Original release date: September 26, 2016
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
-
High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
-
Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
-
Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
High Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adobe — acrobat | Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC Classic before 15.006.30198, and Acrobat and Acrobat Reader DC Continuous before 15.017.20050 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-4191, CVE-2016-4192, CVE-2016-4193, CVE-2016-4194, CVE-2016-4195, CVE-2016-4196, CVE-2016-4197, CVE-2016-4198, CVE-2016-4199, CVE-2016-4200, CVE-2016-4201, CVE-2016-4202, CVE-2016-4203, CVE-2016-4204, CVE-2016-4205, CVE-2016-4206, CVE-2016-4207, CVE-2016-4208, CVE-2016-4211, CVE-2016-4212, CVE-2016-4213, CVE-2016-4214, CVE-2016-4250, CVE-2016-4251, CVE-2016-4252, CVE-2016-4254, CVE-2016-4265, CVE-2016-4266, CVE-2016-4267, CVE-2016-4268, CVE-2016-4269, and CVE-2016-4270. | 2016-09-16 | 10.0 | CVE-2016-6937 CONFIRM |
| adobe — acrobat | Use-after-free vulnerability in Adobe Reader and Acrobat before 11.0.17, Acrobat and Acrobat Reader DC Classic before 15.006.30198, and Acrobat and Acrobat Reader DC Continuous before 15.017.20050 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-4255. | 2016-09-16 | 10.0 | CVE-2016-6938 CONFIRM |
| apache — cxf_fediz | The application plugins in Apache CXF Fediz 1.2.x before 1.2.3 and 1.3.x before 1.3.1 do not match SAML AudienceRestriction values against configured audience URIs, which might allow remote attackers to have bypass intended restrictions and have unspecified other impact via a crafted SAML token with a trusted signature. | 2016-09-21 | 7.5 | CVE-2016-4464 CONFIRM MLIST CONFIRM |
| apple — xcode | otool in Apple Xcode before 8 allows local users to gain privileges or cause a denial of service (memory corruption and application crash) via unspecified vectors, a different vulnerability than CVE-2016-4705. | 2016-09-18 | 7.2 | CVE-2016-4704 APPLE CONFIRM |
| apple — xcode | otool in Apple Xcode before 8 allows local users to gain privileges or cause a denial of service (memory corruption and application crash) via unspecified vectors, a different vulnerability than CVE-2016-4704. | 2016-09-18 | 7.2 | CVE-2016-4705 APPLE CONFIRM |
| artifex — mupdf | Heap-based buffer overflow in the pdf_load_mesh_params function in pdf/pdf-shade.c in MuPDF allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a large decode array. | 2016-09-22 | 7.5 | CVE-2016-6525 CONFIRM CONFIRM DEBIAN MLIST BID |
| aver — eh6108h+_firmware | AVer Information EH6108H+ devices with firmware X9.03.24.00.07l have hardcoded accounts, which allows remote attackers to obtain root access by leveraging knowledge of the credentials and establishing a TELNET session. | 2016-09-18 | 10.0 | CVE-2016-6535 CERT-VN |
| aver — eh6108h+_firmware | The /setup URI on AVer Information EH6108H+ devices with firmware X9.03.24.00.07l allows remote attackers to bypass intended page-access restrictions or modify passwords by leveraging knowledge of a handle parameter value. | 2016-09-18 | 10.0 | CVE-2016-6536 CERT-VN |
| cisco — webex_meetings_server | Cisco WebEx Meetings Server 2.6 allows remote attackers to execute arbitrary commands by injecting these commands into an application script, aka Bug ID CSCuy83130. | 2016-09-17 | 9.3 | CVE-2016-1482 CISCO |
| cisco — webex_meetings_server | Cisco WebEx Meetings Server 2.6 allows remote attackers to cause a denial of service (CPU consumption) by repeatedly accessing the account-validation component of an unspecified service, aka Bug ID CSCuy92704. | 2016-09-18 | 7.8 | CVE-2016-1483 CISCO |
| cisco — cloud_services_platform_2100 | The web-based GUI in Cisco Cloud Services Platform (CSP) 2100 2.0 allows remote authenticated administrators to execute arbitrary OS commands as root via crafted platform commands, aka Bug ID CSCva00541. | 2016-09-22 | 9.0 | CVE-2016-6373 CISCO |
| cisco — cloud_services_platform_2100 | Cisco Cloud Services Platform (CSP) 2100 2.0 allows remote attackers to execute arbitrary code via a crafted dnslookup command in an HTTP request, aka Bug ID CSCuz89093. | 2016-09-22 | 7.5 | CVE-2016-6374 CISCO |
| cisco — unified_computing_system | UCS Manager and UCS 6200 Fabric Interconnects in Cisco Unified Computing System (UCS) through 3.0(2d) allow local users to obtain OS root access via crafted CLI input, aka Bug ID CSCuz91263. | 2016-09-18 | 7.2 | CVE-2016-6402 CISCO |
| cisco — email_security_appliance | Cisco IronPort AsyncOS 9.1.2-023, 9.1.2-028, 9.1.2-036, 9.7.2-046, 9.7.2-047, 9.7.2-054, 10.0.0-124, and 10.0.0-125 on Email Security Appliance (ESA) devices, when Enrollment Client before 1.0.2-065 is installed, allows remote attackers to obtain root access via a connection to the testing/debugging interface, aka Bug ID CSCvb26017. | 2016-09-22 | 10.0 | CVE-2016-6406 CISCO |
| cisco — ios | iox in Cisco IOS, possibly 15.6 and earlier, and IOS XE, possibly 3.18 and earlier, allows local users to execute arbitrary IOx Linux commands on the guest OS via crafted iox command-line options, aka Bug ID CSCuz59223. | 2016-09-22 | 7.2 | CVE-2016-6414 CISCO |
| dentsply_sirona — cdr_dicom | Dentsply Sirona (formerly Schick) CDR Dicom 5 and earlier has default passwords for the sa and cdr accounts, which allows remote attackers to obtain administrative access by leveraging knowledge of these passwords. | 2016-09-20 | 10.0 | CVE-2016-6530 CERT-VN CONFIRM |
| emc — avamar_server | Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 allow local users to obtain root privileges by leveraging admin access and entering a sudo command. | 2016-09-20 | 7.2 | CVE-2016-0905 BUGTRAQ |
| emc — vnx1_oe_firmware | The SMB service in EMC VNXe, VNX1 File OE before 7.1.80.3, and VNX2 File OE before 8.1.9.155 does not prevent duplicate NTLM challenge-response nonces, which makes it easier for remote attackers to execute arbitrary code, or read or write to files, via a series of authentication requests, a related issue to CVE-2010-0231. | 2016-09-20 | 7.5 | CVE-2016-0917 BUGTRAQ |
