Wind River Support Network

CVE Database

The Common Vulnerabilities and Exposures (CVE) project, maintained by the MITRE Corporation, is a list of all standardized names for vulnerabilities and security exposures.

ID Description Priority Modified date Fixed Release
CVE-2016-4466 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2016. Notes: none -- Nov 7, 2023 n/a
CVE-2016-4462 By manipulating the URL parameter externalLoginKey, a malicious, logged in user could pass valid Freemarker directives to the Template Engine that are reflected on the webpage; a specially crafted Freemarker template could be used for remote code execution. Mitigation: Upgrade to Apache OFBiz 16.11.01 MEDIUM Aug 30, 2017 n/a
CVE-2016-4461 Apache Struts 2.x before 2.3.29 allows remote attackers to execute arbitrary code via a %{} sequence in a tag attribute, aka forced double OGNL evaluation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0785. HIGH Oct 18, 2017 n/a
CVE-2016-4460 Apache Pony Mail 0.6c through 0.8b allows remote attackers to bypass authentication. HIGH Aug 22, 2017 n/a
CVE-2016-4459 Stack-based buffer overflow in native/mod_manager/node.c in mod_cluster 1.2.9. HIGH Apr 20, 2017 n/a
CVE-2016-4458 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2016. Notes: none -- Nov 7, 2023 n/a
CVE-2016-4457 CloudForms Management Engine before 5.8 includes a default SSL/TLS certificate. MEDIUM Jun 8, 2017 n/a
CVE-2016-4456 The GNUTLS_KEYLOGFILE environment variable in gnutls 3.4.12 allows remote attackers to overwrite and corrupt arbitrary files in the filesystem. MEDIUM Aug 8, 2017 n/a
CVE-2016-4455 The Subscription Manager package (aka subscription-manager) before 1.17.7-1 for Candlepin uses weak permissions (755) for subscription-manager cache directories, which allows local users to obtain sensitive information by reading files in the directories. LOW Apr 14, 2017 n/a
CVE-2016-4452 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2016. Notes: none -- Nov 7, 2023 n/a
CVE-2016-4446 The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function. MEDIUM Apr 17, 2017 n/a
CVE-2016-4445 The fix_lookup_id function in sealert in setroubleshoot before 3.2.23 allows local users to execute arbitrary commands as root by triggering an SELinux denial with a crafted file name, related to executing external commands with the commands.getstatusoutput function. MEDIUM Apr 17, 2017 n/a
CVE-2016-4444 The allow_execmod plugin for setroubleshoot before 3.2.23 allows local users to execute arbitrary commands by triggering an execmod SELinux denial with a crafted binary filename, related to the commands.getstatusoutput function. MEDIUM Apr 17, 2017 n/a
CVE-2016-4443 Red Hat Enterprise Virtualization (RHEV) Manager 3.6 allows local users to obtain encryption keys, certificates, and other sensitive information by reading the engine-setup log file. LOW Dec 16, 2016 n/a
CVE-2016-4442 The rack-mini-profiler gem before 0.10.1 for Ruby allows remote attackers to obtain sensitive information about allocated strings and objects by leveraging incorrect ordering of security checks. MEDIUM May 12, 2017 n/a
CVE-2016-4435 An endpoint of the Agent running on the BOSH Director VM with stemcell versions prior to 3232.6 and 3146.13 may allow unauthenticated clients to read or write blobs or cause a denial of service attack on the Director VM. This vulnerability requires that the unauthenticated clients guess or find a URL matching an existing GUID. MEDIUM Jun 8, 2017 n/a
CVE-2016-4434 Apache Tika before 1.13 does not properly initialize the XML parser or choose handlers, which might allow remote attackers to conduct XML External Entity (XXE) attacks via vectors involving (1) spreadsheets in OOXML files and (2) XMP metadata in PDF and other file formats, a related issue to CVE-2016-2175. MEDIUM Oct 10, 2017 n/a
