CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities Published In April 2017

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date
Score
Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
1301 CVE-2016-4893 89 Exec Code Sql 2017-04-12 2017-05-23
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in the SetsucoCMS all versions allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.
1302 CVE-2016-4892 79 XSS 2017-04-12 2017-05-23
4.3
None Remote Medium Not required None Partial None
Cross-site scripting vulnerability in SetsucoCMS all versions allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
1303 CVE-2016-4891 352 CSRF 2017-04-12 2017-05-23
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in SetsucoCMS all versions allows remote attackers to hijack the authentication of an administrator to change settings via unspecified vectors.
1304 CVE-2016-4890 254 +Info 2017-04-14 2017-05-13
5.0
None Remote Low Not required Partial None None
ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie.
1305 CVE-2016-4889 264 2017-04-14 2017-05-13
6.5
None Remote Low ??? Partial Partial Partial
ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions.
1306 CVE-2016-4888 79 XSS 2017-04-14 2017-05-13
3.5
None Remote Medium ??? None Partial None
Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
1307 CVE-2016-4875 79 XSS 2017-04-14 2017-04-21
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the IVYWE (1) Assist plugin before 1.1.2.test20160906, (2) dataBox plugin before 0.0.0.20160906, and (3) userBox plugin before 0.0.0.20160906 for Geeklog allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
1308 CVE-2016-4874 284 2017-04-17 2017-04-20
3.5
None Remote Medium ??? None Partial None
Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to conduct a "reflected file download" attack.
1309 CVE-2016-4873 275 2017-04-17 2017-05-23
4.0
None Remote Low ??? None Partial None
Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to execute unintended operations via the Project function.
1310 CVE-2016-4872 200 Bypass +Info 2017-04-17 2017-05-23
4.0
None Remote Low ??? Partial None None
Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to bypass access restrictions to view the names of unauthorized projects via a breadcrumb trail.
1311 CVE-2016-4871 399 DoS 2017-04-17 2017-04-20
6.8
None Remote Low ??? None None Complete
Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to cause a denial of service.
1312 CVE-2016-4870 79 XSS 2017-04-17 2017-05-23
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the Schedule function.
1313 CVE-2016-4869 200 +Info 2017-04-17 2017-05-23
4.3
None Remote Medium Not required Partial None None
Cybozu Office 9.0.0 to 10.4.0 allows remote attackers to obtain session information via a page where CGI environment variables are displayed.
1314 CVE-2016-4868 20 2017-04-17 2017-05-23
4.3
None Remote Medium Not required None Partial None
Email header injection vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows remote attackers to inject arbitrary email headers to send unintended emails via specially crafted requests.
1315 CVE-2016-4867 200 Bypass +Info 2017-04-17 2017-05-23
4.0
None Remote Low ??? Partial None None
Cybozu Office 9.0.0 to 10.4.0 allows remote authenticated attackers to bypass access restriction to view unauthorized project information via the Project function.
1316 CVE-2016-4866 79 XSS 2017-04-17 2017-05-23
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows attackers with administrator rights to inject arbitrary web script or HTML via the Project function.
1317 CVE-2016-4865 79 XSS 2017-04-17 2017-05-23
3.5
None Remote Medium ??? None Partial None
Cross-site scripting vulnerability in Cybozu Office 9.0.0 to 10.4.0 allows attackers with administrator rights to inject arbitrary web script or HTML via the Customapp function.
1318 CVE-2016-4862 20 Exec Code 2017-04-20 2017-04-26
6.5
None Remote Low ??? Partial Partial Partial
Twigmo bundled with CS-Cart 4.3.9 and earlier and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier allow remote authenticated users to execute arbitrary PHP code on the servers.
1319 CVE-2016-4850 284 Exec Code 2017-04-20 2017-04-26
6.8
None Remote Medium Not required Partial Partial Partial
LINE for Windows before 4.8.3 allows man-in-the-middle attackers to execute arbitrary code.