| emc — avamar_server | Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 allow local users to obtain root access via a crafted parameter to a command that is available in the sudo configuration. | 2016-09-20 | 7.2 | CVE-2016-0920 BUGTRAQ |
| flex_project — flex | Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read. | 2016-09-21 | 7.5 | CVE-2016-6354 DEBIAN MLIST MLIST CONFIRM |
| fortinet — fortiwan | Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote authenticated users with access to the nslookup functionality to execute arbitrary commands with root privileges via the graph parameter to diagnosis_control.php. | 2016-09-21 | 9.0 | CVE-2016-4965 CONFIRM CONFIRM BID CERT-VN |
| hp — loadrunner | HPE Performance Center before 12.50 and LoadRunner before 12.50 allow remote attackers to cause a denial of service via unspecified vectors. | 2016-09-20 | 9.0 | CVE-2016-4384 CONFIRM |
| huawei — ws331a_router_firmware | Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei WS331a routers with software before WS331a-10 V100R001C01B112 allow remote attackers to hijack the authentication of administrators for requests that (1) restore factory settings or (2) reboot the device via unspecified vectors. | 2016-09-21 | 7.1 | CVE-2016-6158 CONFIRM |
| huawei — usg2100_firmware | Buffer overflow in the Authentication, Authorization and Accounting (AAA) module in Huawei USG2100, USG2200, USG5100, and USG5500 unified security gateways with software before V300R001C10SPC600 allows remote authenticated RADIUS servers to execute arbitrary code by sending a crafted EAP packet. | 2016-09-22 | 7.1 | CVE-2016-6669 CONFIRM |
| icu_project — international_components_for_unicode | Stack-based buffer overflow in the Locale class in common/locid.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long locale string. | 2016-09-17 | 7.5 | CVE-2016-7415 MLIST MISC |
| lenovo — bios | The BIOS for Lenovo ThinkCentre E93, M6500t/s, M6600, M6600q, M6600t/s, M73p, M800, M83, M8500t/s, M8600t/s, M900, M93, and M93P devices; ThinkServer RQ940, RS140, TS140, TS240, TS440, and TS540 devices; and ThinkStation E32, P300, and P310 devices might allow local users or physically proximate attackers to bypass the Secure Boot protection mechanism by leveraging an AMI test key. | 2016-09-22 | 7.2 | CVE-2016-5247 BID CONFIRM |
| libarchive — libarchive | Integer overflow in the ISO9660 writer in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) or execute arbitrary code via vectors related to verifying filename lengths when writing an ISO9660 archive, which trigger a buffer overflow. | 2016-09-21 | 7.5 | CVE-2016-6250 MLIST MLIST SECTRACK CONFIRM CONFIRM MISC CONFIRM |
| mariadb — mariadb | Oracle MySQL through 5.5.52, 5.6.x through 5.6.33, and 5.7.x through 5.7.15; MariaDB before 5.5.51, 10.0.x before 10.0.27, and 10.1.x before 10.1.17; and Percona Server before 5.5.51-38.1, 5.6.x before 5.6.32-78.0, and 5.7.x before 5.7.14-7 allow local users to create arbitrary configurations and bypass certain protection mechanisms by setting general_log_file to a my.cnf configuration. NOTE: this can be leveraged to execute arbitrary code with root privileges by setting malloc_lib. | 2016-09-20 | 10.0 | CVE-2016-6662 MISC FULLDISC MLIST CONFIRM CONFIRM CONFIRM CONFIRM EXPLOIT-DB CONFIRM |
| mozilla — firefox | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 49.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 2016-09-22 | 7.5 | CVE-2016-5256 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| mozilla — firefox | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 2016-09-22 | 7.5 | CVE-2016-5257 CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| mozilla — firefox | Heap-based buffer overflow in the nsCaseTransformTextRunFactory::TransformString function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to cause a denial of service (boolean out-of-bounds write) or possibly have unspecified other impact via Unicode characters that are mishandled during text conversion. | 2016-09-22 | 7.5 | CVE-2016-5270 CONFIRM CONFIRM |
| mozilla — firefox | Use-after-free vulnerability in the nsFrameManager::CaptureFrameState function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to execute arbitrary code by leveraging improper interaction between restyling and the Web Animations model implementation. | 2016-09-22 | 7.5 | CVE-2016-5274 CONFIRM CONFIRM |
| mozilla — firefox | Use-after-free vulnerability in the mozilla::a11y::DocAccessible::ProcessInvalidationList function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an aria-owns attribute. | 2016-09-22 | 7.5 | CVE-2016-5276 CONFIRM CONFIRM |
| mozilla — firefox | Use-after-free vulnerability in the nsRefreshDriver::Tick function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging improper interaction between timeline destruction and the Web Animations model implementation. | 2016-09-22 | 7.5 | CVE-2016-5277 CONFIRM CONFIRM |
| mozilla — firefox | Use-after-free vulnerability in the mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to execute arbitrary code via bidirectional text. | 2016-09-22 | 7.5 | CVE-2016-5280 CONFIRM CONFIRM |
| mozilla — firefox | Use-after-free vulnerability in the DOMSVGLength class in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to execute arbitrary code by leveraging improper interaction between JavaScript code and an SVG document. | 2016-09-22 | 7.5 | CVE-2016-5281 MISC CONFIRM CONFIRM |
| openjpeg — openjpeg | Use-after-free vulnerability in the opj_j2k_write_mco function in j2k.c in OpenJPEG before 2.1.1 allows remote attackers to have unspecified impact via unknown vectors. | 2016-09-21 | 7.5 | CVE-2015-8871 DEBIAN MLIST MLIST CONFIRM CONFIRM CONFIRM CONFIRM |
| otrs — faq | Multiple SQL injection vulnerabilities in the FAQ package 2.x before 2.3.6, 4.x before 4.0.5, and 5.x before 5.0.5 in Open Ticket Request System (OTRS) allow remote attackers to execute arbitrary SQL commands via crafted search parameters. | 2016-09-16 | 9.0 | CVE-2016-5843 CONFIRM CONFIRM CONFIRM CONFIRM |
| php — php | ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object. | 2016-09-17 | 7.5 | CVE-2016-7411 MLIST CONFIRM CONFIRM CONFIRM |
