CVEs from 2016
Total
8,439
critical
critical 1,165
high
high 3,521
medium
medium 3,172
low
low 248
% Critical
13.8%
% with KEV
0.7%
% with exploit
6.8%
Top vendors
Top products
- phpmyadmin 3,382
- php 1,748
- squid 1,549
- samba 1,093
- drupal 868
- firefox 757
- moodle 700
- openssl 664
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-4844 | medium | 4.3 | 4.3 | 9y ago | Cybozu Mailwise before 5.4.0 allows remote attackers to conduct clickjacking attacks. | |||
| CVE-2016-4842 | medium | 4.3 | 4.3 | 9y ago | Cybozu Mailwise before 5.4.0 allows remote attackers to obtain information on when an email is read. | |||
| CVE-2016-1220 | medium | 4.3 | 4.3 | 9y ago | Cybozu Garoon before 4.2.2 does not properly restrict access. | |||
| CVE-2016-4873 | medium | 4.3 | 4.3 | 9y ago | Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to execute unintended operations via the Project function. | |||
| CVE-2016-4872 | medium | 4.3 | 4.3 | 9y ago | Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to bypass access restrictions to view the names of unauthorized projects via a breadcrumb trail. | |||
| CVE-2016-4868 | medium | 4.3 | 4.3 | 9y ago | Email header injection vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows remote attackers to inject arbitrary email headers to send unintended emails via specially crafted requests. | |||
| CVE-2016-4867 | medium | 4.3 | 4.3 | 9y ago | Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to bypass access restriction to view unauthorized project information via the Project function. | |||
| CVE-2016-8926 | medium | 4.3 | 4.3 | 9y ago | IBM Tivoli Application Dependency Discovery Manager 7.2.2 and 7.3 could allow a remote attacker to read system files or data that is restricted to authorized users. IBM X-Force ID: 118539. | |||
| CVE-2016-8720 | medium | 4.3 | 4.3 | 9y ago | An exploitable HTTP Header Injection vulnerability exists in the Web Application functionality of the Moxa AWK-3131A Wireless Access Point running firmware 1.1. A specially crafted HTTP request can i… | |||
| CVE-2016-4320 | medium | 4.3 | 4.3 | 9y ago | Atlassian Bitbucket Server before 4.7.1 allows remote attackers to read the first line of an arbitrary file via a directory traversal attack on the pull requests resource. | |||
| CVE-2016-10221 | medium | 4.3 | 4.3 | 9y ago | The count_entries function in pdf-layer.c in Artifex Software, Inc. MuPDF 1.10a allows remote attackers to cause a denial of service (stack consumption and application crash) via a crafted PDF docume… | |||
| CVE-2016-9464 | medium | 4.3 | 4.3 | 9y ago | Nextcloud Server before 9.0.54 and 10.0.0 suffers from an improper authorization check on removing shares. The Sharing Backend as implemented in Nextcloud does differentiate between shares to users a… | |||
| CVE-2016-9462 | medium | 4.3 | 4.3 | 9y ago | Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying restore privileges when restoring a file. The restore capability of Nextcloud/ownCloud was not verifying wheth… | |||
| CVE-2016-9461 | medium | 4.3 | 4.3 | 9y ago | Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on… | |||
| CVE-2016-8973 | medium | 4.3 | 4.3 | 9y ago | IBM Rhapsody DM 4.0, 5.0 and 6.0 contains an undisclosed vulnerability that may allow an authenticated user to upload infected malicious files to the server. IBM Reference #: 1999960. | |||
| CVE-2016-2406 | medium | 4.3 | 4.3 | 9y ago | The permission control module in Huawei Document Security Management (aka DSM) before V100R002C05SPC670 allows remote authenticated users to obtain sensitive information from encrypted documents by l… | |||
| CVE-2016-9730 | medium | 4.3 | 4.3 | 9y ago | IBM QRadar Incident Forensics 7.2 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trus… | |||
| CVE-2016-7759 | medium | 4.3 | 4.3 | 9y ago | An issue was discovered in certain Apple products. iOS before 10 is affected. The issue involves the "Springboard" component, which allows physically proximate attackers to obtain sensitive informati… | |||
| CVE-2016-7592 | medium | 4.3 | 4.3 | 9y ago | An issue was discovered in certain Apple products. iOS before 10.2 is affected. Safari before 10.0.2 is affected. iCloud before 6.1 is affected. iTunes before 12.5.4 is affected. The issue involves t… | |||