1320 CVE-2016-4849 79 XSS 2017-04-20 2017-04-25
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Geeklog IVYWE edition 2.1.1 allow remote attackers to inject arbitrary web script or HTML by leveraging use of the COM_getCurrentURL function in (1) public_html/layout/default/header.thtml, (2) public_html/layout/bento/header.thtml, (3) public_html/layout/fotos/header.thtml, or (4) public_html/layout/default/article/article.thtml.
1321 CVE-2016-4847 79 XSS 2017-04-20 2017-04-25
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in site/search.php in OSSEC Web UI before 0.9 allows remote attackers to inject arbitrary web script or HTML by leveraging an unanchored regex.
1322 CVE-2016-4846 426 2017-04-21 2017-04-26
9.3
None Remote Medium Not required Complete Complete Complete
Untrusted search path vulnerability in the installer of PhishWall Client Internet Explorer before 3.7.8.2.
1323 CVE-2016-4844 200 +Info 2017-04-20 2017-04-25
4.3
None Remote Medium Not required None Partial None
Cybozu Mailwise before 5.4.0 allows remote attackers to conduct clickjacking attacks.
1324 CVE-2016-4843 200 +Info 2017-04-20 2017-04-24
4.3
None Remote Medium Not required Partial None None
Cybozu Mailwise before 5.4.0 allows remote attackers to obtain sensitive cookie information.
1325 CVE-2016-4842 200 +Info 2017-04-20 2017-04-25
4.3
None Remote Medium Not required Partial None None
Cybozu Mailwise before 5.4.0 allows remote attackers to obtain information on when an email is read.
1326 CVE-2016-4841 20 2017-04-21 2017-04-27
4.3
None Remote Medium Not required None Partial None
Cybozu Mailwise before 5.4.0 allows remote attackers to inject arbitrary email headers.
1327 CVE-2016-4840 295 2017-04-21 2021-09-09
4.3
None Remote Medium Not required Partial None None
Coordinate Plus App for Android 1.0.2 and earlier and Coordinate Plus App for iOS 1.0.2 and earlier do not verify SSL certificates.
1328 CVE-2016-4832 295 2017-04-21 2017-04-27
4.3
None Remote Medium Not required Partial None None
WAON "Service Application" for Android 1.4.1 and earlier does not verify SSL certificates.
1329 CVE-2016-4830 295 2017-04-21 2021-04-01
4.3
None Remote Medium Not required Partial None None
Sushiro App for iOS 2.1.16 and earlier and Sushiro App for Android 2.1.16.1 and earlier do not verify SSL certificates.
1330 CVE-2016-4829 295 2017-04-21 2017-04-26
4.3
None Remote Medium Not required None Partial None
DMM Movie Player App for Android before 1.2.1 and DMM Movie Player App for iPhone/iPad before 2.1.3 do not verify SSL certificates.
1331 CVE-2016-4818 295 2017-04-20 2017-04-26
4.3
None Remote Medium Not required Partial None None
DMMFX Trade for Android 1.5.0 and earlier, DMMFX DEMO Trade for Android 1.5.0 and earlier, and GAITAMEJAPAN FX Trade for Android 1.4.0 and earlier do not verify SSL certificates.
1332 CVE-2016-4800 284 Bypass 2017-04-13 2020-10-20
7.5
None Remote Low Not required Partial Partial Partial
The path normalization mechanism in PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.
1333 CVE-2016-4650 119 DoS Exec Code Overflow Mem. Corr. 2017-04-20 2019-03-25
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in IOHIDFamily in Apple iOS before 9.3.2, OS X before 10.11.5, and tvOS before 9.2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.
1334 CVE-2016-4483 502 DoS 2017-04-11 2021-06-29
5.0
None Remote Low Not required None None Partial
The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627.
