The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2016-6853 | An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code and references to external websites can be injected to the names of PGP public keys. When requesting that key later on using a specific URL, such script code might get executed. In case of injecting external websites, users might get lured into a phishing scheme. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | MEDIUM | Dec 16, 2016 | n/a |
| CVE-2016-6854 | An issue was discovered in Open-Xchange OX Guard before 2.4.2-rev5. Script code which got injected to a mail with inline PGP signature gets executed when verifying the signature. Malicious script code can be executed within a user's context. This can lead to session hijacking or triggering unwanted actions via the web interface (sending mail, deleting data etc.). | MEDIUM | Dec 16, 2016 | n/a |
| CVE-2016-6881 | The zlib_refill function in libavformat/swfdec.c in FFmpeg before 3.1.3 allows remote attackers to cause an infinite loop denial of service via a crafted SWF file. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-6910 | The non-existent notification listener vulnerability was introduced in the initial Android 5.0.2 builds for the Samsung Galaxy S6 Edge devices, but the vulnerability can persist on the device even after the device has been upgraded to an Android 5.1.1 or 6.0.1 build. The vulnerable system app gives a non-existent app the ability to read the notifications from the device, which a third-party app can utilize if it uses a package name of com.samsung.android.app.portalservicewidget. This vulnerability allows an unprivileged third-party app to obtain the text of the user's notifications, which tend to contain personal data. | MEDIUM | Dec 27, 2016 | n/a |
| CVE-2016-6933 | Adobe Experience Manager Forms versions 6.2 and earlier, LiveCycle 11.0.1, LiveCycle 10.0.4 have an input validation issue in the AACComponent that could be used in cross-site scripting attacks. | MEDIUM | Dec 22, 2016 | n/a |
| CVE-2016-6934 | Adobe Experience Manager Forms versions 6.2 and earlier, LiveCycle 11.0.1, LiveCycle 10.0.4 have an input validation issue in the PMAdmin module that could be used in cross-site scripting attacks. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7091 | sudo: It was discovered that the default sudo configuration on Red Hat Enterprise Linux and possibly other Linux implementations preserves the value of INPUTRC which could lead to information disclosure. A local user with sudo access to a restricted program that uses readline could use this flaw to read content from specially formatted files with elevated privileges provided by sudo. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7122 | The avi_read_nikon function in libavformat/avidec.c in FFmpeg before 3.1.4 is vulnerable to infinite loop when it decodes an AVI file that has a crafted \'nctg\' structure. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7172 | NetApp Snap Creator Framework before 4.3.1 discloses sensitive information which could be viewed by an unauthorized user. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7206 | Cross-site scripting (XSS) vulnerability in Microsoft Edge allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Microsoft Edge Information Disclosure Vulnerability, a different vulnerability than CVE-2016-7280. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7257 | The GDI component in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Office for Mac 2011, and Office 2016 for Mac allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka GDI Information Disclosure Vulnerability. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7262 | Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, and Excel Viewer allow user-assisted remote attackers to execute arbitrary commands via a crafted cell that is mishandled upon a click, aka Microsoft Office Security Feature Bypass Vulnerability. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7264 | Microsoft Excel 2007 SP3, Office Compatibility Pack SP3, Excel Viewer, Excel for Mac 2011, and Excel 2016 for Mac allow remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via a crafted document, aka Microsoft Office Information Disclosure Vulnerability. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7265 | Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, Excel Viewer, Excel Services on SharePoint Server 2007 SP3, and Excel Services on SharePoint Server 2010 SP2 allow remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via a crafted document, aka Microsoft Office Information Disclosure Vulnerability. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7266 | Microsoft Excel 2007 SP3, Excel 2010 SP2, Excel 2013 SP1, Excel 2013 RT SP1, Excel 2016, Office Compatibility Pack SP3, Excel Viewer, and Excel 2016 for Mac mishandle a registry check, which allows user-assisted remote attackers to execute arbitrary commands via crafted embedded content in a document, aka Microsoft Office Security Feature Bypass Vulnerability. