CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  What's the CVSS score of your company?
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In April 2017

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1251 CVE-2016-5682 79 XSS 2017-04-10 2020-05-07
4.3
None Remote Medium Not required None Partial None
Swagger-UI before 2.2.1 has XSS via the Default field in the Definitions section.
1252 CVE-2016-5642 79 XSS 2017-04-10 2017-04-14
3.5
None Remote Medium ??? None Partial None
Opmantek NMIS before 8.5.12G has XSS via SNMP.
1253 CVE-2016-5551 284 2017-04-24 2017-07-11
1.9
None Local Medium Not required Partial None None
Vulnerability in the Solaris Cluster component of Oracle Sun Systems Products Suite (subcomponent: NAS device addition). The supported version that is affected is 4.3. Easily "exploitable" vulnerability allows unauthenticated attacker with logon to the infrastructure where Solaris Cluster executes to compromise Solaris Cluster. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Solaris Cluster accessible data. CVSS 3.0 Base Score 3.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N).
1254 CVE-2016-5410 287 Bypass 2017-04-19 2017-04-25
2.1
None Local Low Not required None Partial None
firewalld.py in firewalld before 0.4.3.3 allows local users to bypass authentication and modify firewall configurations via the (1) addPassthrough, (2) removePassthrough, (3) addEntry, (4) removeEntry, or (5) setEntries D-Bus API method.
1255 CVE-2016-5409 200 +Info 2017-04-20 2019-12-17
5.0
None Remote Low Not required Partial None None
Red Hat OpenShift Enterprise 2 does not include the HTTPOnly flag in a Set-Cookie header for the GEARID cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies.
1256 CVE-2016-5401 352 CSRF 2017-04-20 2017-04-26
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS and BPMS 6 allows remote attackers to hijack the authentication of users for requests that modify instances via a crafted web page.
1257 CVE-2016-5399 787 DoS Exec Code 2017-04-21 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive.
1258 CVE-2016-5396 399 2017-04-17 2017-07-11
7.8
None Remote Low Not required None None Complete
Apache Traffic Server 6.0.0 to 6.2.0 are affected by an HPACK Bomb Attack.
1259 CVE-2016-5349 200 +Info 2017-04-06 2017-07-11
4.3
None Remote Medium Not required Partial None None
The high level operating systems (HLOS) was not providing sufficient memory address information to ensure that secure applications inside Qualcomm Secure Execution Environment (QSEE) only write to legitimate memory ranges related to the QSEE secure application's HLOS client. When secure applications inside Qualcomm Secure Execution Environment (QSEE) receive memory addresses from a high level operating system (HLOS) such as Linux Android, those address have previously been verified as belonging to HLOS memory space rather than QSEE memory space, but they were not verified to be from HLOS user space rather than kernel space. This lack of verification could lead to privilege escalation within the HLOS.
1260 CVE-2016-5322 125 DoS 2017-04-11 2017-04-17
4.3
None Remote Medium Not required None None Partial
The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tiff image.
1261 CVE-2016-5313 78 Exec Code 2017-04-12 2017-04-20
9.0
None Remote Low ??? Complete Complete Complete
Symantec Web Gateway (SWG) before 5.2.5 allows remote authenticated users to execute arbitrary OS commands.
1262 CVE-2016-5312 22 Dir. Trav. 2017-04-14 2017-04-22
4.0
None Remote Low ??? Partial None None
Directory traversal vulnerability in the charting component in Symantec Messaging Gateway before 10.6.2 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the sn parameter to brightmail/servlet/com.ve.kavachart.servlet.ChartStream.
