The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2016-6061 | IBM Jazz Foundation is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | LOW | Feb 7, 2017 | n/a |
CVE-2016-6065 | IBM Security Guardium Database Activity Monitor appliance could allow a local user to inject commands that would be executed as root. | HIGH | Feb 7, 2017 | n/a |
CVE-2016-6080 | The WebAdmin context for WebSphere Message Broker allows directory listings which could disclose sensitive information to the attacker. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6084 | IBM BigFix Platform could allow an attacker on the local network to crash the BES server using a specially crafted XMLSchema request. | LOW | Feb 7, 2017 | n/a |
CVE-2016-6092 | IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 stores user credentials in clear text which can be read by a local user. | LOW | Feb 7, 2017 | n/a |
CVE-2016-6094 | IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 generates an error message that includes sensitive information about its environment, users, or associated data. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6095 | IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6096 | IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6097 | IBM Tivoli Key Lifecycle Manager 2.0.1, 2.5, and 2.6 allows web pages to be stored locally which can be read by another user on the system. | LOW | Feb 7, 2017 | n/a |
CVE-2016-6103 | IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6104 | IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 could allow a remote attacker to upload arbitrary files, caused by the improper validation of file extensions, which could allow the attacker to execute arbitrary code on the vulnerable system. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6105 | IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 do not perform an authentication check for a critical resource or functionality allowing anonymous users access to protected areas. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6116 | IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6117 | IBM Tivoli Key Lifecycle Manager 2.5 and 2.6 can be deployed with active debugging code that can disclose sensitive information. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6124 | IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6126 | IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing dot dot sequences (/../) to view arbitrary files on the system. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6131 | The demangler in GNU Libiberty allows remote attackers to cause a denial of service (infinite loop, stack overflow, and crash) via a cycle in the references of remembered mangled types. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6163 | The rsvg_pattern_fix_fallback function in rsvg-paint_server.c in librsvg2 2.40.2 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted svg file. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6175 | Eval injection vulnerability in php-gettext 1.0.12 and earlier allows remote attackers to execute arbitrary PHP code via a crafted plural forms header. | HIGH | Feb 7, 2017 | n/a |
CVE-2016-6199 | ObjectSocketWrapper.java in Gradle 2.12 allows remote attackers to execute arbitrary code via a crafted serialized object. | HIGH | Feb 7, 2017 | n/a |
CVE-2016-6234 | The process_file function in lepton/jpgcoder.cc in Dropbox lepton 1.0 allows remote attackers to cause a denial of service (crash) via a crafted jpeg file. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6235 | The setup_imginfo_jpg function in lepton/jpgcoder.cc in Dropbox lepton 1.0 allows remote attackers to cause a denial of service (segmentation fault) via a crafted jpeg file. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6236 | The setup_imginfo_jpg function in lepton/jpgcoder.cc in Dropbox lepton 1.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted jpeg file. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6237 | The build_huffcodes function in lepton/jpgcoder.cc in Dropbox lepton 1.0 allows remote attackers to cause denial of service (out-of-bounds write) via a crafted jpeg file. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6238 | The write_ujpg function in lepton/jpgcoder.cc in Dropbox lepton 1.0 allows remote attackers to cause denial of service (out-of-bounds read) via a crafted jpeg file. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6264 | Integer signedness error in libc/string/arm/memset.S in uClibc and uClibc-ng before 1.0.16 allows context-dependent attackers to cause a denial of service (crash) via a negative length value to the memset function. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6270 | The handle_certificate function in /vmi/manager/engine/management/commands/apns_worker.py in Trend Micro Virtual Mobile Infrastructure before 5.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the password to api/v1/cfg/oauth/save_identify_pfx/. | HIGH | Feb 7, 2017 | n/a |
CVE-2016-6495 | NetApp Data ONTAP before 8.2.4P5, when operating in 7-Mode, allows remote attackers to obtain information about the volumes configured for HTTP access. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6600 | Directory traversal vulnerability in the file upload functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to upload and execute arbitrary JSP files via a .. (dot dot) in the fileName parameter to servlets/FileUploadServlet. | HIGH | Feb 7, 2017 | n/a |
CVE-2016-6601 | Directory traversal vulnerability in the file download functionality in ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to read arbitrary files via a .. (dot dot) in the fileName parameter to servlets/FetchFile. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6602 | ZOHO WebNMS Framework 5.2 and 5.2 SP1 use a weak obfuscation algorithm to store passwords, which allows context-dependent attackers to obtain cleartext passwords by leveraging access to WEB-INF/conf/securitydbData.xml. NOTE: this issue can be combined with CVE-2016-6601 for a remote exploit. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6603 | ZOHO WebNMS Framework 5.2 and 5.2 SP1 allows remote attackers to bypass authentication and impersonate arbitrary users via the UserName HTTP header. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-6604 | NULL pointer dereference in Samsung Exynos fimg2d driver for Android L(5.0/5.1) and M(6.0) allows attackers to have unspecified impact via unknown vectors. | HIGH | Feb 7, 2017 | n/a |
CVE-2016-6667 | NetApp OnCommand Unified Manager for Clustered Data ONTAP 6.3 through 6.4P1 contain a default privileged account, which allows remote attackers to execute arbitrary code via unspecified vectors. | HIGH | Feb 7, 2017 | n/a |
CVE-2016-7164 | The construct function in puff.cpp in Libtorrent 1.1.0 allows remote torrent trackers to cause a denial of service (segmentation fault and crash) via a crafted GZIP response. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-7400 | Multiple SQL injection vulnerabilities in Exponent CMS before 2.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an activate_address address controller action, (2) title parameter in a show blog controller action, or (3) content_id parameter in a showComments expComment controller action. | HIGH | Feb 7, 2017 | n/a |
CVE-2016-7544 | Crypto++ 5.6.4 incorrectly uses Microsoft's stack-based _malloca and _freea functions. The library will request a block of memory to align a table in memory. If the table is later reallocated, then the wrong pointer could be freed. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-7798 | The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-8411 | Buffer overflow vulnerability while processing QMI QOS TLVs. Product: Android. Versions: versions that have qmi_qos_srvc.c. Android ID: 31805216. References: QC CR#912775. | HIGH | Feb 7, 2017 | n/a |
CVE-2016-8568 | The git_commit_message function in oid.c in libgit2 before 0.24.3 allows remote attackers to cause a denial of service (out-of-bounds read) via a cat-file command with a crafted object file. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-8569 | The git_oid_nfmt function in commit.c in libgit2 before 0.24.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via a cat-file command with a crafted object file. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-8911 | IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. | LOW | Feb 7, 2017 | n/a |
CVE-2016-8912 | IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 stores potentially sensitive information in log files that could be read by an authenticated user. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-8913 | IBM Kenexa LMS on Cloud 13.1 and 13.2 - 13.2.4 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing dot dot sequences (/../) to view arbitrary files on the system. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-8928 | IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-8929 | IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-8930 | IBM Kenexa LMS on Cloud is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-8931 | IBM Kenexa LMS on Cloud could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-8932 | IBM Kenexa LMS on Cloud could allow a remote attacker to upload arbitrary files, which could allow the attacker to execute arbitrary code on the vulnerable server. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-8933 | IBM Kenexa LMS on Cloud could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing dot dot sequences (/../) to view arbitrary files on the system. | MEDIUM | Feb 7, 2017 | n/a |