| php — php | Use-after-free vulnerability in the wddx_stack_destroy function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a wddxPacket XML document that lacks an end-tag for a recordset field element, leading to mishandling in a wddx_deserialize call. | 2016-09-17 | 7.5 | CVE-2016-7413 MLIST CONFIRM CONFIRM CONFIRM CONFIRM |
| php — php | The ZIP signature-verification feature in PHP before 5.6.26 and 7.x before 7.0.11 does not ensure that the uncompressed_filesize field is large enough, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via a crafted PHAR archive, related to ext/phar/util.c and ext/phar/zip.c. | 2016-09-17 | 7.5 | CVE-2016-7414 MLIST CONFIRM CONFIRM CONFIRM CONFIRM |
| php — php | ext/spl/spl_array.c in PHP before 5.6.26 and 7.x before 7.0.11 proceeds with SplArray unserialization without validating a return value and data type, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data. | 2016-09-17 | 7.5 | CVE-2016-7417 MLIST CONFIRM CONFIRM CONFIRM CONFIRM |
| pivotal — cloud_foundry_elastic_runtime | Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.34 and 1.7.x before 1.7.12 places 169.254.0.0/16 in the all_open Application Security Group, which might allow remote attackers to bypass intended network-connectivity restrictions by leveraging access to the 169.254.169.254 address. | 2016-09-17 | 7.5 | CVE-2016-0896 CONFIRM |
| pivotal — operations_manager | Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.17 and 1.7.x before 1.7.8, when vCloud or vSphere is used, does not properly enable SSH access for operators, which has unspecified impact and remote attack vectors. | 2016-09-17 | 7.5 | CVE-2016-0897 CONFIRM |
| pivotal — rabbitmq | The metrics-collection component in RabbitMQ for Pivotal Cloud Foundry (PCF) 1.6.x before 1.6.4 logs command lines of failed commands, which might allow context-dependent attackers to obtain sensitive information by reading the log data, as demonstrated by a syslog message that contains credentials from a command line. | 2016-09-17 | 7.8 | CVE-2016-0929 CONFIRM |
| redhat — quickstart_cloud_installer | Red Hat QuickStart Cloud Installer (QCI) uses world-readable permissions for /etc/qci/answers, which allows local users to obtain the root password for the deployed system by reading the file. | 2016-09-22 | 7.2 | CVE-2016-6322 BID CONFIRM |
| rockwellautomation — rslogix_500_professional_edition | Buffer overflow in Rockwell Automation RSLogix Micro Starter Lite, RSLogix Micro Developer, RSLogix 500 Starter Edition, RSLogix 500 Standard Edition, and RSLogix 500 Professional Edition allows remote attackers to execute arbitrary code via a crafted RSS project file. | 2016-09-18 | 9.3 | CVE-2016-5814 MISC |
| xen — xen | Xen 4.5.3, 4.6.3, and 4.7.x allow local HVM guest OS administrators to overwrite hypervisor memory and consequently gain host OS privileges by leveraging mishandling of instruction pointer truncation during emulation. | 2016-09-21 | 7.2 | CVE-2016-7093 CONFIRM SECTRACK CONFIRM CONFIRM |
| xen — xen | Use-after-free vulnerability in the FIFO event channel code in Xen 4.4.x allows local guest OS administrators to cause a denial of service (host crash) and possibly execute arbitrary code or obtain sensitive information via an invalid guest frame number. | 2016-09-21 | 7.2 | CVE-2016-7154 CONFIRM CONFIRM BID SECTRACK CONFIRM CONFIRM |
| yokogawa — stardom_fcn/fcj | Yokogawa STARDOM FCN/FCJ controller R1.01 through R4.01 does not require authentication for Logic Designer connections, which allows remote attackers to reconfigure the device or cause a denial of service via a (1) stop application program, (2) change value, or (3) modify application command. | 2016-09-18 | 7.5 | CVE-2016-4860 MISC CONFIRM |
Medium Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adobe — air_sdk_&_compiler | Adobe AIR SDK & Compiler before 23.0.0.257 on Windows does not support Android runtime-analytics transport security, which might allow remote attackers to obtain sensitive information by leveraging access to a network over which analytics data is sent. | 2016-09-16 | 5.0 | CVE-2016-6936 CONFIRM MISC |
| apache — zookeeper | Buffer overflow in the C cli shell in Apache Zookeeper before 3.4.9 and 3.5.x before 3.5.3, when using the “cmd:” batch mode syntax, allows attackers to have unspecified impact via a long command string. | 2016-09-21 | 6.8 | CVE-2016-5017 MISC MLIST CONFIRM CONFIRM CONFIRM |
| apache — jackrabbit | Cross-site request forgery (CSRF) vulnerability in the CSRF content-type check in Jackrabbit-Webdav in Apache Jackrabbit 2.4.x before 2.4.6, 2.6.x before 2.6.6, 2.8.x before 2.8.3, 2.10.x before 2.10.4, 2.12.x before 2.12.4, and 2.13.x before 2.13.3 allows remote attackers to hijack the authentication of unspecified victims for requests that create a resource via an HTTP POST request with a (1) missing or (2) crafted Content-Type header. | 2016-09-21 | 6.8 | CVE-2016-6801 MLIST CONFIRM |
| apache — shiro | Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path. | 2016-09-20 | 5.0 | CVE-2016-6802 MISC BUGTRAQ BID |
| apple — safari | The TLS protocol 1.2 and earlier supports the rsa_fixed_dh, dss_fixed_dh, rsa_fixed_ecdh, and ecdsa_fixed_ecdh values for ClientCertificateType but does not directly document the ability to compute the master secret in certain situations with a client secret key and server public key but not a server secret key, which makes it easier for man-in-the-middle attackers to spoof TLS servers by leveraging knowledge of the secret key for an arbitrary installed client X.509 certificate, aka the “Key Compromise Impersonation (KCI)” issue. | 2016-09-20 | 6.8 | CVE-2015-8960 MISC MLIST MISC MISC |
| apple — iphone_os | The Sandbox Profiles component in Apple iOS before 10 does not properly restrict access to directory metadata for SMS draft directories, which allows attackers to discover text-message recipients via a crafted app. | 2016-09-18 | 4.3 | CVE-2016-4620 APPLE CONFIRM |
| apple — iphone_os | The GeoServices component in Apple iOS before 10 and watchOS before 3 does not properly restrict access to PlaceData information, which allows attackers to discover physical locations via a crafted application. | 2016-09-18 | 4.3 | CVE-2016-4719 APPLE CONFIRM |
