The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date |
|---|---|---|---|
| CVE-2016-4437 | Apache Shiro before 1.2.5, when a cipher key has not been configured for the remember me feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. | MEDIUM | Jun 9, 2016 |
| CVE-2016-4436 | Apache Struts 2 before 2.3.29 and 2.5.x before 2.5.1 allow attackers to have unspecified impact via vectors related to improper action name clean up. | HIGH | Oct 4, 2016 |
| CVE-2016-4435 | An endpoint of the Agent running on the BOSH Director VM with stemcell versions prior to 3232.6 and 3146.13 may allow unauthenticated clients to read or write blobs or cause a denial of service attack on the Director VM. This vulnerability requires that the unauthenticated clients guess or find a URL matching an existing GUID. | MEDIUM | Jun 8, 2017 |
| CVE-2016-4434 | Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175. | Medium | Oct 10, 2017 |
| CVE-2016-4433 | Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks via a crafted request. | MEDIUM | Jul 6, 2016 |
| CVE-2016-4432 | The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging. | MEDIUM | Jun 3, 2016 |
| CVE-2016-4431 | Apache Struts 2 2.3.20 through 2.3.28.1 allows remote attackers to bypass intended access restrictions and conduct redirection attacks by leveraging a default method. | MEDIUM | Jul 6, 2016 |
| CVE-2016-4430 | Apache Struts 2 2.3.20 through 2.3.28.1 mishandles token validation, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks via unspecified vectors. | MEDIUM | Jul 6, 2016 |
| CVE-2016-4429 | Stack-based buffer overflow in the clntudp_call function in sunrpc/clnt_udp.c in the GNU C Library (aka glibc or libc6) allows remote servers to cause a denial of service (crash) or possibly unspecified other impact via a flood of crafted ICMP and UDP packets. | HIGH | Jun 10, 2016 |
| CVE-2016-4428 | Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form. | LOW | Jul 12, 2016 |
| CVE-2016-4427 | In zulip before 1.3.12, deactivated users could access messages if SSO was enabled. | -- | Jul 28, 2022 |
| CVE-2016-4426 | In zulip before 1.3.12, bot API keys were accessible to other users in the same realm. | -- | Jul 28, 2022 |
| CVE-2016-4425 | Jansson 2.7 and earlier allows context-dependent attackers to cause a denial of service (deep recursion, stack consumption, and crash) via crafted JSON data. | MEDIUM | May 19, 2016 |
| CVE-2016-4423 | The attemptAuthentication function in Component/Security/Http/Firewall/UsernamePasswordFormAuthenticationListener.php in Symfony before 2.3.41, 2.7.x before 2.7.13, 2.8.x before 2.8.6, and 3.0.x before 3.0.6 does not limit the length of a username stored in a session, which allows remote attackers to cause a denial of service (session storage consumption) via a series of authentication attempts with long, non-existent usernames. | MEDIUM | Jun 3, 2016 |
| CVE-2016-4422 | The pam_sm_authenticate function in pam_sshauth.c in libpam-sshauth might allow context-dependent attackers to bypass authentication or gain privileges via a system user account. | HIGH | May 10, 2016 |
| CVE-2016-4421 | epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (deep recursion, stack consumption, and application crash) via a packet that specifies deeply nested data. | MEDIUM | May 4, 2016 |
| CVE-2016-4420 | The NFS dissector in Wireshark 2.x before 2.0.2 allows remote attackers to cause a denial of service (application crash) via a crafted packet. | MEDIUM | May 4, 2016 |
| CVE-2016-4419 | epan/dissectors/packet-spice.c in the SPICE dissector in Wireshark 2.x before 2.0.2 mishandles capability data, which allows remote attackers to cause a denial of service (large loop) via a crafted packet. | MEDIUM | May 4, 2016 |
| CVE-2016-4418 | epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet that triggers an empty set. | MEDIUM | May 4, 2016 |
| CVE-2016-4417 | Off-by-one error in epan/dissectors/packet-gsm_abis_oml.c in the GSM A-bis OML dissector in Wireshark 1.12.x before 1.12.10 and 2.x before 2.0.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet that triggers a 0xff tag value. | MEDIUM | May 4, 2016 |
| CVE-2016-4416 | epan/dissectors/packet-ieee80211.c in the IEEE 802.11 dissector in Wireshark 2.x before 2.0.2 mishandles the Grouping subfield, which allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet. | MEDIUM | May 4, 2016 |
| CVE-2016-4415 | wiretap/vwr.c in the Ixia IxVeriWave file parser in Wireshark 2.x before 2.0.2 incorrectly increases a certain octet count, which allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) via a crafted file. | MEDIUM | May 4, 2016 |
| CVE-2016-4414 | The onReadyRead function in core/coreauthhandler.cpp in Quassel before 0.12.4 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via invalid handshake data.<a href=http://cwe.mitre.org/data/definitions/476.html>CWE-476: NULL Pointer Dereference</a> | MEDIUM | Jun 15, 2016 |
