Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

ID Description Priority Modified date Fixed Release
CVE-2016-4882 Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. MEDIUM May 12, 2017 n/a
CVE-2016-4881 Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. MEDIUM May 12, 2017 n/a
CVE-2016-4880 Cross-site scripting vulnerability in baserCMS plugin Blog version 3.0.10 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. LOW May 12, 2017 n/a
CVE-2016-4879 Cross-site request forgery (CSRF) vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. MEDIUM May 12, 2017 n/a
CVE-2016-4878 Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. MEDIUM May 12, 2017 n/a
CVE-2016-4877 Cross-site scripting vulnerability in baserCMS plugin Mail version 3.0.10 and earlier allows remote authenticated attackers to inject arbitrary web script or HTML via unspecified vectors. LOW May 12, 2017 n/a
CVE-2016-4876 Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators to execute arbitrary PHP code via unspecified vectors. MEDIUM May 12, 2017 n/a
CVE-2016-4875 Multiple cross-site scripting (XSS) vulnerabilities in the IVYWE (1) Assist plugin before 1.1.2.test20160906, (2) dataBox plugin before 0.0.0.20160906, and (3) userBox plugin before 0.0.0.20160906 for Geeklog allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. MEDIUM Apr 21, 2017 n/a
CVE-2016-4874 Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to conduct a reflected file download attack. LOW Apr 20, 2017 n/a
CVE-2016-4873 The Project function in Cybozu Office 9.0.0 through 10.4.0 does not properly check access permissions, which allows remote authenticated users to alter project information. MEDIUM Apr 20, 2017 n/a
CVE-2016-4872 The breadcrumb trail component in Cybozu Office 9.0.0 through 10.4.0 allows remote authenticated users to read the names of closed projects. MEDIUM Apr 20, 2017 n/a
CVE-2016-4871 Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to cause a denial of service. MEDIUM Apr 20, 2017 n/a
CVE-2016-4870 Cross-site scripting (XSS) vulnerability in Schedule function in Cybozu Office 9.0.0 through 10.4.0. LOW Apr 20, 2017 n/a
CVE-2016-4869 Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to obtain session information from users. MEDIUM Apr 20, 2017 n/a
CVE-2016-4868 Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to inject arbitrary email headers. MEDIUM Apr 20, 2017 n/a
CVE-2016-4867 The Project function in Cybozu 9.0.0 through 10.4.0 allows remote authenticated users to read closed project information. MEDIUM Apr 20, 2017 n/a
CVE-2016-4866 Cross-site scripting (XSS) vulnerability in the Project function in Cybozu Office 9.0.0 through 10.4.0. LOW Apr 20, 2017 n/a
CVE-2016-4865 Cross-site scripting (XSS) vulnerability in the Customapp function in Cybozu Office 9.0.0 through 10.4.0. LOW Apr 20, 2017 n/a
CVE-2016-4864 H2O versions 2.0.3 and earlier and 2.1.0-beta2 and earlier allow remote attackers to cause a denial-of-service (DoS) via format string specifiers in a template file via fastcgi, mruby, proxy, redirect or reproxy. MEDIUM May 12, 2017 n/a
CVE-2016-4863 The Toshiba FlashAir SD-WD/WC series Class 6 model with firmware version 1.00.04 and later, FlashAir SD-WD/WC series Class 10 model W-02 with firmware version 2.00.02 and later, FlashAir SD-WE series Class 10 model W-03, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir II Class 10 model W-02 series with firmware version 2.00.02 and later, FlashAir III Class 10 model W-03 series, FlashAir Class 6 model with firmware version 1.00.04 and later, FlashAir W-02 series Class 10 model with firmware version 2.00.02 and later, FlashAir W-03 series Class 10 model do not require authentication on accepting a connection from STA side LAN when Internet pass-thru Mode is enabled, which allows attackers with access to STA side LAN to obtain files or data. LOW May 23, 2017 n/a