| apple — iphone_os | The Assets component in Apple iOS before 10 allows man-in-the-middle attackers to block software updates via vectors related to lack of an HTTPS session for retrieving updates. | 2016-09-18 | 4.3 | CVE-2016-4741 APPLE CONFIRM |
| apple — iphone_os | The Keyboards component in Apple iOS before 10 does not properly use a cache for auto-correct suggestions, which allows remote attackers to obtain sensitive information in opportunistic circumstances by leveraging an unintended correction. | 2016-09-18 | 5.0 | CVE-2016-4746 APPLE CONFIRM |
| apple — iphone_os | Mail in Apple iOS before 10 mishandles certificates, which makes it easier for man-in-the-middle attackers to discover mail credentials via unspecified vectors. | 2016-09-18 | 4.3 | CVE-2016-4747 APPLE CONFIRM |
| artifex — mupdf | Use-after-free vulnerability in the pdf_load_xref function in pdf/pdf-xref.c in MuPDF allows remote attackers to cause a denial of service (crash) via a crafted PDF file. | 2016-09-22 | 4.3 | CVE-2016-6265 CONFIRM CONFIRM SUSE MLIST BID |
| aver — eh6108h+_firmware | AVer Information EH6108H+ devices with firmware X9.03.24.00.07l store passwords in a cleartext base64 format and require cleartext credentials in HTTP Cookie headers, which allows context-dependent attacks to obtain sensitive information by reading these strings. | 2016-09-18 | 5.0 | CVE-2016-6537 CERT-VN |
| charybdis_project — charybdis | The m_authenticate function in modules/m_sasl.c in Charybdis before 3.5.3 allows remote attackers to spoof certificate fingerprints and consequently log in as another user via a crafted AUTHENTICATE parameter. | 2016-09-21 | 6.8 | CVE-2016-7143 DEBIAN MLIST MLIST CONFIRM CONFIRM |
| cisco — ios | The Zone-Based Firewall (ZBFW) functionality in Cisco IOS, possibly 15.4 and earlier, and IOS XE, possibly 3.13 and earlier, mishandles zone checking for existing sessions, which allows remote attackers to bypass intended resource-access restrictions via spoofed traffic that matches one of these sessions, aka Bug IDs CSCun94946 and CSCun96847. | 2016-09-22 | 4.3 | CVE-2014-2146 MISC MISC CISCO |
| cisco — ios_xr | Cisco IOS XR 6.0 and 6.0.1 on NCS 6000 devices allows remote attackers to cause a denial of service (OSPFv3 process reload) via crafted OSPFv3 packets, aka Bug ID CSCuz66289. | 2016-09-18 | 5.0 | CVE-2016-1433 CISCO |
| cisco — carrier_routing_system | Cisco Carrier Routing System (CRS) 5.1 and 5.1.4, as used in CRS Carrier Grade Services for CRS-1 and CRS-3 devices, allows remote attackers to cause a denial of service (line-card reload) via crafted IPv6-over-MPLS packets, aka Bug ID CSCva32494. | 2016-09-16 | 5.7 | CVE-2016-6401 CISCO |
| cisco — ios | The Data in Motion (DMo) application in Cisco IOS 15.6(1)T and IOS XE, when the IOx feature set is enabled, allows remote attackers to cause a denial of service via a crafted packet, aka Bug IDs CSCuy82904, CSCuy82909, and CSCuy82912. | 2016-09-18 | 4.3 | CVE-2016-6403 CISCO |
| cisco — ios | Cross-site scripting (XSS) vulnerability in the web framework in Cisco IOx Local Manager in IOS 15.5(2)T and IOS XE allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCuy19854. | 2016-09-18 | 4.3 | CVE-2016-6404 CISCO |
| cisco — fog_director | Cisco Fog Director 1.0(0) for IOx allows remote authenticated users to bypass intended access restrictions and write to arbitrary files via the Cartridge interface, aka Bug ID CSCuz89368. | 2016-09-18 | 6.8 | CVE-2016-6405 CISCO |
| cisco — web_security_appliance | Cisco AsyncOS through 9.5.0-444 on Web Security Appliance (WSA) devices allows remote attackers to cause a denial of service (link saturation) by making many HTTP requests for overlapping byte ranges simultaneously, aka Bug ID CSCuz27219. | 2016-09-16 | 5.0 | CVE-2016-6407 CISCO |
| cisco — ios | The server IKEv1 implementation in Cisco IOS 12.2 through 12.4 and 15.0 through 15.6, IOS XE through 3.18S, IOS XR 4.3.x and 5.0.x through 5.2.x, and PIX before 7.0 allows remote attackers to obtain sensitive information from device memory via a Security Association (SA) negotiation request, aka Bug IDs CSCvb29204 and CSCvb36055 or BENIGNCERTAIN. | 2016-09-18 | 5.0 | CVE-2016-6415 CISCO |
| cloud_foundry — php_buildpack | Cloud Foundry PHP Buildpack (aka php-buildpack) before 4.3.18 and PHP Buildpack Cf-release before 242, as used in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.38 and 1.7.x before 1.7.19 and other products, place the .profile file in the htdocs directory, which might allow remote attackers to obtain sensitive information via an HTTP GET request for this file. | 2016-09-17 | 5.0 | CVE-2016-6639 CONFIRM CONFIRM |
| emc — avamar_server | Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 rely on client-side authentication, which allows remote attackers to spoof clients and read backup data via a modified client agent. | 2016-09-20 | 6.4 | CVE-2016-0903 BUGTRAQ |
| emc — avamar_server | Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 use the same encryption key across different customers’ installations, which allows remote attackers to defeat cryptographic protection mechanisms and obtain sensitive client-server traffic information by leveraging knowledge of this key from another installation. | 2016-09-20 | 5.0 | CVE-2016-0904 BUGTRAQ |
| emc — avamar_server | Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) in EMC Avamar Server before 7.3.0-233 use weak permissions for unspecified directories, which allows local users to obtain root access by replacing a script with a Trojan horse program. | 2016-09-20 | 6.9 | CVE-2016-0921 BUGTRAQ |
| emc — vipr_srm | EMC ViPR SRM before 3.7.2 does not restrict the number of password-authentication attempts, which makes it easier for remote attackers to obtain access via a brute-force guessing attack. | 2016-09-17 | 5.0 | CVE-2016-0922 BUGTRAQ |
| emc — vipr_srm | Cross-site request forgery (CSRF) vulnerability in EMC ViPR SRM before 3.7.2 allows remote attackers to hijack the authentication of administrators for requests that upload files. | 2016-09-17 | 5.8 | CVE-2016-6642 BUGTRAQ |
| emc — vipr_srm | Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 3.7.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2016-09-17 | 4.3 | CVE-2016-6643 BUGTRAQ |
