The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2016-4886 | Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | MEDIUM | May 12, 2017 |
| CVE-2016-4885 | Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Feed version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | MEDIUM | May 12, 2017 |
| CVE-2016-4884 | Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | MEDIUM | May 12, 2017 |
| CVE-2016-4883 | Cross-site scripting vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | LOW | May 12, 2017 |
| CVE-2016-4882 | Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | MEDIUM | May 12, 2017 |
| CVE-2016-4881 | Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | MEDIUM | May 12, 2017 |
| CVE-2016-4880 | Cross-site scripting vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. | LOW | May 12, 2017 |
| CVE-2016-4879 | Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | MEDIUM | May 12, 2017 |
| CVE-2016-4878 | Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | MEDIUM | May 12, 2017 |
| CVE-2016-4877 | Cross-site scripting vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. | LOW | May 12, 2017 |
| CVE-2016-4876 | Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators to execute arbitrary PHP code via unspecified vectors. | MEDIUM | May 12, 2017 |
| CVE-2016-4875 | Multiple cross-site scripting (XSS) vulnerabilities in the IVYWE (1) Assist plugin before 1.1.2.test20160906, (2) dataBox plugin before 0.0.0.20160906, and (3) userBox plugin before 0.0.0.20160906 for Geeklog allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | MEDIUM | Apr 21, 2017 |
| CVE-2016-4874 | Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to conduct a reflected file download attack. | LOW | Apr 20, 2017 |
| CVE-2016-4873 | The Project function in Cybozu Office 9.0.0 through 10.4.0 does not properly check access permissions, which allows remote authenticated users to alter project information. | MEDIUM | Apr 20, 2017 |
| CVE-2016-4872 | The breadcrumb trail component in Cybozu Office 9.0.0 through 10.4.0 allows remote authenticated users to read the names of closed projects. | MEDIUM | Apr 20, 2017 |
| CVE-2016-4871 | Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to cause a denial of service. | MEDIUM | Apr 20, 2017 |
| CVE-2016-4870 | Cross-site scripting (XSS) vulnerability in Schedule function in Cybozu Office 9.0.0 through 10.4.0. | LOW | Apr 20, 2017 |
| CVE-2016-4869 | Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to obtain session information from users. | MEDIUM | Apr 20, 2017 |
| CVE-2016-4868 | Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to inject arbitrary email headers. | MEDIUM | Apr 20, 2017 |
| CVE-2016-4867 | The Project function in Cybozu 9.0.0 through 10.4.0 allows remote authenticated users to read closed project information. | MEDIUM | Apr 20, 2017 |
| CVE-2016-4866 | Cross-site scripting (XSS) vulnerability in the Project function in Cybozu Office 9.0.0 through 10.4.0. | LOW | Apr 20, 2017 |
| CVE-2016-4865 | Cross-site scripting (XSS) vulnerability in the Customapp function in Cybozu Office 9.0.0 through 10.4.0. | LOW | Apr 20, 2017 |
| CVE-2016-4864 | H2O versions 2.0.3 and earlier and 2.1.0-beta2 and earlier allows remote attackers to cause a denial-of-service (DoS) via format string specifiers in a template file via fastcgi, mruby, proxy, redirect or reproxy. | MEDIUM | May 12, 2017 |
| CVE-2016-4863 | The Toshiba FlashAir SD-WD/WC series Class 6 model with firmware version 1.00.04 and later, FlashAir SD-WD/WC series Class 10 model W-02 with firmware version 2.00.02 and later, FlashAir SD-WE series Class 10 model W-03, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir II Class 10 model W-02 series with firmware version 2.00.02 and later, FlashAir III Class 10 model W-03 series, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir W-02 series Class 10 model with firmware version 2.00.02 and later, FlashAir W-03 series Class 10 model does not require authentication on accepting a connection from STA side LAN when Internet pass-thru Mode is enabled, which allows attackers with access to STA side LAN can obtain files or data. | LOW | May 23, 2017 |
| CVE-2016-4862 | Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers. | MEDIUM | Apr 20, 2017 |
| CVE-2016-4861 | The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation. | HIGH | Feb 22, 2017 |
| CVE-2016-4860 | Yokogawa STARDOM FCN/FCJ controller R1.01 through R4.01 does not require authentication for Logic Designer connections, which allows remote attackers to reconfigure the device or cause a denial of service via a (1) stop application program, (2) change value, or (3) modify application command. | HIGH | Sep 20, 2016 |
| CVE-2016-4859 | Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.3, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk Enterprise 5.0.x prior to 5.0.16 and Splunk Light prior to 6.4.3 allows to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | MEDIUM | May 12, 2017 |
| CVE-2016-4858 | Cross-site scripting vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk Enterprise 5.0.x prior to 5.0.16 and Splunk Light prior to 6.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | LOW | May 12, 2017 |
| CVE-2016-4857 | Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.11 and Splunk Light prior to 6.4.2 allows to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | MEDIUM | May 12, 2017 |
