All CVEs — 2016 (Page 2/36)

Browse all CVEs by publication year. Use filters to refine.

CVSS ≥ 0.0

2016-12-20

Medium

CVE-2016-7278

Microsoft Internet Explorer 9 through 11 allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Windows Hyperlink Object Library Information Disclosu…

CVSS: 5.3 CWE: CWE-200

Critical

CVE-2016-7277

Microsoft Office 2016 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted document, aka "Microsoft Office Memory Corruption Vulnerability."

CVSS: 9.6 CWE: CWE-119

High

CVE-2016-7276

Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office for Mac 2011, and Office 2016 for Mac allow remote attackers to obtain sensitive information from process memory or cause a denial…

CVSS: 7.1 CWE: CWE-125

High

CVE-2016-7268

Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Office Compatibility Pack SP3, Word Viewer, Word for Mac 2011, Word Automation Services on SharePoint Server 2010 SP2, and Office Web Apps 201…

CVSS: 7.1 CWE: CWE-125

Medium

CVE-2016-7267

Microsoft Excel 2010 SP2, 2013 SP1, 2013 RT SP1, and 2016 misparses file formats, which makes it easier for remote attackers to execute arbitrary code via a crafted document, aka "Microsoft Office Se…

CVSS: 5.5 CWE: CWE-20

High

CVE-2016-7266

Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, Excel Viewer, and Excel 2016 for Mac mishandle a registry check, which allows u…

CVSS: 7.8 CWE: CWE-20

High

CVE-2016-7265

Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, Excel Viewer, Excel Services on SharePoint Server 2007 SP3, and Excel Services…

CVSS: 7.1 CWE: CWE-125

High

CVE-2016-7264

Microsoft Excel 2007 SP3, Office Compatibility Pack SP3, Excel Viewer, Excel for Mac 2011, and Excel 2016 for Mac allow remote attackers to obtain sensitive information from process memory or cause a…

CVSS: 7.1 CWE: CWE-125

High

CVE-2016-7263

Microsoft Excel for Mac 2011 and Excel 2016 for Mac allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted document, aka "Microsoft Office Mem…

CVSS: 7.8 CWE: CWE-119

Medium

CVE-2016-7258

The kernel in Microsoft Windows 10 Gold, 1511, and 1607 and Windows Server 2016 mishandles page-fault system calls, which allows local users to obtain sensitive information from arbitrary processes v…

CVSS: 5.5 CWE: CWE-200

Medium

CVE-2016-7257

The GDI component in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Office for Mac 2011, and Office 2016 for Mac allows remote attackers to obtain sensitive informati…

CVSS: 6.5 CWE: CWE-200

Medium

CVE-2016-7219

The Crypto driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and…

CVSS: 5.5 CWE: CWE-200

Medium

CVE-2016-7206

Cross-site scripting (XSS) vulnerability in Microsoft Edge allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Microsoft Edge Information Disclosure Vulnerabi…

CVSS: 6.1 CWE: CWE-79

High

CVE-2016-7181

Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Edge Memory Corruption Vulnerability."

CVSS: 7.5 CWE: CWE-119

2016-12-19

Critical

CVE-2016-2355

SQL injection vulnerability in the REST API in dotCMS before 3.3.2 allows remote attackers to execute arbitrary SQL commands via the stName parameter to api/content/save/1.

CVSS: 9.8 CWE: CWE-89

High

CVE-2016-10005

Webdynpro in SAP Solman 7.1 through 7.31 allows remote attackers to obtain sensitive information via webdynpro/dispatcher/sap.com/caf~eu~gp~example~timeoff~wd requests, aka SAP Security Note 2344524.

CVSS: 7.5 CWE: CWE-200

2016-12-18

Medium

CVE-2016-5193

Google Chrome prior to 54.0 for iOS had insufficient validation of URLs for windows open by DOM, which allowed a remote attacker to bypass restrictions on navigation to certain URL schemes via crafte…

CVSS: 4.3 CWE: CWE-20

Medium

CVE-2016-5192

Blink in Google Chrome prior to 54.0.2840.59 for Windows missed a CORS check on redirect in TextTrackLoader, which allowed a remote attacker to bypass cross-origin restrictions via crafted HTML pages.

CVSS: 6.5 CWE: CWE-284

Medium

CVE-2016-5191

Bookmark handling in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android had insufficient validation of supplied data, which allowed a remote attacker to inject…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-5190

Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android incorrectly handled object lifecycles during shutdown, which allowed a remote attacker to perform an out of b…

CVSS: 6.3 CWE: CWE-416

Medium

CVE-2016-5189

Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android permitted navigation to blob URLs with non-canonical origins, which allowed a remote attacker to spoof the co…

CVSS: 6.5 CWE: CWE-284

Medium

CVE-2016-5188

Multiple issues in Blink in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux allow a remote attacker to spoof various parts of browser UI via crafted HTML pages.

