The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date |
---|---|---|---|
CVE-2016-4818 | DMMFX Trade for Android 1.5.0 and earlier, DMMFX DEMO Trade for Android 1.5.0 and earlier, and GAITAMEJAPAN FX Trade for Android 1.4.0 and earlier do not verify SSL certificates. | MEDIUM | Apr 20, 2017 |
CVE-2016-4829 | DMM Movie Player App for Android before 1.2.1, and DMM Movie Player App for iPhone/iPad before 2.1.3 do not verify SSL certificates. | MEDIUM | Apr 21, 2017 |
CVE-2016-4830 | Sushiro App for iOS 2.1.16 and earlier and Sushiro App for Android 2.1.16.1 and earlier do not verify SSL certificates. | MEDIUM | Apr 21, 2017 |
CVE-2016-4832 | WAON Service Application for Android 1.4.1 and earlier does not verify SSL certificates. | MEDIUM | Apr 21, 2017 |
CVE-2016-4840 | Coordinate Plus App for Android 1.0.2 and earlier and Coordinate Plus App for iOS 1.0.2 and earlier do not verify SSL certificates. | MEDIUM | Apr 21, 2017 |
CVE-2016-4841 | Cybozu Mailwise before 5.4.0 allows remote attackers to inject arbitrary email headers. | MEDIUM | Apr 21, 2017 |
CVE-2016-4842 | Cybozu Mailwise before 5.4.0 allows remote attackers to obtain information on when an email is read. | MEDIUM | Apr 20, 2017 |
CVE-2016-4843 | Cybozu Mailwise before 5.4.0 allows remote attackers to obtain sensitive cookie information. | MEDIUM | Apr 24, 2017 |
CVE-2016-4844 | Cybozu Mailwise before 5.4.0 allows remote attackers to conduct clickjacking attacks. | MEDIUM | Apr 20, 2017 |
CVE-2016-4847 | Cross-site scripting (XSS) vulnerability in site/search.php in OSSEC Web UI before 0.9 allows remote attackers to inject arbitrary web script or HTML by leveraging an unanchored regex. | MEDIUM | Apr 20, 2017 |
CVE-2016-4849 | Multiple cross-site scripting (XSS) vulnerabilities in Geeklog IVYWE edition 2.1.1 allow remote attackers to inject arbitrary web script or HTML by leveraging use of the COM_getCurrentURL function in (1) public_html/layout/default/header.thtml, (2) public_html/layout/bento/header.thtml, (3) public_html/layout/fotos/header.thtml, or (4) public_html/layout/default/article/article.thtml. | MEDIUM | Apr 20, 2017 |
CVE-2016-4850 | LINE for Windows before 4.8.3 allows man-in-the-middle attackers to execute arbitrary code. | MEDIUM | Apr 20, 2017 |
CVE-2016-4862 | Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers. | MEDIUM | Apr 20, 2017 |
CVE-2016-4867 | The Project function in Cybozu 9.0.0 through 10.4.0 allows remote authenticated users to read closed project information. | MEDIUM | Apr 20, 2017 |
CVE-2016-4868 | Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to inject arbitrary email headers. | MEDIUM | Apr 20, 2017 |
CVE-2016-4869 | Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to obtain session information from users. | MEDIUM | Apr 20, 2017 |
CVE-2016-4871 | Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to cause a denial of service. | MEDIUM | Apr 20, 2017 |
CVE-2016-4872 | The breadcrumb trail component in Cybozu Office 9.0.0 through 10.4.0 allows remote authenticated users to read the names of closed projects. | MEDIUM | Apr 20, 2017 |
CVE-2016-4873 | The Project function in Cybozu Office 9.0.0 through 10.4.0 does not properly check access permissions, which allows remote authenticated users to alter project information. | MEDIUM | Apr 20, 2017 |
CVE-2016-4875 | Multiple cross-site scripting (XSS) vulnerabilities in the IVYWE (1) Assist plugin before 1.1.2.test20160906, (2) dataBox plugin before 0.0.0.20160906, and (3) userBox plugin before 0.0.0.20160906 for Geeklog allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | MEDIUM | Apr 21, 2017 |
CVE-2016-4889 | ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions. | MEDIUM | Apr 21, 2017 |
CVE-2016-4890 | ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie. | MEDIUM | Apr 21, 2017 |
CVE-2016-4891 | Cross-site request forgery (CSRF) vulnerability in SetucoCMS. | MEDIUM | Apr 20, 2017 |
CVE-2016-4892 | Cross-site scripting (XSS) vulnerability in SetucoCMS. | MEDIUM | Apr 19, 2017 |
CVE-2016-4893 | SQL injection vulnerability in SetucoCMS. | MEDIUM | Apr 20, 2017 |
CVE-2016-4894 | SetucoCMS allows remote attackers to cause a denial of service. | MEDIUM | Apr 20, 2017 |
