The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
| ID | Description | Priority | Modified date | Fixed Release |
|---|---|---|---|---|
| CVE-2016-3018 | IBM Security Access Manager for Web is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | MEDIUM | Feb 5, 2017 | n/a |
| CVE-2016-3020 | IBM Security Access Manager for Web 7.0.0, 8.0.0, and 9.0.0 could allow a remote attacker to bypass security restrictions, caused by improper content validation. By persuading a victim to open specially-crafted content, an attacker could exploit this vulnerability to bypass validation and load a page with malicious content. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-3021 | IBM Security Access Manager for Web could allow an authenticated attacker to obtain sensitive information from error message using a specially crafted HTTP request. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-3022 | IBM Security Access Manager for Web could allow an authenticated user to gain access to highly sensitive information due to incorrect file permissions. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-3023 | IBM Security Access Manager for Web could allow an unauthenticated user to gain access to sensitive information by entering invalid file names. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-3027 | IBM Security Access Manager for Web is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-3029 | IBM Security Access Manager for Web is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-3035 | IBM AppScan Source could reveal some sensitive information through the browsing of testlinks on the server. | MEDIUM | Feb 5, 2017 | n/a |
| CVE-2016-3043 | IBM Security Access Manager for Web could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. | MEDIUM | Feb 2, 2017 | n/a |
| CVE-2016-3045 | IBM Security Access Manager for Web stores sensitive information in URL parameters. This may lead to information disclosure if unauthorized parties have access to the URLs via server logs, referer header or browser history. | MEDIUM | Feb 2, 2017 | n/a |
| CVE-2016-3046 | IBM Security Access Manager for Web is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements which could allow the attacker to view information in the back-end database. | MEDIUM | Feb 2, 2017 | n/a |
| CVE-2016-3063 | Multiple functions in NetApp OnCommand System Manager before 8.3.2 do not properly escape special characters, which allows remote authenticated users to execute arbitrary API calls via unspecified vectors. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-3124 | The sanitycheck module in SimpleSAMLphp before 1.14.1 allows remote attackers to learn the PHP version on the system via unspecified vectors. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-3176 | Salt before 2015.5.10 and 2015.8.x before 2015.8.8, when PAM external authentication is enabled, allows attackers to bypass the configured authentication service by passing an alternate service with a command sent to LocalClient. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-3180 | Tor Browser Launcher (aka torbrowser-launcher) before 0.2.4, during the initial run, allows man-in-the-middle attackers to bypass the PGP signature verification and execute arbitrary code via a Trojan horse tar file and a signature file with the valid tarball and signature. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-3183 | The sycc422_t_rgb function in common/color.c in OpenJPEG before 2.1.1 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted jpeg2000 file. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-3401 | Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote authenticated users to affect integrity via unknown vectors, aka bug 99810. | MEDIUM | Jan 31, 2017 | n/a |
| CVE-2016-3402 | Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect confidentiality via unknown vectors, aka bug 99167. | MEDIUM | Feb 1, 2017 | n/a |
| CVE-2016-3404 | Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect integrity via unknown vectors, aka bug 103959. | MEDIUM | Feb 1, 2017 | n/a |
| CVE-2016-3405 | Multiple unspecified vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to affect integrity via unknown vectors, aka bugs 103961 and 104828. | MEDIUM | Feb 1, 2017 | n/a |
| CVE-2016-3406 | Multiple cross-site request forgery (CSRF) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to hijack the authentication of unspecified victims via vectors involving (1) the Client uploader extension or (2) extension REST handlers, aka bugs 104294 and 104456. | MEDIUM | Feb 1, 2017 | n/a |
| CVE-2016-3407 | Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 104222, 104910, 105071, and 105175. | MEDIUM | Feb 1, 2017 | n/a |
| CVE-2016-3408 | Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 101813. | MEDIUM | Feb 2, 2017 | n/a |
| CVE-2016-3409 | Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 102637. | MEDIUM | Feb 1, 2017 | n/a |
| CVE-2016-3410 | Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 103956, 103995, 104475, 104838, and 104839. | MEDIUM | Feb 1, 2017 | n/a |