| CVE-2016-7581 | medium | 4.3 | 4.3 | 9y ago | An issue was discovered in certain Apple products. iOS before 10.1 is affected. The issue involves the "Safari" component, which allows remote web servers to cause a denial of service via a crafted U… | |||
| CVE-2016-6190 | medium | 4.3 | 4.3 | 9y ago | SOGo before 2.3.12 and 3.x before 3.1.1 does not restrict access to the UID and DTSTAMP attributes, which allows remote authenticated users to obtain sensitive information about appointments with the… | |||
| CVE-2016-6189 | medium | 4.3 | 4.3 | 9y ago | Incomplete blacklist in SOGo before 2.3.12 and 3.x before 3.1.1 allows remote authenticated users to obtain sensitive information by reading the fields in the (1) ics or (2) XML calendar feeds. | |||
| CVE-2016-6060 | medium | 4.3 | 4.3 | 9y ago | An undisclosed vulnerability in IBM Rational DOORS Next Generation 4.0, 5.0, and 6.0 could allow a JazzGuest user to see project names. IBM Reference #: 1995547. | |||
| CVE-2016-0308 | medium | 4.3 | 4.3 | 9y ago | IBM Connections 5.5 and earlier is vulnerable to possible link manipulation attack that could result in the display of inappropriate background images. | |||
| CVE-2016-0307 | medium | 4.3 | 4.3 | 9y ago | IBM Connections 5.5 and earlier allows remote attackers to obtain sensitive information by reading stack traces in returned responses. | |||
| CVE-2016-9748 | medium | 4.3 | 4.3 | 9y ago | IBM Rational DOORS Next Generation 5.0 and 6.0 discloses sensitive information in error response messages that could be used for further attacks against the system. | |||
| CVE-2016-2866 | medium | 4.3 | 4.3 | 9y ago | An unspecified vulnerability in IBM Jazz Team Server may disclose some deployment information to an authenticated user. | |||
| CVE-2016-6094 | medium | 4.3 | 4.3 | 9y ago | IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 generates an error message that includes sensitive information about its environment, users, or associated data. | |||
| CVE-2016-10208 | medium | 4.3 | 4.3 | 9y ago | The ext4_fill_super function in fs/ext4/super.c in the Linux kernel through 4.9.8 does not properly validate meta block groups, which allows physically proximate attackers to cause a denial of servic… | |||
| CVE-2016-0320 | medium | 4.3 | 4.3 | 10y ago | IBM UrbanCode Deploy could allow an authenticated user to modify Ucd objects due to multiple REST endpoints not properly authorizing users editing UCD objects. This could affect the behavior of legit… | |||
| CVE-2016-8912 | medium | 4.3 | 4.3 | 10y ago | IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 stores potentially sensitive information in in log files that could be read by an authenticated user. | |||
| CVE-2016-6122 | medium | 4.3 | 4.3 | 10y ago | IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 discloses answers to security questions in a response to authenticated users. | |||
| CVE-2016-6044 | medium | 4.3 | 4.3 | 10y ago | IBM Tivoli Storage Manager Operations Center could allow an authenticated attacker to enable or disable the application's REST API, which may let the attacker violate security policy. | |||
| CVE-2016-6028 | medium | 4.3 | 4.3 | 10y ago | IBM Jazz technology based products might allow an attacker to view work item titles that they do not have privilege to view. | |||
| CVE-2016-5949 | medium | 4.3 | 4.3 | 10y ago | IBM Kenexa LCMS Premier on Cloud could allow an authenticated user to obtain sensitive user data with a specially crafted HTTP request. | |||
| CVE-2016-5898 | medium | 4.3 | 4.3 | 10y ago | IBM Jazz Reporting Service (JRS) could allow a remote attacker to obtain sensitive information, caused by not restricting JSON serialization. By sending a direct request, an attacker could exploit th… | |||
| CVE-2016-2987 | medium | 4.3 | 4.3 | 10y ago | An undisclosed vulnerability in CLM applications may result in some administrative deployment parameters being shown to an attacker. | |||
