The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.
ID | Description | Priority | Modified date | Fixed Release |
---|---|---|---|---|
CVE-2016-4466 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2016. Notes: none | -- | Nov 7, 2023 | n/a |
CVE-2016-4462 | By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01 | MEDIUM | Aug 30, 2017 | n/a |
CVE-2016-4461 | Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a %{} sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785. | HIGH | Oct 18, 2017 | n/a |
CVE-2016-4460 | Apache Pony Mail 0.6c through 0.8b allows remote attackers to bypass authentication. | HIGH | Aug 22, 2017 | n/a |
CVE-2016-4459 | Stack-based buffer overflow in native/mod_manager/node.c in mod_cluster 1.2.9. | HIGH | Apr 20, 2017 | n/a |
CVE-2016-4458 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2016. Notes: none | -- | Nov 7, 2023 | n/a |
CVE-2016-4457 | CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate. | MEDIUM | Jun 8, 2017 | n/a |
CVE-2016-4456 | The GNUTLS_KEYLOGFILE environment variable in gnutls 3.4.12 allows remote attackers to overwrite and corrupt arbitrary files in the filesystem. | MEDIUM | Aug 8, 2017 | n/a |
CVE-2016-4455 | The Subscription Manager package (aka subscription-manager) before 1.17.7-1 for Candlepin uses weak permissions (755) for subscription-manager cache directories, which allows local users to obtain sensitive information by reading files in the directories. | LOW | Apr 14, 2017 | n/a |
CVE-2016-4452 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2016. Notes: none | -- | Nov 7, 2023 | n/a |
CVE-2016-4446 | The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function. | MEDIUM | Apr 17, 2017 | n/a |
CVE-2016-4445 | The fix_lookup_id function in sealert in setroubleshoot before 3.2.23 allows local users to execute arbitrary commands as root by triggering an SELinux denial with a crafted file name, related to executing external commands with the commands.getstatusoutput function. | MEDIUM | Apr 17, 2017 | n/a |
CVE-2016-4444 | The allow_execmod plugin for setroubleshoot before 3.2.23 allows local users to execute arbitrary commands by triggering an execmod SELinux denial with a crafted binary filename, related to the commands.getstatusoutput function. | MEDIUM | Apr 17, 2017 | n/a |
CVE-2016-4443 | Red Hat Enterprise Virtualization (RHEV) Manager 3.6 allows local users to obtain encryption keys, certificates, and other sensitive information by reading the engine-setup log file. | LOW | Dec 16, 2016 | n/a |
CVE-2016-4442 | The rack-mini-profiler gem before 0.10.1 for Ruby allows remote attackers to obtain sensitive information about allocated strings and objects by leveraging incorrect ordering of security checks. | MEDIUM | May 12, 2017 | n/a |
CVE-2016-4435 | An endpoint of the Agent running on the BOSH Director VM with stemcell versions prior to 3232.6 and 3146.13 may allow unauthenticated clients to read or write blobs or cause a denial of service attack on the Director VM. This vulnerability requires that the unauthenticated clients guess or find a URL matching an existing GUID. | MEDIUM | Jun 8, 2017 | n/a |
CVE-2016-4434 | Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175. | Medium | Oct 10, 2017 | n/a |
CVE-2016-4427 | In zulip before 1.3.12, deactivated users could access messages if SSO was enabled. | -- | Jul 28, 2022 | n/a |
CVE-2016-4426 | In zulip before 1.3.12, bot API keys were accessible to other users in the same realm. | -- | Jul 28, 2022 | n/a |
CVE-2016-4425 | Jansson 2.7 and earlier allows context-dependent attackers to cause a denial of service (deep recursion, stack consumption, and crash) via crafted JSON data. | MEDIUM | May 19, 2016 | 23.09 (VxWorks 7) |
CVE-2016-4412 | An issue was discovered in phpMyAdmin. A user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site. The attacker must sniff the user\'s valid phpMyAdmin token. All 4.0.x versions (prior to 4.0.10.16) are affected. | LOW | Dec 13, 2016 | n/a |
CVE-2016-4406 | A remote cross site scripting vulnerability was identified in HPE iLO 3 all version prior to v1.88 and HPE iLO 4 all versions prior to v2.44. | MEDIUM | Aug 7, 2018 | n/a |
CVE-2016-4405 | A remote code execution vulnerability was identified in HP Business Service Management (BSM) using Apache Commons Collection Java Deserialization versions v9.20-v9.26 | MEDIUM | Aug 7, 2018 | n/a |
CVE-2016-4404 | A security vulnerability was identified in the Filter SDK component of HP KeyView earlier than v11.2. The vulnerability could be exploited remotely to allow code execution via a memory allocation issue. | HIGH | Aug 7, 2018 | n/a |
CVE-2016-4403 | A security vulnerability was identified in the Filter SDK component of HP KeyView earlier than v11.2. The vulnerability could be exploited remotely to allow code execution via memory corruption. | HIGH | Aug 7, 2018 | n/a |
CVE-2016-4402 | A security vulnerability was identified in the Filter SDK component of HP KeyView earlier than v11.2. The vulnerability could be exploited remotely to allow code execution via buffer overflow. | HIGH | Aug 7, 2018 | n/a |