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7267 | Microsoft Excel 2010 SP2, 2013 SP1, 2013 RT SP1, and 2016 misparses file formats, which makes it easier for remote attackers to execute arbitrary code via a crafted document, aka Microsoft Office Security Feature Bypass Vulnerability. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7268 | Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Office Compatibility Pack SP3, Word Viewer, Word for Mac 2011, Word Automation Services on SharePoint Server 2010 SP2, and Office Web Apps 2010 SP2 allow remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via a crafted document, aka Microsoft Office Information Disclosure Vulnerability. | MEDIUM | Dec 27, 2016 | n/a |
| CVE-2016-7270 | The Data Provider for SQL Server in Microsoft .NET Framework 4.6.2 mishandles a developer-supplied key, which allows remote attackers to bypass the Always Encrypted protection mechanism and obtain sensitive cleartext information by leveraging key guessability, aka .NET Information Disclosure Vulnerability. | MEDIUM | Dec 21, 2016 | n/a |
| CVE-2016-7271 | The Secure Kernel Mode implementation in Microsoft Windows 10 Gold, 1511, and 1607 and Windows Server 2016 allows local users to bypass the virtual trust level (VTL) protection mechanism via a crafted application, aka Secure Kernel Mode Elevation of Privilege Vulnerability. | MEDIUM | Dec 21, 2016 | n/a |
| CVE-2016-7276 | Microsoft Office 2007 SP3, Office 2010 SP2, Office 2013 SP1, Office for Mac 2011, and Office 2016 for Mac allow remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via a crafted document, aka Microsoft Office Information Disclosure Vulnerability. | MEDIUM | Dec 27, 2016 | n/a |
| CVE-2016-7280 | Cross-site scripting (XSS) vulnerability in Microsoft Edge allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Microsoft Edge Information Disclosure Vulnerability, a different vulnerability than CVE-2016-7206. | MEDIUM | Dec 27, 2016 | n/a |
| CVE-2016-7282 | Cross-site scripting (XSS) vulnerability in Microsoft Internet Explorer 9 through 11 and Microsoft Edge allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Microsoft Browser Information Disclosure Vulnerability. | MEDIUM | Dec 27, 2016 | n/a |
| CVE-2016-7284 | Microsoft Internet Explorer 10 and 11 allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka Internet Explorer Information Disclosure Vulnerability. | MEDIUM | Dec 21, 2016 | n/a |
| CVE-2016-7290 | Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Office Compatibility Pack SP3, Word for Mac 2011, Word Automation Services on SharePoint Server 2010 SP2, and Office Web Apps 2010 SP2 allow remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via a crafted document, aka Microsoft Office Information Disclosure Vulnerability, a different vulnerability than CVE-2016-7291. | MEDIUM | Dec 27, 2016 | n/a |
| CVE-2016-7291 | Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Office Compatibility Pack SP3, Word for Mac 2011, Word Automation Services on SharePoint Server 2010 SP2, and Office Web Apps 2010 SP2 allow remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via a crafted document, aka Microsoft Office Information Disclosure Vulnerability, a different vulnerability than CVE-2016-7290. | MEDIUM | Dec 27, 2016 | n/a |
| CVE-2016-7300 | Untrusted search path vulnerability in Microsoft Auto Updater for Mac allows local users to gain privileges via a Trojan horse executable file, aka Microsoft (MAU) Office Elevation of Privilege Vulnerability. | MEDIUM | Dec 27, 2016 | n/a |
| CVE-2016-7450 | The ff_log2_16bit_c function in libavutil/intmath.h in FFmpeg before 3.1.4 is vulnerable to reading out-of-bounds memory when it decodes a malformed AIFF file. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7502 | The cavs_idct8_add_c function in libavcodec/cavsdsp.c in FFmpeg before 3.1.4 is vulnerable to reading out-of-bounds memory when decoding with cavs_decode. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7555 | The avi_read_header function in libavformat/avidec.c in FFmpeg before 3.1.4 is vulnerable to memory leak when decoding an AVI file that has a crafted strh structure. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7562 | The ff_draw_pc_font function in libavcodec/cga_data.c in FFmpeg before 3.1.4 allows remote attackers to cause a denial of service (buffer overflow) via a crafted AVI file. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7785 | The avi_read_seek function in libavformat/avidec.c in FFmpeg before 3.1.4 allows remote attackers to cause a denial of service (assert fault) via a crafted AVI file. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7787 | A maliciously crafted command line for kdesu can result in the user only seeing part of the commands that will actually get executed as super user. | MEDIUM | Dec 27, 2016 | n/a |