| CVE-2016-8322 | medium | 4.3 | 4.3 | 10y ago | Vulnerability in the Oracle FLEXCUBE Core Banking component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 5.1.0, 5.2.0 and 11.5.0. Easily ex… | |||
| CVE-2016-8309 | medium | 4.3 | 4.3 | 10y ago | Vulnerability in the Oracle FLEXCUBE Investor Servicing component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 12.0.1, 12.0.2,12.0.4,12.1.0… | |||
| CVE-2016-8308 | medium | 4.3 | 4.3 | 10y ago | Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Product / Instrument Search). Supported versions that are affected are 2.0.1, 2… | |||
| CVE-2016-8302 | medium | 4.3 | 4.3 | 10y ago | Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.… | |||
| CVE-2016-8301 | medium | 4.3 | 4.3 | 10y ago | Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.… | |||
| CVE-2016-5614 | medium | 4.3 | 4.3 | 10y ago | Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Product / Instrument Search). Supported versions that are affected are 2.0.1, 2… | |||
| CVE-2016-9221 | medium | 4.3 | 4.3 | 10y ago | A Denial of Service Vulnerability in 802.11 ingress connection authentication handling for the Cisco Mobility Express 2800 and 3800 Access Points (APs) could allow an unauthenticated, adjacent attack… | |||
| CVE-2016-9220 | medium | 4.3 | 4.3 | 10y ago | A Denial of Service Vulnerability in 802.11 ingress packet processing of the Cisco Mobility Express 2800 and 3800 Access Points (APs) could allow an unauthenticated, adjacent attacker to cause the co… | |||
| CVE-2016-8643 | medium | 4.3 | 4.3 | 10y ago | In Moodle 2.x and 3.x, non-admin site managers may accidentally edit admins via web services. | |||
| CVE-2016-9650 | medium | 4.3 | 4.3 | 10y ago | multiple issues in chromium | |||
| CVE-2016-5225 | medium | 4.3 | 4.3 | 10y ago | multiple issues in chromium | |||
| CVE-2016-5224 | medium | 4.3 | 4.3 | 10y ago | multiple issues in chromium | |||
| CVE-2016-5214 | medium | 4.3 | 4.3 | 10y ago | multiple issues in chromium | |||
| CVE-2016-10148 | medium | 4.3 | 4.3 | 10y ago | The wp_ajax_update_plugin function in wp-admin/includes/ajax-actions.php in WordPress before 4.6 makes a get_plugin_data call before checking the update_plugins capability, which allows remote authen… | |||
| CVE-2016-7428 | medium | 4.3 | 4.3 | 10y ago | ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via the poll interval in a broadcast packet. | |||
| CVE-2016-7427 | medium | 4.3 | 4.3 | 10y ago | The broadcast mode replay prevention functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via a crafted broadcast mode pack… | |||
| CVE-2016-6859 | medium | 4.3 | 4.3 | 10y ago | Hybris Management Console (HMC) in SAP Hybris before 6.0 allows remote attackers to obtain sensitive information by triggering an error and then reading a Java stack trace. | |||
| CVE-2016-7284 | medium | 4.3 | 4.3 | 10y ago | Microsoft Internet Explorer 10 and 11 allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Internet Explorer Information Disclosure Vulnerability." | |||
| CVE-2016-5193 | medium | 4.3 | 4.3 | 10y ago | multiple issues in chromium | |||
| CVE-2016-5188 | medium | 4.3 | 4.3 | 10y ago | multiple issues in chromium | |||
| CVE-2016-6852 | medium | 4.3 | 4.3 | 10y ago | An issue was discovered in Open-Xchange OX App Suite before 7.8.2-rev8. Users can provide local file paths to the RSS reader; the response and error code give hints about whether the provided file ex… | |||
| CVE-2016-4048 | medium | 4.3 | 4.3 | 10y ago | An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev11. Custom messages can be shown at the login screen to notify external users about issues with sharing links. This mechanism can … | |||
| CVE-2016-4047 | medium | 4.3 | 4.3 | 10y ago | An issue was discovered in Open-Xchange OX App Suite before 7.8.1-rev8. References to external Open XML document type definitions (.dtd resources) can be placed within .docx and .xslx files. Those re… | |||
| CVE-2016-9209 | medium | 4.3 | 4.3 | 10y ago | A vulnerability in TCP processing in Cisco FirePOWER system software could allow an unauthenticated, remote attacker to download files that would normally be blocked. Affected Products: The following… | |||