CVE-2016-4427 In zulip before 1.3.12, deactivated users could access messages if SSO was enabled. -- Jul 28, 2022 n/a
CVE-2016-4426 In zulip before 1.3.12, bot API keys were accessible to other users in the same realm. -- Jul 28, 2022 n/a
CVE-2016-4425 Jansson 2.7 and earlier allows context-dependent attackers to cause a denial of service (deep recursion, stack consumption, and crash) via crafted JSON data. MEDIUM May 19, 2016 23.09 (VxWorks 7)
CVE-2016-4412 An issue was discovered in phpMyAdmin. A user can be tricked into following a link leading to phpMyAdmin, which after authentication redirects to another malicious site. The attacker must sniff the user's valid phpMyAdmin token. All 4.0.x versions (prior to 4.0.10.16) are affected. LOW Dec 13, 2016 n/a
CVE-2016-4406 A remote cross-site scripting vulnerability was identified in HPE iLO 3 all versions prior to v1.88 and HPE iLO 4 all versions prior to v2.44. MEDIUM Aug 7, 2018 n/a
CVE-2016-4405 A remote code execution vulnerability was identified in HP Business Service Management (BSM) using Apache Commons Collection Java Deserialization versions v9.20-v9.26 MEDIUM Aug 7, 2018 n/a
CVE-2016-4404 A security vulnerability was identified in the Filter SDK component of HP KeyView earlier than v11.2. The vulnerability could be exploited remotely to allow code execution via a memory allocation issue. HIGH Aug 7, 2018 n/a
CVE-2016-4403 A security vulnerability was identified in the Filter SDK component of HP KeyView earlier than v11.2. The vulnerability could be exploited remotely to allow code execution via memory corruption. HIGH Aug 7, 2018 n/a
CVE-2016-4402 A security vulnerability was identified in the Filter SDK component of HP KeyView earlier than v11.2. The vulnerability could be exploited remotely to allow code execution via buffer overflow. HIGH Aug 7, 2018 n/a
CVE-2016-4401 Aruba ClearPass Policy Manager before 6.5.7 and 6.6.x before 6.6.2 allows attackers to obtain database credentials. HIGH Nov 8, 2019 n/a
CVE-2016-4400 A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS). LOW Aug 7, 2018 n/a
CVE-2016-4399 A security vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10. The vulnerability could result in cross-site scripting (XSS). LOW Aug 7, 2018 n/a
CVE-2016-4398 A remote arbitrary code execution vulnerability was identified in HP Network Node Manager i (NNMi) Software 10.00, 10.01 (patch1), 10.01 (patch 2), 10.10 using Java Deserialization. MEDIUM Aug 7, 2018 n/a
CVE-2016-4397 A local code execution security vulnerability was identified in HP Network Node Manager i (NNMi) v10.00, v10.10 and v10.20 Software. MEDIUM Aug 7, 2018 n/a
CVE-2016-4396 HPE System Management Homepage before v7.6 allows remote attackers to have an unspecified impact via unknown vectors, related to a Buffer Overflow issue. HIGH Oct 31, 2016 n/a
CVE-2016-4395 HPE System Management Homepage before v7.6 allows remote attackers to have an unspecified impact via unknown vectors, related to a Buffer Overflow issue. HIGH Oct 31, 2016 n/a
CVE-2016-4394 HPE System Management Homepage before v7.6 allows remote attackers to obtain sensitive information via unspecified vectors, related to an HSTS issue. MEDIUM Oct 31, 2016 n/a
CVE-2016-4393 HPE System Management Homepage before v7.6 allows remote authenticated attackers to obtain sensitive information via unspecified vectors, related to an XSS issue. LOW Oct 31, 2016 n/a
CVE-2016-4392 A remote cross site scripting vulnerability has been identified in HP Business Service Management software v9.1x, v9.20 - v9.25IP1. LOW Aug 7, 2018 n/a
CVE-2016-4391 A remote code execution security vulnerability has been identified in all versions of the HP ArcSight WINC Connector prior to v7.3.0. HIGH Aug 7, 2018 n/a
CVE-2016-4383 The glance-manage db in all versions of HPE Helion Openstack Glance allows deleted image ids to be reassigned, which allows remote authenticated users to cause other users to boot into a modified image without notification of the change. HIGH Jun 27, 2017 n/a