| CVE-2016-3411 | Cross-site scripting (XSS) vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bug 103609. | MEDIUM | Feb 1, 2017 | n/a |
| CVE-2016-3412 | Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 103997, 104413, 104414, 104777, and 104791. | MEDIUM | Feb 1, 2017 | n/a |
| CVE-2016-3413 | Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect integrity via unknown vectors, aka bug 103996. | MEDIUM | Feb 1, 2017 | n/a |
| CVE-2016-3414 | Unspecified vulnerability in Zimbra Collaboration before 8.6.0 Patch 7 allows remote authenticated users to affect availability via unknown vectors, aka bug 102029. | MEDIUM | Feb 2, 2017 | n/a |
| CVE-2016-3415 | Zimbra Collaboration before 8.7.0 allows remote attackers to conduct deserialization attacks via unspecified vectors, aka bug 102276. | MEDIUM | Feb 2, 2017 | n/a |
| CVE-2016-3996 | ClipboardDataMgr in Samsung KNOX 1.0.0 and 2.3.0 does not properly check the caller, which allows local users to read KNOX clipboard data via a crafted application. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-3999 | Multiple cross-site scripting (XSS) vulnerabilities in Zimbra Collaboration before 8.7.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka bugs 104552 and 104703. | MEDIUM | Feb 2, 2017 | n/a |
| CVE-2016-4019 | Unspecified vulnerability in Zimbra Collaboration before 8.7.0 allows remote attackers to affect integrity via unknown vectors, aka bug 104477. | MEDIUM | Feb 2, 2017 | n/a |
| CVE-2016-4056 | Cross-site scripting (XSS) vulnerability in the Backend component in TYPO3 6.2.x before 6.2.19 allows remote attackers to inject arbitrary web script or HTML via the module parameter when creating a bookmark. | MEDIUM | Jan 24, 2017 | n/a |
| CVE-2016-4338 | The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter. | MEDIUM | Jan 26, 2017 | n/a |
| CVE-2016-4340 | The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to log in as any other user via unspecified vectors. | MEDIUM | Jan 25, 2017 | n/a |
| CVE-2016-4341 | NetApp Clustered Data ONTAP before 8.3.2P7 allows remote attackers to obtain SMB share information via unspecified vectors. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-4352 | Integer overflow in the demuxer function in libmpdemux/demux_gif.c in Mplayer allows remote attackers to cause a denial of service (crash) via large dimensions in a gif file. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-4793 | The clientIp function in CakePHP 3.2.4 and earlier allows remote attackers to spoof their IP via the CLIENT-IP HTTP header. | MEDIUM | Jan 31, 2017 | n/a |
| CVE-2016-4796 | Heap-based buffer overflow in the color_cmyk_to_rgb in common/color.c in OpenJPEG before 2.1.1 allows remote attackers to cause a denial of service (crash) via a crafted .j2k file. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-4797 | Divide-by-zero vulnerability in the opj_tcd_init_tile function in tcd.c in OpenJPEG before 2.1.1 allows remote attackers to cause a denial of service (application crash) via a crafted jp2 file. NOTE: this issue exists because of an incorrect fix for CVE-2014-7947. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-5012 | In Moodle 3.x, glossary search displays entries without checking user permissions to view them. | MEDIUM | Jan 25, 2017 | n/a |
| CVE-2016-5013 | In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam. | MEDIUM | Jan 25, 2017 | n/a |
| CVE-2016-5014 | In Moodle 2.x and 3.x, an unenrolled user still receives event monitor notifications even though they can no longer access the course. | MEDIUM | Jan 25, 2017 | n/a |
| CVE-2016-5091 | Extbase in TYPO3 4.3.0 before 6.2.24, 7.x before 7.6.8, and 8.1.1 allows remote attackers to obtain sensitive information or possibly execute arbitrary code via a crafted Extbase action. | MEDIUM | Jan 26, 2017 | n/a |
| CVE-2016-5102 | Buffer overflow in the readgifimage function in gif2tiff.c in the gif2tiff tool in LibTIFF 4.0.6 allows remote attackers to cause a denial of service (segmentation fault) via a crafted gif file. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-5115 | The avcodec_decode_audio4 function in libavcodec in libavformat 57.34.103, as used in MPlayer, allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mp3 file. | MEDIUM | Feb 7, 2017 | n/a |
| CVE-2016-5117 | OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, which allows remote attackers to bypass the man-in-the-middle mitigations via a crafted timestamp constraint with a valid certificate. | MEDIUM | Jan 31, 2017 | n/a |
| CVE-2016-5119 | The automatic update feature in KeePass 2.33 and earlier allows man-in-the-middle attackers to execute arbitrary code by spoofing the version check response and supplying a crafted update. | MEDIUM | Jan 24, 2017 | n/a |
| CVE-2016-5196 | The content renderer client in Google Chrome prior to 54.0.2840.85 for Android insufficiently enforced the Same Origin Policy amongst downloaded files, which allowed a remote attacker to access any downloaded file and interact with sites, including those the user was logged into, via a crafted HTML page. | MEDIUM | Jan 20, 2017 | n/a |