CVSS: 4.3 CWE: CWE-20

Medium

CVE-2016-5187

Google Chrome prior to 54.0.2840.85 for Android incorrectly handled rapid transition into and out of full screen mode, which allowed a remote attacker to spoof the contents of the Omnibox (URL bar) v…

CVSS: 6.5 CWE: CWE-20

Medium

CVE-2016-5186

Devtools in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android incorrectly handled objects after a tab crash, which allowed a remote attacker to perform an out…

CVSS: 5.3 CWE: CWE-125

High

CVE-2016-5185

Blink in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android incorrectly allowed reentrance of FrameView::updateLifecyclePhasesInternal(), which allowed a remote…

CVSS: 8.8 CWE: CWE-416

High

CVE-2016-5184

PDFium in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android incorrectly handled object lifecycles in CFFL_FormFillter::KillFocusForAnnot, which allowed a remot…

CVSS: 8.8 CWE: CWE-416

High

CVE-2016-5183

A heap use after free in PDFium in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android allows a remote attacker to potentially exploit heap corruption via crafte…

CVSS: 8.8 CWE: CWE-416

High

CVE-2016-5182

Blink in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android had insufficient validation in bitmap handling, which allowed a remote attacker to potentially explo…

CVSS: 8.8 CWE: CWE-119

Medium

CVE-2016-5181

Blink in Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android permitted execution of v8 microtasks while the DOM was in an inconsistent state, which allowed a rem…

CVSS: 6.1 CWE: CWE-79

2016-12-17

Medium

CVE-2016-9998

SPIP 3.1.x suffer from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/info_plugin.php involving the `$plugin` parameter, as demonstrated by a /ecrire/?exec=info_plugin URL.

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-9997

SPIP 3.1.x suffers from a Reflected Cross Site Scripting Vulnerability in /ecrire/exec/puce_statut.php involving the `$id` parameter, as demonstrated by a /ecrire/?exec=puce_statut URL.

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-9951

An issue was discovered in Apport before 2.20.4. A malicious Apport crash file can contain a restart command in `RespawnCommand` or `ProcCmdline` fields. This command will be executed if a user click…

CVSS: 6.5 CWE: CWE-284

High

CVE-2016-9950

An issue was discovered in Apport before 2.20.4. There is a path traversal issue in the Apport crash file "Package" and "SourcePackage" fields. These fields are used to build a path to the package sp…

CVSS: 7.8 CWE: CWE-22

High

CVE-2016-9949

An issue was discovered in Apport before 2.20.4. In apport/ui.py, Apport reads the CrashDB field and it then evaluates the field as Python code if it begins with a "{". This allows remote attackers t…

CVSS: 7.8 CWE: CWE-94

High

CVE-2016-9160

A vulnerability in SIEMENS SIMATIC WinCC (All versions < SIMATIC WinCC V7.2) and SIEMENS SIMATIC PCS 7 (All versions < SIMATIC PCS 7 V8.0 SP1) could allow a remote attacker to crash an ActiveX compon…

CVSS: 8.1 CWE: CWE-111

Medium

CVE-2016-9159

A vulnerability has been identified in SIMATIC S7-300 CPU family (All versions), SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions), SIMATIC S7-400 PN/DP V6 and b…

CVSS: 5.9 CWE: CWE-200

High

CVE-2016-9158

CVSS: 7.5 CWE: CWE-20

High

CVE-2016-7454

CSRF vulnerability on Technicolor TC dpc3941T (formerly Cisco dpc3941T) devices with firmware dpc3941-P20-18-v303r20421733-160413a-CMCST allows an attacker to change the Wi-Fi password, open the remo…

CVSS: 8.0 CWE: CWE-352

2016-12-16

Medium

CVE-2016-8827

NVIDIA GeForce Experience 3.x before GFE 3.1.0.52 contains a vulnerability in NVIDIA Web Helper.exe where a local web API endpoint, /VisualOPS/v.1.0./, lacks proper access control and parameter valid…

CVSS: 6.5 CWE: CWE-22

High

CVE-2016-8825

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape where the size of an input buffer is not validated, leading…

CVSS: 7.8 CWE: CWE-119

High

CVE-2016-8824

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape where improper access controls allow a regular user to write…