| CVE-2016-4856 | Cross-site scripting vulnerability in Splunk Enterprise 6.3.x prior to 6.3.5 and Splunk Light 6.3.x prior to 6.3.5 allows attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors. | LOW | May 12, 2017 |
| CVE-2016-4855 | Cross-site scripting vulnerability in ADOdb versions prior to 5.20.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | MEDIUM | May 12, 2017 |
| CVE-2016-4854 | Cross-site request forgery (CSRF) vulnerability in L-04D firmware version V10a and V10b allows remote attackers to hijack the authentication of administrators to perform arbitrary operations via unspecified vectors. | MEDIUM | May 23, 2017 |
| CVE-2016-4853 | AKABEi SOFT2 games allow remote attackers to execute arbitrary OS commands via crafted saved data, as demonstrated by Happy Wardrobe. | MEDIUM | Sep 2, 2016 |
| CVE-2016-4852 | YoruFukurou (NightOwl) before 2.85 relies on support for emoji skin-tone modifiers even though this support is missing from the CoreText CTFramesetter API on OS X 10.9, which allows remote attackers to cause a denial of service (application crash) via a crafted emoji character sequence. | MEDIUM | Sep 13, 2016 |
| CVE-2016-4851 | Cross-site scripting (XSS) vulnerability in Let's PHP! simple chat before 2016-08-15 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | MEDIUM | Sep 2, 2016 |
| CVE-2016-4850 | LINE for Windows before 4.8.3 allows man-in-the-middle attackers to execute arbitrary code. | MEDIUM | Apr 20, 2017 |
| CVE-2016-4849 | Multiple cross-site scripting (XSS) vulnerabilities in Geeklog IVYWE edition 2.1.1 allow remote attackers to inject arbitrary web script or HTML by leveraging use of the COM_getCurrentURL function in (1) public_html/layout/default/header.thtml, (2) public_html/layout/bento/header.thtml, (3) public_html/layout/fotos/header.thtml, or (4) public_html/layout/default/article/article.thtml. | MEDIUM | Apr 20, 2017 |
| CVE-2016-4848 | Cross-site scripting (XSS) vulnerability in ClipBucket before 2.8.1 RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | MEDIUM | Sep 2, 2016 |
| CVE-2016-4847 | Cross-site scripting (XSS) vulnerability in site/search.php in OSSEC Web UI before 0.9 allows remote attackers to inject arbitrary web script or HTML by leveraging an unanchored regex. | MEDIUM | Apr 20, 2017 |
| CVE-2016-4846 | Untrusted search path vulnerability in the installer of PhishWall Client Internet Explorer before 3.7.8.2. | HIGH | Apr 21, 2017 |
| CVE-2016-4845 | Cross-site request forgery (CSRF) vulnerability on I-O DATA DEVICE HVL-A2.0, HVL-A3.0, HVL-A4.0, HVL-AT1.0S, HVL-AT2.0, HVL-AT3.0, HVL-AT4.0, HVL-AT2.0A, HVL-AT3.0A, and HVL-AT4.0A devices with firmware before 2.04 allows remote attackers to hijack the authentication of arbitrary users for requests that delete content. | MEDIUM | Sep 28, 2016 |
| CVE-2016-4844 | Cybozu Mailwise before 5.4.0 allows remote attackers to conduct clickjacking attacks. | MEDIUM | Apr 20, 2017 |
| CVE-2016-4843 | Cybozu Mailwise before 5.4.0 allows remote attackers to obtain sensitive cookie information. | MEDIUM | Apr 24, 2017 |
| CVE-2016-4842 | Cybozu Mailwise before 5.4.0 allows remote attackers to obtain information on when an email is read. | MEDIUM | Apr 20, 2017 |
| CVE-2016-4841 | Cybozu Mailwise before 5.4.0 allows remote attackers to inject arbitrary email headers. | MEDIUM | Apr 21, 2017 |
| CVE-2016-4840 | Coordinate Plus App for Android 1.0.2 and earlier and Coordinate Plus App for iOS 1.0.2 and earlier do not verify SSL certificates. | MEDIUM | Apr 21, 2017 |
| CVE-2016-4839 | The Android Apps Money Forward (prior to v7.18.0), Money Forward for The Gunma Bank (prior to v1.2.0), Money Forward for SHIGA BANK (prior to v1.2.0), Money Forward for SHIZUOKA BANK (prior to v1.4.0), Money Forward for SBI Sumishin Net Bank (prior to v1.6.0), Money Forward for Tokai Tokyo Securities (prior to v1.4.0), Money Forward for THE TOHO BANK (prior to v1.3.0), Money Forward for YMFG (prior to v1.5.0) provided by Money Forward, Inc. and Money Forward for AppPass (prior to v7.18.3), Money Forward for au SMARTPASS (prior to v7.18.0), Money Forward for Chou Houdai (prior to v7.18.3) provided by SOURCENEXT CORPORATION do not properly implement the WebView class, which allows an attacker to disclose information stored on the device via a specially crafted application. | MEDIUM | May 12, 2017 |
| CVE-2016-4838 | The Android Apps Money Forward (prior to v7.18.0), Money Forward for The Gunma Bank (prior to v1.2.0), Money Forward for SHIGA BANK (prior to v1.2.0), Money Forward for SHIZUOKA BANK (prior to v1.4.0), Money Forward for SBI Sumishin Net Bank (prior to v1.6.0), Money Forward for Tokai Tokyo Securities (prior to v1.4.0), Money Forward for THE TOHO BANK (prior to v1.3.0), Money Forward for YMFG (prior to v1.5.0) provided by Money Forward, Inc. and Money Forward for AppPass (prior to v7.18.3), Money Forward for au SMARTPASS (prior to v7.18.0), Money Forward for Chou Houdai (prior to v7.18.3) provided by SOURCENEXT CORPORATION allows an attacker to execute unintended operations via a specially crafted application. | MEDIUM | May 12, 2017 |
| CVE-2016-4837 | SQL injection vulnerability in the Seed Coupon plugin before 1.6 for EC-CUBE allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | HIGH | Aug 1, 2016 |