CVE-2016-4895 | SetucoCMS allows remote authenticated users to execute arbitrary code. | MEDIUM | Apr 20, 2017 |
CVE-2016-4896 | SetucoCMS allows remote attackers to alter or disclose information, related to session information. | MEDIUM | Apr 20, 2017 |
CVE-2016-4897 | Multiple cross-site scripting (XSS) vulnerabilities in (1) filter/save_forward.cgi, (2) filter/save.cgi, or (3) /man/search.cgi in Usermin before 1.690. | MEDIUM | Apr 19, 2017 |
CVE-2016-4989 | setroubleshoot allows local users to bypass an intended container protection mechanism and execute arbitrary commands by (1) triggering an SELinux denial with a crafted file name, which is handled by the _set_tpath function in audit_data.py or via a crafted (2) local_id or (3) analysis_id field in a crafted XML document to the run_fix function in SetroubleshootFixit.py, related to the subprocess.check_output and commands.getstatusoutput functions, a different vulnerability than CVE-2016-4445. | MEDIUM | Apr 17, 2017 |
CVE-2016-5010 | coders/tiff.c in ImageMagick before 6.9.5-3 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted TIFF file. | MEDIUM | Apr 20, 2017 |
CVE-2016-5016 | Pivotal Cloud Foundry 239 and earlier, UAA (aka User Account and Authentication Server) 3.4.1 and earlier, UAA release 12.2 and earlier, PCF (aka Pivotal Cloud Foundry) Elastic Runtime 1.6.x before 1.6.35, and PCF Elastic Runtime 1.7.x before 1.7.13 do not validate whether a certificate is expired. | MEDIUM | Apr 24, 2017 |
CVE-2016-5168 | Skia, as used in Google Chrome before 50.0.2661.94, allows remote attackers to bypass the Same Origin Policy and obtain sensitive information. | MEDIUM | Apr 21, 2017 |
CVE-2016-5309 | The RAR file parser component in the AntiVirus Decomposer engine in Symantec Advanced Threat Protection: Network (ATP); Symantec Email Security.Cloud; Symantec Data Center Security: Server; Symantec Endpoint Protection (SEP) for Windows before 12.1.6 MP5; Symantec Endpoint Protection (SEP) for Mac; Symantec Endpoint Protection (SEP) for Linux before 12.1.6 MP6; Symantec Endpoint Protection for Small Business Enterprise (SEP SBE/SEP.Cloud); Symantec Endpoint Protection Cloud (SEPC) for Windows/Mac; Symantec Endpoint Protection Small Business Edition 12.1; CSAPI before 10.0.4 HF02; Symantec Protection Engine (SPE) before 7.0.5 HF02, 7.5.x before 7.5.4 HF02, 7.5.5 before 7.5.5 HF01, and 7.8.x before 7.8.0 HF03; Symantec Mail Security for Domino (SMSDOM) before 8.0.9 HF2.1, 8.1.x before 8.1.2 HF2.3, and 8.1.3 before 8.1.3 HF2.2; Symantec Mail Security for Microsoft Exchange (SMSMSE) before 6.5.8_3968140 HF2.3, 7.x before 7.0_3966002 HF2.1, and 7.5.x before 7.5_3966008 VHF2.2; Symantec Protection for SharePoint Servers (SPSS) before SPSS_6.0.3_To_6.0.5_HF_2.5 update, 6.0.6 before 6.0.6 HF_2.6, and 6.0.7 before 6.0.7_HF_2.7; Symantec Messaging Gateway (SMG) before 10.6.2; Symantec Messaging Gateway for Service Providers (SMG-SP) before 10.5 patch 260 and 10.6 before patch 259; Symantec Web Gateway; and Symantec Web Security.Cloud allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted RAR file that is mishandled during decompression. | MEDIUM | Apr 14, 2017 |
CVE-2016-5310 | The RAR file parser component in the AntiVirus Decomposer engine in Symantec Advanced Threat Protection: Network (ATP); Symantec Email Security.Cloud; Symantec Data Center Security: Server; Symantec Endpoint Protection (SEP) for Windows before 12.1.6 MP5; Symantec Endpoint Protection (SEP) for Mac; Symantec Endpoint Protection (SEP) for Linux before 12.1.6 MP6; Symantec Endpoint Protection for Small Business Enterprise (SEP SBE/SEP.Cloud); Symantec Endpoint Protection Cloud (SEPC) for Windows/Mac; Symantec Endpoint Protection Small Business Edition 12.1; CSAPI before 10.0.4 HF02; Symantec Protection Engine (SPE) before 7.0.5 HF02, 7.5.x before 7.5.4 HF02, 7.5.5 before 7.5.5 HF01, and 7.8.x before 7.8.0 HF03; Symantec Mail Security for Domino (SMSDOM) before 8.0.9 HF2.1, 8.1.x before 8.1.2 HF2.3, and 8.1.3 before 8.1.3 HF2.2; Symantec Mail Security for Microsoft Exchange (SMSMSE) before 6.5.8_3968140 HF2.3, 7.x before 7.0_3966002 HF2.1, and 7.5.x before 7.5_3966008 VHF2.2; Symantec Protection for SharePoint Servers (SPSS) before SPSS_6.0.3_To_6.0.5_HF_2.5 update, 6.0.6 before 6.0.6 HF_2.6, and 6.0.7 before 6.0.7_HF_2.7; Symantec Messaging Gateway (SMG) before 10.6.2; Symantec Messaging Gateway for Service Providers (SMG-SP) before 10.5 patch 260 and 10.6 before patch 259; Symantec Web Gateway; and Symantec Web Security.Cloud allows remote attackers to cause a denial of service (memory corruption) via a crafted RAR file that is mishandled during decompression. | MEDIUM | Apr 14, 2017 |