1263 CVE-2016-5310 787 DoS Mem. Corr. 2017-04-14 2021-09-09
4.3
None Remote Medium Not required None None Partial
The RAR file parser component in the AntiVirus Decomposer engine in Symantec Advanced Threat Protection: Network (ATP); Symantec Email Security.Cloud; Symantec Data Center Security: Server; Symantec Endpoint Protection (SEP) for Windows before 12.1.6 MP5; Symantec Endpoint Protection (SEP) for Mac; Symantec Endpoint Protection (SEP) for Linux before 12.1.6 MP6; Symantec Endpoint Protection for Small Business Enterprise (SEP SBE/SEP.Cloud); Symantec Endpoint Protection Cloud (SEPC) for Windows/Mac; Symantec Endpoint Protection Small Business Edition 12.1; CSAPI before 10.0.4 HF02; Symantec Protection Engine (SPE) before 7.0.5 HF02, 7.5.x before 7.5.4 HF02, 7.5.5 before 7.5.5 HF01, and 7.8.x before 7.8.0 HF03; Symantec Mail Security for Domino (SMSDOM) before 8.0.9 HF2.1, 8.1.x before 8.1.2 HF2.3, and 8.1.3 before 8.1.3 HF2.2; Symantec Mail Security for Microsoft Exchange (SMSMSE) before 6.5.8_3968140 HF2.3, 7.x before 7.0_3966002 HF2.1, and 7.5.x before 7.5_3966008 VHF2.2; Symantec Protection for SharePoint Servers (SPSS) before SPSS_6.0.3_To_6.0.5_HF_2.5 update, 6.0.6 before 6.0.6 HF_2.6, and 6.0.7 before 6.0.7_HF_2.7; Symantec Messaging Gateway (SMG) before 10.6.2; Symantec Messaging Gateway for Service Providers (SMG-SP) before 10.5 patch 260 and 10.6 before patch 259; Symantec Web Gateway; and Symantec Web Security.Cloud allows remote attackers to cause a denial of service (memory corruption) via a crafted RAR file that is mishandled during decompression.
1264 CVE-2016-5309 125 DoS 2017-04-14 2021-09-09
4.3
None Remote Medium Not required None None Partial
The RAR file parser component in the AntiVirus Decomposer engine in Symantec Advanced Threat Protection: Network (ATP); Symantec Email Security.Cloud; Symantec Data Center Security: Server; Symantec Endpoint Protection (SEP) for Windows before 12.1.6 MP5; Symantec Endpoint Protection (SEP) for Mac; Symantec Endpoint Protection (SEP) for Linux before 12.1.6 MP6; Symantec Endpoint Protection for Small Business Enterprise (SEP SBE/SEP.Cloud); Symantec Endpoint Protection Cloud (SEPC) for Windows/Mac; Symantec Endpoint Protection Small Business Edition 12.1; CSAPI before 10.0.4 HF02; Symantec Protection Engine (SPE) before 7.0.5 HF02, 7.5.x before 7.5.4 HF02, 7.5.5 before 7.5.5 HF01, and 7.8.x before 7.8.0 HF03; Symantec Mail Security for Domino (SMSDOM) before 8.0.9 HF2.1, 8.1.x before 8.1.2 HF2.3, and 8.1.3 before 8.1.3 HF2.2; Symantec Mail Security for Microsoft Exchange (SMSMSE) before 6.5.8_3968140 HF2.3, 7.x before 7.0_3966002 HF2.1, and 7.5.x before 7.5_3966008 VHF2.2; Symantec Protection for SharePoint Servers (SPSS) before SPSS_6.0.3_To_6.0.5_HF_2.5 update, 6.0.6 before 6.0.6 HF_2.6, and 6.0.7 before 6.0.7_HF_2.7; Symantec Messaging Gateway (SMG) before 10.6.2; Symantec Messaging Gateway for Service Providers (SMG-SP) before 10.5 patch 260 and 10.6 before patch 259; Symantec Web Gateway; and Symantec Web Security.Cloud allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted RAR file that is mishandled during decompression.
1265 CVE-2016-5168 346 Bypass +Info 2017-04-21 2017-04-27
5.0
None Remote Low Not required Partial None None
Skia, as used in Google Chrome before 50.0.2661.94, allows remote attackers to bypass the Same Origin Policy and obtain sensitive information.
1266 CVE-2016-5078 79 XSS 2017-04-10 2021-06-29
4.3
None Remote Medium Not required None Partial None
Paessler PRTG before 16.2.24.4045 has XSS via SNMP.
1267 CVE-2016-5077 79 XSS 2017-04-10 2017-04-14
4.3
None Remote Medium Not required None Partial None
Netikus EventSentry before 3.2.1.44 has XSS via SNMP.