| CVE-2016-6465 | medium | 4.3 | 4.3 | 10y ago | A vulnerability in the content filtering functionality of Cisco AsyncOS Software for Cisco Email Security Appliances and Cisco Web Security Appliances could allow an unauthenticated, remote attacker … | |||
| CVE-2016-6625 | medium | 4.3 | 4.3 | 10y ago | phpMyAdmin allows to detect if user is logged in | |||
| CVE-2016-6610 | medium | 4.3 | 4.3 | 10y ago | A full path disclosure vulnerability was discovered in phpMyAdmin where a user can trigger a particular error in the export mechanism to discover the full path of phpMyAdmin on the disk. All 4.6.x ve… | |||
| CVE-2016-2958 | medium | 4.3 | 4.3 | 10y ago | IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 allows remote authenticated users to obtain sensitive information by reading an "archaic" e-mail address in a response. | |||
| CVE-2016-2957 | medium | 4.3 | 4.3 | 10y ago | IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 allows remote authenticated users to obtain sensitive information by reading a stack trace in a response. | |||
| CVE-2016-2928 | medium | 4.3 | 4.3 | 10y ago | IBM BigFix Remote Control before 9.1.3 allows remote authenticated users to obtain sensitive information by reading error logs. | |||
| CVE-2016-9449 | medium | 4.3 | 4.3 | 10y ago | Drupal sensitive information disclosure | |||
| CVE-2016-9185 | medium | 4.3 | 4.3 | 10y ago | In OpenStack Heat, by launching a new Heat stack with a local URL an authenticated user may conduct network discovery revealing internal network configuration. Affected versions are <=5.0.3, >=6.0.0 … | |||
| CVE-2016-8504 | medium | 4.3 | 4.3 | 10y ago | CSRF of synchronization form in Yandex Browser for desktop before version 16.6 could be used by remote attacker to steal saved data in browser profile. | |||
| CVE-2016-8295 | medium | 4.3 | 4.3 | 10y ago | Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft Products 9.2 allows remote authenticated users to affect confidentiality via unknown vectors. | |||
| CVE-2016-8294 | medium | 4.3 | 4.3 | 10y ago | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.54 and 8.55 allows remote authenticated users to affect confidentiality via unknown vector… | |||
| CVE-2016-8283 | medium | 4.3 | 4.3 | 10y ago | Unspecified vulnerability in Oracle MySQL 5.5.51 and earlier, 5.6.32 and earlier, and 5.7.14 and earlier allows remote authenticated users to affect availability via vectors related to Server: Types. | |||
| CVE-2016-5621 | medium | 4.3 | 4.3 | 10y ago | Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Applications 11.3.0, 11.4.0, 12.0.1 and 12.0.3, 12.1.0, and 12.2.0 allows remote authenticate… | |||
| CVE-2016-5613 | medium | 4.3 | 4.3 | 10y ago | Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect availability via vectors related to Core, a … | |||
| CVE-2016-5611 | medium | 4.3 | 4.3 | 10y ago | Unspecified vulnerability in the Oracle VM VirtualBox component before 5.0.28 and 5.1.x before 5.1.8 in Oracle Virtualization allows local users to affect confidentiality via vectors related to Core. | |||
| CVE-2016-5603 | medium | 4.3 | 4.3 | 10y ago | Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Applications 11.3.0, 11.4.0, 12.0.1 through 12.0.3, 12.1.0, and 12.2.0 allows remote authenti… | |||
| CVE-2016-5596 | medium | 4.3 | 4.3 | 10y ago | Unspecified vulnerability in the Oracle CRM Technical Foundation component in Oracle E-Business Suite 12.1.1 through 12.1.3 and 12.2.3 through 12.2.6 allows remote authenticated users to affect confi… | |||
| CVE-2016-5554 | medium | 4.3 | 4.3 | 10y ago | Unspecified vulnerability in Oracle Java SE 6u121, 7u111, 8u102; and Java SE Embedded 8u101 allows remote attackers to affect integrity via vectors related to JMX. | |||
| CVE-2016-5522 | medium | 4.3 | 4.3 | 10y ago | Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote authenticated users to affect confidentiality via unknown vectors. | |||
| CVE-2016-5513 | medium | 4.3 | 4.3 | 10y ago | Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote authenticated users to affect confidentiality via vectors related to Fi… | |||
