Total
1752 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-9815 | 1 Xen | 1 Xen | 2024-11-21 | 4.9 MEDIUM | 6.5 MEDIUM |
| Xen through 4.7.x allows local ARM guest OS users to cause a denial of service (host panic) by sending an asynchronous abort. | |||||
| CVE-2016-9722 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2024-11-21 | 4.9 MEDIUM | 4.2 MEDIUM |
| IBM QRadar 7.2 and 7.3 specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. IBM X-Force ID: 119737. | |||||
| CVE-2016-9645 | 1 Ikiwiki | 1 Ikiwiki | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| The fix for ikiwiki for CVE-2016-10026 was incomplete resulting in editing restriction bypass for git revert when using git versions older than 2.8.0. This has been fixed in 3.20161229. | |||||
| CVE-2016-9639 | 1 Saltstack | 1 Salt | 2024-11-21 | 7.5 HIGH | 9.1 CRITICAL |
| Salt before 2015.8.11 allows deleted minions to read or write to minions with the same id, related to caching. | |||||
| CVE-2016-9599 | 2 Openstack, Redhat | 2 Puppet-tripleo, Openstack | 2024-11-21 | 6.0 MEDIUM | 7.1 HIGH |
| puppet-tripleo before versions 5.5.0, 6.2.0 is vulnerable to an access-control flaw in the IPtables rules management, which allowed the creation of TCP/UDP rules with empty port values. If SSL is enabled, a malicious user could use these open ports to gain access to unauthorized resources. | |||||
| CVE-2016-9565 | 1 Nagios | 1 Nagios | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| MagpieRSS, as used in the front-end component in Nagios Core before 4.2.2 might allow remote attackers to read or write to arbitrary files by spoofing a crafted response from the Nagios RSS feed server. NOTE: this vulnerability exists because of an incomplete fix for CVE-2008-4796. | |||||
| CVE-2016-9468 | 2 Nextcloud, Owncloud | 2 Nextcloud Server, Owncloud | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the dav app. The exception message displayed on the DAV endpoints contained partially user-controllable input leading to a potential misrepresentation of information. | |||||
| CVE-2016-9467 | 2 Nextcloud, Owncloud | 2 Nextcloud Server, Owncloud | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Nextcloud Server before 9.0.54 and 10.0.1 & ownCloud Server before 9.0.6 and 9.1.2 suffer from content spoofing in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user. | |||||
| CVE-2016-9462 | 2 Nextcloud, Owncloud | 2 Nextcloud Server, Owncloud | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying restore privileges when restoring a file. The restore capability of Nextcloud/ownCloud was not verifying whether a user has only read-only access to a share. Thus a user with read-only access was able to restore old versions. | |||||
| CVE-2016-9461 | 2 Nextcloud, Owncloud | 2 Nextcloud Server, Owncloud | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
| Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are not properly verifying edit check permissions on WebDAV copy actions. The WebDAV endpoint was not properly checking the permission on a WebDAV COPY action. This allowed an authenticated attacker with access to a read-only share to put new files in there. It was not possible to modify existing files. | |||||
| CVE-2016-9460 | 2 Nextcloud, Owncloud | 2 Nextcloud, Owncloud | 2024-11-21 | 5.0 MEDIUM | 5.3 MEDIUM |
| Nextcloud Server before 9.0.52 & ownCloud Server before 9.0.4 are vulnerable to a content-spoofing attack in the files app. The location bar in the files app was not verifying the passed parameters. An attacker could craft an invalid link to a fake directory structure and use this to display an attacker-controlled error message to the user. | |||||
| CVE-2016-9415 | 2 Microsoft, Mybb | 3 Windows, Merge System, Mybb | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| MyBB (aka MyBulletinBoard) before 1.8.8 on Windows and MyBB Merge System before 1.8.8 on Windows allow remote attackers to overwrite arbitrary CSS files via vectors related to "style import." | |||||
| CVE-2016-9413 | 1 Mybb | 2 Merge System, Mybb | 2024-11-21 | 4.3 MEDIUM | 6.5 MEDIUM |
| The Admin control panel in MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allows remote attackers to conduct clickjacking attacks via unspecified vectors. | |||||
| CVE-2016-9412 | 1 Mybb | 2 Merge System, Mybb | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| MyBB (aka MyBulletinBoard) before 1.8.7 and MyBB Merge System before 1.8.7 allow attackers to have unspecified impact via vectors related to low adminsid and sid entropy. | |||||
| CVE-2016-9378 | 1 Xen | 1 Xen | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Xen 4.5.x through 4.7.x on AMD systems without the NRip feature, when emulating instructions that generate software interrupts, allows local HVM guest OS users to cause a denial of service (guest crash) by leveraging an incorrect choice for software interrupt delivery. | |||||
| CVE-2016-9368 | 1 Eaton | 1 Xcomfort Ethernet Communication Interface | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| An issue was discovered in Eaton xComfort Ethernet Communication Interface (ECI) Versions 1.07 and prior. By accessing a specific uniform resource locator (URL) on the webserver, a malicious user may be able to access files without authenticating. | |||||
| CVE-2016-9356 | 1 Moxa | 1 Dacenter | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| An issue was discovered in Moxa DACenter Versions 1.4 and older. The application may suffer from an unquoted search path issue. | |||||
| CVE-2016-9245 | 1 F5 | 10 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 7 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
| In F5 BIG-IP systems 12.1.0 - 12.1.2, malicious requests made to virtual servers with an HTTP profile can cause the TMM to restart. The issue is exposed with BIG-IP APM profiles, regardless of settings. The issue is also exposed with the non-default "Normalize URI" configuration options used in iRules and/or BIG-IP LTM policies. An attacker may be able to disrupt traffic or cause the BIG-IP system to fail over to another device in the device group. | |||||
| CVE-2016-9190 | 2 Debian, Python | 2 Debian Linux, Pillow | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| Pillow before 3.3.2 allows context-dependent attackers to execute arbitrary code by using the "crafted image file" approach, related to an "Insecure Sign Extension" issue affecting the ImagingNew in Storage.c component. | |||||
| CVE-2016-9182 | 1 Exponentcms | 1 Exponent Cms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| Exponent CMS 2.4 uses PHP reflection to call a method of a controller class, and then uses the method name to check user permission. But, the method name in PHP reflection is case insensitive, and Exponent CMS permits undefined actions to execute by default, so an attacker can use a capitalized method name to bypass the permission check, e.g., controller=expHTMLEditor&action=preview&editor=ckeditor and controller=expHTMLEditor&action=Preview&editor=ckeditor. An anonymous user will be rejected for the former but can access the latter. | |||||