CVE-2016-4401 | Aruba ClearPass Policy Manager before 6.5.7 and 6.6.x before 6.6.2 allows attackers to obtain database credentials. | HIGH | Nov 8, 2019 | n/a |
CVE-2016-4400 | A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS). | LOW | Aug 7, 2018 | n/a |
CVE-2016-4399 | A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS). | LOW | Aug 7, 2018 | n/a |
CVE-2016-4398 | A remote arbitrary code execution vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10 using Java Deserialization. | MEDIUM | Aug 7, 2018 | n/a |
CVE-2016-4397 | A local code execution security vulnerability was identified in HP Network Node Manager i (NNMi) v10.00, v10.10 and v10.20 Software. | MEDIUM | Aug 7, 2018 | n/a |
CVE-2016-4396 | HPE System Management Homepage before v7.6 allows remote attackers to have an unspecified impact via unknown vectors, related to a Buffer Overflow issue. | HIGH | Oct 31, 2016 | n/a |
CVE-2016-4395 | HPE System Management Homepage before v7.6 allows remote attackers to have an unspecified impact via unknown vectors, related to a Buffer Overflow issue. | HIGH | Oct 31, 2016 | n/a |
CVE-2016-4394 | HPE System Management Homepage before v7.6 allows remote attackers to obtain sensitive information via unspecified vectors, related to an HSTS issue. | MEDIUM | Oct 31, 2016 | n/a |
CVE-2016-4393 | HPE System Management Homepage before v7.6 allows remote authenticated attackers to obtain sensitive information via unspecified vectors, related to an XSS issue. | LOW | Oct 31, 2016 | n/a |
CVE-2016-4392 | A remote cross site scripting vulnerability has been identified in HP Business Service Management software v9.1x, v9.20 - v9.25IP1. | LOW | Aug 7, 2018 | n/a |
CVE-2016-4391 | A remote code execution security vulnerability has been identified in all versions of the HP ArcSight WINC Connector prior to v7.3.0. | HIGH | Aug 7, 2018 | n/a |
CVE-2016-4383 | The glance-manage db in all versions of HPE Helion Openstack Glance allows deleted image ids to be reassigned, which allows remote authenticated users to cause other users to boot into a modified image without notification of the change. | HIGH | Jun 27, 2017 | n/a |
CVE-2016-4352 | Integer overflow in the demuxer function in libmpdemux/demux_gif.c in Mplayer allows remote attackers to cause a denial of service (crash) via large dimensions in a gif file. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-4347 | Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-7558. Reason: This candidate is a reservation duplicate of CVE-2015-7558. Notes: All CVE users should reference CVE-2015-7558 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage | -- | Nov 7, 2023 | n/a |
CVE-2016-4341 | NetApp Clustered Data ONTAP before 8.3.2P7 allows remote attackers to obtain SMB share information via unspecified vectors. | MEDIUM | Feb 7, 2017 | n/a |
CVE-2016-4340 | The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to log in as any other user via unspecified vectors. | MEDIUM | Jan 25, 2017 | n/a |
CVE-2016-4338 | The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter. | MEDIUM | Jan 26, 2017 | n/a |
CVE-2016-4337 | SQL injection vulnerability in the mgr.login.php file in Ktools.net Photostore before 4.7.5 allows remote attackers to execute arbitrary SQL commands via the email parameter in a recover_login action. | HIGH | Apr 19, 2017 | n/a |
CVE-2016-4336 | An exploitable out-of-bounds write exists in the Bzip2 parsing of the Lexmark Perspective Document Filters conversion functionality. A crafted Bzip2 document can lead to a stack-based buffer overflow causing an out-of-bounds write which under the right circumstance could potentially be leveraged by an attacker to gain arbitrary code execution. | HIGH | Jan 10, 2017 | n/a |
CVE-2016-4335 | An exploitable buffer overflow exists in the XLS parsing of the Lexmark Perspective Document Filters conversion functionality. A crafted XLS document can lead to a stack based buffer overflow resulting in remote code execution. | MEDIUM | Jan 10, 2017 | n/a |
CVE-2016-4334 | Jive before 2016.3.1 has an open redirect from the external-link.jspa page. | MEDIUM | Apr 9, 2017 | n/a |
CVE-2016-4333 | The HDF5 1.8.16 library allocating space for the array using a value from the file has an impact within the loop for initializing said array allowing a value within the file to modify the loop's terminator. Due to this, an aggressor can cause the loop's index to point outside the bounds of the array when initializing it. | MEDIUM | Nov 21, 2016 | n/a |
CVE-2016-4332 | The library\'s failure to check if certain message types support a particular flag, the HDF5 1.8.16 library will cast the structure to an alternative structure and then assign to fields that aren\'t supported by the message type and the library will write outside the bounds of the heap buffer. This can lead to code execution under the context of the library. | MEDIUM | Nov 21, 2016 | n/a |
CVE-2016-4331 | When decoding data out of a dataset encoded with the H5Z_NBIT decoding, the HDF5 1.8.16 library will fail to ensure that the precision is within the bounds of the size leading to arbitrary code execution. | MEDIUM | Nov 21, 2016 | n/a |