The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of standardized identifiers for publicly known vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2016-1187 | Cybozu KUNAI for iPhone 2.0.3 through 3.1.5 and for Android 2.1.2 through 3.0.4 does not verify SSL certificates. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-1194 | Cybozu Garoon before 4.2.1 allows remote attackers to cause a denial of service. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-1198 | Photopt for Android before 2.0.1 does not verify SSL certificates. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-1210 | The 105 BANK app 1.0 and 1.1 for Android and 1.0 for iOS does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-1213 | The Scheduler function in Cybozu Garoon before 4.2.2 allows remote attackers to redirect users to arbitrary websites. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-1214 | Cross-site scripting (XSS) vulnerability in the Response request function in Cybozu Garoon before 4.2.2. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-1215 | Cross-site scripting (XSS) vulnerability in the User details function in Cybozu Garoon before 4.2.2. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-1216 | Cross-site scripting (XSS) vulnerability in the New appointment function in Cybozu Garoon before 4.2.2. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-1217 | Cross-site scripting (XSS) vulnerability in the Check available times function in Cybozu Garoon before 4.2.2. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-1218 | SQL injection vulnerability in Cybozu Garoon before 4.2.2. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-1220 | Cybozu Garoon before 4.2.2 does not properly restrict access. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-1221 | Jetstar App for iOS before 3.0.0 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-1518 | The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs, and have unspecified other impact by leveraging failure to use an HTTPS session for downloading configuration files from http://fm.grandstream.com/gs/. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-1519 | The com.softphone.common package in the Grandstream Wave app 1.0.1.26 and earlier for Android does not properly validate SSL certificates, which allows man-in-the-middle attackers to spoof the Grandstream provisioning server via a crafted certificate. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-1520 | The Grandstream Wave app 1.0.1.26 and earlier for Android does not use HTTPS when retrieving update information, which might allow man-in-the-middle attackers to execute arbitrary code via a crafted application. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-1556 | Information disclosure in Netgear WN604 before 3.3.3; WNAP210, WNAP320, WNDAP350, and WNDAP360 before 3.5.5.0; and WND930 before 2.0.11 allows remote attackers to read the wireless WPS PIN or passphrase by visiting unauthenticated webpages. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-1557 | Netgear WNAP320, WNDAP350, and WNDAP360 before 3.5.5.0 reveal wireless passwords and administrative usernames and passwords over SNMP. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-1561 | ExaGrid appliances with firmware before 4.8 P26 have a default SSH public key in the authorized_keys file for root, which allows remote attackers to obtain SSH access by leveraging knowledge of a private key from another installation or a firmware image. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-1914 | Multiple SQL injection vulnerabilities in the com.rim.mdm.ui.server.ImageServlet servlet in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to execute arbitrary SQL commands via the imageName parameter to (1) mydevice/client/image, (2) admin/client/image, (3) myapps/client/image, (4) ssam/client/image, or (5) all/client/image. | MEDIUM | Apr 19, 2017 | n/a |
CVE-2016-1915 | Multiple cross-site scripting (XSS) vulnerabilities in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to inject arbitrary web script or HTML via the locale parameter to (1) mydevice/index.jsp or (2) mydevice/loggedOut.jsp. | MEDIUM | Apr 19, 2017 | n/a |
CVE-2016-2104 | Multiple cross-site scripting (XSS) vulnerabilities in Red Hat Satellite 5 allow remote attackers to inject arbitrary web script or HTML via (1) the label parameter to admin/BunchDetail.do; (2) the package_name, (3) search_subscribed_channels, or (4) channel_filter parameter to software/packages/NameOverview.do; or unspecified vectors related to (5) <input:hidden> or (6) <bean:message> tags. | MEDIUM | Apr 19, 2017 | n/a |
CVE-2016-2161 | It was discovered that the mod_auth_digest module of httpd did not properly check for memory allocation failures. A remote attacker could use this flaw to cause httpd child processes to repeatedly crash if the server used HTTP digest authentication. | MEDIUM | Apr 24, 2017 | n/a |
CVE-2016-2347 | Integer underflow in the decode_level3_header function in lib/lha_file_header.c in Lhasa before 0.3.1 allows remote attackers to execute arbitrary code via a crafted archive. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-2564 | Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation. | MEDIUM | Apr 23, 2017 | n/a |
CVE-2016-2803 | Cross-site scripting (XSS) vulnerability in the dependency graphs in Bugzilla 2.16rc1 through 4.4.11, and 4.5.1 through 5.0.2 allows remote attackers to inject arbitrary web script or HTML. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-3036 | IBM Cognos TM1 10.1 and 10.2 is vulnerable to a denial of service, caused by a stack-based buffer overflow when parsing packets. A remote attacker could exploit this vulnerability to cause a denial of service. IBM X-Force ID: 114612. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-3076 | Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file. | MEDIUM | Apr 24, 2017 | n/a |
CVE-2016-3104 | mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database. | MEDIUM | Apr 22, 2017 | n/a |
CVE-2016-3106 | Pulp before 2.8.3 creates a temporary directory during CA key generation in an insecure manner. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-3114 | Kallithea before 0.3.2 allows remote authenticated users to edit or delete open pull requests or delete comments by leveraging read access. | MEDIUM | Apr 24, 2017 | n/a |
CVE-2016-3691 | Routes in Kallithea before 0.3.2 allow remote attackers to bypass the CSRF protection by using the GET HTTP request method. | MEDIUM | Apr 24, 2017 | n/a |
CVE-2016-3702 | Padding oracle flaw in CloudForms Management Engine (aka CFME) 5 allows remote attackers to obtain sensitive cleartext information. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-3729 | The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to edit profile fields locked by the administrator. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-3731 | Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, and 2.8 through 2.8.11 allows remote attackers to obtain the names of hidden forums and forum discussions. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-3732 | The capability check to access other badges in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to read the badges of other users. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-3733 | The restore teacher feature in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to overwrite the course idnumber. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-3734 | Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that mark forum posts as read. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-4030 | Samsung SM-G920F build G920FXXU2COH2 (Galaxy S6), SM-N9005 build N9005XXUGBOK6 (Galaxy Note 3), GT-I9192 build I9192XXUBNB1 (Galaxy S4 mini), GT-I9195 build I9195XXUCOL1 (Galaxy S4 mini LTE), and GT-I9505 build I9505XXUHOJ2 (Galaxy S4) devices have unintended availability of the modem in USB configuration number 2 within the secure lockscreen state, allowing an attacker to make phone calls, send text messages, or issue commands, aka SVE-2016-5301. | MEDIUM | Apr 18, 2017 | n/a |
CVE-2016-4031 | Samsung SM-G920F build G920FXXU2COH2 (Galaxy S6), SM-N9005 build N9005XXUGBOK6 (Galaxy Note 3), GT-I9192 build I9192XXUBNB1 (Galaxy S4 mini), GT-I9195 build I9195XXUCOL1 (Galaxy S4 mini LTE), and GT-I9505 build I9505XXUHOJ2 (Galaxy S4) devices allow attackers to send AT commands by plugging the device into a Linux host, aka SVE-2016-5301. | MEDIUM | Apr 18, 2017 | n/a |
CVE-2016-4068 | Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864. | MEDIUM | Apr 19, 2017 | n/a |
CVE-2016-4075 | Opera Mini 13 and Opera Stable 36 allow remote attackers to spoof the displayed URL via a crafted HTML document, related to the about:blank URL. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-4293 | Multiple heap-based buffer overflows in the (1) CBookBase::SetDefTableStyle and (2) CBookBase::SetDefPivotStyle functions in Hancom Office 2014 VP allow remote attackers to execute arbitrary code via a crafted Hangul Hcell Document (.cell) file. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-4313 | Directory traversal vulnerability in unzip/extract feature in eXtplorer 2.1.9 allows remote attackers to execute arbitrary files via a .. (dot dot) in an archive file. | MEDIUM | Apr 24, 2017 | n/a |
CVE-2016-4444 | The allow_execmod plugin for setroubleshoot before 3.2.23 allows local users to execute arbitrary commands by triggering an execmod SELinux denial with a crafted binary filename, related to the commands.getstatusoutput function. | MEDIUM | Apr 17, 2017 | n/a |
CVE-2016-4445 | The fix_lookup_id function in sealert in setroubleshoot before 3.2.23 allows local users to execute arbitrary commands as root by triggering an SELinux denial with a crafted file name, related to executing external commands with the commands.getstatusoutput function. | MEDIUM | Apr 17, 2017 | n/a |
CVE-2016-4446 | The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function. | MEDIUM | Apr 17, 2017 | n/a |
CVE-2016-4468 | SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | MEDIUM | Apr 17, 2017 | n/a |
CVE-2016-4818 | DMMFX Trade for Android 1.5.0 and earlier, DMMFX DEMO Trade for Android 1.5.0 and earlier, and GAITAMEJAPAN FX Trade for Android 1.4.0 and earlier do not verify SSL certificates. | MEDIUM | Apr 20, 2017 | n/a |
CVE-2016-4829 | DMM Movie Player App for Android before 1.2.1, and DMM Movie Player App for iPhone/iPad before 2.1.3 do not verify SSL certificates. | MEDIUM | Apr 21, 2017 | n/a |
CVE-2016-4830 | Sushiro App for iOS 2.1.16 and earlier and Sushiro App for Android 2.1.16.1 and earlier do not verify SSL certificates. | MEDIUM | Apr 21, 2017 | n/a |
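CVE-2016-2564 above says a session cookie built from PHP's uniqid() without the more_entropy flag can be guessed by anyone who knows roughly when it was generated. The following Python is an added illustration of why, not code from Invision Power Services: it emulates uniqid()'s documented "%08x%05x" layout (seconds and microseconds, no random input), shows that the creation time can be read straight back out of the id, and enumerates the candidates an attacker with a timing estimate would try. The session-id helpers and the window sizes are assumptions for the example.

```python
import math
import secrets


def php_uniqid(sec: int, usec: int) -> str:
    """Emulates PHP uniqid() with more_entropy=false: "%08x%05x" of the current
    second and microsecond. Nothing in the 13 hex characters is random."""
    return f"{sec:08x}{usec:05x}"


def weak_session_id(sec: int, usec: int) -> str:
    """Session id derived from the clock, the pattern the advisory describes
    (constructed example, not the product's own code)."""
    return php_uniqid(sec, usec)


def strong_session_id() -> str:
    """Fix: 128 bits from the OS CSPRNG; the id no longer encodes the clock."""
    return secrets.token_hex(16)


def recover_timestamp(session_id: str) -> tuple[int, int]:
    """Anyone holding a uniqid()-style id can read its creation time back out."""
    return int(session_id[:8], 16), int(session_id[8:13], 16)


def guess_session_id(target: str, approx_sec: int, approx_usec: int,
                     slack_us: int = 50_000):
    """Attacker who knows the victim's login time to within +/- slack_us microseconds
    (from the response's Date header plus observed latency, say) enumerates the
    window. Returns how many candidates were tried before the hit, or None."""
    center = approx_sec * 1_000_000 + approx_usec
    tries = 0
    for t in range(center - slack_us, center + slack_us + 1):
        tries += 1
        if php_uniqid(t // 1_000_000, t % 1_000_000) == target:
            return tries
    return None


def window_bits(slack_us: int) -> float:
    """Effective entropy of the id given the attacker's timing uncertainty."""
    return math.log2(2 * slack_us + 1)


if __name__ == "__main__":
    # Constructed victim login instant: 2016-04-07 04:53:20 UTC, 123456 us.
    sid = weak_session_id(1460000000, 123456)
    print("victim cookie:", sid, "created at", recover_timestamp(sid))
    print("found after", guess_session_id(sid, 1460000000, 150000), "guesses;",
          f"{window_bits(50_000):.1f} bits of effective entropy")
    print("strong id:", strong_session_id(), "(128 bits, not clock-derived)")
```

A 50 ms timing window leaves under 17 bits to search, which is a few tens of thousands of HTTP requests; setting more_entropy=true only appends a value from PHP's combined LCG, which is also not a cryptographic source, so the real fix is a CSPRNG-generated id as in strong_session_id().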
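CVE-2016-4313 above is the archive-extraction traversal class: an entry named with ".." escapes the extraction directory. This added Python example is not eXtplorer's code; it builds a constructed archive with such an entry, shows where a naive dest + name join would write it, and extracts with a check that every entry resolves inside the destination. Entry names, contents and the temporary destination directory are assumptions for the example.

```python
import io
import os
import tempfile
import zipfile


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructs an archive in memory; zipfile stores '../' names as-is, just as an
    attacker's tooling would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def naive_targets(zip_bytes: bytes, dest: str) -> list[str]:
    """Where an extractor that only joins dest and the entry name would write each file."""
    dest_real = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [os.path.normpath(os.path.join(dest_real, info.filename))
                for info in zf.infolist()]


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extracts only entries whose resolved path stays inside dest; rejects absolute
    names, backslash paths and anything that resolves outside the destination."""
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if os.path.isabs(name) or name.startswith(("/", "\\")) or "\\" in name:
                raise ValueError(f"rejected entry {name!r}: absolute or backslash path")
            target = os.path.realpath(os.path.join(dest_real, name))
            # realpath collapses '..' (and follows existing symlinks); the prefix
            # check is done on the resolved path, not on the raw entry name.
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"rejected entry {name!r}: escapes {dest_real}")
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def demo() -> dict:
    """Runs both archives against a throwaway destination and reports what happened."""
    good = build_zip({"docs/readme.txt": b"hello"})
    bad = build_zip({"../../evil.txt": b"pwned"})   # constructed traversal entry
    with tempfile.TemporaryDirectory() as dest:
        dest_real = os.path.realpath(dest)
        written = [os.path.relpath(p, dest_real).replace(os.sep, "/")
                   for p in safe_extract(good, dest)]
        naive = naive_targets(bad, dest)
        try:
            safe_extract(bad, dest)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "good_written": written,
            "naive_escapes_dest": [os.path.commonpath([dest_real, p]) != dest_real
                                   for p in naive],
            "bad_rejected": rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The check must be on the resolved path: comparing string prefixes of the raw entry name misses "docs/../../evil.txt", and a prefix test without the trailing separator would accept a sibling directory such as dest + "2". Symbolic links already present under dest are followed by realpath and so are also caught.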
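CVE-2016-4444, CVE-2016-4445 and CVE-2016-4446 above share one root cause: a file name taken from an SELinux denial is interpolated into a shell command string passed to commands.getstatusoutput. The following Python is an added illustration of that pattern beside two fixes, not setroubleshoot's own code; it uses echo as the command and a constructed file name, and subprocess.getstatusoutput (the Python 3 name for commands.getstatusoutput) so it runs as written.

```python
import shlex
import subprocess

# Constructed attacker-controlled file name. An SELinux denial records whatever
# path the process touched, so a local user can put shell metacharacters in it.
CRAFTED_NAME = "libfoo.so; echo INJECTED"


def describe_unsafe(filename: str) -> str:
    """The vulnerable pattern: the name is formatted into a command string and
    getstatusoutput hands that string to /bin/sh, so ';' ends the intended command
    and starts the attacker's."""
    _status, output = subprocess.getstatusoutput("echo checking %s" % filename)
    return output


def describe_quoted(filename: str) -> str:
    """If a shell string is unavoidable, shlex.quote turns the name into one
    literal word, so the metacharacters are data."""
    _status, output = subprocess.getstatusoutput(
        "echo checking %s" % shlex.quote(filename))
    return output


def describe_safe(filename: str) -> str:
    """Preferred fix: an argv list with no shell at all; the name is a single
    argument however it is spelled."""
    result = subprocess.run(["echo", "checking", filename],
                            capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


if __name__ == "__main__":
    print("unsafe :", repr(describe_unsafe(CRAFTED_NAME)))
    print("quoted :", repr(describe_quoted(CRAFTED_NAME)))
    print("no-shell:", repr(describe_safe(CRAFTED_NAME)))
```

In the unsafe variant the second line of output comes from the attacker's command; with CVE-2016-4445 the same thing happens inside sealert's root-privileged helper, which is why a crafted file name there yields command execution as root. The argv form is preferable to quoting because it does not depend on getting the escaping right for every shell.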