| emc — documentum_d2 | EMC Documentum D2 4.5 before patch 15 and 4.6 before patch 03 allows remote attackers to read arbitrary Docbase documents by leveraging knowledge of an r_object_id value. | 2016-09-17 | 5.0 | CVE-2016-6644 BUGTRAQ |
| fortinet — fortiwan | The diagnosis_control.php page in Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote authenticated users to download PCAP files via vectors related to the UserName GET parameter. | 2016-09-21 | 4.0 | CVE-2016-4966 CONFIRM CONFIRM BID CERT-VN |
| fortinet — fortiwan | Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote authenticated users to obtain sensitive information from (1) a backup of the device configuration via script/cfg_show.php or (2) PCAP files via script/system/tcpdump.php. | 2016-09-21 | 4.0 | CVE-2016-4967 CONFIRM CONFIRM BID CERT-VN |
| fortinet — fortiwan | The linkreport/tmp/admin_global page in Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote authenticated users to discover administrator cookies via a GET request. | 2016-09-21 | 4.0 | CVE-2016-4968 CONFIRM CONFIRM BID CERT-VN |
| fortinet — fortiwan | Cross-site scripting (XSS) vulnerability in Fortinet FortiWan (formerly AscernLink) before 4.2.5 allows remote attackers to inject arbitrary web script or HTML via the IP parameter to script/statistics/getconn.php. | 2016-09-21 | 4.3 | CVE-2016-4969 CONFIRM CONFIRM BID CERT-VN |
| hp — performance_center | HPE Performance Center 11.52, 12.00, 12.01, 12.20, and 12.50 allows remote attackers to bypass intended access restrictions via unspecified vectors, related to a “remote user validation failure” issue. | 2016-09-20 | 6.0 | CVE-2016-4382 CONFIRM |
| huawei — ws331a_router_firmware | The management interface of Huawei WS331a routers with software before WS331a-10 V100R001C01B112 allows remote attackers to bypass authentication and obtain administrative access by sending “special packages” to the LAN interface. | 2016-09-21 | 6.8 | CVE-2016-6159 CONFIRM |
| huawei — ac6003_firmware | Huawei AC6003, AC6005, AC6605, and ACU2 access controllers with software before V200R006C10SPC200 allows remote authenticated users to cause a denial of service (device restart) via crafted CAPWAP packets. | 2016-09-22 | 6.8 | CVE-2016-6824 CONFIRM BID |
| libarchive — libarchive | bsdcpio in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read and crash) via crafted cpio file. | 2016-09-20 | 4.3 | CVE-2015-8915 MLIST MLIST MISC MISC |
| libarchive — libarchive | bsdtar in libarchive before 3.2.0 returns a success code without filling the entry when the header is a “split file in multivolume RAR,” which allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted rar file. | 2016-09-20 | 4.3 | CVE-2015-8916 MLIST MLIST UBUNTU MISC CONFIRM CONFIRM |
| libarchive — libarchive | bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via an invalid character in the name of a cab file. | 2016-09-20 | 5.0 | CVE-2015-8917 MLIST MLIST UBUNTU MISC CONFIRM CONFIRM |
| libarchive — libarchive | The archive_string_append function in archive_string.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted cab files, related to “overlapping memcpy.” | 2016-09-20 | 5.0 | CVE-2015-8918 SUSE MLIST MLIST MISC CONFIRM |
| libarchive — libarchive | The lha_read_file_extended_header function in archive_read_support_format_lha.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap) via a crafted (1) lzh or (2) lha file. | 2016-09-20 | 5.0 | CVE-2015-8919 SUSE MLIST MLIST UBUNTU MISC CONFIRM |
| libarchive — libarchive | The _ar_read_header function in archive_read_support_format_ar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds stack read) via a crafted ar file. | 2016-09-20 | 4.3 | CVE-2015-8920 SUSE MLIST MLIST UBUNTU MISC CONFIRM |
| libarchive — libarchive | The ae_strtofflags function in archive_entry.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file. | 2016-09-20 | 5.0 | CVE-2015-8921 SUSE MLIST MLIST UBUNTU MISC CONFIRM |
| libarchive — libarchive | The read_CodersInfo cuntion in archive_read_support_format_7zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (NULL pointer derference and crash) via a crafted 7z file, related to the _7z_folder struct. | 2016-09-20 | 4.3 | CVE-2015-8922 SUSE MLIST MLIST UBUNTU MISC CONFIRM CONFIRM |
| libarchive — libarchive | The process_extra function in libarchive before 3.2.0 uses the size field and a signed number in an offset, which allows remote attackers to cause a denial of service (crash) via a crafted zip file. | 2016-09-20 | 4.3 | CVE-2015-8923 SUSE MLIST MLIST UBUNTU MISC CONFIRM |
| libarchive — libarchive | The archive_read_format_tar_read_header function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted tar file. | 2016-09-20 | 4.3 | CVE-2015-8924 SUSE MLIST MLIST UBUNTU MISC CONFIRM |
| libarchive — libarchive | The readline function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (invalid read) via a crafted mtree file, related to newline parsing. | 2016-09-20 | 4.3 | CVE-2015-8925 SUSE MLIST MLIST UBUNTU MISC CONFIRM |
| libarchive — libarchive | The archive_read_format_rar_read_data function in archive_read_support_format_rar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted rar archive. | 2016-09-20 | 4.3 | CVE-2015-8926 SUSE MLIST MLIST UBUNTU MISC CONFIRM |
| libarchive — libarchive | The trad_enc_decrypt_update function in archive_read_support_format_zip.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds heap read and crash) via a crafted zip file, related to reading the password. | 2016-09-20 | 4.3 | CVE-2015-8927 MLIST MLIST MISC MISC |
| libarchive — libarchive | The process_add_entry function in archive_read_support_format_mtree.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mtree file. | 2016-09-20 | 4.3 | CVE-2015-8928 SUSE MLIST MLIST UBUNTU CONFIRM |
| libarchive — libarchive | Memory leak in the __archive_read_get_extract function in archive_read_extract2.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service via a tar file. | 2016-09-20 | 4.3 | CVE-2015-8929 SUSE MLIST MLIST MISC CONFIRM |
| libarchive — libarchive | bsdtar in libarchive before 3.2.0 allows remote attackers to cause a denial of service (infinite loop) via an ISO with a directory that is a member of itself. | 2016-09-20 | 5.0 | CVE-2015-8930 SUSE MLIST MLIST UBUNTU MISC CONFIRM |
