CVEs from 2016

Total: 8,471
- critical: 1,164
- high: 3,521
- medium: 3,172
- low: 249

% Critical: 13.7%
% with KEV: 0.7%
% with exploit: 1.8%
Top vendors
Top products
- phpmyadmin 3,382
- php 1,748
- squid 1,549
- samba 1,093
- drupal 868
- firefox 757
- moodle 700
- openssl 664
| CVE | Severity | CVSS | Risk | Published | Description |
|---|---|---|---|---|---|
| CVE-2016-9079 | critical | — | 10.0 | 3y ago | Mozilla Firefox, Firefox ESR, and Thunderbird contain a use-after-free vulnerability in SVG Animation, targeting Firefox and Tor browser users on Windows. |
| CVE-2016-10033 | high | — | 10.0 | 6y ago | PHPMailer contains a command injection vulnerability because it fails to sanitize user-supplied input. Specifically, this issue affects the 'mail()' function of 'class.phpmailer.php' script. An attac… |
| CVE-2016-10372 | critical | 9.8 | 10.0 | 9y ago | The Eir D1000 modem does not properly restrict the TR-064 protocol, which allows remote attackers to execute arbitrary commands via TCP port 7547, as demonstrated by opening WAN access to TCP port 80… |
| CVE-2016-1560 | critical | 9.8 | 10.0 | 9y ago | ExaGrid appliances with firmware before 4.8 P26 have a default password of (1) inflection for the root shell account and (2) support for the support account in the web interface, which allows remote … |
| CVE-2016-2555 | critical | 9.8 | 10.0 | 9y ago | SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function to friends.inc.php. |
| CVE-2016-7552 | critical | 9.8 | 10.0 | 9y ago | On the Trend Micro Threat Discovery Appliance 2.6.1062r1, directory traversal when processing a session_id cookie allows a remote, unauthenticated attacker to delete arbitrary files as root. This can… |
| CVE-2016-7547 | critical | 9.8 | 10.0 | 9y ago | A command execution flaw on the Trend Micro Threat Discovery Appliance 2.6.1062r1 exists with the timezone parameter in the admin_sys_time.cgi interface. |
| CVE-2016-8027 | critical | 10.0 | 10.0 | 9y ago | SQL injection vulnerability in core services in Intel Security McAfee ePolicy Orchestrator (ePO) 5.3.2 and earlier and 5.1.3 and earlier allows attackers to alter a SQL query, which can result in dis… |
| CVE-2016-10134 | critical | 9.8 | 10.0 | 9y ago | SQL injection vulnerability in Zabbix before 2.2.14 and 3.0 before 3.0.4 allows remote attackers to execute arbitrary SQL commands via the toggle_ids array parameter in latest.php. |
| CVE-2016-9361 | critical | 9.8 | 10.0 | 9y ago | An issue was discovered in Moxa NPort 5110 versions prior to 2.6, NPort 5130/5150 Series versions prior to 3.6, NPort 5200 Series versions prior to 2.8, NPort 5400 Series versions prior to 3.11, NPor… |
| CVE-2016-9343 | critical | 10.0 | 10.0 | 9y ago | An issue was discovered in Rockwell Automation Logix5000 Programmable Automation Controller FRN 16.00 through 21.00 (excluding all firmware versions prior to FRN 16.00, which are not affected). By se… |
| CVE-2016-8363 | critical | 10.0 | 10.0 | 9y ago | An issue was discovered in Moxa OnCell OnCellG3470A-LTE, AWK-1131A/3131A/4131A Series, AWK-3191 Series, AWK-5232/6232 Series, AWK-1121/1127 Series, WAC-1001 V2 Series, WAC-2004 Series, AWK-3121-M12-R… |
| CVE-2016-8352 | critical | 10.0 | 10.0 | 9y ago | An issue was discovered in Schneider Electric ConneXium firewalls TCSEFEC23F3F20 all versions, TCSEFEC23F3F21 all versions, TCSEFEC23FCF20 all versions, TCSEFEC23FCF21 all versions, and TCSEFEC2CF3F2… |
| CVE-2016-8938 | critical | 10.0 | 10.0 | 9y ago | IBM UrbanCode Deploy could allow a user to execute code using a specially crafted file upload that would replace code on the server. This code could be executed on the UCD agent machines that host cu… |
| CVE-2016-6082 | critical | 10.0 | 10.0 | 9y ago | IBM BigFix Platform could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free race condition. An attacker could exploit this vulnerability to execute arbitrary… |