CVSS: 7.8 CWE: CWE-284

High

CVE-2016-8823

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler for DxgDdiEscape where the size of an input buffer is not validated leading to a denial of s…

CVSS: 7.8 CWE: CWE-119

High

CVE-2016-8822

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape ID 0x600000E, 0x600000F, and 0x6000010 where a value passed…

CVSS: 7.8 CWE: CWE-20

High

CVE-2016-8821

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer handler for DxgDdiEscape where improper access controls may allow a user to access arbitrary physica…

CVSS: 7.8 CWE: CWE-284

Medium

CVE-2016-8820

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape where a check on a function return value is missing, potenti…

CVSS: 6.1 CWE: CWE-20

High

CVE-2016-8819

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgkDdiEscape where a handle to a kernel object may be returned to the us…

CVSS: 7.8 CWE: CWE-775

High

CVE-2016-8818

All versions of NVIDIA Windows GPU Display contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape where a pointer passed from a user to the driver is used without va…

CVSS: 7.8 CWE: CWE-20

High

CVE-2016-8817

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape where a value passed from a user to the driver is used witho…

CVSS: 7.8 CWE: CWE-119

High

CVE-2016-8816

CVSS: 7.8 CWE: CWE-129

High

CVE-2016-8815

CVSS: 7.8 CWE: CWE-129

High

CVE-2016-8814

All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape where multiple pointers are used without checking for NULL,…

CVSS: 7.8 CWE: CWE-476

High

CVE-2016-8813

CVSS: 7.8 CWE: CWE-476

Medium

CVE-2016-9964

redirect() in bottle.py in bottle 0.12.10 doesn't filter a "\r\n" sequence, which leads to a CRLF attack, as demonstrated by a redirect("233\r\nSet-Cookie: name=salt") call.

CVSS: 6.5 CWE: CWE-93

High

CVE-2016-9838

An issue was discovered in components/com_users/models/registration.php in Joomla! before 3.6.5. Incorrect filtering of registration form data stored to the session on a validation error enables a us…

CVSS: 7.5 CWE: CWE-284

High

CVE-2016-6657

An open redirect vulnerability has been detected with some Pivotal Cloud Foundry Elastic Runtime components. Users of affected versions should apply the following mitigation: Upgrade PCF Elastic Runt…

CVSS: 7.4 CWE: CWE-601

High

CVE-2016-6656

An issue was discovered in Pivotal Greenplum before 4.3.10.0. Creation of external tables using GPHDFS protocol has a vulnerability whereby arbitrary commands can be injected into the system. In orde…

CVSS: 7.2 CWE: CWE-77

2016-12-15

High

CVE-2016-9566

base/logging.c in Nagios Core before 4.2.4 allows local users with access to an account in the nagios group to gain root privileges via a symlink attack on the log file. NOTE: this can be leveraged…

CVSS: 7.8 CWE: CWE-59

Critical

CVE-2016-9565

MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed serv…

CVSS: 9.8 CWE: CWE-284

Medium

CVE-2015-3271

Apache Tika server (aka tika-server) in Apache Tika 1.9 might allow remote attackers to read arbitrary files via the HTTP fileUrl header.

CVSS: 5.3 CWE: CWE-200

High

CVE-2016-7892

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the TextField class. Successful exploitation could lead to arbitrary c…

CVSS: 8.8 CWE: CWE-416

Medium

CVE-2016-7891

Adobe RoboHelp version 2015.0.3 and earlier, RoboHelp 11 and earlier have an input validation issue that could be used in cross-site scripting attacks.

CVSS: 6.1 CWE: CWE-79

High

CVE-2016-7889

Adobe Digital Editions versions 4.5.2 and earlier has an issue with parsing crafted XML entries that could lead to information disclosure.

CVSS: 7.5 CWE: CWE-200

Medium

CVE-2016-7888

Adobe Digital Editions versions 4.5.2 and earlier has an important vulnerability that could lead to memory address leak.

CVSS: 5.3 CWE: CWE-200

High

CVE-2016-7887

Adobe ColdFusion Builder versions 2016 update 2 and earlier, 3.0.3 and earlier have an important vulnerability that could lead to information disclosure.

CVSS: 7.5 CWE: CWE-200

Critical

CVE-2016-7886

Adobe InDesign version 11.4.1 and earlier, Adobe InDesign Server 11.0.0 and earlier have an exploitable memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.

CVSS: 9.8 CWE: CWE-119

High

CVE-2016-7885

Adobe Experience Manager versions 6.2 and earlier have a vulnerability that could be used in Cross-Site Request Forgery attacks.