CVE-2016-5312 | Directory traversal vulnerability in the charting component in Symantec Messaging Gateway before 10.6.2 allows remote authenticated users to read arbitrary files via a .. (dot dot) in the sn parameter to brightmail/servlet/com.ve.kavachart.servlet.ChartStream. | MEDIUM | Apr 22, 2017 |
CVE-2016-5322 | The setByteArray function in tif_dir.c in libtiff 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tiff image. | MEDIUM | Apr 17, 2017 |
CVE-2016-5399 | The bzread function in ext/bz2/bz2.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted bz2 archive. | MEDIUM | Apr 21, 2017 |
CVE-2016-5401 | Cross-site request forgery (CSRF) vulnerability in Red Hat JBoss BRMS and BPMS 6 allows remote attackers to hijack the authentication of users for requests that modify instances via a crafted web page. | MEDIUM | Apr 20, 2017 |
CVE-2016-5409 | Red Hat OpenShift Enterprise 2 does not include the HTTPOnly flag in a Set-Cookie header for the GEARID cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to the cookies. | MEDIUM | Apr 20, 2017 |
CVE-2016-5760 | Multiple cross-site scripting (XSS) vulnerabilities in the administrator console in Novell GroupWise before 2014 R2 Service Pack 1 Hot Patch 1 allow remote attackers to inject arbitrary web script or HTML via the (1) token parameter to gwadmin-console/install/login.jsp or (2) PATH_INFO to gwadmin-console/index.jsp. | MEDIUM | Apr 20, 2017 |
CVE-2016-5761 | Cross-site scripting (XSS) vulnerability in Novell GroupWise before 2014 R2 Service Pack 1 Hot Patch 1 allows remote attackers to inject arbitrary web script or HTML via a crafted email. | MEDIUM | Apr 20, 2017 |
CVE-2016-6331 | ApiParse in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to bypass intended per-title read restrictions via a parse action to api.php. | MEDIUM | Apr 24, 2017 |
CVE-2016-6332 | MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1, when $wgBlockDisablesLogin is true, might allow remote attackers to obtain sensitive information by leveraging failure to terminate sessions when a user account is blocked. | MEDIUM | Apr 24, 2017 |
CVE-2016-6333 | Cross-site scripting (XSS) vulnerability in the CSS user subpage preview feature in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via the edit box in Special:MyPage/common.css. | MEDIUM | Apr 24, 2017 |
CVE-2016-6334 | Cross-site scripting (XSS) vulnerability in the Parser::replaceInternalLinks2 method in MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote attackers to inject arbitrary web script or HTML via vectors involving replacement of percent encoding in unclosed internal links. | MEDIUM | Apr 24, 2017 |
CVE-2016-6335 | MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 does not generate head items in the context of a given title, which allows remote attackers to obtain sensitive information via a parse action to api.php. | MEDIUM | Apr 24, 2017 |
CVE-2016-6336 | MediaWiki before 1.23.15, 1.26.x before 1.26.4, and 1.27.x before 1.27.1 allows remote authenticated users with undelete permissions to bypass intended suppressrevision and deleterevision restrictions and remove the revision deletion status of arbitrary file revisions by using Special:Undelete. | MEDIUM | Apr 24, 2017 |
CVE-2016-6337 | MediaWiki 1.27.x before 1.27.1 might allow remote attackers to bypass intended session access restrictions by leveraging a call to the UserGetRights function after Session::getAllowedUserRights. | MEDIUM | Apr 24, 2017 |
CVE-2016-6338 | ovirt-engine-webadmin, as used in Red Hat Enterprise Virtualization Manager (aka RHEV-M) for Servers and RHEV-M 4.0, allows physically proximate attackers to bypass a webadmin session timeout restriction via vectors related to UI selections, which trigger repeating queries. | MEDIUM | Apr 20, 2017 |