| CVE-2016-10043 | critical | 10.0 | 10.0 | 9y ago | An issue was discovered in Radisys MRF Web Panel (SWMS) 9.0.1. The MSM_MACRO_NAME POST parameter in /swms/ms.cgi was discovered to be vulnerable to OS command injection attacks. It is possible to use… |
| CVE-2016-10176 | critical | 9.8 | 10.0 | 10y ago | The NETGEAR WNR2000v5 router allows an administrator to perform sensitive actions by invoking the apply.cgi URL on the web server of the device. This special URL is handled by the embedded web server… |
| CVE-2016-10175 | critical | 9.8 | 10.0 | 10y ago | The NETGEAR WNR2000v5 router leaks its serial number when performing a request to the /BRS_netgear_success.html URI. This serial number allows a user to obtain the administrator username and password… |
| CVE-2016-6602 | critical | 9.8 | 10.0 | 10y ago | ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/… |
| CVE-2016-6600 | critical | 9.8 | 10.0 | 10y ago | Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. (dot dot) in the… |
| CVE-2016-4010 | critical | 9.8 | 10.0 | 10y ago | Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data. |
| CVE-2016-9299 | critical | 9.8 | 10.0 | 10y ago | Improper Neutralization of Special Elements used in an LDAP Query in Jenkins |
| CVE-2016-10108 | critical | 9.8 | 10.0 | 10y ago | Unauthenticated Remote Command injection as root occurs in the Western Digital MyCloud NAS 2.11.142 /web/google_analytics.php URL via a modified arg parameter in the POST data. |
| CVE-2016-10045 | critical | 9.8 | 10.0 | 10y ago | Remote code execution in PHPMailer |
| CVE-2016-7457 | critical | 10.0 | 10.0 | 10y ago | VMware vRealize Operations (aka vROps) 6.x before 6.4.0 allows remote authenticated users to gain privileges, or halt and remove virtual machines, via unspecified vectors. |
| CVE-2016-7456 | critical | 9.8 | 10.0 | 10y ago | VMware vSphere Data Protection (VDP) 5.5.x through 6.1.x has an SSH private key with a publicly known password, which makes it easier for remote attackers to obtain login access via an SSH session. |
| CVE-2016-5788 | critical | 10.0 | 10.0 | 10y ago | General Electric (GE) Bently Nevada 3500/22M USB with firmware before 5.0 and Bently Nevada 3500/22M Serial have open ports, which makes it easier for remote attackers to obtain privileged access via… |
| CVE-2016-8869 | critical | 9.8 | 10.0 | 10y ago | The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use o… |
| CVE-2016-8582 | critical | 9.8 | 10.0 | 10y ago | A vulnerability exists in gauge.php of AlienVault OSSIM and USM before 5.3.2 that allows an attacker to execute an arbitrary SQL query and retrieve database information or read local system files via… |
| CVE-2016-5675 | critical | 9.8 | 10.0 | 10y ago | handle_daylightsaving.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.0.0 through 3.0.0, NUUO Crystal 2.2.1 through 3.2.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remot… |
| CVE-2016-5674 | critical | 9.8 | 10.0 | 10y ago | __debugging_center_utils___.php in NUUO NVRmini 2 1.7.5 through 3.0.0, NUUO NVRsolo 1.7.5 through 3.0.0, and NETGEAR ReadyNAS Surveillance 1.1.1 through 1.4.1 allows remote attackers to execute arbit… |
| CVE-2016-3510 | critical | 9.8 | 10.0 | 10y ago | Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availa… |
| CVE-2016-5734 | critical | 9.8 | 10.0 | 10y ago | phpMyAdmin Code Injection vulnerability |
| CVE-2016-3236 | critical | 9.8 | 10.0 | 10y ago | The Web Proxy Auto Discovery (WPAD) protocol implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT… |
| CVE-2016-3087 | critical | 9.8 | 10.0 | 10y ago | Apache Struts vulnerable to arbitrary remote code execution due to improper input validation |
| CVE-2016-4787 | critical | 10.0 | 10.0 | 10y ago | Pulse Connect Secure (PCS) 8.2 before 8.2r1, 8.1 before 8.1r2, 8.0 before 8.0r10, and 7.4 before 7.4r13.4 allow remote attackers to read sensitive system authentication files in an unspecified direct… |