1268 CVE-2016-5076 200 +Info 2017-04-10 2017-04-14
5.0
None Remote Low Not required Partial None None
CloudView NMS before 2.10a allows remote attackers to obtain sensitive information via a direct request for admin/auto.def.
1269 CVE-2016-5075 79 XSS 2017-04-10 2017-04-14
4.3
None Remote Medium Not required None Partial None
CloudView NMS before 2.10a has XSS via a TELNET login.
1270 CVE-2016-5074 134 2017-04-10 2017-06-02
7.5
None Remote Low Not required Partial Partial Partial
CloudView NMS before 2.10a has a format string issue exploitable over SNMP.
1271 CVE-2016-5073 79 XSS 2017-04-10 2017-04-14
4.3
None Remote Medium Not required None Partial None
CloudView NMS before 2.10a has XSS via SNMP.
1272 CVE-2016-5072 94 Exec Code 2017-04-10 2017-04-14
6.5
None Remote Low ??? Partial Partial Partial
OXID eShop before 2016-06-13 allows remote attackers to execute arbitrary code via a GET or POST request to the oxuser class. Fixed versions are Enterprise Edition v5.1.12, Enterprise Edition v5.2.9, Professional Edition v4.8.12, Professional Edition v4.9.9, Community Edition v4.8.12, Community Edition v4.9.9.
1273 CVE-2016-5071 264 2017-04-10 2017-04-14
10.0
None Remote Low Not required Complete Complete Complete
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 execute the management web application as root.
1274 CVE-2016-5070 255 2017-04-10 2017-04-14
5.0
None Remote Low Not required Partial None None
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 store passwords in cleartext.
1275 CVE-2016-5069 613 2017-04-10 2017-04-14
7.5
None Remote Low Not required Partial Partial Partial
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 use guessable session tokens, which are in the URL.
1276 CVE-2016-5068 287 2017-04-10 2017-04-14
7.5
None Remote Low Not required Partial Partial Partial
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 do not require authentication for Embedded_Ace_Get_Task.cgi requests.
1277 CVE-2016-5067 77 2017-04-10 2017-04-14
9.0
None Remote Low ??? Complete Complete Complete
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 allow Hayes AT command injection.
1278 CVE-2016-5066 255 2017-04-10 2017-04-14
10.0
None Remote Low Not required Complete Complete Complete
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 have weak passwords for admin, rauser, sconsole, and user.
1279 CVE-2016-5065 77 2017-04-10 2017-04-14
7.5
None Remote Low Not required Partial Partial Partial
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 allow Embedded_Ace_Set_Task.cgi command injection.
1280 CVE-2016-5059 200 +Info 2017-04-10 2017-04-14
4.0
None Remote Low ??? Partial None None
OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 allows attackers to obtain sensitive information by reading screenshots under /private/var/mobile/Containers/Data/Application.
1281 CVE-2016-5058 284 2017-04-10 2017-04-14
5.0
None Remote Low Not required None Partial None
OSRAM SYLVANIA Osram Lightify Pro through 2016-07-26 allows Zigbee replay.
1282 CVE-2016-5057 254 2017-04-10 2017-04-14
5.0
None Remote Low Not required None Partial None
OSRAM SYLVANIA Osram Lightify Pro through 2016-07-26 does not use SSL pinning.
1283 CVE-2016-5056 326 2017-04-10 2017-04-14
5.0
None Remote Low Not required Partial None None
OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 uses only 8 hex digits for a PSK.
1284 CVE-2016-5055 79 XSS 2017-04-10 2017-04-14
4.3
None Remote Medium Not required None Partial None
OSRAM SYLVANIA Osram Lightify Pro before 2016-07-26 has XSS in the username field and Wireless Client Mode configuration page.
1285 CVE-2016-5054 284 2017-04-10 2017-04-14
5.0
None Remote Low Not required None Partial None
OSRAM SYLVANIA Osram Lightify Home through 2016-07-26 allows Zigbee replay.