CVE-2016-4352 Integer overflow in the demuxer function in libmpdemux/demux_gif.c in Mplayer allows remote attackers to cause a denial of service (crash) via large dimensions in a gif file. MEDIUM Feb 7, 2017 n/a
CVE-2016-4347 Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2015-7558. Reason: This candidate is a reservation duplicate of CVE-2015-7558. Notes: All CVE users should reference CVE-2015-7558 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage -- Nov 7, 2023 n/a
CVE-2016-4341 NetApp Clustered Data ONTAP before 8.3.2P7 allows remote attackers to obtain SMB share information via unspecified vectors. MEDIUM Feb 7, 2017 n/a
CVE-2016-4340 The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to log in as any other user via unspecified vectors. MEDIUM Jan 25, 2017 n/a
CVE-2016-4338 The mysql user parameter configuration script (userparameter_mysql.conf) in the agent in Zabbix before 2.0.18, 2.2.x before 2.2.13, and 3.0.x before 3.0.3, when used with a shell other than bash, allows context-dependent attackers to execute arbitrary code or SQL commands via the mysql.size parameter. MEDIUM Jan 26, 2017 n/a
CVE-2016-4337 SQL injection vulnerability in the mgr.login.php file in Ktools.net Photostore before 4.7.5 allows remote attackers to execute arbitrary SQL commands via the email parameter in a recover_login action. HIGH Apr 19, 2017 n/a
CVE-2016-4336 An exploitable out-of-bounds write exists in the Bzip2 parsing of the Lexmark Perspective Document Filters conversion functionality. A crafted Bzip2 document can lead to a stack-based buffer overflow causing an out-of-bounds write which under the right circumstance could potentially be leveraged by an attacker to gain arbitrary code execution. HIGH Jan 10, 2017 n/a
CVE-2016-4335 An exploitable buffer overflow exists in the XLS parsing of the Lexmark Perspective Document Filters conversion functionality. A crafted XLS document can lead to a stack based buffer overflow resulting in remote code execution. MEDIUM Jan 10, 2017 n/a
CVE-2016-4334 Jive before 2016.3.1 has an open redirect from the external-link.jspa page. MEDIUM Apr 9, 2017 n/a
CVE-2016-4333 The HDF5 1.8.16 library allocating space for the array using a value from the file has an impact within the loop for initializing said array allowing a value within the file to modify the loop's terminator. Due to this, an aggressor can cause the loop's index to point outside the bounds of the array when initializing it. MEDIUM Nov 21, 2016 n/a
CVE-2016-4332 The library's failure to check if certain message types support a particular flag, the HDF5 1.8.16 library will cast the structure to an alternative structure and then assign to fields that aren't supported by the message type and the library will write outside the bounds of the heap buffer. This can lead to code execution under the context of the library. MEDIUM Nov 21, 2016 n/a
CVE-2016-4331 When decoding data out of a dataset encoded with the H5Z_NBIT decoding, the HDF5 1.8.16 library will fail to ensure that the precision is within the bounds of the size leading to arbitrary code execution. MEDIUM Nov 21, 2016 n/a
The 'Fixed Release' column is displayed if a single product version is selected from the filter. The fixed release is applicable in cases when the CVE has been addressed and fixed for that product version. Requires LTSS - customers must have active LTSS (Long Term Security Shield) Support to receive up-to-date information about vulnerabilities that may affect legacy software. Please contact your Wind River account team or see https://docs.windriver.com/bundle/Support_and_Maintenance_Supplemental_Terms_and_Conditions and https://support2.windriver.com/index.php?page=plc for more information.