| libarchive — libarchive | Multiple integer overflows in the (1) get_time_t_max and (2) get_time_t_min functions in archive_read_support_format_mtree.c in libarchive before 3.2.0 allow remote attackers to have unspecified impact via a crafted mtree file, which triggers undefined behavior. | 2016-09-20 | 6.8 | CVE-2015-8931 SUSE MLIST MLIST UBUNTU MISC CONFIRM MISC |
| libarchive — libarchive | The compress_bidder_init function in archive_read_support_filter_compress.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file, which triggers an invalid left shift. | 2016-09-20 | 4.3 | CVE-2015-8932 SUSE MLIST MLIST UBUNTU MISC CONFIRM CONFIRM |
| libarchive — libarchive | Integer overflow in the archive_read_format_tar_skip function in archive_read_support_format_tar.c in libarchive before 3.2.0 allows remote attackers to cause a denial of service (crash) via a crafted tar file. | 2016-09-20 | 4.3 | CVE-2015-8933 SUSE MLIST MLIST UBUNTU MISC CONFIRM |
| libarchive — libarchive | The copy_from_lzss_window function in archive_read_support_format_rar.c in libarchive 3.2.0 and earlier allows remote attackers to cause a denial of service (out-of-bounds heap read) via a crafted rar file. | 2016-09-20 | 4.3 | CVE-2015-8934 SUSE MLIST MLIST CONFIRM UBUNTU MISC CONFIRM |
| libarchive — libarchive | Integer overflow in the read_SubStreamsInfo function in archive_read_support_format_7zip.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a 7zip file with a large number of substreams, which triggers a heap-based buffer overflow. | 2016-09-21 | 6.8 | CVE-2016-4300 MISC REDHAT BID MISC CONFIRM CONFIRM CONFIRM |
| libarchive — libarchive | Stack-based buffer overflow in the parse_device function in archive_read_support_format_mtree.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a crafted mtree file. | 2016-09-21 | 6.8 | CVE-2016-4301 MISC MISC CONFIRM CONFIRM CONFIRM |
| libarchive — libarchive | Heap-based buffer overflow in the parse_codes function in archive_read_support_format_rar.c in libarchive before 3.2.1 allows remote attackers to execute arbitrary code via a RAR file with a zero-sized dictionary. | 2016-09-21 | 6.8 | CVE-2016-4302 MISC CONFIRM REDHAT BID MISC CONFIRM CONFIRM |
| libarchive — libarchive | The archive_read_format_cpio_read_header function in archive_read_support_format_cpio.c in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a CPIO archive with a large symlink. | 2016-09-21 | 5.0 | CVE-2016-4809 REDHAT REDHAT BID CONFIRM CONFIRM CONFIRM |
| libarchive — libarchive | The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file. | 2016-09-21 | 5.0 | CVE-2016-5418 REDHAT REDHAT MLIST REDHAT REDHAT CONFIRM MISC CONFIRM CONFIRM |
| libarchive — libarchive | Integer overflow in the ISO parser in libarchive before 3.2.1 allows remote attackers to cause a denial of service (application crash) via a crafted ISO file. | 2016-09-21 | 4.3 | CVE-2016-5844 REDHAT REDHAT MLIST MLIST SECTRACK MISC CONFIRM CONFIRM CONFIRM |
| libarchive — libarchive | libarchive before 3.2.0 does not limit the number of recursive decompressions, which allows remote attackers to cause a denial of service (memory consumption and application crash) via a crafted gzip file. | 2016-09-21 | 4.3 | CVE-2016-7166 REDHAT REDHAT MLIST MLIST BID CONFIRM CONFIRM CONFIRM CONFIRM |
| libtiff_project — libtiff | The _TIFFVGetField function in tif_dirinfo.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image. | 2016-09-21 | 6.8 | CVE-2016-3632 CONFIRM MLIST CONFIRM BID CONFIRM |
| libtiff_project — libtiff | Multiple integer overflows in the (1) cvt_by_strip and (2) cvt_by_tile functions in the tiff2rgba tool in LibTIFF 4.0.6 and earlier, when -b mode is enabled, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image, which triggers an out-of-bounds write. | 2016-09-21 | 6.8 | CVE-2016-3945 CONFIRM MLIST CONFIRM BID CONFIRM |
| libtiff_project — libtiff | Heap-based buffer overflow in the horizontalDifference8 function in tif_pixarlog.c in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted TIFF image to tiffcp. | 2016-09-21 | 6.8 | CVE-2016-3990 CONFIRM MLIST CONFIRM BID CONFIRM |
| libtiff_project — libtiff | Heap-based buffer overflow in the loadImage function in the tiffcrop tool in LibTIFF 4.0.6 and earlier allows remote attackers to cause a denial of service (out-of-bounds write) or execute arbitrary code via a crafted TIFF image with zero tiles. | 2016-09-21 | 6.8 | CVE-2016-3991 CONFIRM MLIST CONFIRM BID CONFIRM |
| mozilla — firefox | The mozilla::net::IsValidReferrerPolicy function in Mozilla Firefox before 49.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a Content Security Policy (CSP) referrer directive with zero values. | 2016-09-22 | 4.3 | CVE-2016-2827 CONFIRM CONFIRM |
| mozilla — firefox | The PropertyProvider::GetSpacingInternal function in Mozilla Firefox before 49.0 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via text runs in conjunction with a “display: contents” Cascading Style Sheets (CSS) property. | 2016-09-22 | 4.3 | CVE-2016-5271 CONFIRM CONFIRM |
| mozilla — firefox | The nsImageGeometryMixin class in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 does not properly perform a cast of an unspecified variable during handling of INPUT elements, which allows remote attackers to execute arbitrary code via a crafted web site. | 2016-09-22 | 6.8 | CVE-2016-5272 CONFIRM CONFIRM |
| mozilla — firefox | The mozilla::a11y::HyperTextAccessible::GetChildOffset function in the accessibility implementation in Mozilla Firefox before 49.0 allows remote attackers to execute arbitrary code via a crafted web site. | 2016-09-22 | 6.8 | CVE-2016-5273 CONFIRM CONFIRM |
| mozilla — firefox | Buffer overflow in the mozilla::gfx::FilterSupport::ComputeSourceNeededRegions function in Mozilla Firefox before 49.0 allows remote attackers to execute arbitrary code by leveraging improper interaction between empty filters and CANVAS element rendering. | 2016-09-22 | 6.8 | CVE-2016-5275 CONFIRM CONFIRM |