| CVE-2016-2298 | critical | 9.8 | 10.0 | 10y ago | Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited allows remote attackers to obtain sensitive cleartext information via unspecified vectors. |
| CVE-2016-2296 | critical | 9.4 | 10.0 | 10y ago | Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not require authentication for "post-admin" login pages, which allows remote attackers to obtain sensitive information or modify dat… |
| CVE-2016-1209 | critical | 9.8 | 10.0 | 10y ago | The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via crafted serialized values in a POST request. |
| CVE-2016-1044 | critical | 10.0 | 10.0 | 10y ago | Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attacker… |
| CVE-2016-1041 | critical | 10.0 | 10.0 | 10y ago | Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attacker… |
| CVE-2016-1038 | critical | 10.0 | 10.0 | 10y ago | Adobe Reader and Acrobat before 11.0.16, Acrobat and Acrobat Reader DC Classic before 15.006.30172, and Acrobat and Acrobat Reader DC Continuous before 15.016.20039 on Windows and OS X allow attacker… |
| CVE-2016-1343 | critical | 10.0 | 10.0 | 10y ago | The XML parser in Cisco Information Server (CIS) 6.2 allows remote attackers to read arbitrary files or cause a denial of service (CPU and memory consumption) via an external entity declaration in co… |
| CVE-2016-2004 | critical | 9.8 | 10.0 | 10y ago | HPE Data Protector before 7.03_108, 8.x before 8.15, and 9.x before 9.06 allow remote attackers to execute arbitrary code via unspecified vectors related to lack of authentication. NOTE: this vulner… |
| CVE-2016-1524 | critical | 9.6 | 10.0 | 10y ago | Multiple unrestricted file upload vulnerabilities in NETGEAR Management System NMS300 1.5.0.11 and earlier allow remote attackers to execute arbitrary Java code by using (1) fileUpload.do or (2) lib-… |
| CVE-2016-1505 | critical | 10.0 | 10.0 | 11y ago | Radicale is vulnerable to directory traversal on Windows Filesystem Storage Backend component |
| CVE-2016-1931 | critical | 10.0 | 10.0 | 11y ago | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 44.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly exe… |
| CVE-2016-1985 | critical | 10.0 | 10.0 | 11y ago | HPE Operations Manager 8.x and 9.0 on Windows allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections library. |
| CVE-2016-0494 | critical | — | 10.0 | 11y ago | Unspecified vulnerability in the Java SE and Java SE Embedded components in Oracle Java SE 6u105, 7u91, and 8u66 and Java SE Embedded 8u65 allows remote attackers to affect confidentiality, integrity… |
| CVE-2016-0483 | critical | — | 10.0 | 11y ago | Unspecified vulnerability in Oracle Java SE 6u105, 7u91, and 8u66; Java SE Embedded 8u65; and JRockit R28.3.8 allows remote attackers to affect confidentiality, integrity, and availability via vector… |
| CVE-2016-0452 | critical | — | 10.0 | 11y ago | Unspecified vulnerability in the Oracle GoldenGate component in Oracle GoldenGate 11.2 and 12.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a… |
| CVE-2016-0451 | critical | — | 10.0 | 11y ago | Unspecified vulnerability in the Oracle GoldenGate component in Oracle GoldenGate 11.2 and 12.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a… |
| CVE-2016-1909 | critical | 9.8 | 10.0 | 11y ago | Fortinet FortiAnalyzer before 5.0.12 and 5.2.x before 5.2.5; FortiSwitch 3.3.x before 3.3.3; FortiCache 3.0.x before 3.0.8; and FortiOS 4.1.x before 4.1.11, 4.2.x before 4.2.16, 4.3.x before 4.3.17 a… |
| CVE-2016-0854 | critical | 9.8 | 10.0 | 11y ago | Unrestricted file upload vulnerability in the uploadImageCommon function in the UploadAjaxAction script in the WebAccess Dashboard Viewer in Advantech WebAccess before 8.1 allows remote attackers to … |
| CVE-2016-6903 | critical | 9.9 | 9.9 | 9y ago | lshell 0.9.16 allows remote authenticated users to break out of a limited shell and execute arbitrary commands. |
