The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2016-3163 | The XML-RPC system in Drupal 6.x before 6.38 and 7.x before 7.43 might make it easier for remote attackers to conduct brute-force attacks via a large number of calls made at once to the same method. | MEDIUM | Apr 12, 2016 |
| CVE-2016-3164 | Drupal 6.x before 6.38, 7.x before 7.43, and 8.x before 8.0.4 might allow remote attackers to conduct open redirect attacks by leveraging (1) custom code or (2) a form shown on a 404 error page, related to path manipulation.<a href=http://cwe.mitre.org/data/definitions/601.html>CWE-601: URL Redirection to Untrusted Site ('Open Redirect')</a> | MEDIUM | Apr 12, 2016 |
| CVE-2016-3165 | The Form API in Drupal 6.x before 6.38 ignores access restrictions on submit buttons, which might allow remote attackers to bypass intended access restrictions by leveraging permission to submit a form with a button that has #access set to FALSE in the server-side form definition. | MEDIUM | Apr 12, 2016 |
| CVE-2016-3166 | CRLF injection vulnerability in the drupal_set_header function in Drupal 6.x before 6.38, when used with PHP before 5.1.2, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks by leveraging a module that allows user-submitted data to appear in HTTP headers.<a href=https://cwe.mitre.org/data/definitions/93.html>CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')</a> | MEDIUM | Apr 12, 2016 |
| CVE-2016-3167 | Open redirect vulnerability in the drupal_goto function in Drupal 6.x before 6.38, when used with PHP before 5.4.7, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a double-encoded URL in the destination parameter.<a href=http://cwe.mitre.org/data/definitions/601.html>CWE-601: URL Redirection to Untrusted Site ('Open Redirect')</a> | MEDIUM | Apr 12, 2016 |
| CVE-2016-3169 | The User module in Drupal 6.x before 6.38 and 7.x before 7.43 allows remote attackers to gain privileges by leveraging contributed or custom code that calls the user_save function with an explicit category and loads all roles into the array. | MEDIUM | Apr 12, 2016 |
| CVE-2016-3170 | The have you forgotten your password links in the User module in Drupal 7.x before 7.43 and 8.x before 8.0.4 allow remote attackers to obtain sensitive username information by leveraging a configuration that permits using an email address to login and a module that permits logging in. | MEDIUM | Apr 12, 2016 |
| CVE-2016-3171 | Drupal 6.x before 6.38, when used with PHP before 5.4.45, 5.5.x before 5.5.29, or 5.6.x before 5.6.13, might allow remote attackers to execute arbitrary code via vectors related to session data truncation. | MEDIUM | Apr 12, 2016 |
| CVE-2016-3172 | SQL injection vulnerability in tree.php in Cacti 0.8.8g and earlier allows remote authenticated users to execute arbitrary SQL commands via the parent_id parameter in an item_edit action. | MEDIUM | Apr 12, 2016 |
| CVE-2016-3185 | The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, 5.6.x before 5.6.12, and 7.x before 7.0.4 allows remote attackers to obtain sensitive information from process memory or cause a denial of service (type confusion and application crash) via crafted serialized _cookies data, related to the SoapClient::__call method in ext/soap/soap.c. | MEDIUM | May 19, 2016 |
| CVE-2016-3186 | Buffer overflow in the readextension function in gif2tiff.c in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (application crash) via a crafted GIF file. | MEDIUM | Apr 19, 2016 |
| CVE-2016-3189 | Use-after-free vulnerability in bzip2recover in bzip2 1.0.6 allows remote attackers to cause a denial of service (crash) via a crafted bzip2 file, related to block ends set to before the start of the block.<a href=http://cwe.mitre.org/data/definitions/416.html>CWE-416: Use After Free</a> | MEDIUM | Jul 1, 2016 |
| CVE-2016-3190 | The fill_xrgb32_lerp_opaque_spans function in cairo-image-compositor.c in cairo before 1.14.2 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a negative span length. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3198 | Microsoft Edge allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via a crafted document, aka Microsoft Edge Security Feature Bypass. | MEDIUM | Jun 16, 2016 |
| CVE-2016-3201 | Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows 10 Gold and 1511, and Microsoft Edge allow remote attackers to obtain sensitive information from process memory via a crafted PDF document, aka Windows PDF Information Disclosure Vulnerability, a different vulnerability than CVE-2016-3215. | MEDIUM | Jun 20, 2016 |
| CVE-2016-3212 | The XSS Filter in Microsoft Internet Explorer 9 through 11 does not properly identify JavaScript, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web site, aka Internet Explorer XSS Filter Vulnerability. | MEDIUM | Jun 16, 2016 |
| CVE-2016-3215 | Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows 10 1511, and Microsoft Edge allow remote attackers to obtain sensitive information from process memory via a crafted PDF document, aka Windows PDF Information Disclosure Vulnerability, a different vulnerability than CVE-2016-3201. | MEDIUM | Jun 16, 2016 |
| CVE-2016-3216 | GDI32.dll in the Graphics component in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows remote attackers to bypass the ASLR protection mechanism via unspecified vectors, aka Windows Graphics Component Information Disclosure Vulnerability. | MEDIUM | Jun 16, 2016 |
| CVE-2016-3218 | The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allow local users to gain privileges via a crafted application, aka Win32k Elevation of Privilege Vulnerability, a different vulnerability than CVE-2016-3221. | MEDIUM | Jun 16, 2016 |
| CVE-2016-3219 | The kernel-mode driver in Microsoft Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka Win32k Elevation of Privilege Vulnerability. | MEDIUM | Jun 16, 2016 |
| CVE-2016-3220 | atmfd.dll in the Adobe Type Manager Font Driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka ATMFD.dll Elevation of Privilege Vulnerability. | MEDIUM | Jun 16, 2016 |
| CVE-2016-3221 | The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allow local users to gain privileges via a crafted application, aka Win32k Elevation of Privilege Vulnerability, a different vulnerability than CVE-2016-3218. | MEDIUM | Jun 16, 2016 |