1335 CVE-2016-4468 89 Exec Code Sql 2017-04-11 2021-08-06
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
1336 CVE-2016-4459 119 Overflow 2017-04-12 2019-04-22
7.8
None Remote Low Not required None None Complete
Stack-based buffer overflow in native/mod_manager/node.c in mod_cluster 1.2.9.
1337 CVE-2016-4455 264 +Info 2017-04-14 2020-09-02
2.1
None Local Low Not required Partial None None
The Subscription Manager package (aka subscription-manager) before 1.17.7-1 for Candlepin uses weak permissions (755) for subscription-manager cache directories, which allows local users to obtain sensitive information by reading files in the directories.
1338 CVE-2016-4446 77 Exec Code 2017-04-11 2017-04-17
6.9
None Local Medium Not required Complete Complete Complete
The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function.
1339 CVE-2016-4445 77 Exec Code 2017-04-11 2017-04-17
6.9
None Local Medium Not required Complete Complete Complete
The fix_lookup_id function in sealert in setroubleshoot before 3.2.23 allows local users to execute arbitrary commands as root by triggering an SELinux denial with a crafted file name, related to executing external commands with the commands.getstatusoutput function.
1340 CVE-2016-4444 77 Exec Code 2017-04-11 2017-04-17
6.9
None Local Medium Not required Complete Complete Complete
The allow_execmod plugin for setroubleshoot before 3.2.23 allows local users to execute arbitrary commands by triggering an execmod SELinux denial with a crafted binary filename, related to the commands.getstatusoutput function.
1341 CVE-2016-4337 89 Exec Code Sql 2017-04-12 2017-04-19
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the mgr.login.php file in Ktools.net Photostore before 4.7.5 allows remote attackers to execute arbitrary SQL commands via the email parameter in a recover_login action.
1342 CVE-2016-4334 601 2017-04-10 2021-04-20
5.8
None Remote Medium Not required Partial Partial None
Jive before 2016.3.1 has an open redirect from the external-link.jspa page.
1343 CVE-2016-4320 22 Dir. Trav. 2017-04-10 2018-10-12
4.0
None Remote Low ??? Partial None None
Atlassian Bitbucket Server before 4.7.1 allows remote attackers to read the first line of an arbitrary file via a directory traversal attack on the pull requests resource.
1344 CVE-2016-4319 352 CSRF 2017-04-10 2018-02-16
6.8
None Remote Medium Not required Partial Partial Partial
Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings.
1345 CVE-2016-4318 79 XSS 2017-04-10 2018-02-16
3.5
None Remote Medium ??? None Partial None
Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name.
1346 CVE-2016-4317 79 XSS 2017-04-10 2018-02-16
3.5
None Remote Medium ??? None Partial None
Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page.
1347 CVE-2016-4313 22 Dir. Trav. 2017-04-24 2018-10-09
6.8
None Remote Medium Not required Partial Partial Partial
Directory traversal vulnerability in unzip/extract feature in eXtplorer 2.1.9 allows remote attackers to execute arbitrary files via a .. (dot dot) in an archive file.
1348 CVE-2016-4293 119 Exec Code Overflow 2017-04-20 2017-04-27
6.8
None Remote Medium Not required Partial Partial Partial
Multiple heap-based buffer overflows in the (1) CBookBase::SetDefTableStyle and (2) CBookBase::SetDefPivotStyle functions in Hancom Office 2014 VP allow remote attackers to execute arbitrary code via a crafted Hangul Hcell Document (.cell) file.
1349 CVE-2016-4075 601 2017-04-21 2022-04-06
5.8
None Remote Medium Not required Partial Partial None
Opera Mini 13 and Opera Stable 36 allow remote attackers to spoof the displayed URL via a crafted HTML document, related to the about:blank URL.
1350 CVE-2016-4068 79 XSS 2017-04-13 2018-10-30
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.
Total number of vulnerabilities: 1574 (page 27 of 32)