| CVE-2016-5511 | medium | 4.3 | 4.3 | 10y ago | Unspecified vulnerability in the Oracle WebCenter Sites component in Oracle Fusion Middleware 12.2.1.0.0, 12.2.1.1.0, and 12.2.1.2.0 allows remote attackers to affect integrity via unknown vectors. | |||
| CVE-2016-5479 | medium | 4.3 | 4.3 | 10y ago | Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Applications 11.3.0, 11.4.0, and 12.0.1 allows remote authenticated users to affect confident… | |||
| CVE-2016-0377 | medium | 4.3 | 4.3 | 10y ago | The Administrative Console in IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.x before 8.0.0.13, and 8.5.x before 8.5.5.10 mishandles CSRFtoken cookies, which allows remote authentica… | |||
| CVE-2016-0242 | medium | 4.3 | 4.3 | 10y ago | IBM Security Guardium 10.x through 10.1 before p100 allows remote authenticated users to obtain sensitive information by reading an Application Error message. | |||
| CVE-2016-7572 | medium | 4.3 | 4.3 | 10y ago | Drupal Unprivileged access to config export | |||
| CVE-2016-7570 | medium | 4.3 | 4.3 | 10y ago | Drupal Users without "Administer comments" can set comment visibility on nodes they can edit | |||
| CVE-2016-3639 | medium | 4.3 | 4.3 | 10y ago | SAP HANA DB 1.00.091.00.1418659308 allows remote attackers to obtain sensitive topology information via an unspecified HTTP request, aka SAP Security Note 2176128. | |||
| CVE-2016-5945 | medium | 4.3 | 4.3 | 10y ago | IBM Spectrum Control (formerly Tivoli Storage Productivity Center) 5.2.x before 5.2.11 allows remote authenticated users to upload non-executable files via a crafted HTTP request. | |||
| CVE-2016-3000 | medium | 4.3 | 4.3 | 10y ago | The help service in IBM Connections 4.x through 4.5 CR5, 5.0 before CR4, and 5.5 before CR1 allows remote authenticated users to cause a denial of service (service degradation) via a crafted URL. | |||
| CVE-2016-0918 | medium | 4.3 | 4.3 | 10y ago | EMC RSA Identity Management and Governance before 6.8.1 P25 and 6.9.x before 6.9.1 P15 and RSA Via Lifecycle and Governance before 7.0.0 P04 allow remote authenticated users to obtain User Detail Pop… | |||
| CVE-2016-5279 | medium | 4.3 | 4.3 | 10y ago | Mozilla Firefox before 49.0 allows user-assisted remote attackers to obtain sensitive full-pathname information during a local-file drag-and-drop operation via crafted JavaScript code. | |||
| CVE-2016-0138 | medium | 4.3 | 4.3 | 10y ago | Microsoft Exchange Server 2007 SP3, 2010 SP3, 2013 SP1, 2013 Cumulative Update 12, 2013 Cumulative Update 13, 2016 Cumulative Update 1, and 2016 Cumulative Update 2 misparses e-mail messages, which a… | |||
| CVE-2016-6370 | medium | 4.3 | 4.3 | 10y ago | Directory traversal vulnerability in the web interface in Cisco Hosted Collaboration Mediation Fulfillment (HCM-F) 10.6(3) and earlier allows remote authenticated users to read arbitrary files via a … | |||
| CVE-2016-5163 | medium | 4.3 | 4.3 | 10y ago | The bidirectional-text implementation in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not ensure left-to-right (LTR) rendering of URLs, which allows rem… | |||
| CVE-2016-5664 | medium | 4.3 | 4.3 | 10y ago | Directory traversal vulnerability on Accellion Kiteworks appliances before kw2016.03.00 allows remote attackers to read files via a crafted URI. | |||
| CVE-2016-1474 | medium | 4.3 | 4.3 | 10y ago | Cisco Prime Infrastructure 2.2(2) does not properly restrict use of IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks and unspecified other attacks via a cra… | |||
| CVE-2016-5400 | medium | 4.3 | 4.3 | 10y ago | Memory leak in the airspy_probe function in drivers/media/usb/airspy/airspy.c in the airspy USB driver in the Linux kernel before 4.7 allows local users to cause a denial of service (memory consumpti… | |||
| CVE-2016-5268 | medium | 4.3 | 4.3 | 10y ago | Mozilla Firefox before 48.0 does not properly set the LINKABLE and URI_SAFE_FOR_UNTRUSTED_CONTENT flags of about: URLs that are used for error pages, which makes it easier for remote attackers to con… | |||
| CVE-2016-5251 | medium | 4.3 | 4.3 | 10y ago | Mozilla Firefox before 48.0 allows remote attackers to spoof the location bar via crafted characters in the media type of a data: URL. |