1286 CVE-2016-5053 306 Exec Code 2017-04-10 2017-04-14
7.5
None Remote Low Not required Partial Partial Partial
OSRAM SYLVANIA Osram Lightify Home before 2016-07-26 allows remote attackers to execute arbitrary commands via TCP port 4000.
1287 CVE-2016-5052 254 2017-04-10 2017-04-14
5.0
None Remote Low Not required None Partial None
OSRAM SYLVANIA Osram Lightify Home through 2016-07-26 does not use SSL pinning.
1288 CVE-2016-5051 200 +Info 2017-04-10 2017-04-14
5.0
None Remote Low Not required Partial None None
OSRAM SYLVANIA Osram Lightify Home before 2016-07-26 stores a PSK in cleartext under /private/var/mobile/Containers/Data/Application.
1289 CVE-2016-5041 476 DoS 2017-04-10 2020-02-27
5.0
None Remote Low Not required None None Partial
dwarf_macro5.c in libdwarf before 20160923 allows remote attackers to cause a denial of service (NULL pointer dereference) via a debugging information entry using DWARF5 and without a DW_AT_name.
1290 CVE-2016-5016 295 2017-04-24 2019-02-26
4.3
None Remote Medium Not required None Partial None
Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 does not validate if a certificate is expired.
1291 CVE-2016-5011 DoS 2017-04-11 2020-09-11
4.9
None Local Low Not required None None Complete
The parse_dos_extended function in partitions/dos.c in the libblkid library in util-linux allows physically proximate attackers to cause a denial of service (memory consumption) via a crafted MSDOS partition table with an extended partition boot record at zero offset.
1292 CVE-2016-5010 125 DoS 2017-04-20 2017-07-01
4.3
None Remote Medium Not required None None Partial
coders/tiff.c in ImageMagick before 6.9.5-3 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TIFF file.
1293 CVE-2016-4989 77 Exec Code Bypass 2017-04-11 2017-04-17
6.9
None Local Medium Not required Complete Complete Complete
setroubleshoot allows local users to bypass an intended container protection mechanism and execute arbitrary commands by (1) triggering an SELinux denial with a crafted file name, which is handled by the _set_tpath function in audit_data.py or via a crafted (2) local_id or (3) analysis_id field in a crafted XML document to the run_fix function in SetroubleshootFixit.py, related to the subprocess.check_output and commands.getstatusoutput functions, a different vulnerability than CVE-2016-4445.
1294 CVE-2016-4970 835 DoS 2017-04-13 2021-02-14
7.8
None Remote Low Not required None None Complete
handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).
1295 CVE-2016-4899 20 Exec Code 2017-04-13 2017-04-19
10.0
None Remote Low Not required Complete Complete Complete
The datamover module in the Linux version of NovaBACKUP DataCenter before 09.06.03.0353 is vulnerable to remote command execution via unspecified attack vectors.
1296 CVE-2016-4898 20 Exec Code 2017-04-13 2017-04-19
10.0
None Remote Low Not required Complete Complete Complete
The datamover module in the Linux version of NovaBACKUP DataCenter before 09.06.03.0353 is vulnerable to remote command execution via unspecified attack vectors.
1297 CVE-2016-4897 79 XSS 2017-04-12 2017-04-19
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in (1) filter/save_forward.cgi, (2) filter/save.cgi, (3) /man/search.cgi in Usermin before 1.690.
1298 CVE-2016-4896 264 2017-04-12 2017-05-23
6.4
None Remote Low Not required Partial Partial None
SetsucoCMS all versions does not properly manage sessions, which allows remote attackers to disclose or alter unauthorized information via unspecified vectors.
1299 CVE-2016-4895 94 2017-04-12 2017-05-23
6.5
None Remote Low ??? Partial Partial Partial
SetsucoCMS all versions allows remote authenticated attackers to conduct code injection attacks via unspecified vectors.
1300 CVE-2016-4894 DoS 2017-04-12 2017-05-23
5.0
None Remote Low Not required None None Partial
SetsucoCMS all versions allows remote attackers to cause a denial of service via unspecified vectors.
Total number of vulnerabilities : 1574   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 (This Page)27 28 29 30 31 32
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.