CVE-2016-4862 Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers. MEDIUM Apr 20, 2017 n/a
CVE-2016-4861 The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation. HIGH Feb 22, 2017 n/a
CVE-2016-4859 Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.3, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk Enterprise 5.0.x prior to 5.0.16 and Splunk Light prior to 6.4.3 allows redirecting users to arbitrary web sites and conducting phishing attacks via unspecified vectors. MEDIUM May 12, 2017 n/a
CVE-2016-4858 Cross-site scripting vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.10, Splunk Enterprise 6.1.x prior to 6.1.11, Splunk Enterprise 6.0.x prior to 6.0.12, Splunk Enterprise 5.0.x prior to 5.0.16 and Splunk Light prior to 6.4.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. LOW May 12, 2017 n/a
CVE-2016-4857 Open redirect vulnerability in Splunk Enterprise 6.4.x prior to 6.4.2, Splunk Enterprise 6.3.x prior to 6.3.6, Splunk Enterprise 6.2.x prior to 6.2.11 and Splunk Light prior to 6.4.2 allows redirecting users to arbitrary web sites and conducting phishing attacks via unspecified vectors. MEDIUM May 12, 2017 n/a
CVE-2016-4856 Cross-site scripting vulnerability in Splunk Enterprise 6.3.x prior to 6.3.5 and Splunk Light 6.3.x prior to 6.3.5 allows attacker with administrator rights to inject arbitrary web script or HTML via unspecified vectors. LOW May 12, 2017 n/a
CVE-2016-4855 Cross-site scripting vulnerability in ADOdb versions prior to 5.20.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. MEDIUM May 12, 2017 n/a
CVE-2016-4854 Cross-site request forgery (CSRF) vulnerability in L-04D firmware version V10a and V10b allows remote attackers to hijack the authentication of administrators to perform arbitrary operations via unspecified vectors. MEDIUM May 23, 2017 n/a
CVE-2016-4850 LINE for Windows before 4.8.3 allows man-in-the-middle attackers to execute arbitrary code. MEDIUM Apr 20, 2017 n/a
CVE-2016-4849 Multiple cross-site scripting (XSS) vulnerabilities in Geeklog IVYWE edition 2.1.1 allow remote attackers to inject arbitrary web script or HTML by leveraging use of the COM_getCurrentURL function in (1) public_html/layout/default/header.thtml, (2) public_html/layout/bento/header.thtml, (3) public_html/layout/fotos/header.thtml, or (4) public_html/layout/default/article/article.thtml. MEDIUM Apr 20, 2017 n/a
CVE-2016-4847 Cross-site scripting (XSS) vulnerability in site/search.php in OSSEC Web UI before 0.9 allows remote attackers to inject arbitrary web script or HTML by leveraging an unanchored regex. MEDIUM Apr 20, 2017 n/a
CVE-2016-4846 Untrusted search path vulnerability in the installer of PhishWall Client Internet Explorer before 3.7.8.2. HIGH Apr 21, 2017 n/a
CVE-2016-4844 Cybozu Mailwise before 5.4.0 allows remote attackers to conduct clickjacking attacks. MEDIUM Apr 20, 2017 n/a
CVE-2016-4843 Cybozu Mailwise before 5.4.0 allows remote attackers to obtain sensitive cookie information. MEDIUM Apr 24, 2017 n/a
CVE-2016-4842 Cybozu Mailwise before 5.4.0 allows remote attackers to obtain information on when an email is read. MEDIUM Apr 20, 2017 n/a
CVE-2016-4841 Cybozu Mailwise before 5.4.0 allows remote attackers to inject arbitrary email headers. MEDIUM Apr 21, 2017 n/a
CVE-2016-4840 Coordinate Plus App for Android 1.0.2 and earlier and Coordinate Plus App for iOS 1.0.2 and earlier do not verify SSL certificates. MEDIUM Apr 21, 2017 n/a