CVSS: 8.8 CWE: CWE-352

Medium

CVE-2016-7884

Adobe Experience Manager versions 6.1 and earlier have an input validation issue in the DAM create assets that could be used in cross-site scripting attacks.

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-7883

Adobe Experience Manager version 6.2 has an input validation issue in create Launch wizard that could be used in cross-site scripting attacks.

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-7882

Adobe Experience Manager versions 6.2 and earlier have an input validation issue in the WCMDebug filter that could be used in cross-site scripting attacks.

CVSS: 6.1 CWE: CWE-79

High

CVE-2016-7881

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the MovieClip class when handling conversion to an object. Successful…

CVSS: 8.8 CWE: CWE-416

High

CVE-2016-7880

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability when setting the length property of an array object. Successful exploitat…

CVSS: 8.8 CWE: CWE-416

High

CVE-2016-7879

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the NetConnection class when handling an attached script object. Succe…

CVSS: 8.8 CWE: CWE-416

High

CVE-2016-7878

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the PSDK's MediaPlayer class. Successful exploitation could lead to ar…

CVSS: 8.8 CWE: CWE-416

High

CVE-2016-7877

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the Action Message Format serialization (AFM0). Successful exploitatio…

CVSS: 8.8 CWE: CWE-416

High

CVE-2016-7876

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable memory corruption vulnerability in the Clipboard class related to data handling functionality. Success…

CVSS: 8.8 CWE: CWE-787

High

CVE-2016-7875

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable integer overflow vulnerability in the BitmapData class. Successful exploitation could lead to arbitrar…

CVSS: 8.8 CWE: CWE-190

High

CVE-2016-7874

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable memory corruption vulnerability in the NetConnection class when handling the proxy types. Successful e…

CVSS: 8.8 CWE: CWE-787

High

CVE-2016-7873

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable memory corruption vulnerability in the PSDK class related to ad policy functionality method. Successfu…

CVSS: 8.8 CWE: CWE-787

High

CVE-2016-7872

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable use after free vulnerability in the MovieClip class related to objects at multiple presentation levels…

CVSS: 8.8 CWE: CWE-416

High

CVE-2016-7871

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable memory corruption vulnerability in the Worker class. Successful exploitation could lead to arbitrary c…

CVSS: 8.8 CWE: CWE-787

High

CVE-2016-7870

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable buffer overflow / underflow vulnerability in the RegExp class for specific search strategies. Successf…

CVSS: 8.8 CWE: CWE-787

High

CVE-2016-7869

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable buffer overflow / underflow vulnerability in the RegExp class related to backtrack search functionalit…

CVSS: 8.8 CWE: CWE-787

High

CVE-2016-7868

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable buffer overflow / underflow vulnerability in the RegExp class related to alternation functionality. Su…

CVSS: 8.8 CWE: CWE-787

High

CVE-2016-7867

Adobe Flash Player versions 23.0.0.207 and earlier, 11.2.202.644 and earlier have an exploitable buffer overflow / underflow vulnerability in the RegExp class related to bookmarking in searches. Succ…

CVSS: 8.8 CWE: CWE-787

Critical

CVE-2016-7866

Adobe Animate versions 15.2.1.95 and earlier have an exploitable memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.

CVSS: 9.8 CWE: CWE-119

Critical

CVE-2016-7856

Adobe DNG Converter versions 9.7 and earlier have an exploitable memory corruption vulnerability. Successful exploitation could lead to arbitrary code execution.

CVSS: 9.8 CWE: CWE-119

Medium

CVE-2016-6934

Adobe Experience Manager Forms versions 6.2 and earlier, LiveCycle 11.0.1, LiveCycle 10.0.4 have an input validation issue in the PMAdmin module that could be used in cross-site scripting attacks.

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-6933

Adobe Experience Manager Forms versions 6.2 and earlier, LiveCycle 11.0.1, LiveCycle 10.0.4 have an input validation issue in the AACComponent that could be used in cross-site scripting attacks.