| mozilla — firefox | Heap-based buffer overflow in the nsBMPEncoder::AddImageFrame function in Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 allows remote attackers to execute arbitrary code via a crafted image data that is mishandled during the encoding of an image frame to an image. | 2016-09-22 | 6.8 | CVE-2016-5278 CONFIRM CONFIRM |
| mozilla — firefox | Mozilla Firefox before 49.0 allows user-assisted remote attackers to obtain sensitive full-pathname information during a local-file drag-and-drop operation via crafted JavaScript code. | 2016-09-22 | 4.3 | CVE-2016-5279 CONFIRM CONFIRM |
| mozilla — firefox | Mozilla Firefox before 49.0 does not properly restrict the scheme in favicon requests, which might allow remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by a jar: URL for a favicon resource. | 2016-09-22 | 4.3 | CVE-2016-5282 CONFIRM CONFIRM |
| mozilla — firefox | Mozilla Firefox before 49.0 allows remote attackers to bypass the Same Origin Policy via a crafted fragment identifier in the SRC attribute of an IFRAME element, leading to insufficient restrictions on link-color information after a document is resized. | 2016-09-22 | 6.8 | CVE-2016-5283 CONFIRM CONFIRM |
| mozilla — firefox | Mozilla Firefox before 49.0 and Firefox ESR 45.x before 45.4 rely on unintended expiration dates for Preloaded Public Key Pinning, which allows man-in-the-middle attackers to spoof add-on updates by leveraging possession of an X.509 server certificate for addons.mozilla.org signed by an arbitrary built-in Certification Authority. | 2016-09-22 | 4.3 | CVE-2016-5284 MLIST CONFIRM CONFIRM CONFIRM MISC |
| openjpeg — openjpeg | Integer overflow in the opj_pi_create_decode function in pi.c in OpenJPEG allows remote attackers to execute arbitrary code via a crafted JP2 file, which triggers an out-of-bounds read or write. | 2016-09-21 | 6.8 | CVE-2016-7163 DEBIAN MLIST MLIST BID CONFIRM CONFIRM CONFIRM CONFIRM FEDORA FEDORA FEDORA FEDORA FEDORA FEDORA |
| php — php | ext/mysqlnd/mysqlnd_wireprotocol.c in PHP before 5.6.26 and 7.x before 7.0.11 does not verify that a BIT field has the UNSIGNED_FLAG flag, which allows remote MySQL servers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted field metadata. | 2016-09-17 | 6.8 | CVE-2016-7412 MLIST CONFIRM CONFIRM CONFIRM CONFIRM |
| php — php | ext/intl/msgformat/msgformat_format.c in PHP before 5.6.26 and 7.x before 7.0.11 does not properly restrict the locale length provided to the Locale class in the ICU library, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a MessageFormatter::formatMessage call with a long first argument. | 2016-09-17 | 5.0 | CVE-2016-7416 MLIST CONFIRM CONFIRM CONFIRM CONFIRM |
| php — php | The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.26 and 7.x before 7.0.11 allows remote attackers to cause a denial of service (invalid pointer access and out-of-bounds read) or possibly have unspecified other impact via an incorrect boolean element in a wddxPacket XML document, leading to mishandling in a wddx_deserialize call. | 2016-09-17 | 5.0 | CVE-2016-7418 MLIST CONFIRM CONFIRM CONFIRM CONFIRM |
| pivotal — operations_manager | Pivotal Cloud Foundry (PCF) Ops Manager before 1.5.14 and 1.6.x before 1.6.9 uses the same cookie-encryption key across different customers’ installations, which allows remote attackers to bypass session authentication by leveraging knowledge of this key from another installation. | 2016-09-17 | 5.0 | CVE-2016-0883 CONFIRM |
| pivotal — cloud_foundry_elastic_runtime | Cross-site scripting (XSS) vulnerability in Apps Manager in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.32 and 1.7.x before 1.7.8 allows remote attackers to inject arbitrary web script or HTML via unspecified input that improperly interacts with the AngularJS framework. | 2016-09-17 | 4.3 | CVE-2016-0926 CONFIRM |
| pivotal — cloud_foundry_elastic_runtime | Cross-site scripting (XSS) vulnerability in Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.17 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2016-09-17 | 4.3 | CVE-2016-0927 CONFIRM |
| pivotal — cloud_foundry_elastic_runtime | Multiple open redirect vulnerabilities in Pivotal Cloud Foundry (PCF) Elastic Runtime before 1.6.30 and 1.7.x before 1.7.8 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 2016-09-17 | 5.8 | CVE-2016-0928 CONFIRM |
| pivotal — operations_manager | Pivotal Cloud Foundry (PCF) Ops Manager before 1.6.19 and 1.7.x before 1.7.10, when vCloud or vSphere is used, has a default password for compilation VMs, which allows remote attackers to obtain SSH access by connecting within an installation-time period during which these VMs exist. | 2016-09-17 | 5.0 | CVE-2016-0930 CONFIRM |
| powerdns — authoritative | PowerDNS (aka pdns) Authoritative Server before 3.4.10 allows remote attackers to cause a denial of service (backend CPU consumption) via a long qname. | 2016-09-21 | 5.0 | CVE-2016-5426 MLIST CONFIRM CONFIRM |
| powerdns — authoritative | PowerDNS (aka pdns) Authoritative Server before 3.4.10 does not properly handle a . (dot) inside labels, which allows remote attackers to cause a denial of service (backend CPU consumption) via a crafted DNS query. | 2016-09-21 | 5.0 | CVE-2016-5427 MLIST CONFIRM CONFIRM |
| trane — tracer_sc | The web server in Trane Tracer SC 4.2.1134 and earlier allows remote attackers to read sensitive configuration files via a direct request. | 2016-09-18 | 5.0 | CVE-2016-0870 MISC |
| trane — tracer_sc | ABB DataManagerPro 1.x before 1.7.1 allows local users to gain privileges by replacing a DLL file in the package directory. | 2016-09-18 | 6.9 | CVE-2016-4526 MISC CONFIRM |
| xen — xen | The get_page_from_l3e function in arch/x86/mm.c in Xen allows local 32-bit PV guest OS administrators to gain host OS privileges via vectors related to L3 recursive pagetables. | 2016-09-21 | 6.8 | CVE-2016-7092 CONFIRM CONFIRM BID SECTRACK CONFIRM CONFIRM |
Low Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| apple — iphone_os | Apple iOS before 10, when Handoff for Messages is used, does not ensure that a Messages signin has occurred before displaying messages, which might allow attackers to obtain sensitive information via unspecified vectors. | 2016-09-18 | 1.9 | CVE-2016-4740 APPLE CONFIRM |