CVE-2016-4839 The Android Apps Money Forward (prior to v7.18.0), Money Forward for The Gunma Bank (prior to v1.2.0), Money Forward for SHIGA BANK (prior to v1.2.0), Money Forward for SHIZUOKA BANK (prior to v1.4.0), Money Forward for SBI Sumishin Net Bank (prior to v1.6.0), Money Forward for Tokai Tokyo Securities (prior to v1.4.0), Money Forward for THE TOHO BANK (prior to v1.3.0), Money Forward for YMFG (prior to v1.5.0) provided by Money Forward, Inc. and Money Forward for AppPass (prior to v7.18.3), Money Forward for au SMARTPASS (prior to v7.18.0), Money Forward for Chou Houdai (prior to v7.18.3) provided by SOURCENEXT CORPORATION do not properly implement the WebView class, which allows an attacker to disclose information stored on the device via a specially crafted application. MEDIUM May 12, 2017 n/a
CVE-2016-4838 The Android Apps Money Forward (prior to v7.18.0), Money Forward for The Gunma Bank (prior to v1.2.0), Money Forward for SHIGA BANK (prior to v1.2.0), Money Forward for SHIZUOKA BANK (prior to v1.4.0), Money Forward for SBI Sumishin Net Bank (prior to v1.6.0), Money Forward for Tokai Tokyo Securities (prior to v1.4.0), Money Forward for THE TOHO BANK (prior to v1.3.0), Money Forward for YMFG (prior to v1.5.0) provided by Money Forward, Inc. and Money Forward for AppPass (prior to v7.18.3), Money Forward for au SMARTPASS (prior to v7.18.0), Money Forward for Chou Houdai (prior to v7.18.3) provided by SOURCENEXT CORPORATION allows an attacker to execute unintended operations via a specially crafted application. MEDIUM May 12, 2017 n/a
CVE-2016-4836 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none -- Nov 7, 2023 n/a
CVE-2016-4835 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during 2016. Notes: none -- Nov 7, 2023 n/a
CVE-2016-4832 WAON Service Application for Android 1.4.1 and earlier does not verify SSL certificates. MEDIUM Apr 21, 2017 n/a
CVE-2016-4830 Sushiro App for iOS 2.1.16 and earlier and Sushiro App for Android 2.1.16.1 and earlier do not verify SSL certificates. MEDIUM Apr 21, 2017 n/a
CVE-2016-4829 DMM Movie Player App for Android before 1.2.1, and DMM Movie Player App for iPhone/iPad before 2.1.3 do not verify SSL certificates. MEDIUM Apr 21, 2017 n/a
CVE-2016-4818 DMMFX Trade for Android 1.5.0 and earlier, DMMFX DEMO Trade for Android 1.5.0 and earlier, and GAITAMEJAPAN FX Trade for Android 1.4.0 and earlier do not verify SSL certificates. MEDIUM Apr 20, 2017 n/a
CVE-2016-4808 Web2py versions 2.14.5 and below were affected by a CSRF (Cross Site Request Forgery) vulnerability, which allows an attacker to trick a logged-in user into performing some unwanted actions, i.e., an attacker can trick a victim into disabling the installed application just by sending a URL to the victim. MEDIUM Jan 12, 2017 n/a
CVE-2016-4807 Web2py versions 2.14.5 and below were affected by a Reflected XSS vulnerability, which allows an attacker to perform an XSS attack on a logged-in user (admin). LOW Jan 11, 2017 n/a
CVE-2016-4806 Web2py versions 2.14.5 and below were affected by a Local File Inclusion vulnerability, which allows a user with malicious intent to read/access sensitive web server files. MEDIUM Jan 12, 2017 n/a
CVE-2016-4804 The read_boot function in boot.c in dosfstools before 4.0 allows attackers to cause a denial of service (crash) via a crafted filesystem, which triggers a heap-based buffer overflow in the (1) read_fat function or an out-of-bounds heap read in (2) get_fat function. LOW Jun 3, 2016 n/a
CVE-2016-4802 Multiple untrusted search path vulnerabilities in cURL and libcurl before 7.49.1, when built with SSPI or telnet is enabled, allow local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse (1) security.dll, (2) secur32.dll, or (3) ws2_32.dll in the application or current working directory. MEDIUM Jun 27, 2016 webcli_curl-7.50.3.0 (VxWorks 7)
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.