Category Archives: US-CERT

US-CERT Alerts – Alerts warn about vulnerabilities, incidents, and other security issues that pose a significant risk.

Cisco Releases Security Updates

Original release date: August 03, 2016

Cisco has released security updates to address vulnerabilities in several products. Exploitation of some of these vulnerabilities could allow an unauthenticated remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review the following Cisco Security Advisories and apply the necessary updates:


This product is provided subject to this Notification and this Privacy & Use policy.

Mozilla Releases Security Updates

Original release date: August 03, 2016

Mozilla has released security updates to address multiple vulnerabilities in Firefox and Firefox ESR. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

Available updates include:

  • Firefox 48
  • Firefox ESR 45.3

Users and administrators are encouraged to review the Mozilla Security Advisories for Firefox and Firefox ESR and apply the necessary updates.


Cybersecurity Tips for the Rio Olympics

Original release date: August 02, 2016

As the 2016 Olympic Games begin in Rio de Janeiro, US-CERT reminds travelers to be aware of cybersecurity risks. At high-profile events, hacktivists may take advantage of the large audience to spread their message. Cyber criminals may attempt to steal personally identifiable information or harvest users’ credentials for financial gain. There’s also the possibility that mobile or other communications will be monitored.

US-CERT encourages users to protect themselves against these risks, especially risks associated with portable devices such as smart phones and tablets. Following the security practices suggested in the documents listed below will help travelers stay more secure in Rio and other travel destinations:


ACSC Releases Risk Mitigation Strategies Against Malicious Email

Original release date: August 01, 2016

The Australian Cyber Security Centre (ACSC) has published guidance to organizations on risks posed by malicious email. Systems infected through targeted email phishing campaigns act as an entry point for attackers to spread throughout an organization’s entire enterprise, steal sensitive business or personal information, or disrupt business operations.

US-CERT encourages users and administrators to review the ACSC publication on Malicious Email Mitigation Strategies and US-CERT Alert TA15-213A for additional information.


SB16-214: Vulnerability Summary for the Week of July 25, 2016

Original release date: August 01, 2016

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info

ca — ehealth | CA eHealth 6.2.x allows remote authenticated users to cause a denial of service or possibly execute arbitrary commands via unspecified vectors. | 2016-07-25 | 9.0 | CVE-2016-6151 (CONFIRM)

ca — ehealth | CA eHealth 6.2.x and 6.3.x before 6.3.2.13 allows remote authenticated users to cause a denial of service or possibly execute arbitrary commands via unspecified vectors. | 2016-07-25 | 9.0 | CVE-2016-6152 (CONFIRM)

cisco — unified_computing_system_performance_manager | The web framework in Cisco Unified Computing System (UCS) Performance Manager 2.0.0 and earlier allows remote authenticated users to execute arbitrary commands via crafted parameters in a GET request, aka Bug ID CSCuy07827. | 2016-07-27 | 9.0 | CVE-2016-1374 (CISCO)

google — chrome | The PPAPI implementation in Google Chrome before 52.0.2743.82 does not validate the origin of IPC messages to the plugin broker process that should have come from the browser process, which allows remote attackers to bypass a sandbox protection mechanism via an unexpected message type, related to broker_process_dispatcher.cc, ppapi_plugin_process_host.cc, ppapi_thread.cc, and render_frame_message_filter.cc. | 2016-07-23 | 9.3 | CVE-2016-1706 (CONFIRM ×3)

icu_project — international_components_for_unicode | The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument. | 2016-07-25 | 7.5 | CVE-2016-6293 (MISC, MLIST, MISC)

php — php | The php_url_parse_ex function in ext/standard/url.c in PHP before 5.5.38 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via vectors involving the smart_str data type. | 2016-07-25 | 7.5 | CVE-2016-6288 (CONFIRM, MLIST, CONFIRM, CONFIRM)

php — php | ext/session/session.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly maintain a certain hash data structure, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via vectors related to session deserialization. | 2016-07-25 | 7.5 | CVE-2016-6290 (CONFIRM, MLIST, CONFIRM, CONFIRM, CONFIRM)

php — php | The exif_process_IFD_in_MAKERNOTE function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (out-of-bounds array access and memory corruption), obtain sensitive information from process memory, or possibly have unspecified other impact via a crafted JPEG image. | 2016-07-25 | 7.5 | CVE-2016-6291 (CONFIRM, MLIST, CONFIRM, CONFIRM, CONFIRM)

php — php | The locale_accept_from_http function in ext/intl/locale/locale_methods.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 does not properly restrict calls to the ICU uloc_acceptLanguageFromHTTP function, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long argument. | 2016-07-25 | 7.5 | CVE-2016-6294 (CONFIRM, MLIST, CONFIRM, CONFIRM, CONFIRM)

php — php | ext/snmp/snmp.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to cause a denial of service (use-after-free and application crash) or possibly have unspecified other impact via crafted serialized data, a related issue to CVE-2016-5773. | 2016-07-25 | 7.5 | CVE-2016-6295 (CONFIRM, MLIST, CONFIRM, CONFIRM, CONFIRM)

php — php | Integer signedness error in the simplestring_addn function in simplestring.c in xmlrpc-epi through 0.54.2, as used in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9, allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a long first argument to the PHP xmlrpc_encode_request function. | 2016-07-25 | 7.5 | CVE-2016-6296 (CONFIRM, MLIST, CONFIRM, CONFIRM, CONFIRM)

rockwellautomation — factorytalk_energrymetrix | SQL injection vulnerability in Rockwell Automation FactoryTalk EnergyMetrix before 2.20.00 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2016-07-27 | 7.5 | CVE-2016-4522 (MISC)

rockwellautomation — factorytalk_energrymetrix | Rockwell Automation FactoryTalk EnergyMetrix before 2.20.00 does not invalidate credentials upon a logout action, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. | 2016-07-27 | 7.5 | CVE-2016-4531 (MISC)

siemens — simatic_batch | Siemens SIMATIC WinCC before 7.3 Update 10 and 7.4 before Update 1, SIMATIC BATCH before 8.1 SP1 Update 9 as distributed in SIMATIC PCS 7 through 8.1 SP1, SIMATIC OpenPCS 7 before 8.1 Update 3 as distributed in SIMATIC PCS 7 through 8.1 SP1, SIMATIC OpenPCS 7 before 8.2 Update 1 as distributed in SIMATIC PCS 7 8.2, and SIMATIC WinCC Runtime Professional before 13 SP1 Update 9 allow remote attackers to execute arbitrary code via crafted packets. | 2016-07-22 | 10.0 | CVE-2016-5743 (CONFIRM)

Medium Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info

apache — archiva | Multiple cross-site request forgery (CSRF) vulnerabilities in Apache Archiva 1.3.9 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) add new repository proxy connectors via the token parameter to admin/addProxyConnector_commit.action, (2) new repositories via the token parameter to admin/addRepository_commit.action, (3) edit existing repositories via the token parameter to admin/editRepository_commit.action, (4) add legacy artifact paths via the token parameter to admin/addLegacyArtifactPath_commit.action, (5) change the organizational appearance via the token parameter to admin/saveAppearance.action, or (6) upload new artifacts via the token parameter to upload_submit.action. | 2016-07-28 | 6.8 | CVE-2016-4469 (MISC, BUGTRAQ)

cisco — wireless_lan_controller_software | Cisco Wireless LAN Controller (WLC) devices 7.4(121.0) and 8.0(0.30220.385) allow remote attackers to cause a denial of service via crafted wireless management frames, aka Bug ID CSCun92979. | 2016-07-27 | 6.1 | CVE-2016-1460 (CISCO)

cisco — prime_service_catalog | Cross-site scripting (XSS) vulnerability in the web-based management interface in Cisco Prime Service Catalog (PSC) 11.0 allows remote attackers to inject arbitrary web script or HTML via a crafted value, aka Bug ID CSCuz63795. | 2016-07-27 | 4.3 | CVE-2016-1462 (CISCO)

cisco — firesight_system_software | Cisco FireSIGHT System Software 5.3.0, 5.3.1, 5.4.0, 6.0, and 6.0.1 allows remote attackers to bypass Snort rules via crafted parameters in the header of an HTTP packet, aka Bug ID CSCuz20737. | 2016-07-27 | 5.0 | CVE-2016-1463 (CISCO)

cisco — nx-os | Cisco Nexus 1000v Application Virtual Switch (AVS) devices before 5.2(1)SV3(1.5i) allow remote attackers to cause a denial of service (ESXi hypervisor crash and purple screen) via a crafted Cisco Discovery Protocol packet that triggers an out-of-bounds memory access, aka Bug ID CSCuw57985. | 2016-07-27 | 6.1 | CVE-2016-1465 (CISCO)

cisco — videoscape_session_resource_manager | Cisco Videoscape Session Resource Manager (VSRM) allows remote attackers to cause a denial of service (device restart) by sending a traffic flood to upstream devices, aka Bug ID CSCva01813. | 2016-07-27 | 6.1 | CVE-2016-1467 (CISCO)

google — chrome | Multiple unspecified vulnerabilities in Google Chrome before 52.0.2743.82 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | 2016-07-23 | 6.8 | CVE-2016-1705 (CONFIRM ×22)

google — chrome | ios/web/web_state/ui/crw_web_controller.mm in Google Chrome before 52.0.2743.82 on iOS does not ensure that an invalid URL is replaced with the about:blank URL, which allows remote attackers to spoof the URL display via a crafted web site. | 2016-07-23 | 4.3 | CVE-2016-1707 (CONFIRM ×3)

google — chrome | The Chrome Web Store inline-installation implementation in the Extensions subsystem in Google Chrome before 52.0.2743.82 does not properly consider object lifetimes during progress observation, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted web site. | 2016-07-23 | 6.8 | CVE-2016-1708 (CONFIRM ×3)

google — chrome | Heap-based buffer overflow in the ByteArray::Get method in data/byte_array.cc in Google sfntly before 2016-06-10, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted SFNT font. | 2016-07-23 | 6.8 | CVE-2016-1709 (CONFIRM ×5)

google — chrome | The ChromeClientImpl::createWindow method in WebKit/Source/web/ChromeClientImpl.cpp in Blink, as used in Google Chrome before 52.0.2743.82, does not prevent window creation by a deferred frame, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. | 2016-07-23 | 6.8 | CVE-2016-1710 (CONFIRM ×3)

google — chrome | WebKit/Source/core/loader/FrameLoader.cpp in Blink, as used in Google Chrome before 52.0.2743.82, does not disable frame navigation during a detach operation on a DocumentLoader object, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. | 2016-07-23 | 6.8 | CVE-2016-1711 (CONFIRM ×3)

google — chrome | Use-after-free vulnerability in WebKit/Source/core/editing/VisibleUnits.cpp in Blink, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code involving an @import at-rule in a Cascading Style Sheets (CSS) token sequence in conjunction with a rel=import attribute of a LINK element. | 2016-07-23 | 6.8 | CVE-2016-5127 (CONFIRM ×4)

google — chrome | objects.cc in Google V8 before 5.2.361.27, as used in Google Chrome before 52.0.2743.82, does not prevent API interceptors from modifying a store target without setting a property, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. | 2016-07-23 | 6.8 | CVE-2016-5128 (CONFIRM ×7)

google — chrome | Google V8 before 5.2.361.32, as used in Google Chrome before 52.0.2743.82, does not properly process left-trimmed objects, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code. | 2016-07-23 | 6.8 | CVE-2016-5129 (CONFIRM ×5)

google — chrome | content/renderer/history_controller.cc in Google Chrome before 52.0.2743.82 does not properly restrict multiple uses of a JavaScript forward method, which allows remote attackers to spoof the URL display via a crafted web site. | 2016-07-23 | 4.3 | CVE-2016-5130 (CONFIRM ×5)

google — chrome | Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. | 2016-07-23 | 6.8 | CVE-2016-5131 (CONFIRM ×4)

google — chrome | The Service Workers subsystem in Google Chrome before 52.0.2743.82 does not properly implement the Secure Contexts specification during decisions about whether to control a subframe, which allows remote attackers to bypass the Same Origin Policy via an https IFRAME element inside an http IFRAME element. | 2016-07-23 | 6.8 | CVE-2016-5132 (CONFIRM ×7)

google — chrome | Google Chrome before 52.0.2743.82 mishandles origin information during proxy authentication, which allows man-in-the-middle attackers to spoof a proxy-authentication login prompt or trigger incorrect credential storage by modifying the client-server data stream. | 2016-07-23 | 4.3 | CVE-2016-5133 (CONFIRM ×3)

google — chrome | net/proxy/proxy_service.cc in the Proxy Auto-Config (PAC) feature in Google Chrome before 52.0.2743.82 does not ensure that URL information is restricted to a scheme, host, and port, which allows remote attackers to discover credentials by operating a server with a PAC script, a related issue to CVE-2016-3763. | 2016-07-23 | 4.3 | CVE-2016-5134 (CONFIRM ×3)

google — chrome | WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp in Blink, as used in Google Chrome before 52.0.2743.82, does not consider referrer-policy information inside an HTML document during a preload request, which allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via a crafted web site, as demonstrated by a "Content-Security-Policy: referrer origin-when-cross-origin" header that overrides a "<META name='referrer' content='no-referrer'>" element. | 2016-07-23 | 4.3 | CVE-2016-5135 (CONFIRM ×3)

google — chrome | Use-after-free vulnerability in extensions/renderer/user_script_injector.cc in the Extensions subsystem in Google Chrome before 52.0.2743.82 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to script deletion. | 2016-07-23 | 6.8 | CVE-2016-5136 (CONFIRM ×4)

google — chrome | The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before 52.0.2743.82, does not apply http :80 policies to https :443 URLs and does not apply ws :80 policies to wss :443 URLs, which makes it easier for remote attackers to determine whether a specific HSTS web site has been visited by reading a CSP report. NOTE: this vulnerability is associated with a specification change after CVE-2016-1617 resolution. | 2016-07-23 | 4.3 | CVE-2016-5137 (CONFIRM ×3)

php — php | Integer overflow in the virtual_file_ex function in TSRM/tsrm_virtual_cwd.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted extract operation on a ZIP archive. | 2016-07-25 | 6.8 | CVE-2016-6289 (CONFIRM, MLIST, CONFIRM, CONFIRM, CONFIRM)

php — php | The exif_process_user_comment function in ext/exif/exif.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted JPEG image. | 2016-07-25 | 4.3 | CVE-2016-6292 (CONFIRM, MLIST, CONFIRM, CONFIRM, CONFIRM)

php — php | Integer overflow in the php_stream_zip_opener function in ext/zip/zip_stream.c in PHP before 5.5.38, 5.6.x before 5.6.24, and 7.x before 7.0.9 allows remote attackers to cause a denial of service (stack-based buffer overflow) or possibly have unspecified other impact via a crafted zip:// URL. | 2016-07-25 | 6.8 | CVE-2016-6297 (CONFIRM, MLIST, CONFIRM, CONFIRM, CONFIRM)

project_cronic — cronic | cronic before 3 allows local users to write to arbitrary files via a symlink attack on a (1) cronic.out.$$, (2) cronic.err.$$, or (3) cronic.trace.$$ file in /tmp. | 2016-07-26 | 4.9 | CVE-2016-3992 (SUSE, MLIST, MLIST, CONFIRM)

siemens — simatic_wincc | Siemens SIMATIC WinCC 7.0 through SP3 and 7.2 allows remote attackers to read arbitrary WinCC station files via crafted packets. | 2016-07-22 | 5.0 | CVE-2016-5744 (CONFIRM)

siemens — simatic_net_pc-software | Siemens SIMATIC NET PC-Software before 13 SP2 allows remote attackers to cause a denial of service (OPC UA service outage) via crafted TCP packets. | 2016-07-22 | 5.0 | CVE-2016-5874 (CONFIRM)

siemens — sinema_remote_connect_server | Cross-site scripting (XSS) vulnerability in the integrated web server in Siemens SINEMA Remote Connect Server before 1.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | 2016-07-22 | 4.3 | CVE-2016-6204 (CONFIRM)

Low Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info

apache — archiva | Cross-site scripting (XSS) vulnerability in Apache Archiva 1.3.9 and earlier allows remote authenticated administrators to inject arbitrary web script or HTML via the connector.sourceRepoId parameter to admin/addProxyConnector_commit.action. | 2016-07-28 | 3.5 | CVE-2016-5005 (MISC, BUGTRAQ)

ecryptfs — ecryptfs-utils | ecryptfs-setup-swap in eCryptfs before 111 does not prevent the unencrypted swap partition from activating during boot when using GPT partitioning and certain versions of systemd, which allows local users to obtain sensitive information via unspecified vectors. | 2016-07-22 | 2.1 | CVE-2015-8946 (MLIST, MLIST, UBUNTU, CONFIRM, CONFIRM)

ecryptfs — ecryptfs-utils | ecryptfs-setup-swap in eCryptfs does not prevent the unencrypted swap partition from activating during boot when using GPT partitioning on a (1) NVMe or (2) MMC drive, which allows local users to obtain sensitive information via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8946. | 2016-07-22 | 2.1 | CVE-2016-6224 (MLIST, MLIST, UBUNTU, CONFIRM, CONFIRM, CONFIRM)

Severity Not Yet Assigned

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info

cavium — software_development_kit_2.x | The RSA-CRT implementation in the Cavium Software Development Kit (SDK) 2.x, when used on OCTEON II CN6xxx Hardware on Linux to support TLS with Perfect Forward Secrecy (PFS), makes it easier for remote attackers to obtain private RSA keys by conducting a Lenstra side-channel attack. | 2016-07-26 | Not yet calculated | CVE-2015-5738 (CONFIRM, MISC, CONFIRM)

DHS Announces Cyber Incident Reporting Information

Original release date: July 29, 2016

The United States Department of Homeland Security (DHS) has released guidelines and points of contact for reporting cyber incidents to the Federal Government. This communication follows the recent release of Presidential Policy Directive 41 (PPD-41)—United States Cyber Incident Coordination—which outlines how the Federal Government will handle cyber incidents.

Users and administrators are encouraged to review these documents to learn when, what, and how to report cyber incidents to the National Cybersecurity and Communications Integration Center (NCCIC) and other entities.


SB16-207: Vulnerability Summary for the Week of July 18, 2016

Original release date: July 25, 2016

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info

cisco — ios_xr | Cisco IOS XR 5.x through 5.2.5 on NCS 6000 devices allows remote attackers to cause a denial of service (timer consumption and Route Processor reload) via crafted SSH traffic, aka Bug ID CSCux76819. | 2016-07-15 | 7.8 | CVE-2016-1426 (CISCO)

cisco — ios_xr | The CLI in Cisco IOS XR 6.x through 6.0.1 allows local users to execute arbitrary OS commands in a privileged context by leveraging unspecified container access, aka Bug ID CSCuz62721. | 2016-07-15 | 7.2 | CVE-2016-1456 (CISCO)

harfbuzz_project — harfbuzz | hb-ot-layout-gpos-table.hh in HarfBuzz before 1.0.5 allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via crafted data, a different vulnerability than CVE-2016-2052. | 2016-07-19 | 7.5 | CVE-2015-8947 (CONFIRM ×2)

hp — intelligent_management_center_application_performance_manager | HPE iMC PLAT before 7.2 E0403P04, iMC EAD before 7.2 E0405P05, iMC APM before 7.2 E0401P04, iMC NTA before 7.2 E0401P01, iMC BIMS before 7.2 E0402P02, and iMC UAM_TAM before 7.2 E0405P05 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. | 2016-07-15 | 7.5 | CVE-2016-4372 (CONFIRM)

ibm — traveler | IBM Traveler 8.x and 9.x before 9.0.1.12 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | 2016-07-17 | 8.5 | CVE-2016-3039 (AIXAPAR, CONFIRM)

misys — fusioncapital_opics_plus | Misys FusionCapital Opics Plus allows remote authenticated users to gain privileges via a man-in-the-middle attack that modifies the xmlMessageOut parameter. | 2016-07-19 | 8.5 | CVE-2016-5654 (CERT-VN)

objective_systems — asn1c | Integer overflow in the rtxMemHeapAlloc function in asn1rt_a.lib in Objective Systems ASN1C for C/C++ before 7.0.2 allows context-dependent attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow), on a system running an application compiled by ASN1C, via crafted ASN.1 data. | 2016-07-19 | 10.0 | CVE-2016-5080 (CERT-VN, MISC, MISC)

oracle — retail_integration_bus | Unspecified vulnerability in the Oracle Retail Integration Bus component in Oracle Retail Applications 13.0, 13.1, 13.2, 14.0, 14.1, and 15.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Install. | 2016-07-21 | 10.0 | CVE-2016-3444 (CONFIRM)

oracle — business_intelligence | Unspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 11.1.1.7.0 and 11.1.1.9.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Analytics Web Administration. | 2016-07-21 | 7.5 | CVE-2016-3446 (CONFIRM)

oracle — agile_engineering_data_management | Unspecified vulnerability in the Oracle Agile Engineering Data Management component in Oracle Supply Chain Products Suite 6.1.3.0 and 6.2.0.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Install. | 2016-07-21 | 10.0 | CVE-2016-3468 (CONFIRM)

oracle — transportation_management | Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.4.1 allows remote authenticated users to affect confidentiality and integrity via vectors related to Install. | 2016-07-21 | 7.5 | CVE-2016-3470 (CONFIRM)

oracle — mysql | Unspecified vulnerability in Oracle MySQL 5.5.45 and earlier and 5.6.26 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Option. | 2016-07-21 | 7.1 | CVE-2016-3471 (CONFIRM)

oracle — mysql | Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier allows local users to affect confidentiality, integrity, and availability via vectors related to Server: Parser. | 2016-07-21 | 7.2 | CVE-2016-3477 (CONFIRM)

oracle — database | Unspecified vulnerability in the Portable Clusterware component in Oracle Database Server 11.2.0.4 and 12.1.0.2 allows remote attackers to affect availability via unknown vectors. | 2016-07-21 | 7.8 | CVE-2016-3479 (CONFIRM)

oracle — webcenter_sites | Unspecified vulnerability in the Oracle WebCenter Sites component in Oracle Fusion Middleware 11.1.1.8, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 2016-07-21 | 10.0 | CVE-2016-3487 (CONFIRM)

oracle — database | Unspecified vulnerability in the Data Pump Import component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows local users to affect confidentiality, integrity, and availability via unknown vectors. | 2016-07-21 | 7.2 | CVE-2016-3489 (CONFIRM)

oracle — crm_technical_foundation | Unspecified vulnerability in the Oracle CRM Technical Foundation component in Oracle E-Business Suite 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Wireless Framework. | 2016-07-21 | 8.5 | CVE-2016-3491 (CONFIRM)

oracle — hyperion_financial_reporting | Unspecified vulnerability in the Hyperion Financial Reporting component in Oracle Hyperion 11.1.2.4 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Security Models. | 2016-07-21 | 10.0 | CVE-2016-3493 (CONFIRM)

oracle — weblogic_server | Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 12.1.3.0 and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Web Container. | 2016-07-21 | 10.0 | CVE-2016-3499 (CONFIRM)

oracle — weblogic_server | Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3586. | 2016-07-21 | 10.0 | CVE-2016-3510 (CONFIRM)

oracle — customer_interaction_history | Unspecified vulnerability in the Oracle Customer Interaction History component in Oracle E-Business Suite 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Function Security. | 2016-07-21 | 7.8 | CVE-2016-3512 (CONFIRM)

oracle — enterprise_communications_broker | Unspecified vulnerability in the Oracle Enterprise Communications Broker component in Oracle Communications Applications before PCz 2.0.0m4p1 allows remote attackers to affect confidentiality via unknown vectors. | 2016-07-21 | 7.8 | CVE-2016-3515 (CONFIRM)

oracle — web_applications_desktop_integrator | Unspecified vulnerability in the Oracle Web Applications Desktop Integrator component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect confidentiality and integrity via vectors related to Application Service. | 2016-07-21 | 8.5 | CVE-2016-3522 (CONFIRM)

oracle — agile_product_lifecycle_management_framework | Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality via vectors related to SDK, a different vulnerability than CVE-2016-3529 and CVE-2016-3560. | 2016-07-21 | 7.8 | CVE-2016-3526 (CONFIRM)

oracle — agile_product_lifecycle_management_framework | Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote authenticated users to affect integrity and availability via vectors related to PGC / Import. | 2016-07-21 | 7.5 | CVE-2016-3530 (CONFIRM)

oracle — advanced_inbound_telephony | Unspecified vulnerability in the Oracle Advanced Inbound Telephony component in Oracle E-Business Suite 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to SDK client integration. | 2016-07-21 | 7.8 | CVE-2016-3532 (CONFIRM)

oracle — crm_technical_foundation | Unspecified vulnerability in the Oracle CRM Technical Foundation component in Oracle E-Business Suite 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Remote Launch. | 2016-07-21 | 7.8 | CVE-2016-3535 (CONFIRM)

oracle — marketing | Unspecified vulnerability in the Oracle Marketing component in Oracle E-Business Suite 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Deliverables. | 2016-07-21 | 7.0 | CVE-2016-3536 (CONFIRM)

oracle — agile_product_lifecycle_management_framework | Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote authenticated users to affect integrity and availability via vectors related to File Folders / Attachment, a different vulnerability than CVE-2016-3539. | 2016-07-21 | 7.5 | CVE-2016-3538 (CONFIRM)

oracle — agile_product_lifecycle_management_framework | Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote authenticated users to affect integrity and availability via vectors related to File Folders / Attachment, a different vulnerability than CVE-2016-3538. | 2016-07-21 | 7.5 | CVE-2016-3539 (CONFIRM)

oracle — integrated_lights_out_manager_firmware | Unspecified vulnerability in the ILOM component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 2016-07-21 | 7.5 | CVE-2016-5445
CONFIRM
oracle — integrated_lights_out_manager_firmware Unspecified vulnerability in the ILOM component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Infrastructure. 2016-07-21 7.5 CVE-2016-5446
CONFIRM
oracle — integrated_lights_out_manager_firmware Unspecified vulnerability in the ILOM component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to IPMI. 2016-07-21 7.5 CVE-2016-5453
CONFIRM
oracle — peoplesoft_enterprise_peopletools Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.54 and 8.55 allows local users to affect confidentiality, integrity, and availability via vectors related to Install and Packaging. 2016-07-21 7.2 CVE-2016-5472
CONFIRM
schneider-electric — pelco_digital_sentry_video_management_system_firmware Schneider Electric Pelco Digital Sentry Video Management System with firmware before 7.14 has hardcoded credentials, which allows remote attackers to obtain access, and consequently execute arbitrary code, via unspecified vectors. 2016-07-15 10.0 CVE-2016-4520
CONFIRM
MISC
schneider-electric — somachine_hvac_firmware An unspecified ActiveX control in Schneider Electric SoMachine HVAC Programming Software for M171/M172 Controllers before 2.1.0 allows remote attackers to execute arbitrary code via unknown vectors, related to the INTERFACESAFE_FOR_UNTRUSTED_CALLER (aka safe for scripting) flag. 2016-07-15 7.5 CVE-2016-4529
CONFIRM
MISC


Medium Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info (each row ends with its CVE ID; the source link label, e.g. CONFIRM, MISC, CERT-VN or CISCO, follows on the next line)
accela — civic_platform_citizen_access_portal Cross-site scripting (XSS) vulnerability in AttachmentsList.aspx in Accela Civic Platform Citizen Access portal allows remote attackers to inject arbitrary web script or HTML via the iframeid parameter. 2016-07-15 4.3 CVE-2016-5660
CERT-VN
MISC
accela — civic_platform_citizen_access_portal Accela Civic Platform Citizen Access portal relies on the client to restrict file types for uploads, which allows remote authenticated users to execute arbitrary code via modified _EventArgument and filename parameters. 2016-07-15 6.5 CVE-2016-5661
CERT-VN
MISC
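The Accela entry above describes a file-type restriction enforced only in the browser, which a modified request bypasses outright. The Go program below is an added example of the server-side check that has to exist regardless; it is not Accela code and assumes nothing about the portal's internals. The accepted extensions, their leading-byte signatures, the random stored-name scheme and the sample files (the ASP.NET stub stands in for an uploaded web shell) are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// allowedTypes maps the extensions this hypothetical portal accepts to the
// bytes each format must start with, so the extension alone is never
// trusted: a file must look like what its name claims it is.
var allowedTypes = map[string][]byte{
	".pdf": []byte("%PDF-"),
	".png": {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A},
	".jpg": {0xFF, 0xD8, 0xFF},
}

// validateUpload enforces the type restriction on the server, independent
// of whatever the browser-side form did. It rejects path components in the
// client-supplied name, extensions outside the allowlist (so .aspx, .jsp,
// .php and friends never pass, including as the last of several
// extensions), and content that does not carry the signature of the
// claimed type.
func validateUpload(clientName string, content []byte) error {
	if clientName == "" || filepath.Base(clientName) != clientName ||
		strings.ContainsAny(clientName, `/\`) {
		return errors.New("filename must be a bare name without path components")
	}
	ext := strings.ToLower(filepath.Ext(clientName))
	magic, ok := allowedTypes[ext]
	if !ok {
		return fmt.Errorf("extension %q is not permitted", ext)
	}
	if !bytes.HasPrefix(content, magic) {
		return fmt.Errorf("content does not match a %s file", ext)
	}
	return nil
}

// storedName returns the name used on disk: a random token plus the
// validated extension. The client-supplied name may be logged or shown back
// to the user but is never used as a path, so a crafted name cannot steer
// where the bytes land.
func storedName(clientName string) (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return hex.EncodeToString(b[:]) + strings.ToLower(filepath.Ext(clientName)), nil
}

func main() {
	// Constructed samples for the demonstration.
	samples := []struct {
		name    string
		content []byte
	}{
		{"permit.pdf", []byte("%PDF-1.4\n%...")},
		{"shell.aspx", []byte("<%@ Page Language=\"C#\" %>")},
		{"shell.pdf", []byte("<%@ Page Language=\"C#\" %>")},
		{"shell.pdf.aspx", []byte("%PDF-1.4\n")},
		{"../shell.pdf", []byte("%PDF-1.4\n")},
	}
	for _, s := range samples {
		if err := validateUpload(s.name, s.content); err != nil {
			fmt.Printf("reject %-16s %v\n", s.name, err)
			continue
		}
		n, _ := storedName(s.name)
		fmt.Printf("accept %-16s stored as %s\n", s.name, n)
	}
}
```

Only the first sample is accepted. The signature check matters as much as the allowlist: renaming a script to .pdf is the obvious way around an extension-only filter, and the random on-disk name removes the client's control over the path entirely.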
apache — http_server The Apache HTTP Server through 2.4.23 follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application’s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an “httpoxy” issue. NOTE: the vendor states “This mitigation has been assigned the identifier CVE-2016-5387”; in other words, this is not a CVE ID for a vulnerability. 2016-07-18 5.1 CVE-2016-5387
CERT-VN
MISC
CONFIRM
apache — tomcat Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application’s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an “httpoxy” issue. NOTE: the vendor states “A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388”; in other words, this is not a CVE ID for a vulnerability. 2016-07-18 5.1 CVE-2016-5388
CERT-VN
MISC
CONFIRM
cisco — webex_meetings_server Cross-site request forgery (CSRF) vulnerability in Cisco WebEx Meetings Server 2.7 allows remote attackers to hijack the authentication of arbitrary users, aka Bug ID CSCuy92706. 2016-07-17 6.8 CVE-2016-1448
CISCO
cisco — meeting_server Cross-site scripting (XSS) vulnerability in the web-based management interface in Cisco Meeting Server (formerly Acano Conferencing Server) 1.7 through 1.9 allows remote attackers to inject arbitrary web script or HTML via crafted parameters, aka Bug ID CSCva19922. 2016-07-15 4.3 CVE-2016-1451
CISCO
cisco — asr_5000_software Cisco ASR 5000 devices with software 18.3 through 20.0.0 allow remote attackers to make configuration changes over SNMP by leveraging knowledge of the read-write community, aka Bug ID CSCuz29526. 2016-07-15 6.4 CVE-2016-1452
CISCO
cisco — ios Cisco IOS 12.4 and 15.0 through 15.5 and IOS XE 3.13 through 3.17 allow remote authenticated users to cause a denial of service (device reload) via crafted attributes in a BGP message, aka Bug ID CSCuz21061. 2016-07-17 4.9 CVE-2016-1459
CISCO
general_electric — cimplicity General Electric (GE) Digital Proficy HMI/SCADA – CIMPLICITY before 8.2 SIM 27 mishandles service DACLs, which allows local users to modify a service configuration via unspecified vectors. 2016-07-15 4.6 CVE-2016-5787
CONFIRM
MISC
golang — go The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application’s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an “httpoxy” issue. 2016-07-18 5.1 CVE-2016-5386
CERT-VN
CONFIRM
MISC
ibm — security_directory_server Directory traversal vulnerability in the Web Administration tool in IBM Tivoli Directory Server (ITDS) before 6.1.0.74-ISS-ISDS-IF0074, 6.2.x before 6.2.0.50-ISS-ISDS-IF0050, and 6.3.x before 6.3.0.43-ISS-ISDS-IF0043 and IBM Security Directory Server (ISDS) before 6.3.1.18-ISS-ISDS-IF0018 and 6.4.x before 6.4.0.9-ISS-ISDS-IF0009 allows remote attackers to read arbitrary files via a .. (dot dot) in a URL. 2016-07-15 5.0 CVE-2015-1977
CONFIRM
ibm — security_identity_manager_adapter IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.1 before 7.0.1-ISS-SIM-FP0003 mishandles password creation, which makes it easier for remote attackers to obtain access by leveraging an attack against the password algorithm. 2016-07-15 5.0 CVE-2016-0330
CONFIRM
ibm — security_identity_manager_adapter IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.1 before 7.0.1-ISS-SIM-FP0003 mishandles session identifiers after logout, which makes it easier for remote attackers to spoof users by leveraging knowledge of “traffic records.” 2016-07-15 4.3 CVE-2016-0339
CONFIRM
ibm — security_identity_manager_adapter IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.1 before 7.0.1-ISS-SIM-FP0003 mishandles session expiration, which allows remote attackers to hijack sessions by leveraging an unattended workstation. 2016-07-15 4.4 CVE-2016-0340
CONFIRM
ibm — security_identity_manager_adapter IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.1 before 7.0.1-ISS-SIM-FP0003 allows remote attackers to conduct clickjacking attacks via a crafted web site. 2016-07-15 4.3 CVE-2016-0357
CONFIRM
ibm — maximo_asset_management IBM Maximo Asset Management 7.5 before 7.5.0.10-TIV-MBS-IFIX002 and 7.6 before 7.6.0.5-TIV-MAMMT-FP001 allows remote attackers to obtain sensitive URL information by reading log files. 2016-07-17 5.0 CVE-2016-0393
CONFIRM
ibm — rational_collaborative_lifecycle_management The GIT Integration component in IBM Rational Team Concert (RTC) 5.x before 5.0.2 iFix14 and 6.x before 6.0.1 iFix5 and Rational Collaborative Lifecycle Management 5.x before 5.0.2 iFix14 and 6.x before 6.0.1 iFix5 allows remote authenticated users to obtain sensitive information via a malformed request. 2016-07-15 4.0 CVE-2016-2865
CONFIRM
isc — bind ISC BIND 9.x before 9.9.9-P2, 9.10.x before 9.10.4-P2, and 9.11.x before 9.11.0b2, when lwresd or the named lwres option is enabled, allows remote attackers to cause a denial of service (daemon crash) via a long request that uses the lightweight resolver protocol. 2016-07-19 4.3 CVE-2016-2775
CONFIRM
mirrorer — libbpg The restore_tqb_pixels function in libbpg 0.9.5 through 0.9.7 mishandles the transquant_bypass_enable_flag value, which allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via a crafted BPG image, related to a “type confusion” issue. 2016-07-15 6.8 CVE-2016-5637
CERT-VN
misys — fusioncapital_opics_plus Multiple SQL injection vulnerabilities in Misys FusionCapital Opics Plus allow remote authenticated users to execute arbitrary SQL commands via the (1) ID or (2) Branch parameter. 2016-07-19 4.0 CVE-2016-5653
CERT-VN
misys — fusioncapital_opics_plus Misys FusionCapital Opics Plus does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to obtain sensitive information via a crafted certificate. 2016-07-19 4.3 CVE-2016-5655
CERT-VN
moxa — mgate_mb3170_router_firmware Moxa MGate MB3180 before 1.8, MGate MB3280 before 2.7, MGate MB3480 before 2.6, MGate MB3170 before 2.5, and MGate MB3270 before 2.7 use weak encryption, which allows remote attackers to bypass authentication via a brute-force series of guesses for a parameter value. 2016-07-15 5.0 CVE-2016-5804
MISC
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: Optimizer. 2016-07-21 4.0 CVE-2016-3424
CONFIRM
oracle — business_intelligence_publisher Unspecified vulnerability in the BI Publisher (formerly XML Publisher) component in Oracle Fusion Middleware 11.1.1.7.0 and 11.1.1.9.0 allows remote authenticated users to affect confidentiality and integrity via vectors related to Web Server. 2016-07-21 4.9 CVE-2016-3432
CONFIRM
oracle — business_intelligence Unspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 11.1.1.7.0 and 11.1.1.9.0 allows remote authenticated users to affect confidentiality and integrity via vectors related to Analytics Web Administration. 2016-07-21 4.9 CVE-2016-3433
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.7.11 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer. 2016-07-21 4.0 CVE-2016-3440
CONFIRM
oracle — weblogic_server Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0 and 12.1.3.0 allows remote attackers to affect availability via vectors related to Web Container. 2016-07-21 5.0 CVE-2016-3445
CONFIRM
oracle — application_express Unspecified vulnerability in the Application Express component in Oracle Database Server before 5.0.4 allows remote attackers to affect confidentiality and integrity via unknown vectors. 2016-07-21 5.8 CVE-2016-3448
CONFIRM
oracle — siebel_core-server_framework Unspecified vulnerability in the Siebel Core – Server Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote attackers to affect confidentiality via vectors related to Services, a different vulnerability than CVE-2016-5460 and CVE-2016-5466. 2016-07-21 4.3 CVE-2016-3450
CONFIRM
oracle — integrated_lights_out_manager_firmware Unspecified vulnerability in the ILOM component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3.2 allows remote attackers to affect integrity via vectors related to Web. 2016-07-21 4.3 CVE-2016-3451
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.10 and earlier allows remote attackers to affect confidentiality via vectors related to Server: Security: Encryption. 2016-07-21 4.3 CVE-2016-3452
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect availability via vectors related to Kernel. 2016-07-21 4.9 CVE-2016-3453
CONFIRM
oracle — java Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; and Java SE Embedded 8u91 allows remote attackers to affect integrity via vectors related to CORBA. 2016-07-21 4.3 CVE-2016-3458
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: InnoDB. 2016-07-21 4.0 CVE-2016-3459
CONFIRM
oracle — application_express Unspecified vulnerability in the Application Express component in Oracle Database Server before 5.0.4 allows remote attackers to affect availability via unknown vectors. 2016-07-21 5.0 CVE-2016-3467
CONFIRM
oracle — business_intelligence_publisher Unspecified vulnerability in the BI Publisher (formerly XML Publisher) component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, and 12.2.1.0.0 allows remote attackers to affect confidentiality via vectors related to Security. 2016-07-21 4.3 CVE-2016-3474
CONFIRM
oracle — knowledge Unspecified vulnerability in the Oracle Knowledge component in Oracle Siebel CRM 8.5.x allows remote authenticated users to affect confidentiality via vectors related to Information Manager Console. 2016-07-21 4.0 CVE-2016-3475
CONFIRM
oracle — knowledge Unspecified vulnerability in the Oracle Knowledge component in Oracle Siebel CRM 8.5.x allows remote attackers to affect confidentiality and integrity via vectors related to Information Manager Console. 2016-07-21 6.4 CVE-2016-3476
CONFIRM
oracle — peoplesoft_enterprise_peopletools Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote attackers to affect confidentiality and integrity via vectors related to File Processing. 2016-07-21 4.3 CVE-2016-3478
CONFIRM
oracle — solaris_cluster Unspecified vulnerability in the Solaris Cluster component in Oracle Sun Systems Products Suite 3.3 and 4.3 allows local users to affect confidentiality via vectors related to HA for Postgresql. 2016-07-21 4.9 CVE-2016-3480
CONFIRM
oracle — integrated_lights_out_manager_firmware Unspecified vulnerability in the ILOM component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3.2 allows remote authenticated users to affect availability via vectors related to Web. 2016-07-21 4.0 CVE-2016-3481
CONFIRM
oracle — http_server Unspecified vulnerability in the Oracle HTTP Server component in Oracle Fusion Middleware 11.1.1.9 and 12.1.3.0 allows remote attackers to affect confidentiality via vectors related to SSL/TLS Module. 2016-07-21 5.0 CVE-2016-3482
CONFIRM
oracle — peoplesoft_enterprise_peopletools Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote attackers to affect confidentiality and availability via vectors related to File Processing. 2016-07-21 6.4 CVE-2016-3483
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: FTS. 2016-07-21 6.8 CVE-2016-3486
CONFIRM
oracle — database Unspecified vulnerability in the DB Sharding component in Oracle Database Server 12.1.0.2 allows local users to affect integrity via unknown vectors. 2016-07-21 4.9 CVE-2016-3488
CONFIRM
oracle — enterprise_manager_ops_center Unspecified vulnerability in the Enterprise Manager Ops Center component in Oracle Enterprise Manager Grid Control 12.1.4, 12.2.2, and 12.3.2 allows remote attackers to affect availability via vectors related to OS Provisioning. 2016-07-21 6.1 CVE-2016-3494
CONFIRM
oracle — enterprise_manager_for_fusion_middleware Unspecified vulnerability in the Enterprise Manager for Fusion Middleware component in Oracle Enterprise Manager Grid Control 11.1.1.7, and 11.1.1.9 allows remote attackers to affect confidentiality via vectors related to SOA Topology Viewer. 2016-07-21 4.3 CVE-2016-3496
CONFIRM
oracle — java Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3508. 2016-07-21 5.0 CVE-2016-3500
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer. 2016-07-21 4.0 CVE-2016-3501
CONFIRM
oracle — webcenter_sites Unspecified vulnerability in the Oracle WebCenter Sites component in Oracle Fusion Middleware 11.1.1.8 and 12.2.1.0 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. 2016-07-21 6.0 CVE-2016-3502
CONFIRM
oracle — java Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92 allows local users to affect confidentiality, integrity, and availability via vectors related to Install. 2016-07-21 4.4 CVE-2016-3503
CONFIRM
oracle — jdeveloper Unspecified vulnerability in the Oracle JDeveloper component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, and 12.2.1.0.0 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to ADF Faces. 2016-07-21 6.5 CVE-2016-3504
CONFIRM
oracle — jdbc Unspecified vulnerability in the JDBC component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. 2016-07-21 6.8 CVE-2016-3506
CONFIRM
oracle — agile_product_lifecycle_management_framework Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect integrity via vectors related to WebClient / Admin. 2016-07-21 4.3 CVE-2016-3507
CONFIRM
oracle — java Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows remote attackers to affect availability via vectors related to JAXP, a different vulnerability than CVE-2016-3500. 2016-07-21 5.0 CVE-2016-3508
CONFIRM
oracle — agile_product_lifecycle_management_framework Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote authenticated users to affect confidentiality and integrity via vectors related to File Folders / URL Attachment. 2016-07-21 4.9 CVE-2016-3509
CONFIRM
oracle — communications_operations_monitor Unspecified vulnerability in the Oracle Communications Operations Monitor component in Oracle Communications Applications before 3.3.92.0.0 allows remote authenticated users to affect confidentiality via vectors related to Infrastructure. 2016-07-21 6.8 CVE-2016-3513
CONFIRM
oracle — enterprise_communications_broker Unspecified vulnerability in the Oracle Enterprise Communications Broker component in Oracle Communications Applications before PCz 2.0.0m4p1 allows remote authenticated users to affect confidentiality via vectors related to GUI, a different vulnerability than CVE-2016-3516. 2016-07-21 6.8 CVE-2016-3514
CONFIRM
oracle — enterprise_communications_broker Unspecified vulnerability in the Oracle Enterprise Communications Broker component in Oracle Communications Applications before PCz 2.0.0m4p1 allows remote authenticated users to affect confidentiality via vectors related to GUI, a different vulnerability than CVE-2016-3514. 2016-07-21 4.0 CVE-2016-3516
CONFIRM
oracle — agile_product_lifecycle_management_framework Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect integrity via vectors related to PC / Get Shortcut. 2016-07-21 4.3 CVE-2016-3517
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: Optimizer. 2016-07-21 6.8 CVE-2016-3518
CONFIRM
oracle — agile_product_lifecycle_management_framework Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality and integrity via vectors related to PC / Get Shortcut. 2016-07-21 4.3 CVE-2016-3519
CONFIRM
oracle — e-business_suite Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote administrators to affect confidentiality via vectors related to AOL Diagnostic tests. 2016-07-21 6.8 CVE-2016-3520
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: Types. 2016-07-21 6.8 CVE-2016-3521
CONFIRM
oracle — web_applications_desktop_integrator Unspecified vulnerability in the Oracle Web Applications Desktop Integrator component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect integrity via vectors related to Application Service. 2016-07-21 4.3 CVE-2016-3523
CONFIRM
oracle — e-business_suite Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect confidentiality and integrity via vectors related to Configuration. 2016-07-21 5.5 CVE-2016-3524
CONFIRM
oracle — applications_manager Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 12.1.3 allows remote attackers to affect confidentiality via vectors related to Cookie Management. 2016-07-21 5.4 CVE-2016-3525
CONFIRM
oracle — agile_product_lifecycle_management_framework Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality via vectors related to SDK, a different vulnerability than CVE-2016-3526 and CVE-2016-3560. 2016-07-21 5.0 CVE-2016-3529
CONFIRM
oracle — knowledge_management Unspecified vulnerability in the Oracle Knowledge Management component in Oracle E-Business Suite 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect integrity via vectors related to Search. 2016-07-21 4.3 CVE-2016-3533
CONFIRM
oracle — installed_base Unspecified vulnerability in the Oracle Installed Base component in Oracle E-Business Suite 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect integrity via vectors related to Engineering Change Order. 2016-07-21 4.3 CVE-2016-3534
CONFIRM
oracle — agile_product_lifecycle_management_framework Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote authenticated users to affect confidentiality via vectors related to File Folders / Attachment, a different vulnerability than CVE-2016-5473. 2016-07-21 6.8 CVE-2016-3537
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local users to affect confidentiality, integrity, and availability via vectors related to Libadimalloc. 2016-07-21 4.4 CVE-2016-3584
CONFIRM
oracle — integrated_lights_out_manager_firmware Unspecified vulnerability in the ILOM component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3.2 allows remote attackers to affect confidentiality and integrity via vectors related to Emulex. 2016-07-21 5.8 CVE-2016-3585
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote authenticated users to affect integrity and availability via vectors related to Server: InnoDB. 2016-07-21 4.9 CVE-2016-3588
CONFIRM
oracle — vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 5.0.22 allows remote attackers to affect confidentiality via vectors related to Core. 2016-07-21 4.3 CVE-2016-3612
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: DML. 2016-07-21 4.3 CVE-2016-3615
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: InnoDB. 2016-07-21 4.0 CVE-2016-5436
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: Log. 2016-07-21 4.0 CVE-2016-5437
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: Privileges. 2016-07-21 4.0 CVE-2016-5439
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.5.49 and earlier, 5.6.30 and earlier, and 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: RBR. 2016-07-21 4.0 CVE-2016-5440
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: Replication. 2016-07-21 4.0 CVE-2016-5441
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows remote administrators to affect availability via vectors related to Server: Security: Encryption. 2016-07-21 4.0 CVE-2016-5442
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.5.48 and earlier, 5.6.29 and earlier, and 5.7.11 and earlier allows remote attackers to affect confidentiality via vectors related to Server: Connection. 2016-07-21 4.3 CVE-2016-5444
CONFIRM
oracle — integrated_lights_out_manager_firmware Unspecified vulnerability in the ILOM component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. 2016-07-21 6.5 CVE-2016-5447
CONFIRM
oracle — integrated_lights_out_manager_firmware Unspecified vulnerability in the ILOM component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3.2 allows remote attackers to affect integrity and availability via vectors related to SNMP. 2016-07-21 6.4 CVE-2016-5448
CONFIRM
oracle — integrated_lights_out_manager_firmware Unspecified vulnerability in the ILOM component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3.2 allows remote attackers to affect availability via vectors related to Console Redirection. 2016-07-21 5.0 CVE-2016-5449
CONFIRM
oracle — siebel_ui_framework Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote attackers to affect integrity via vectors related to UIF Open UI. 2016-07-21 4.3 CVE-2016-5450
CONFIRM
oracle — siebel_ui_framework Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote authenticated users to affect confidentiality and integrity via vectors related to EAI, a different vulnerability than CVE-2016-5468. 2016-07-21 5.5 CVE-2016-5451
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local users to affect integrity and availability via vectors related to Verified Boot. 2016-07-21 5.4 CVE-2016-5454
CONFIRM
oracle — communications_messaging_server Unspecified vulnerability in the Oracle Communications Messaging Server component in Oracle Communications Applications 6.3, 7.0, and 8.0 allows remote attackers to affect confidentiality via vectors related to Multiplexor. 2016-07-21 5.0 CVE-2016-5455
CONFIRM
oracle — siebel_core-server_framework Unspecified vulnerability in the Siebel Core – Server Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote authenticated users to affect confidentiality via vectors related to Object Manager. 2016-07-21 4.0 CVE-2016-5461
CONFIRM
oracle — siebel_core-server_framework Unspecified vulnerability in the Siebel Core – Server Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote administrators to affect confidentiality via vectors related to Workspaces. 2016-07-21 4.0 CVE-2016-5462
CONFIRM
oracle — peoplesoft_enterprise_peopletools Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.53, 8.54, and 8.55 allows remote attackers to affect confidentiality and integrity via vectors related to Panel Processor. 2016-07-21 5.8 CVE-2016-5465
CONFIRM
oracle — siebel_core-server_framework Unspecified vulnerability in the Siebel Core – Server Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote attackers to affect confidentiality via vectors related to Services, a different vulnerability than CVE-2016-3450 and CVE-2016-5460. 2016-07-21 4.3 CVE-2016-5466
CONFIRM
oracle — peoplesoft_enterprise_scm_eprocurement Unspecified vulnerability in the PeopleSoft Enterprise FSCM component in Oracle PeopleSoft Products 9.1 and 9.2 allows remote authenticated users to affect confidentiality and integrity via vectors related to eProcurement. 2016-07-21 5.5 CVE-2016-5467
CONFIRM
oracle — retail_integration_bus Unspecified vulnerability in the Oracle Retail Integration Bus component in Oracle Retail Applications 13.0, 13.1, 13.2, 14.0, 14.1, and 15.0 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to Install. 2016-07-21 6.5 CVE-2016-5476
CONFIRM
oracle — glassfish_server Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 2.1.1 and 3.0.1 allows remote attackers to affect confidentiality via vectors related to Administration. 2016-07-21 5.0 CVE-2016-5477
CONFIRM
php — php PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application’s outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, as demonstrated by (1) an application that makes a getenv(‘HTTP_PROXY’) call or (2) a CGI configuration of PHP, aka an “httpoxy” issue. 2016-07-18 5.1 CVE-2016-5385
CERT-VN
CONFIRM
MISC
tollgrade — lighthouse_sms Tollgrade LightHouse SMS before 5.1 patch 3 allows remote attackers to bypass authentication and restart the software via unspecified vectors. 2016-07-15 5.0 CVE-2016-5790
MISC
tollgrade — lighthouse_sms Tollgrade LightHouse SMS before 5.1 patch 3 provides different error messages for failed authentication attempts depending on whether the username exists, which allows remote attackers to enumerate account names via a series of attempts. 2016-07-15 5.0 CVE-2016-5797
MISC
tollgrade — lighthouse_sms Tollgrade LightHouse SMS before 5.1 patch 3 allows remote authenticated users to bypass an intended administrative-authentication requirement, and read or change parameter values, via a direct request. 2016-07-15 5.5 CVE-2016-5807
MISC


Low Vulnerabilities

Primary Vendor — Product Description Published CVSS Score Source & Patch Info
ibm — bigfix_platform Cross-site scripting (XSS) vulnerability in IBM BigFix Platform 9.x before 9.1.8 and 9.2.x before 9.2.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. 2016-07-15 3.5 CVE-2016-0269
CONFIRM
ibm — personal_communications IBM Personal Communications (aka PCOMM) 6.x before 6.0.17 and 12.x before 12.0.0.1 does not properly restrict credential extraction, which allows local users to discover passwords by leveraging access to the victim account and executing a PowerShell script. 2016-07-17 2.1 CVE-2016-0321
AIXAPAR
CONFIRM
ibm — security_identity_manager_adapter IBM Security Identity Manager (ISIM) Virtual Appliance 7.0.0.0 through 7.0.1.1 before 7.0.1-ISS-SIM-FP0003 allows local users to discover cleartext passwords by (1) reading a configuration file or (2) examining a process. 2016-07-15 2.1 CVE-2016-0338
CONFIRM
oracle — siebel_core-server_framework Unspecified vulnerability in the Siebel Core – Server Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows local users to affect confidentiality via vectors related to Services. 2016-07-21 2.1 CVE-2016-3469
CONFIRM
oracle — siebel_engineering-installer_and_deployment Unspecified vulnerability in the Siebel Engineering – Installer and Deployment component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote authenticated users to affect confidentiality via vectors related to Web Server. 2016-07-21 3.5 CVE-2016-3472
CONFIRM
oracle — database Unspecified vulnerability in the Database Vault component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows local users to affect confidentiality and integrity via unknown vectors. 2016-07-21 3.2 CVE-2016-3484
CONFIRM
oracle — java Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92; Java SE Embedded 8u91; and JRockit R28.3.10 allows local users to affect integrity via vectors related to Networking. 2016-07-21 2.1 CVE-2016-3485
CONFIRM
oracle — transportation_management Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, and 6.4.1 allows remote authenticated users to affect confidentiality via vectors related to Database. 2016-07-21 3.5 CVE-2016-3490
CONFIRM
oracle — agile_product_lifecycle_management_framework Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote authenticated users to affect confidentiality via vectors related to PC / Notification. 2016-07-21 3.5 CVE-2016-3531
CONFIRM
oracle — vm_virtualbox Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 5.0.26 allows local users to affect availability via vectors related to Core. 2016-07-21 2.1 CVE-2016-3597
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.6.30 and earlier and 5.7.12 and earlier allows remote authenticated users to affect availability via vectors related to Server: Security: Encryption. 2016-07-21 3.5 CVE-2016-3614
CONFIRM
oracle — mysql Unspecified vulnerability in Oracle MySQL 5.7.12 and earlier allows local users to affect availability via vectors related to Server: Connection. 2016-07-21 1.2 CVE-2016-5443
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local users to affect confidentiality via vectors related to Verified Boot. 2016-07-21 2.1 CVE-2016-5452
CONFIRM
oracle — siebel_ui_framework Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote authenticated users to affect integrity via vectors related to SWSE Server, a different vulnerability than CVE-2016-5464. 2016-07-21 3.5 CVE-2016-5463
CONFIRM
oracle — siebel_ui_framework Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote authenticated users to affect integrity via vectors related to SWSE Server, a different vulnerability than CVE-2016-5463. 2016-07-21 3.5 CVE-2016-5464
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local users to affect availability via vectors related to Kernel, a different vulnerability than CVE-2016-3497 and CVE-2016-5471. 2016-07-21 2.1 CVE-2016-5469
CONFIRM
oracle — solaris Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local users to affect availability via vectors related to Kernel, a different vulnerability than CVE-2016-3497 and CVE-2016-5469. 2016-07-21 2.1 CVE-2016-5471
CONFIRM


Severity Not Yet Assigned

Primary Vendor — Product Description Published CVSS Score Source & Patch Info
apple — ios WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4589, CVE-2016-4622, and CVE-2016-4623. 2016-07-21 Not yet calculated CVE-2016-4624
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
apple — ios The Siri Contacts component in Apple iOS before 9.3.3 allows physically proximate attackers to read arbitrary Contact card information via unspecified vectors. 2016-07-21 Not yet calculated CVE-2016-4593
APPLE
CONFIRM
apple — ios WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 mishandles the location variable, which allows remote attackers to access the local filesystem via unspecified vectors. 2016-07-21 Not yet calculated CVE-2016-4591
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
apple — ios WebKit in Apple iOS before 9.3.3 and Safari before 9.1.2 mishandles about: URLs, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. 2016-07-21 Not yet calculated CVE-2016-4590
APPLE
APPLE
CONFIRM
CONFIRM
apple — ios The WebKit Page Loading implementation in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. 2016-07-21 Not yet calculated CVE-2016-4584
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
apple — ios WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to bypass the Same Origin Policy and obtain image data from an unintended web site via a timing attack involving an SVG document. 2016-07-21 Not yet calculated CVE-2016-4583
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
apple — ios WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to cause a denial of service (memory consumption) via a crafted web site. 2016-07-21 Not yet calculated CVE-2016-4592
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
apple — ios Safari in Apple iOS before 9.3.3 allows remote attackers to spoof the displayed URL via an HTTP response specifying redirection to an invalid TCP port number. 2016-07-21 Not yet calculated CVE-2016-4604
APPLE
CONFIRM
apple — ios The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-1863 and CVE-2016-4582. 2016-07-21 Not yet calculated CVE-2016-4653
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — ios IOAcceleratorFamily in Apple iOS before 9.3.3, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to gain privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors. 2016-07-21 Not yet calculated CVE-2016-4627
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
apple — ios Cross-site scripting (XSS) vulnerability in the WebKit JavaScript bindings in Apple iOS before 9.3.3 and Safari before 9.1.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTTP/0.9 response, related to a “cross-protocol cross-site scripting (XPXSS)” vulnerability. 2016-07-21 Not yet calculated CVE-2016-4651
APPLE
APPLE
CONFIRM
CONFIRM
apple — ios IOAcceleratorFamily in Apple iOS before 9.3.3 and watchOS before 2.2.2 allows local users to obtain sensitive information from kernel memory or cause a denial of service (out-of-bounds read) via unspecified vectors. 2016-07-21 Not yet calculated CVE-2016-4628
APPLE
APPLE
CONFIRM
CONFIRM
apple — ios libxml2 in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4614, CVE-2016-4615, and CVE-2016-4616. 2016-07-21 Not yet calculated CVE-2016-4619
APPLE
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — ios The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors. 2016-07-21 Not yet calculated CVE-2016-1865
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — ios Cross-site scripting (XSS) vulnerability in the WebKit Page Loading implementation in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to inject arbitrary web script or HTML via an HTTP response specifying redirection that is mishandled by Safari. 2016-07-21 Not yet calculated CVE-2016-4585
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
apple — ios The Sandbox Profiles component in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows attackers to access the process list via a crafted app that makes an API call. 2016-07-21 Not yet calculated CVE-2016-4594
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — ios libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, and CVE-2016-4610. 2016-07-21 Not yet calculated CVE-2016-4612
APPLE
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — ios libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4609, CVE-2016-4610, and CVE-2016-4612. 2016-07-21 Not yet calculated CVE-2016-4608
APPLE
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — ios libxml2 in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4614, CVE-2016-4616, and CVE-2016-4619. 2016-07-21 Not yet calculated CVE-2016-4615
APPLE
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — ios libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4608, CVE-2016-4610, and CVE-2016-4612. 2016-07-21 Not yet calculated CVE-2016-4609
APPLE
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — ios libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4608, CVE-2016-4609, CVE-2016-4610, and CVE-2016-4612. 2016-07-21 Not yet calculated CVE-2016-4607
APPLE
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — ios WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4622, CVE-2016-4623, and CVE-2016-4624. 2016-07-21 Not yet calculated N/A
apple — ios WebKit in Apple iOS before 9.3.3 and tvOS before 9.2.2 allows remote attackers to obtain sensitive information from uninitialized process memory via a crafted web site. 2016-07-21 Not yet calculated CVE-2016-4587
APPLE
APPLE
CONFIRM
CONFIRM
apple — ios WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4589, CVE-2016-4623, and CVE-2016-4624. 2016-07-21 Not yet calculated CVE-2016-4622
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
apple — ios libxslt in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4607, CVE-2016-4608, CVE-2016-4609, and CVE-2016-4612. 2016-07-21 Not yet calculated CVE-2016-4610
APPLE
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — ios libxml2 in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4615, CVE-2016-4616, and CVE-2016-4619. 2016-07-21 Not yet calculated CVE-2016-4614
APPLE
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — ios WebKit in Apple iOS before 9.3.3, Safari before 9.1.2, and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, a different vulnerability than CVE-2016-4589, CVE-2016-4622, and CVE-2016-4624. 2016-07-21 Not yet calculated CVE-2016-4623
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
apple — ios Calendar in Apple iOS before 9.3.3 allows remote attackers to cause a denial of service (NULL pointer dereference and device restart) via a crafted invitation. 2016-07-21 Not yet calculated CVE-2016-4605
APPLE
CONFIRM
apple — ios Web Media in Apple iOS before 9.3.3 allows attackers to bypass the Private Browsing protection mechanism and obtain sensitive video URL information by leveraging Safari View Controller misbehavior. 2016-07-21 Not yet calculated CVE-2016-4603
APPLE
CONFIRM
apple — ios libxml2 in Apple iOS before 9.3.3, OS X before 10.11.6, iTunes before 12.4.2 on Windows, iCloud before 5.2.1 on Windows, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors, a different vulnerability than CVE-2016-4614, CVE-2016-4615, and CVE-2016-4619. 2016-07-21 Not yet calculated CVE-2016-4616
APPLE
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — ios The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-1863 and CVE-2016-4653. 2016-07-21 Not yet calculated CVE-2016-4582
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — os_x libc++abi in Apple OS X before 10.11.6 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 2016-07-21 Not yet calculated CVE-2016-4621
APPLE
CONFIRM
apple — os_x QuickTime in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted FlashPix bitmap image, a different vulnerability than CVE-2016-4596, CVE-2016-4597, and CVE-2016-4602. 2016-07-21 Not yet calculated CVE-2016-4600
APPLE
CONFIRM
apple — os_x Intel Graphics Driver in Apple OS X before 10.11.6 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 2016-07-21 Not yet calculated CVE-2016-4633
APPLE
MISC
CONFIRM
apple — os_x ImageIO in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted xStride and yStride values in an EXR image. 2016-07-21 Not yet calculated CVE-2016-4629
APPLE
MISC
CONFIRM
apple — os_x The Graphics Drivers subsystem in Apple OS X before 10.11.6 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors. 2016-07-21 Not yet calculated CVE-2016-4634
APPLE
CONFIRM
apple — os_x ImageIO in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted EXR image with B44 compression. 2016-07-21 Not yet calculated N/A
apple — os_x IOHIDFamily in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to gain privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors. 2016-07-21 Not yet calculated CVE-2016-4626
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — os_x Login Window in Apple OS X before 10.11.6 does not properly initialize memory, which allows local users to cause a denial of service via unspecified vectors. 2016-07-21 Not yet calculated CVE-2016-4639
APPLE
MISC
CONFIRM
apple — os_x FaceTime in Apple iOS before 9.3.3 and OS X before 10.11.6 allows man-in-the-middle attackers to spoof relayed-call termination, and obtain sensitive audio information in opportunistic circumstances, via unspecified vectors. 2016-07-21 Not yet calculated CVE-2016-4635
APPLE
APPLE
CONFIRM
CONFIRM
apple — os_x ImageIO in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors. 2016-07-21 Not yet calculated CVE-2016-4632
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — os_x Login Window in Apple OS X before 10.11.6 allows attackers to gain privileges via a crafted app that leverages a “type confusion.” 2016-07-21 Not yet calculated CVE-2016-4638
APPLE
CONFIRM
apple — os_x CoreGraphics in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted BMP image. 2016-07-21 Not yet calculated CVE-2016-4637
APPLE
APPLE
APPLE
APPLE
MISC
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — os_x Use-after-free vulnerability in IOSurface in Apple OS X before 10.11.6 allows local users to gain privileges via unspecified vectors. 2016-07-21 Not yet calculated CVE-2016-4625
APPLE
CONFIRM
apple — os_x Login Window in Apple OS X before 10.11.6 allows attackers to execute arbitrary code in a privileged context, obtain sensitive user information, or cause a denial of service (memory corruption) via a crafted app. 2016-07-21 Not yet calculated CVE-2016-4640
APPLE
MISC
CONFIRM
apple — os_x QuickTime in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted FlashPix bitmap image, a different vulnerability than CVE-2016-4596, CVE-2016-4597, and CVE-2016-4600. 2016-07-21 Not yet calculated CVE-2016-4602
APPLE
CONFIRM
apple — os_x QuickTime in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted FlashPix bitmap image, a different vulnerability than CVE-2016-4596, CVE-2016-4600, and CVE-2016-4602. 2016-07-21 Not yet calculated CVE-2016-4597
APPLE
CONFIRM
apple — os_x QuickTime in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted FlashPix bitmap image, a different vulnerability than CVE-2016-4597, CVE-2016-4600, and CVE-2016-4602. 2016-07-21 Not yet calculated CVE-2016-4596
APPLE
CONFIRM
apple — os_x Audio in Apple OS X before 10.11.6 allows local users to gain privileges or cause a denial of service (memory corruption) via a crafted file. 2016-07-21 Not yet calculated CVE-2016-4647
APPLE
MISC
MISC
CONFIRM
apple — os_x Login Window in Apple OS X before 10.11.6 allows attackers to execute arbitrary code in a privileged context or obtain sensitive user information via a crafted app that leverages a “type confusion.” 2016-07-21 Not yet calculated CVE-2016-4641
APPLE
MISC
CONFIRM
apple — os_x QuickTime in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image. 2016-07-21 Not yet calculated CVE-2016-4598
APPLE
CONFIRM
apple — os_x Safari Login AutoFill in Apple OS X before 10.11.6 allows physically proximate attackers to discover passwords by reading the screen during the login procedure. 2016-07-21 Not yet calculated CVE-2016-4595
APPLE
CONFIRM
apple — os_x ImageIO in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted TIFF file. 2016-07-21 Not yet calculated CVE-2016-4631
APPLE
APPLE
APPLE
APPLE
MISC
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — os_x Audio in Apple OS X before 10.11.6 allows local users to cause a denial of service (NULL pointer dereference) via unspecified vectors. 2016-07-21 Not yet calculated CVE-2016-4649
APPLE
CONFIRM
apple — os_x The kernel in Apple iOS before 9.3.3, OS X before 10.11.6, tvOS before 9.2.2, and watchOS before 2.2.2 allows local users to gain privileges or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-4582 and CVE-2016-4653. 2016-07-21 Not yet calculated CVE-2016-1863
APPLE
APPLE
APPLE
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — os_x CFNetwork in Apple OS X before 10.11.6 uses weak permissions for web-browser cookies, which allows local users to obtain sensitive information via unspecified vectors. 2016-07-21 Not yet calculated CVE-2016-4645
APPLE
CONFIRM
apple — os_x QuickTime in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted SGI image. 2016-07-21 Not yet calculated CVE-2016-4601
APPLE
CONFIRM
apple — os_x Audio in Apple OS X before 10.11.6 mishandles a size value, which allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted audio file. 2016-07-21 Not yet calculated CVE-2016-4646
APPLE
MISC
CONFIRM
apple — os_x QuickTime in Apple OS X before 10.11.6 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted Photoshop document. 2016-07-21 Not yet calculated CVE-2016-4599
APPLE
CONFIRM
apple — os_x Audio in Apple OS X before 10.11.6 allows local users to obtain sensitive kernel memory-layout information or cause a denial of service (out-of-bounds read) via unspecified vectors. 2016-07-21 Not yet calculated CVE-2016-4648
APPLE
CONFIRM
apple — os_x Integer signedness error in bspatch.c in bspatch in bsdiff, as used in Apple OS X before 10.11.6 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (heap-based buffer overflow) via a crafted patch file. 2016-07-21 Not yet calculated CVE-2014-9862
APPLE
CONFIRM
CONFIRM
CONFIRM
CONFIRM
apple — os_x CoreGraphics in Apple OS X before 10.11.6 allows local users to obtain sensitive information from kernel memory and consequently gain privileges, or cause a denial of service (out-of-bounds read), via unspecified vectors. 2016-07-21 Not yet calculated CVE-2016-4652
APPLE
MISC
CONFIRM
apple — safari WebKit in Apple Safari before 9.1.2 and tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. 2016-07-21 Not yet calculated CVE-2016-4586
APPLE
APPLE
CONFIRM
CONFIRM
apple — tvos WebKit in Apple tvOS before 9.2.2 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site. 2016-07-21 Not yet calculated CVE-2016-4588
APPLE
CONFIRM
eCryptfs — ecryptfs_setup_swap ecryptfs-setup-swap in eCryptfs does not prevent the unencrypted swap partition from activating during boot when using GPT partitioning on a (1) NVMe or (2) MMC drive, which allows local users to obtain sensitive information via unspecified vectors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-8946. 2016-07-22 Not yet calculated CVE-2016-6224
MLIST
MLIST
UBUNTU
CONFIRM
CONFIRM
CONFIRM
ecryptfs — ecryptfs_setup_swap ecryptfs-setup-swap in eCryptfs before 111 does not prevent the unencrypted swap partition from activating during boot when using GPT partitioning and certain versions of systemd, which allows local users to obtain sensitive information via unspecified vectors. 2016-07-22   CVE-2015-8946
MLIST
MLIST
UBUNTU
CONFIRM
CONFIRM
google — chrome ios/web/web_state/ui/crw_web_controller.mm in Google Chrome before 52.0.2743.82 on iOS does not ensure that an invalid URL is replaced with the about:blank URL, which allows remote attackers to spoof the URL display via a crafted web site. 2016-07-23 Not yet calculated CVE-2016-1707
CONFIRM
CONFIRM
CONFIRM
google — chrome The Chrome Web Store inline-installation implementation in the Extensions subsystem in Google Chrome before 52.0.2743.82 does not properly consider object lifetimes during progress observation, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via a crafted web site. 2016-07-23 Not yet calculated CVE-2016-1708
CONFIRM
CONFIRM
CONFIRM
google — chrome Heap-based buffer overflow in the ByteArray::Get method in data/byte_array.cc in Google sfntly before 2016-06-10, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted SFNT font. 2016-07-23 Not yet calculated CVE-2016-1709
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
google — chrome Multiple unspecified vulnerabilities in Google Chrome before 52.0.2743.82 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. 2016-07-23 Not yet calculated CVE-2016-1705
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
google — chrome The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before 52.0.2743.82, does not apply http :80 policies to https :443 URLs and does not apply ws :80 policies to wss :443 URLs, which makes it easier for remote attackers to determine whether a specific HSTS web site has been visited by reading a CSP report. NOTE: this vulnerability is associated with a specification change after CVE-2016-1617 resolution. 2016-07-23 Not yet calculated CVE-2016-5137
CONFIRM
CONFIRM
CONFIRM
google — chrome Use-after-free vulnerability in extensions/renderer/user_script_injector.cc in the Extensions subsystem in Google Chrome before 52.0.2743.82 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to script deletion. 2016-07-23 Not yet calculated CVE-2016-5136
CONFIRM
CONFIRM
CONFIRM
CONFIRM
google — chrome WebKit/Source/core/loader/FrameLoader.cpp in Blink, as used in Google Chrome before 52.0.2743.82, does not disable frame navigation during a detach operation on a DocumentLoader object, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. 2016-07-23 Not yet calculated CVE-2016-1711
CONFIRM
CONFIRM
CONFIRM
google — chrome The Service Workers subsystem in Google Chrome before 52.0.2743.82 does not properly implement the Secure Contexts specification during decisions about whether to control a subframe, which allows remote attackers to bypass the Same Origin Policy via an https IFRAME element inside an http IFRAME element. 2016-07-23 Not yet calculated CVE-2016-5132
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
google — chrome WebKit/Source/core/html/parser/HTMLPreloadScanner.cpp in Blink, as used in Google Chrome before 52.0.2743.82, does not consider referrer-policy information inside an HTML document during a preload request, which allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via a crafted web site, as demonstrated by a “Content-Security-Policy: referrer origin-when-cross-origin” header that overrides a “<META name=’referrer’ content=’no-referrer’>” element. 2016-07-23 Not yet calculated CVE-2016-5135
CONFIRM
CONFIRM
CONFIRM
google — chrome content/renderer/history_controller.cc in Google Chrome before 52.0.2743.82 does not properly restrict multiple uses of a JavaScript forward method, which allows remote attackers to spoof the URL display via a crafted web site. 2016-07-23 Not yet calculated CVE-2016-5130
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
google — chrome Use-after-free vulnerability in WebKit/Source/core/editing/VisibleUnits.cpp in Blink, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted JavaScript code involving an @import at-rule in a Cascading Style Sheets (CSS) token sequence in conjunction with a rel=import attribute of a LINK element. 2016-07-23 Not yet calculated CVE-2016-5127
CONFIRM
CONFIRM
CONFIRM
CONFIRM
google — chrome objects.cc in Google V8 before 5.2.361.27, as used in Google Chrome before 52.0.2743.82, does not prevent API interceptors from modifying a store target without setting a property, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. 2016-07-23 Not yet calculated CVE-2016-5128
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
google — chrome net/proxy/proxy_service.cc in the Proxy Auto-Config (PAC) feature in Google Chrome before 52.0.2743.82 does not ensure that URL information is restricted to a scheme, host, and port, which allows remote attackers to discover credentials by operating a server with a PAC script, a related issue to CVE-2016-3763. 2016-07-23 Not yet calculated CVE-2016-5134
CONFIRM
CONFIRM
CONFIRM
google — chrome Google Chrome before 52.0.2743.82 mishandles origin information during proxy authentication, which allows man-in-the-middle attackers to spoof a proxy-authentication login prompt or trigger incorrect credential storage by modifying the client-server data stream. 2016-07-23 Not yet calculated CVE-2016-5133
CONFIRM
CONFIRM
CONFIRM
google — chrome The PPAPI implementation in Google Chrome before 52.0.2743.82 does not validate the origin of IPC messages to the plugin broker process that should have come from the browser process, which allows remote attackers to bypass a sandbox protection mechanism via an unexpected message type, related to broker_process_dispatcher.cc, ppapi_plugin_process_host.cc, ppapi_thread.cc, and render_frame_message_filter.cc. 2016-07-23 Not yet calculated CVE-2016-1706
CONFIRM
CONFIRM
CONFIRM
google — chrome Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google Chrome before 52.0.2743.82, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the XPointer range-to function. 2016-07-23 Not yet calculated CVE-2016-5131
CONFIRM
CONFIRM
CONFIRM
CONFIRM
google — chrome The ChromeClientImpl::createWindow method in WebKit/Source/web/ChromeClientImpl.cpp in Blink, as used in Google Chrome before 52.0.2743.82, does not prevent window creation by a deferred frame, which allows remote attackers to bypass the Same Origin Policy via a crafted web site. 2016-07-23 Not yet calculated CVE-2016-1710
CONFIRM
CONFIRM
CONFIRM
google — chrome Google V8 before 5.2.361.32, as used in Google Chrome before 52.0.2743.82, does not properly process left-trimmed objects, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted JavaScript code. 2016-07-23 Not yet calculated CVE-2016-5129
CONFIRM
CONFIRM
CONFIRM
CONFIRM
CONFIRM
oracle — java_se Unspecified vulnerability in Oracle Java SE 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot. 2016-07-21 Not yet calculated CVE-2016-3587
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3574
CONFIRM
oracle — agile_plm Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote authenticated users to affect confidentiality and integrity via vectors related to PC Core. 2016-07-21 Not yet calculated CVE-2016-3553
CONFIRM
oracle — communications_eagle_application Unspecified vulnerability in the Oracle Communications EAGLE Application Processor component in Oracle Communications Applications 16.0 allows remote authenticated users to affect confidentiality and integrity via vectors related to APPL. 2016-07-21 Not yet calculated CVE-2016-5458
CONFIRM
oracle — database Unspecified vulnerability in the OJVM component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. 2016-07-21 Not yet calculated CVE-2016-3609
CONFIRM
oracle — one_to_one_fulfillment Unspecified vulnerability in the Oracle One-to-One Fulfillment component in Oracle E-Business Suite 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect confidentiality via vectors related to Content Manager. 2016-07-21 Not yet calculated CVE-2016-3547
CONFIRM
oracle — application_object_library Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect confidentiality via vectors related to Web based help screens. 2016-07-21 Not yet calculated CVE-2016-3545
CONFIRM
oracle — email_center Unspecified vulnerability in the Oracle Email Center component in Oracle E-Business Suite 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect integrity via vectors related to Email Center Agent Console, a different vulnerability than CVE-2016-3558. 2016-07-21 Not yet calculated CVE-2016-3559
CONFIRM
oracle — e_business_suite Unspecified vulnerability in the Oracle E-Business Suite Secure Enterprise Search component in Oracle E-Business Suite 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect confidentiality via vectors related to Search Integration Engine. 2016-07-21 Not yet calculated CVE-2016-3549
CONFIRM
oracle — marketing Unspecified vulnerability in the Oracle Marketing component in Oracle E-Business Suite 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect confidentiality via vectors related to Marketing activity collateral. 2016-07-21 Not yet calculated CVE-2016-3548
CONFIRM
oracle — advanced_collections Unspecified vulnerability in the Oracle Advanced Collections component in Oracle E-Business Suite 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect confidentiality and integrity via vectors related to Report JSPs. 2016-07-21 Not yet calculated CVE-2016-3546
CONFIRM
oracle — knowledge_management Unspecified vulnerability in the Oracle Knowledge Management component in Oracle E-Business Suite 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote administrators to affect confidentiality and integrity via unknown vectors. 2016-07-21 Not yet calculated CVE-2016-3542
CONFIRM
oracle — common_applications_calendar Unspecified vulnerability in the Oracle Common Applications Calendar component in Oracle E-Business Suite 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect confidentiality and integrity via vectors related to Notes. 2016-07-21 Not yet calculated CVE-2016-3541
CONFIRM
oracle — email_center Unspecified vulnerability in the Oracle Email Center component in Oracle E-Business Suite 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect integrity via vectors related to Email Center Agent Console, a different vulnerability than CVE-2016-3559. 2016-07-21 Not yet calculated CVE-2016-3558
CONFIRM
oracle — internet_expenses Unspecified vulnerability in the Oracle Internet Expenses component in Oracle E-Business Suite 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect availability via vectors related to Expenses Admin Utilities. 2016-07-21 Not yet calculated CVE-2016-3528
CONFIRM
oracle — common_applications_calendar Unspecified vulnerability in the Oracle Common Applications Calendar component in Oracle E-Business Suite 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, and 12.2.5 allows remote attackers to affect confidentiality and integrity via vectors related to Tasks. 2016-07-21 Not yet calculated CVE-2016-3543
CONFIRM
oracle — enterprise_manager_grid_control Unspecified vulnerability in the Enterprise Manager Ops Center component in Oracle Enterprise Manager Grid Control 12.1.4, 12.2.2, and 12.3.2; the Oracle Health Sciences Information Manager component in Oracle Health Sciences Applications 1.2.8.3, 2.0.2.3, and 3.0.1.0; the Oracle Healthcare Master Person Index component in Oracle Health Sciences Applications 2.0.12, 3.0.0, and 4.0.1; the Oracle Documaker component in Oracle Insurance Applications before 12.5; the Oracle Insurance Calculation Engine component in Oracle Insurance Applications 9.7.1, 10.1.2, and 10.2.2; the Oracle Insurance Policy Administration J2EE and Oracle Insurance Rules Palette components in Oracle Insurance Applications 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, and 10.2.2; the Oracle Retail Integration Bus component in Oracle Retail Applications 15.0; the Oracle Retail Order Broker component in Oracle Retail Applications 5.1, 5.2, and 15.0; the Primavera Contract Management component in Oracle Primavera Products Suite 14.2; and the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 8.2, 8.3, 8.4, 15.1, 15.2, and 16.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. 2016-07-21 Not yet calculated CVE-2016-0635
CONFIRM
oracle — enterprise_manager_grid_control Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control 12.1.0.5 and 13.1.0.0 allows remote attackers to affect confidentiality via vectors related to UI Framework. 2016-07-21 Not yet calculated CVE-2016-3540
CONFIRM
oracle — enterprise_manager_grid_control Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control 12.1.0.5 allows local users to affect confidentiality and integrity via vectors related to Security Framework. 2016-07-21 Not yet calculated CVE-2016-3563
CONFIRM
oracle — financial_services Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Applications 12.0.1, 12.0.2, and 12.0.3 allows remote attackers to affect confidentiality and integrity via unknown vectors. 2016-07-21 Not yet calculated CVE-2016-3589
CONFIRM
oracle — toplink Unspecified vulnerability in the Oracle TopLink component in Oracle Fusion Middleware 12.1.3.0, 12.2.1.0, and 12.2.1.1 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JPA-RS. 2016-07-21 Not yet calculated CVE-2016-3564
CONFIRM
oracle — glassfish Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 3.0.1 and 3.1.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Web Container. 2016-07-21 Not yet calculated CVE-2016-3607
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3591
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3590
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3592
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, and CVE-2016-3595. 2016-07-21 Not yet calculated CVE-2016-3596
CONFIRM
oracle — weblogic Unspecified vulnerability in the Oracle WebLogic Server component in Oracle Fusion Middleware 10.3.6.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to WLS Core Components, a different vulnerability than CVE-2016-3510. 2016-07-21 Not yet calculated CVE-2016-3586
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3595, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3594
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3595
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3580
CONFIRM
oracle — glassfish Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 3.0.1 allows remote attackers to affect confidentiality via vectors related to Administration. 2016-07-21 Not yet calculated CVE-2016-3608
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3578
CONFIRM
oracle — business_intelligence_enterprise_edition Unspecified vulnerability in the Oracle Business Intelligence Enterprise Edition component in Oracle Fusion Middleware 11.1.1.7.0, 11.1.1.9.0, and 11.2.1.0.0 allows remote authenticated users to affect confidentiality and integrity via vectors related to Analytics Web General. 2016-07-21 Not yet calculated CVE-2016-3544
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3576
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3582
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3575
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3577
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3583
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3581
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3579, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3593
CONFIRM
oracle — outside_in_technology Unspecified vulnerability in the Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Outside In Filters, a different vulnerability than CVE-2016-3574, CVE-2016-3575, CVE-2016-3576, CVE-2016-3577, CVE-2016-3578, CVE-2016-3580, CVE-2016-3581, CVE-2016-3582, CVE-2016-3583, CVE-2016-3590, CVE-2016-3591, CVE-2016-3592, CVE-2016-3593, CVE-2016-3594, CVE-2016-3595, and CVE-2016-3596. 2016-07-21 Not yet calculated CVE-2016-3579
CONFIRM
oracle — java Unspecified vulnerability in Oracle Java SE 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Libraries, a different vulnerability than CVE-2016-3598. 2016-07-21 Not yet calculated CVE-2016-3610
CONFIRM
oracle — java Unspecified vulnerability in Oracle Java SE 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Libraries, a different vulnerability than CVE-2016-3610. 2016-07-21 Not yet calculated CVE-2016-3598
CONFIRM
oracle — java Unspecified vulnerability in Oracle Java SE 8u92 allows local users to affect confidentiality, integrity, and availability via vectors related to Install. 2016-07-21 Not yet calculated CVE-2016-3552
CONFIRM
oracle — java Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 allows remote attackers to affect availability via vectors related to JavaFX. 2016-07-21 Not yet calculated CVE-2016-3498
CONFIRM
oracle — java Unspecified vulnerability in Oracle Java SE 6u115, 7u101, and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality via vectors related to Hotspot. 2016-07-21 Not yet calculated CVE-2016-3550
CONFIRM
oracle — java Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 and Java SE Embedded 8u91 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Hotspot. 2016-07-21 Not yet calculated CVE-2016-3606
CONFIRM
oracle — java Unspecified vulnerability in Oracle Java SE 7u101 and 8u92 allows local users to affect confidentiality, integrity, and availability via vectors related to Deployment. 2016-07-21 Not yet calculated CVE-2016-3511
CONFIRM
oracle — peoplesoft_enterprise_peopletools Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.54 and 8.55 allows remote attackers to affect confidentiality via vectors related to Application Designer. 2016-07-21 Not yet calculated CVE-2016-5470
CONFIRM
oracle — primavera_p6_enterprise_project_portfolio_man Unspecified vulnerability in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 8.3, 8.4, 15.1, 15.2, and 16.1 allows remote attackers to affect confidentiality and integrity via vectors related to Web access, a different vulnerability than CVE-2016-3566, CVE-2016-3568, CVE-2016-3569, CVE-2016-3570, and CVE-2016-3573. 2016-07-21 Not yet calculated CVE-2016-3571
CONFIRM
oracle — primavera_products_suite Unspecified vulnerability in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 8.3, 8.4, 15.1, 15.2, and 16.1 allows remote authenticated users to affect confidentiality and integrity via vectors related to Web access. 2016-07-21 Not yet calculated CVE-2016-3567
CONFIRM
oracle — primavera_products_suite Unspecified vulnerability in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 8.3, 8.4, 15.1, 15.2, and 16.1 allows remote attackers to affect confidentiality and integrity via vectors related to Web access, a different vulnerability than CVE-2016-3568, CVE-2016-3569, CVE-2016-3570, CVE-2016-3571, and CVE-2016-3573. 2016-07-21 Not yet calculated CVE-2016-3566
CONFIRM
oracle — primavera_products_suite Unspecified vulnerability in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 8.3, 8.4, 15.1, 15.2, and 16.1 allows remote attackers to affect confidentiality and integrity via vectors related to Web access, a different vulnerability than CVE-2016-3566, CVE-2016-3568, CVE-2016-3569, CVE-2016-3570, and CVE-2016-3571. 2016-07-21 Not yet calculated CVE-2016-3573
CONFIRM
oracle — primavera_products_suite Unspecified vulnerability in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 8.3, 8.4, 15.1, 15.2, and 16.1 allows remote attackers to affect confidentiality and integrity via vectors related to Web access, a different vulnerability than CVE-2016-3566, CVE-2016-3568, CVE-2016-3570, CVE-2016-3571, and CVE-2016-3573. 2016-07-21 Not yet calculated CVE-2016-3569
CONFIRM
oracle — primavera_products_suite Unspecified vulnerability in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 8.3, 8.4, 15.1, 15.2, and 16.1 allows remote authenticated users to affect confidentiality and integrity via vectors related to Web Access. 2016-07-21 Not yet calculated CVE-2016-3572
CONFIRM
oracle — primavera_products_suite Unspecified vulnerability in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 8.3, 8.4, 15.1, 15.2, and 16.1 allows remote attackers to affect confidentiality and integrity via vectors related to Web access, a different vulnerability than CVE-2016-3566, CVE-2016-3568, CVE-2016-3569, CVE-2016-3571, and CVE-2016-3573. 2016-07-21 Not yet calculated CVE-2016-3570
CONFIRM
oracle — primavera_products_suite Unspecified vulnerability in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 8.3, 8.4, 15.1, 15.2, and 16.1 allows remote attackers to affect confidentiality and integrity via vectors related to Web access, a different vulnerability than CVE-2016-3566, CVE-2016-3569, CVE-2016-3570, CVE-2016-3571, and CVE-2016-3573. 2016-07-21 Not yet calculated CVE-2016-3568
CONFIRM
oracle — retail_applications Unspecified vulnerability in the Oracle Retail Order Broker component in Oracle Retail Applications 5.1 and 5.2 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to System Administration. 2016-07-21 Not yet calculated CVE-2016-3565
CONFIRM
oracle — retail_applications Unspecified vulnerability in the Oracle Retail Service Backbone component in Oracle Retail Applications 14.0, 14.1, and 15.0 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to Install. 2016-07-21 Not yet calculated CVE-2016-5475
CONFIRM
oracle — retail_applications Unspecified vulnerability in the Oracle Retail Order Broker component in Oracle Retail Applications 15.0 allows remote attackers to affect confidentiality and integrity via vectors related to System Administration. 2016-07-21 Not yet calculated CVE-2016-3611
CONFIRM
oracle — retail_applications Unspecified vulnerability in the Oracle Retail Service Backbone component in Oracle Retail Applications 14.0, 14.1, and 15.0 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to RSB Kernel. 2016-07-21 Not yet calculated CVE-2016-5474
CONFIRM
oracle — siebel_crm Unspecified vulnerability in the Siebel Core - Common Components component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote attackers to affect integrity via vectors related to iHelp. 2016-07-21 Not yet calculated CVE-2016-5459
CONFIRM
oracle — siebel_crm Unspecified vulnerability in the Siebel Core - Server Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote attackers to affect confidentiality via vectors related to Services, a different vulnerability than CVE-2016-3450 and CVE-2016-5466. 2016-07-21 Not yet calculated CVE-2016-5460
CONFIRM
oracle — siebel_crm Unspecified vulnerability in the Siebel Core - Server Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote authenticated users to affect confidentiality via vectors related to Services. 2016-07-21 Not yet calculated CVE-2016-5456
CONFIRM
oracle — siebel_crm Unspecified vulnerability in the Siebel UI Framework component in Oracle Siebel CRM 8.1.1, 8.2.2, IP2014, IP2015, and IP2016 allows remote authenticated users to affect confidentiality and integrity via vectors related to EAI, a different vulnerability than CVE-2016-5451. 2016-07-21 Not yet calculated CVE-2016-5468
CONFIRM
oracle — sun_solaris Unspecified vulnerability in Oracle Sun Solaris 11.3 allows local users to affect availability via vectors related to Kernel, a different vulnerability than CVE-2016-5469 and CVE-2016-5471. 2016-07-21 Not yet calculated CVE-2016-3497
CONFIRM
oracle — integrated_lights_out_manager_firmware Unspecified vulnerability in the ILOM component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3.2 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to LUMAIN. 2016-07-21 Not yet calculated CVE-2016-5457
CONFIRM
oracle — agile_plm Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality and integrity via vectors related to File Load. 2016-07-21 Not yet calculated CVE-2016-3557
CONFIRM
oracle — demand_planning Unspecified vulnerability in the Oracle Demand Planning component in Oracle Supply Chain Products Suite 12.1 and 12.2 allows remote attackers to affect confidentiality and integrity via vectors related to ODPDA Servlet. 2016-07-21 Not yet calculated CVE-2016-3527
CONFIRM
oracle — agile_plm Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to EM Integration. 2016-07-21 Not yet calculated CVE-2016-3556
CONFIRM
oracle — agile_plm Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to SDK. 2016-07-21 Not yet calculated CVE-2016-3561
CONFIRM
oracle — agile_plm Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality via vectors related to SDK, a different vulnerability than CVE-2016-3526 and CVE-2016-3529. 2016-07-21 Not yet calculated CVE-2016-3560
CONFIRM
oracle — agile_plm Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote authenticated users to affect confidentiality via vectors related to File Folders / Attachment, a different vulnerability than CVE-2016-3537. 2016-07-21 Not yet calculated CVE-2016-5473
CONFIRM
oracle — agile_plm Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote authenticated users to affect confidentiality, integrity, and availability via vectors related to PC / BOM, MCAD, and Design. 2016-07-21 Not yet calculated CVE-2016-3554
CONFIRM
oracle — agile_plm Unspecified vulnerability in the Oracle Agile PLM component in Oracle Supply Chain Products Suite 9.3.4 and 9.3.5 allows remote attackers to affect confidentiality and integrity via vectors related to PGC / Excel Plugin. 2016-07-21 Not yet calculated CVE-2016-3555
CONFIRM
oracle — virtualization Unspecified vulnerability in the Oracle Secure Global Desktop component in Oracle Virtualization 4.63, 4.71, and 5.2 allows remote attackers to affect confidentiality, integrity, and availability via vectors related to OpenSSL. 2016-07-21 Not yet calculated CVE-2016-3613
CONFIRM
siemens — simatic_wincc Siemens SIMATIC WinCC before 7.3 Update 10 and 7.4 before Update 1, SIMATIC BATCH before 8.1 SP1 Update 9 as distributed in SIMATIC PCS 7 through 8.1 SP1, SIMATIC OpenPCS 7 before 8.1 Update 3 as distributed in SIMATIC PCS 7 through 8.1 SP1, SIMATIC OpenPCS 7 before 8.2 Update 1 as distributed in SIMATIC PCS 7 8.2, and SIMATIC WinCC Runtime Professional before 13 SP1 Update 9 allow remote attackers to execute arbitrary code via crafted packets. 2016-07-22 Not yet calculated CVE-2016-5743
CONFIRM
siemens — simatic_wincc Siemens SIMATIC WinCC 7.0 through SP3 and 7.2 allows remote attackers to read arbitrary WinCC station files via crafted packets. 2016-07-22 Not yet calculated CVE-2016-5744
CONFIRM
siemens — simatic_net_pc Siemens SIMATIC NET PC-Software before 13 SP2 allows remote attackers to cause a denial of service (OPC UA service outage) via crafted TCP packets. 2016-07-22 Not yet calculated CVE-2016-5874
CONFIRM
siemens — sinema_remote_connect_server Cross-site scripting (XSS) vulnerability in the integrated web server in Siemens SINEMA Remote Connect Server before 1.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. 2016-07-22 Not yet calculated CVE-2016-6204
CONFIRM



This product is provided subject to this Notification and this Privacy & Use policy.

Google Releases Security Update for Chrome

Original release date: July 21, 2016

Google has released Chrome version 52.0.2743.82 to address multiple vulnerabilities for Windows, Mac, and Linux. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review the Chrome Releases page and apply the necessary update.


Cisco Releases Security Update

Original release date: July 20, 2016

Cisco has released a security update to address a vulnerability in its Unified Computing System (UCS) Performance Manager. Exploitation of this vulnerability could allow an authenticated remote attacker to take control of an affected system.

Users and administrators are encouraged to review the following Cisco Security Advisory and apply the necessary update:


Oracle Releases Security Bulletin

Original release date: July 19, 2016

Oracle has released its Critical Patch Update for July 2016 to address 276 vulnerabilities across multiple products. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review the Oracle July 2016 Critical Patch Update and apply the necessary updates.