| apple — iphone_os | Printing UIKit in Apple iOS before 10 mishandles environment variables, which allows local users to discover cleartext AirPrint preview content by reading a temporary file. | 2016-09-18 | 2.1 | CVE-2016-4749 APPLE CONFIRM |
| emc — rsa_bsafe | The client in EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.9 and 4.1.x before 4.1.5 places the weakest algorithms first in a signature-algorithm list transmitted to a server, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging server behavior in which the first algorithm is used. | 2016-09-17 | 2.6 | CVE-2016-0923 BUGTRAQ |
| emc — rsa_bsafe | The TLS 1.2 implementation in EMC RSA BSAFE Micro Edition Suite (MES) 4.0.x before 4.0.9 and 4.1.x before 4.1.5 supports MD5 signatures, which makes it easier for man-in-the-middle attackers to impersonate clients via a transcript-collision attack. | 2016-09-17 | 2.6 | CVE-2016-0924 BUGTRAQ MISC |
| emc — rsa_adaptive_authentication_on-premise | Cross-site scripting (XSS) vulnerability in the Case Management application in EMC RSA Adaptive Authentication (On-Premise) before 6.0.2.1.SP3.P4 HF210, 7.0.x and 7.1.x before 7.1.0.0.SP0.P6 HF50, and 7.2.x before 7.2.0.0.SP0.P0 HF20 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2016-09-20 | 3.5 | CVE-2016-0925 BUGTRAQ |
| emc — vipr_srm | Cross-site scripting (XSS) vulnerability in EMC ViPR SRM before 3.7.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2016-09-17 | 3.5 | CVE-2016-6641 BUGTRAQ |
| nextcloud — nextcloud | Cross-site scripting (XSS) vulnerability in share.js in the gallery application in ownCloud Server before 9.0.4 and Nextcloud Server before 9.0.52 allows remote authenticated users to inject arbitrary web script or HTML via a crafted directory name. | 2016-09-17 | 3.5 | CVE-2016-7419 CONFIRM MISC CONFIRM CONFIRM |
| redhat — quickstart_cloud_installer | The kickstart file in Red Hat QuickStart Cloud Installer (QCI) forces use of MD5 passwords on deployed systems, which makes it easier for attackers to determine cleartext passwords via a brute-force attack. | 2016-09-22 | 2.1 | CVE-2016-6340 BID CONFIRM |
| xen — xen | Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS administrators on guests running with shadow paging to cause a denial of service via a pagetable update. | 2016-09-21 | 1.5 | CVE-2016-7094 CONFIRM CONFIRM BID SECTRACK CONFIRM CONFIRM |
Severity Not Yet Assigned
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
|
cisco — application_hosting _framework |
The Cisco Application-hosting Framework (CAF) component in Cisco IOS 15.6(1)T1 and IOS XE, when the IOx feature set is enabled, allows man-in-the-middle attackers to trigger arbitrary downloads via crafted HTTP headers, aka Bug ID CSCuz84773. | 2016-09-23 | Not Yet Calculated | CVE-2016-6412 CISCO |
| cisco — application_hosting _framework | The Cisco Application-hosting Framework (CAF) component in Cisco IOS 15.6(1)T1 and IOS XE, when the IOx feature set is enabled, allows remote authenticated users to read arbitrary files via unspecified vectors, aka Bug ID CSCuy19856. | 2016-09-23 | Not Yet Calculated | CVE-2016-6410 CISCO |
| cisco — application_policy_infrastructure_controller | The installation procedure on Cisco Application Policy Infrastructure Controller (APIC) devices 1.3(2f) mishandles binary files, which allows local users to obtain root access via unspecified vectors, aka Bug ID CSCva50496. | 2016-09-23 | Not Yet Calculated | CVE-2016-6413 CISCO |
| cisco — data_in_motion | The Data in Motion (DMo) component in Cisco IOS 15.6(1)T and IOS XE, when the IOx feature set is enabled, allows remote attackers to cause a denial of service (out-of-bounds access) via crafted traffic, aka Bug ID CSCuy54015. | 2016-09-23 | Not Yet Calculated | CVE-2016-6409 CISCO |
| cisco — firepower_management_center _and_firesight_system | Cisco Firepower Management Center and FireSIGHT System Software 6.0.1 mishandle comparisons between URLs and X.509 certificates, which allows remote attackers to bypass intended do-not-decrypt settings via a crafted URL, aka Bug ID CSCva50585. | 2016-09-23 | Not Yet Calculated | CVE-2016-6411 CISCO |
| cisco — prime_home | Cisco Prime Home 5.2.0 allows remote attackers to read arbitrary files via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, aka Bug ID CSCvb17814. | 2016-09-23 | Not Yet Calculated | CVE-2016-6408 CISCO |
| dexis — imaging_suite_10 | DEXIS Imaging Suite 10 has a hardcoded password for the sa account, which allows remote attackers to obtain administrative access by entering this password in a DEXIS_DATA SQL Server session. | 2016-09-24 | Not Yet Calculated | CVE-2016-6532 CERT-VN |
| emc — rsa_identity_management_and_governance | EMC RSA Identity Management and Governance before 6.8.1 P25 and 6.9.x before 6.9.1 P15 and RSA Via Lifecycle and Governance before 7.0.0 P04 allow remote authenticated users to obtain User Detail Popup information via a modified URL. | 2016-09-24 | Not Yet Calculated | CVE-2016-0918 BUGTRAQ |
| i_o_data_device — i_o_data_devices | Cross-site request forgery (CSRF) vulnerability on I-O DATA DEVICE HVL-A2.0, HVL-A3.0, HVL-A4.0, HVL-AT1.0S, HVL-AT2.0, HVL-AT3.0, HVL-AT4.0, HVL-AT2.0A, HVL-AT3.0A, and HVL-AT4.0A devices with firmware before 2.04 allows remote attackers to hijack the authentication of arbitrary users for requests that delete content. | 2016-09-24 | Not Yet Calculated | CVE-2016-4845 JVN JVNDB CONFIRM |
| moxa — active_opc_server | Unquoted Windows search path vulnerability in Moxa Active OPC Server before 2.4.19 allows local users to gain privileges via a Trojan horse executable file in the %SYSTEMDRIVE% directory. | 2016-09-24 | Not Yet Calculated | CVE-2016-5793 MISC |
| open_dental — open_dental | ** DISPUTED ** Open Dental 16.1 and earlier has a hardcoded MySQL root password, which allows remote attackers to obtain administrative access by leveraging access to intranet TCP port 3306. NOTE: the vendor disputes this issue, stating that the “vulnerability note … is factually false … there is indeed a default blank password, but it can be changed … We recommend that users change it, each customer receives direction.” | 2016-09-24 | Not Yet Calculated | CVE-2016-6531 CERT-VN MISC |
This product is provided subject to this Notification and this Privacy & Use policy.