| CVE-2016-4412 | An issue was discovered in phpMyAdmin. A user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site. The attacker must sniff the user\'s valid phpMyAdmin token. All 4.0.x versions (prior to 4.0.10.16) are affected. | LOW | Dec 13, 2016 |
| CVE-2016-4407 | The DSA algorithm implementation in SAP SAPCRYPTOLIB 5.555.38 does not properly check signatures, which allows remote authenticated users to impersonate arbitrary users via unspecified vectors, aka SAP Security Note 2223008. | MEDIUM | Oct 14, 2016 |
| CVE-2016-4406 | A remote cross site scripting vulnerability was identified in HPE iLO 3 all version prior to v1.88 and HPE iLO 4 all versions prior to v2.44. | MEDIUM | Aug 7, 2018 |
| CVE-2016-4405 | A remote code execution vulnerability was identified in HP Business Service Management (BSM) using Apache Commons Collection Java Deserialization versions v9.20-v9.26 | MEDIUM | Aug 7, 2018 |
| CVE-2016-4404 | A security vulnerability was identified in the Filter SDK component of HP KeyView earlier than v11.2. The vulnerability could be exploited remotely to allow code execution via a memory allocation issue. | HIGH | Aug 7, 2018 |
| CVE-2016-4403 | A security vulnerability was identified in the Filter SDK component of HP KeyView earlier than v11.2. The vulnerability could be exploited remotely to allow code execution via memory corruption. | HIGH | Aug 7, 2018 |
| CVE-2016-4402 | A security vulnerability was identified in the Filter SDK component of HP KeyView earlier than v11.2. The vulnerability could be exploited remotely to allow code execution via buffer overflow. | HIGH | Aug 7, 2018 |
| CVE-2016-4401 | Aruba ClearPass Policy Manager before 6.5.7 and 6.6.x before 6.6.2 allows attackers to obtain database credentials. | HIGH | Nov 8, 2019 |
| CVE-2016-4400 | A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS). | LOW | Aug 7, 2018 |
| CVE-2016-4399 | A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS). | LOW | Aug 7, 2018 |
| CVE-2016-4398 | A remote arbitrary code execution vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10 using Java Deserialization. | MEDIUM | Aug 7, 2018 |
| CVE-2016-4397 | A local code execution security vulnerability was identified in HP Network Node Manager i (NNMi) v10.00, v10.10 and v10.20 Software. | MEDIUM | Aug 7, 2018 |
| CVE-2016-4396 | HPE System Management Homepage before v7.6 allows remote attackers to have an unspecified impact via unknown vectors, related to a Buffer Overflow issue. | HIGH | Oct 31, 2016 |
| CVE-2016-4395 | HPE System Management Homepage before v7.6 allows remote attackers to have an unspecified impact via unknown vectors, related to a Buffer Overflow issue. | HIGH | Oct 31, 2016 |
| CVE-2016-4394 | HPE System Management Homepage before v7.6 allows remote attackers to obtain sensitive information via unspecified vectors, related to an HSTS issue. | MEDIUM | Oct 31, 2016 |
| CVE-2016-4393 | HPE System Management Homepage before v7.6 allows remote authenticated attackers to obtain sensitive information via unspecified vectors, related to an XSS issue. | LOW | Oct 31, 2016 |
| CVE-2016-4392 | A remote cross site scripting vulnerability has been identified in HP Business Service Management software v9.1x, v9.20 - v9.25IP1. | LOW | Aug 7, 2018 |
| CVE-2016-4391 | A remote code execution security vulnerability has been identified in all versions of the HP ArcSight WINC Connector prior to v7.3.0. | HIGH | Aug 7, 2018 |
| CVE-2016-4390 | The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4387, CVE-2016-4388, and CVE-2016-4389. | MEDIUM | Oct 5, 2016 |
| CVE-2016-4389 | The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4387, CVE-2016-4388, and CVE-2016-4390. | MEDIUM | Oct 5, 2016 |
| CVE-2016-4388 | The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4387, CVE-2016-4389, and CVE-2016-4390. | MEDIUM | Oct 5, 2016 |
| CVE-2016-4387 | The Filter SDK in HPE KeyView 10.18 through 10.24 allows remote attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4388, CVE-2016-4389, and CVE-2016-4390. | MEDIUM | Oct 5, 2016 |
| CVE-2016-4386 | HPE Network Automation Software 10.10 allows local users to write to arbitrary files via unspecified vectors. | MEDIUM | Sep 29, 2016 |
| CVE-2016-4385 | The RMI service in HP Network Automation Software 9.1x, 9.2x, 10.0x before 10.00.02.01, and 10.1x before 10.11.00.01 allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) and Commons BeanUtils libraries. | HIGH | Oct 11, 2016 |
| CVE-2016-4384 | HPE Performance Center before 12.50 and LoadRunner before 12.50 allow remote attackers to cause a denial of service via unspecified vectors. | HIGH | Sep 20, 2016 |
| CVE-2016-4383 | The glance-manage db in all versions of HPE Helion Openstack Glance allows deleted image ids to be reassigned, which allows remote authenticated users to cause other users to boot into a modified image without notification of the change. | HIGH | Jun 27, 2017 |
| CVE-2016-4382 | HPE Performance Center 11.52, 12.00, 12.01, 12.20, and 12.50 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to a remote user validation failure issue. | MEDIUM | Sep 20, 2016 |