| CVE-2016-7882 | Adobe Experience Manager versions 6.2 and earlier have an input validation issue in the WCMDebug filter that could be used in cross-site scripting attacks. | MEDIUM | Dec 21, 2016 | n/a |
| CVE-2016-7883 | Adobe Experience Manager version 6.2 has an input validation issue in create Launch wizard that could be used in cross-site scripting attacks. | MEDIUM | Dec 21, 2016 | n/a |
| CVE-2016-7884 | Adobe Experience Manager versions 6.1 and earlier have an input validation issue in the DAM create assets that could be used in cross-site scripting attacks. | MEDIUM | Dec 21, 2016 | n/a |
| CVE-2016-7885 | Adobe Experience Manager versions 6.2 and earlier have a vulnerability that could be used in Cross-Site Request Forgery attacks. | MEDIUM | Dec 21, 2016 | n/a |
| CVE-2016-7887 | Adobe ColdFusion Builder versions 2016 update 2 and earlier, 3.0.3 and earlier have an important vulnerability that could lead to information disclosure. | MEDIUM | Dec 21, 2016 | n/a |
| CVE-2016-7888 | Adobe Digital Editions versions 4.5.2 and earlier has an important vulnerability that could lead to memory address leak. | MEDIUM | Dec 21, 2016 | n/a |
| CVE-2016-7889 | Adobe Digital Editions versions 4.5.2 and earlier has an issue with parsing crafted XML entries that could lead to information disclosure. | MEDIUM | Dec 22, 2016 | n/a |
| CVE-2016-7891 | Adobe RoboHelp version 2015.0.3 and earlier, RoboHelp 11 and earlier have an input validation issue that could be used in cross-site scripting attacks. | MEDIUM | Dec 22, 2016 | n/a |
| CVE-2016-7905 | The read_gab2_sub function in libavformat/avidec.c in FFmpeg before 3.1.4 allows remote attackers to cause a denial of service (NULL pointer used) via a crafted AVI file. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-7967 | KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled. | MEDIUM | Dec 27, 2016 | n/a |
| CVE-2016-8595 | The gsm_parse function in libavcodec/gsm_parser.c in FFmpeg before 3.1.5 allows remote attackers to cause a denial of service (assert fault) via a crafted AVI file. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-8707 | An exploitable out of bounds write exists in the handling of compressed TIFF images in ImageMagicks\'s convert utility. A crafted TIFF document can lead to an out of bounds write which in particular circumstances could be leveraged into remote code execution. The vulnerability can be triggered through any user controlled TIFF that is handled by this functionality. | MEDIUM | Dec 27, 2016 | n/a |
| CVE-2016-8820 | All versions of NVIDIA Windows GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys) handler for DxgDdiEscape where a check on a function return value is missing, potentially allowing an uninitialized value to be used as the source of a strcpy() call, leading to denial of service or information disclosure. | MEDIUM | Dec 23, 2016 | n/a |
| CVE-2016-8826 | All versions of NVIDIA GPU Display Driver contain a vulnerability in the kernel mode layer (nvlddmkm.sys for Windows or nvidia.ko for Linux) where a user can cause a GPU interrupt storm, leading to a denial of service. | MEDIUM | Dec 22, 2016 | n/a |
| CVE-2016-8827 | NVIDIA GeForce Experience 3.x before GFE 3.1.0.52 contains a vulnerability in NVIDIA Web Helper.exe where a local web API endpoint, /VisualOPS/v.1.0./, lacks proper access control and parameter validation, allowing for information disclosure via a directory traversal attack. | MEDIUM | Dec 22, 2016 | n/a |
| CVE-2016-9031 | An exploitable integer overflow exists in the Joyent SmartOS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the Ioctl system call with the command HYPRLOFS_ADD_ENTRIES when dealing with 32-bit file systems. An attacker can craft an input that can cause a kernel panic and potentially be leveraged into a full privilege escalation vulnerability. This vulnerability is distinct from CVE-2016-8733. | MEDIUM | Dec 22, 2016 | n/a |
| CVE-2016-9032 | An exploitable buffer overflow exists in the Joyent SmartOS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the Ioctl system call with the command HYPRLOFS_ADD_ENTRIES when dealing with native file systems. An attacker can craft an input that can cause a buffer overflow in the nm variable leading to an out of bounds memory access and could result in potential privilege escalation. This vulnerability is distinct from CVE-2016-9034. | MEDIUM | Dec 22, 2016 | n/a |
| CVE-2016-9033 | An exploitable buffer overflow exists in the Joyent SmartOS 20161110T013148Z Hyprlofs file system. The vulnerability is present in the Ioctl system call with the command HYPRLOFS_ADD_ENTRIES when dealing with native file systems. An attacker can craft an input that can cause a buffer overflow in the path variable leading to an out of bounds memory access and could result in potential privilege escalation. This vulnerability is distinct from CVE-2016-9035. | MEDIUM | Dec 22, 2016 | n/a |