| CVE-2016-6902 | critical | 9.9 | 9.9 | 9y ago | lshell 0.9.16 allows remote authenticated users to break out of a limited shell and execute arbitrary commands. |
| CVE-2016-9269 | critical | 9.9 | 9.9 | 9y ago | Remote Command Execution in com.trend.iwss.gui.servlet.ManagePatches in Trend Micro Interscan Web Security Virtual Appliance (IWSVA) version 6.5-SP2_Build_Linux_1707 and earlier allows authenticated,… |
| CVE-2016-8355 | critical | 9.9 | 9.9 | 9y ago | An issue was discovered in Smiths-Medical CADD-Solis Medication Safety Software, Version 1.0; 2.0; 3.0; and 3.1. CADD-Solis Medication Safety Software grants an authenticated user elevated privileges… |
| CVE-2016-9832 | critical | 9.9 | 9.9 | 10y ago | PricewaterhouseCoopers (PwC) ACE-ABAP 8.10.304 for SAP Security allows remote authenticated users to conduct ABAP injection attacks and execute arbitrary code via (1) SAPGUI or (2) Internet Communica… |
| CVE-2016-2396 | critical | 9.9 | 9.9 | 10y ago | The GMS ViewPoint (GMSVP) web application in Dell SonicWALL GMS, Analyzer, and UMA EM5000 7.2, 8.0, and 8.1 before Hotfix 168056 allows remote authenticated users to execute arbitrary commands via ve… |
| CVE-2016-5713 | critical | 9.8 | 9.8 | 9y ago | Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to… |
| CVE-2016-1253 | critical | 9.8 | 9.8 | 9y ago | The most package in Debian wheezy before 5.0.0a-2.2, in Debian jessie before 5.0.0a-2.3+deb8u1, and in Debian unstable before 5.0.0a-3 allows remote attackers to execute arbitrary commands via shell … |
| CVE-2016-0872 | critical | 9.8 | 9.8 | 9y ago | A Plaintext Storage of a Password issue was discovered in Kabona AB WebDatorCentral (WDC) versions prior to Version 3.4.0. WDC stores password credentials in plaintext. |
| CVE-2016-5003 | critical | 9.8 | 9.8 | 9y ago | Apache XML-RPC vulnerable to Deserialization of Untrusted Data |
| CVE-2016-1265 | critical | 9.8 | 9.8 | 9y ago | A remote unauthenticated network based attacker with access to Junos Space may execute arbitrary code on Junos Space or gain access to devices managed by Junos Space using cross site request forgery … |
| CVE-2016-5791 | critical | 9.8 | 9.8 | 9y ago | An Improper Authentication issue was discovered in JanTek JTC-200, all versions. The improper authentication could provide an undocumented BusyBox Linux shell accessible over the TELNET service witho… |
| CVE-2016-8736 | critical | 9.8 | 9.8 | 9y ago | Apache OpenMeetings RCE |
| CVE-2016-8937 | critical | 9.8 | 9.8 | 9y ago | The IBM Tivoli Storage Manager (IBM Spectrum Protect 7.1 and 8.1) default authentication protocol is vulnerable to a brute force attack due to disclosing too much information during authentication. A… |
| CVE-2016-10512 | critical | 9.8 | 9.8 | 9y ago | MultiTech FaxFinder before 4.1.2 stores Passwords unencrypted for maintaining the test connectivity function of its LDAP configuration. These credentials are retrieved by the system when the LDAP con… |
| CVE-2016-6795 | critical | 9.8 | 9.8 | 9y ago | Path Traversal in Apache Struts |
| CVE-2016-10405 | critical | 9.8 | 9.8 | 9y ago | Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) with firmware before FW1.17.B01 allows remote attackers to hijack web sessions via unspecified vectors. |
| CVE-2016-3086 | critical | 9.8 | 9.8 | 9y ago | Exposure of Sensitive Information to an Unauthorized Actor in Apache Hadoop |
| CVE-2016-4460 | critical | 9.8 | 9.8 | 9y ago | Apache Pony Mail 0.6c through 0.8b allows remote attackers to bypass authentication. |
| CVE-2016-5872 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, arguments to several QTEE syscalls are not properly validated. |
| CVE-2016-5871 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an integer overflow to buffer overflow vulnerability exists when loading an image file. |
| CVE-2016-10392 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a driver can potentially leak kernel memory. |