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-6854

An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script cod…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-6853

An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-6852

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file ex…

CVSS: 4.3 CWE: CWE-200

Medium

CVE-2016-6851

An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code can be provided as parameter to the OX Guard guest reader web application. This allows cross-site scripting attacks aga…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-6850

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as profile pictures. In case their XML structure contains iframes and script code, that code may get exec…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-6847

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. SVG files can be used as mp3 album covers. In case their XML structure contains script code, that code may get executed when ca…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-6845

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within hyperlinks at HTML E-Mails is not getting correctly sanitized when using base64 encoded "data" resources. Th…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-6844

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code within SVG files is maintained when opening such files "in browser" based on our Mail or Drive app. In case of "a"…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-6843

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Script code can be injected to contact names. When adding those contacts to a group, the script code gets executed in the conte…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-6842

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Setting the user's name to JS code makes that code execute when selecting that user's "Templates" folder from OX Documents sett…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-5740

An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev5. JavaScript code can be used as part of ical attachments within scheduling E-Mails. This content, for example an appointment's l…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-5124

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev14. Adding images from external sources to HTML editors by drag&drop can potentially lead to script code execution in the context…

CVSS: 6.1 CWE: CWE-79

Medium

CVE-2016-4047

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those re…

CVSS: 4.3 CWE: CWE-200

Medium

CVE-2016-4046

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The API to configure external mail accounts can be abused to map and access network components within the trust boundary of th…

CVSS: 5.8 CWE: CWE-918

Medium

CVE-2016-4045

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Script code can be embedded to RSS feeds using a URL notation. In case a user clicks the corresponding link at the RSS reader…

CVSS: 6.1 CWE: CWE-79

Low

CVE-2016-4027

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev10. App Suite frontend offers to control whether a user wants to store cookies that exceed the session duration. This functionalit…

CVSS: 3.5 CWE: CWE-200

Medium

CVE-2016-4026

An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. The content sanitizer component has an issue with filtering malicious content in case invalid HTML code is provided. In such c…

CVSS: 6.1 CWE: CWE-79

High

CVE-2016-3174

An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The "defer" servlet offers to redirect a client to a specified URL. Since some checks were missing, arbitrary URLs could be pro…

CVSS: 7.4 CWE: CWE-601

Medium

CVE-2016-3173

An issue was discovered in Open-Xchange OX AppSuite before 7.8.0-rev27. The aria-label parameter of tiles at the Portal can be used to inject script code. Those labels use the name of the file (e.g.…

CVSS: 5.4 CWE: CWE-79

Medium

CVE-2016-2840

An issue was discovered in Open-Xchange Server 6 / OX AppSuite before 7.8.0-rev26. The "session" parameter for file-download requests can be used to inject script code that gets reflected through the…

CVSS: 6.1 CWE: CWE-79

2016-12-14

Critical

CVE-2014-8241

XRegion in TigerVNC allows remote VNC servers to cause a denial of service (NULL pointer dereference) by leveraging failure to check a malloc return value, a similar issue to CVE-2014-6052.

CVSS: 9.8 CWE: CWE-476

Medium

CVE-2016-4443

Red Hat Enterprise Virtualization (RHEV) Manager 3.6 allows local users to obtain encryption keys, certificates, and other sensitive information by reading the engine-setup log file.

CVSS: 5.5 CWE: CWE-532

Critical

CVE-2016-1000156

Mailcwp remote file upload vulnerability incomplete fix v1.100

CVSS: 9.8 CWE: CWE-77

High

CVE-2016-9035

An exploitable buffer overflow exists in the Joyent SmartOS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the Ioctl system call with the command HYPRLOFS_ADD_ENTRIES when dea…

CVSS: 7.0 CWE: CWE-120

High

CVE-2016-9034

CVSS: 7.0 CWE: CWE-120

High

CVE-2016-9033

CVSS: 7.0 CWE: CWE-120

High

CVE-2016-9032

CVSS: 7.0 CWE: CWE-120

High

CVE-2016-9031

An exploitable integer overflow exists in the Joyent SmartOS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the Ioctl system call with the command HYPRLOFS_ADD_ENTRIES when de…

CVSS: 7.8 CWE: CWE-190

High

CVE-2016-8733

CVSS: 8.8 CWE: CWE-190

High

CVE-2016-6277

NETGEAR R6250 before 1.0.4.6.Beta, R6400 before 1.0.1.18.Beta, R6700 before 1.0.1.14.Beta, R6900, R7000 before 1.0.7.6.Beta, R7100LG before 1.0.0.28.Beta, R7300DST before 1.0.0.46.Beta, R7900 before…

CVSS: 8.8 CWE: CWE-352

Medium

CVE-2016-9214

Cisco Identity Services Engine (ISE) contains a vulnerability that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against the user of the web interface…

CVSS: 6.1 CWE: CWE-79

High

CVE-2016-9212

A vulnerability in the Decrypt for End-User Notification configuration parameter of Cisco AsyncOS Software for Cisco Web Security Appliances could allow an unauthenticated, remote attacker to connect…

CVSS: 7.5 CWE: CWE-20