| CVE-2016-3225 | The SMB server component in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application that forwards an authentication request to an unintended service, aka Windows SMB Server Elevation of Privilege Vulnerability. | MEDIUM | Jun 16, 2016 |
| CVE-2016-3226 | Active Directory in Microsoft Windows Server 2008 R2 SP1 and Server 2012 Gold and R2 allows remote authenticated users to cause a denial of service (service hang) by creating many machine accounts, aka Active Directory Denial of Service Vulnerability. | MEDIUM | Jun 16, 2016 |
| CVE-2016-3234 | Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Office Compatibility Pack SP3, Word Viewer, Word Automation Services on SharePoint Server 2010 SP2, Word Automation Services on SharePoint Server 2013 SP1, Office Web Apps 2010 SP2, and Office Web Apps Server 2013 SP1 allow remote attackers to obtain sensitive information from process memory via a crafted Office document, aka Microsoft Office Information Disclosure Vulnerability. | MEDIUM | Jun 17, 2016 |
| CVE-2016-3244 | Microsoft Edge allows remote attackers to bypass the ASLR protection mechanism via a crafted web site, aka Microsoft Edge Security Feature Bypass. | MEDIUM | Jul 12, 2016 |
| CVE-2016-3245 | Microsoft Internet Explorer 9 through 11 allows remote attackers to trick users into making TCP connections to a restricted port via a crafted web site, aka Internet Explorer Security Feature Bypass Vulnerability. | MEDIUM | Jul 12, 2016 |
| CVE-2016-3255 | Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 allows remote attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka .NET Information Disclosure Vulnerability. | MEDIUM | Jul 12, 2016 |
| CVE-2016-3271 | The VBScript engine in Microsoft Edge allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka Scripting Engine Information Disclosure Vulnerability. | MEDIUM | Jul 12, 2016 |
| CVE-2016-3279 | Microsoft Office 2010 SP2, Excel 2010 SP2, PowerPoint 2010 SP2, Word 2010 SP2, Excel 2013 SP1, PowerPoint 2013 SP1, Word 2013 SP1, Excel 2013 RT SP1, PowerPoint 2013 RT SP1, Word 2013 RT SP1, Excel 2016, Word 2016, Word Automation Services on SharePoint Server 2010 SP2, and Office Web Apps 2010 SP2 allow remote attackers to execute arbitrary code via a crafted XLA file, aka Microsoft Office Remote Code Execution Vulnerability. | MEDIUM | Jul 12, 2016 |
| CVE-2016-3416 | Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6, 12.1.2, 12.1.3, and 12.2.1 allows remote attackers to affect confidentiality and integrity via vectors related to Console. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3417 | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to PIA Search Functionality. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3418 | Unspecified vulnerability in the DataStore component in Oracle Berkeley DB 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, and 12.1.6.1.26 allows local users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2016-0682, CVE-2016-0689, CVE-2016-0692, and CVE-2016-0694. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3421 | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to Activity Guide. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3422 | Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77 allows remote attackers to affect availability via vectors related to 2D. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3424 | Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: Optimizer. | MEDIUM | Jul 21, 2016 |
| CVE-2016-3425 | Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect availability via vectors related to JAXP. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3426 | Unspecified vulnerability in Oracle Java SE 8u77 and Java SE Embedded 8u77 allows remote attackers to affect confidentiality via vectors related to JCE. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3429 | Unspecified vulnerability in the Oracle Retail Xstore Point of Service component in Oracle Retail Applications 5.0, 5.5, 6.0, 6.5, 7.0, and 7.1 allows remote authenticated users to affect confidentiality and integrity via vectors related to Xstore Services. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3432 | Unspecified vulnerability in the BI Publisher (formerly XML Publisher) component in Oracle Fusion Middleware 11.1.1.7.0 and 11.1.1.9.0 allows remote authenticated users to affect confidentiality and integrity via vectors related to Web Server. | MEDIUM | Jul 21, 2016 |
| CVE-2016-3433 | Unspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 11.1.1.7.0 and 11.1.1.9.0 allows remote authenticated users to affect confidentiality and integrity via vectors related to Analytics Web Administration. | MEDIUM | Jul 21, 2016 |
| CVE-2016-3434 | Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect integrity via vectors related to Logout. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3435 | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote attackers to affect availability via vectors related to PIA Core Technology. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3436 | Unspecified vulnerability in the Oracle Common Applications Calendar component in Oracle E-Business Suite 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Tasks. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3437 | Unspecified vulnerability in the Oracle CRM Wireless component in Oracle E-Business Suite 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Person Address Page. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3438 | Unspecified vulnerability in the Oracle Configurator component in Oracle Supply Chain Products Suite 12.0.6, 12.1, and 12.2 allows remote attackers to affect confidentiality and integrity via vectors related to JRAD Heartbeat. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3439 | Unspecified vulnerability in the Oracle CRM Wireless component in Oracle E-Business Suite 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Call Phone Number Page. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3440 | Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer. | MEDIUM | Jul 21, 2016 |
| CVE-2016-3442 | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote authenticated users to affect confidentiality and integrity via vectors related to Portal. | MEDIUM | Apr 21, 2016 |
| CVE-2016-3445 | Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.3.0 allows remote attackers to affect availability via vectors related to Web Container. | MEDIUM | Jul 21, 2016 |