| CVE-2016-10391 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, the length in an HCI command is not properly checked for validity. |
| CVE-2016-10390 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, when downloading a file, an excessive amount of memory may be consumed. |
| CVE-2016-10388 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a configuration vulnerability exists when loading a 3rd-party QTEE application. |
| CVE-2016-10387 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an assertion was potentially reachable in a handover scenario. |
| CVE-2016-10386 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an array index out of bounds vulnerability exists in LPP. |
| CVE-2016-10385 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, a use-after-free vulnerability exists in IMS RCS. |
| CVE-2016-10384 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an assertion was potentially reachable in a WLAN driver ioctl. |
| CVE-2016-10382 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, access control to the I2C bus is not sufficient. |
| CVE-2016-10381 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, the UE can send unprotected MeasurementReports revealing UE location. |
| CVE-2016-10380 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, the UE can send unprotected MeasurementReports revealing UE location. |
| CVE-2016-10347 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an argument to a hypervisor function is not properly validated. |
| CVE-2016-10346 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, an integer overflow vulnerability exists in the hypervisor. |
| CVE-2016-10344 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, the use of an out-of-range pointer offset is potentially possible in LTE. |
| CVE-2016-10343 | critical | 9.8 | 9.8 | 9y ago | In all Qualcomm products with Android releases from CAF using the Linux kernel, SSL handshake failure with ClientHello rejection results in memory leak. |
| CVE-2016-7976 | high | 8.8 | 9.8 | 9y ago | The PS Interpreter in Ghostscript 9.18 and 9.20 allows remote attackers to execute arbitrary code via crafted userparams. |
| CVE-2016-6798 | critical | 9.8 | 9.8 | 9y ago | XML External Entity Reference in Apache Sling |
| CVE-2016-8964 | critical | 9.8 | 9.8 | 9y ago | IBM BigFix Inventory v9 9.2 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 118853. |
| CVE-2016-4000 | critical | 9.8 | 9.8 | 9y ago | Deserialization of Untrusted Data in Jython |
| CVE-2016-9358 | critical | 9.8 | 9.8 | 9y ago | A Hard-Coded Passwords issue was discovered in Marel Food Processing Systems M3000 terminal associated with the following systems: A320, A325, A371, A520 Master, A520 Slave, A530, A542, A571, Check B… |
| CVE-2016-0959 | critical | 9.8 | 9.8 | 9y ago | Use after free vulnerability in Adobe Flash Player Desktop Runtime before 20.0.0.267, Adobe Flash Player Extended Support Release before 18.0.0.324, Adobe Flash Player for Google Chrome before 20.0.0… |
| CVE-2016-8731 | critical | 9.8 | 9.8 | 9y ago | Hard-coded FTP credentials (r:r) are included in the Foscam C1 running firmware 1.9.1.12. Knowledge of these credentials would allow remote access to any cameras found on the internet that do not hav… |
| CVE-2016-5411 | critical | 9.8 | 9.8 | 9y ago | /var/lib/ovirt-engine/setup/engine-DC-config.py in Red Hat QuickStart Cloud Installer (QCI) before 1.0 GA is created world readable and contains the root password of the deployed system. |
| CVE-2016-8218 | critical | 9.8 | 9.8 | 9y ago | An issue was discovered in Cloud Foundry Foundation routing-release versions prior to 0.142.0 and cf-release versions 203 to 231. Incomplete validation logic in JSON Web Token (JWT) libraries can all… |
| CVE-2016-6655 | critical | 9.8 | 9.8 | 9y ago | An issue was discovered in Cloud Foundry Foundation Cloud Foundry release versions prior to v245 and cf-mysql-release versions prior to v31. A command injection vulnerability was discovered in a comm… |