 |
352 |
|
CSRF |
2017-02-17 |
2018-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 allows remote attackers to hijack the authentication of privileged users for requests that process XACML requests via an entitlement/eval-policy-submit.jsp request. |
|
922 |
CVE-2016-4043 |
264 |
|
Bypass |
2017-02-24 |
2017-02-28 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Chameleon (five.pt) in Plone 5.0rc1 through 5.1a1 allows remote authenticated users to bypass Restricted Python by leveraging permissions to create or edit templates. |
|
923 |
CVE-2016-4042 |
200 |
|
+Info |
2017-02-24 |
2017-02-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Plone 3.3 through 5.1a1 allows remote attackers to obtain information about the ID of sensitive content via unspecified vectors. |
|
924 |
CVE-2016-4041 |
264 |
|
|
2017-02-24 |
2017-02-27 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Plone 4.0 through 5.1a1 does not have security declarations for Dexterity content-related WebDAV requests, which allows remote attackers to gain webdav access via unspecified vectors. |
|
925 |
CVE-2016-4038 |
20 |
|
|
2017-02-01 |
2017-03-04 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Array index error in the msm_sensor_config function in kernel/SM-G9008V_CHN_KK_Opensource/Kernel/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c in Samsung devices with Android KK(4.4) or L and an APQ8084, MSM8974, or MSM8974pro chipset allows local users to have unspecified impact via the gpio_config.gpio_name value. |
|
926 |
CVE-2016-3995 |
200 |
|
+Info |
2017-02-13 |
2017-03-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The timing attack protection in Rijndael::Enc::ProcessAndXorBlock and Rijndael::Dec::ProcessAndXorBlock in Crypto++ (aka cryptopp) before 5.6.4 may be optimized out by the compiler, which allows attackers to conduct timing attacks. |
|
927 |
CVE-2016-3694 |
89 |
|
Exec Code Sql |
2017-02-15 |
2017-02-23 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in modified eCommerce Shopsoftware 2.0.0.0 revision 9678, when the easybill-module is not installed, allow remote attackers to execute arbitrary SQL commands via the (1) orders_status or (2) customers_status parameter to api/easybill/easybillcsv.php. |
|
928 |
CVE-2016-3616 |
476 |
|
DoS Exec Code |
2017-02-13 |
2019-08-06 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The cjpeg utility in libjpeg allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or execute arbitrary code via a crafted file. |
|
929 |
CVE-2016-3183 |
125 |
|
DoS |
2017-02-03 |
2020-09-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The sycc422_t_rgb function in common/color.c in OpenJPEG before 2.1.1 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted jpeg2000 file. |
|
930 |
CVE-2016-3180 |
254 |
|
Exec Code Bypass |
2017-02-07 |
2017-02-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Tor Browser Launcher (aka torbrowser-launcher) before 0.2.4, during the initial run, allows man-in-the-middle attackers to bypass the PGP signature verification and execute arbitrary code via a Trojan horse tar file and a signature file with the valid tarball and signature. |
|
931 |
CVE-2016-3124 |
200 |
|
+Info |
2017-02-07 |
2018-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The sanitycheck module in SimpleSAMLphp before 1.14.1 allows remote attackers to learn the PHP version on the system via unspecified vectors. |
|
932 |
CVE-2016-3102 |
254 |
|
Bypass |
2017-02-09 |
2017-02-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations. |
|
933 |
CVE-2016-3101 |
79 |
|
XSS |
2017-02-09 |
2019-10-28 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Extra Columns plugin before 1.17 in Jenkins allows remote attackers to inject arbitrary web script or HTML by leveraging failure to filter tool tips through the configured markup formatter. |
|
934 |
CVE-2016-3063 |
116 |
|
Exec Code |
2017-02-07 |
2017-11-16 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple functions in NetApp OnCommand System Manager before 8.3.2 do not properly escape special characters, which allows remote authenticated users to execute arbitrary API calls via unspecified vectors. |
|
935 |
CVE-2016-3053 |
264 |
|
|
2017-02-01 |
2017-09-03 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
IBM AIX contains an unspecified vulnerability that would allow a locally authenticated user to obtain root level privileges. |
|
936 |
CVE-2016-3052 |
200 |
|
+Info |
2017-02-22 |
2017-07-12 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Under non-standard configurations, IBM WebSphere MQ might send password data in clear text over the network. This data could be intercepted using man in the middle techniques. |
|
937 |
CVE-2016-3046 |
89 |
|
Sql |
2017-02-01 |
2020-10-27 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
IBM Security Access Manager for Web is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements which could allow the attacker to view information in the back-end database. |
|
938 |
CVE-2016-3045 |
200 |
|
+Info |
2017-02-01 |
2017-02-09 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM Security Access Manager for Web stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referer header or browser history. |
|
939 |
CVE-2016-3043 |
200 |
|
+Info |
2017-02-01 |
2020-10-27 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM Security Access Manager for Web could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. |
|
940 |
CVE-2016-3035 |
200 |
|
+Info |
2017-02-01 |
2017-02-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM AppScan Source could reveal some sensitive information through the browsing of testlinks on the server. |
|
941 |
CVE-2016-3034 |
326 |
|
|
2017-02-01 |
2017-02-13 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM AppScan Source uses a one-way hash without salt to encrypt highly sensitive information, which could allow a local attacker to decrypt information more easily. |
|
942 |
CVE-2016-3029 |
352 |
|
CSRF |
2017-02-01 |
2020-10-27 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
IBM Security Access Manager for Web is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. |
|
943 |
CVE-2016-3027 |
611 |
|
DoS |
2017-02-01 |
2020-10-27 |
5.5 |
None |
Remote |
Low |
??? |
Partial |
None |
Partial |
|
IBM Security Access Manager for Web is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. |
|
944 |
CVE-2016-3024 |
200 |
|
+Info |
2017-02-01 |
2020-10-27 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Access Manager for Web allows web pages to be stored locally which can be read by another user on the system. |
|
945 |
CVE-2016-3023 |
200 |
|
+Info |
2017-02-01 |
2020-10-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Access Manager for Web could allow an unauthenticated user to gain access to sensitive information by entering invalid file names. |
|
946 |
CVE-2016-3022 |
275 |
|
|
2017-02-01 |
2020-11-10 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
IBM Security Access Manager for Web could allow an authenticated user to gain access to highly sensitive information due to incorrect file permissions. |
|
947 |
CVE-2016-3021 |
200 |
|
+Info |
2017-02-01 |
2020-10-27 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
IBM Security Access Manager for Web could allow an authenticated attacker to obtain sensitive information from error message using a specially crafted HTTP request. |
|
948 |
CVE-2016-3020 |
284 |
|
Bypass |
2017-02-07 |
2020-10-27 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Security Access Manager for Web 7.0.0, 8.0.0, and 9.0.0 could allow a remote attacker to bypass security restrictions, caused by improper content validation. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to bypass validation and load a page with malicious content. |
|
949 |
CVE-2016-3018 |
79 |
|
XSS |
2017-02-01 |
2017-03-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
IBM Security Access Manager for Web is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. |
|
950 |
CVE-2016-3017 |
358 |
|
+Info |
2017-02-01 |
2020-10-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Security Access Manager for Web could allow a remote attacker to obtain sensitive information due to security misconfigurations. |
