# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.

Each entry below lists these fifteen fields on one line, in this order, followed by the vulnerability description on the next line. Score, Access, Complexity, Authentication and the Conf./Integ./Avail. impacts are CVSS v2 base metrics. An empty field is empty in the source, and the "???" shown in the Authentication field of some entries is reproduced from the source as-is.
1301 | CVE-2016-4893 | 89 | | Exec Code Sql | 2017-04-12 | 2017-05-23 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
SQL injection vulnerability in SetsucoCMS (all versions) allows remote authenticated attackers to execute arbitrary SQL commands via unspecified vectors.

1302 | CVE-2016-4892 | 79 | | XSS | 2017-04-12 | 2017-05-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting vulnerability in SetsucoCMS (all versions) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

1303 | CVE-2016-4891 | 352 | | CSRF | 2017-04-12 | 2017-05-23 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Cross-site request forgery (CSRF) vulnerability in SetsucoCMS (all versions) allows remote attackers to hijack the authentication of an administrator to change settings via unspecified vectors.

1304 | CVE-2016-4890 | 254 | | +Info | 2017-04-14 | 2017-05-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None
ZOHO ManageEngine ServiceDesk Plus before 9.2 uses an insecure method for generating cookies, which makes it easier for attackers to obtain sensitive password information by leveraging access to a cookie.

1305 | CVE-2016-4889 | 264 | | | 2017-04-14 | 2017-05-13 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
ZOHO ManageEngine ServiceDesk Plus before 9.0 allows remote authenticated guest users to have unspecified impact by leveraging failure to restrict access to unknown functions.

1306 | CVE-2016-4888 | 79 | | XSS | 2017-04-14 | 2017-05-13 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ServiceDesk Plus before 9.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

1307 | CVE-2016-4875 | 79 | | XSS | 2017-04-14 | 2017-04-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in the IVYWE (1) Assist plugin before 1.1.2.test20160906, (2) dataBox plugin before 0.0.0.20160906, and (3) userBox plugin before 0.0.0.20160906 for Geeklog allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

1308 | CVE-2016-4874 | 284 | | | 2017-04-17 | 2017-04-20 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to conduct a "reflected file download" attack.

1309 | CVE-2016-4873 | 275 | | | 2017-04-17 | 2017-05-23 | 4.0 | None | Remote | Low | ??? | None | Partial | None
Cybozu Office 9.0.0 through 10.4.0 allows remote authenticated attackers to execute unintended operations via the Project function.

1310 | CVE-2016-4872 | 200 | | Bypass +Info | 2017-04-17 | 2017-05-23 | 4.0 | None | Remote | Low | ??? | Partial | None | None
Cybozu Office 9.0.0 through 10.4.0 allows remote authenticated attackers to bypass access restrictions and view the names of unauthorized projects via a breadcrumb trail.

1311 | CVE-2016-4871 | 399 | | DoS | 2017-04-17 | 2017-04-20 | 6.8 | None | Remote | Low | ??? | None | None | Complete
Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to cause a denial of service.

1312 | CVE-2016-4870 | 79 | | XSS | 2017-04-17 | 2017-05-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-site scripting vulnerability in Cybozu Office 9.0.0 through 10.4.0 allows remote authenticated attackers to inject arbitrary web script or HTML via the Schedule function.

1313 | CVE-2016-4869 | 200 | | +Info | 2017-04-17 | 2017-05-23 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to obtain session information via a page where CGI environment variables are displayed.

1314 | CVE-2016-4868 | 20 | | | 2017-04-17 | 2017-05-23 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Email header injection vulnerability in Cybozu Office 9.0.0 through 10.4.0 allows remote attackers to inject arbitrary email headers, and thereby send unintended emails, via specially crafted requests.

1315 | CVE-2016-4867 | 200 | | Bypass +Info | 2017-04-17 | 2017-05-23 | 4.0 | None | Remote | Low | ??? | Partial | None | None
Cybozu Office 9.0.0 through 10.4.0 allows remote authenticated attackers to bypass access restrictions and view unauthorized project information via the Project function.

1316 | CVE-2016-4866 | 79 | | XSS | 2017-04-17 | 2017-05-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-site scripting vulnerability in Cybozu Office 9.0.0 through 10.4.0 allows attackers with administrator rights to inject arbitrary web script or HTML via the Project function.

1317 | CVE-2016-4865 | 79 | | XSS | 2017-04-17 | 2017-05-23 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Cross-site scripting vulnerability in Cybozu Office 9.0.0 through 10.4.0 allows attackers with administrator rights to inject arbitrary web script or HTML via the Customapp function.

1318 | CVE-2016-4862 | 20 | | Exec Code | 2017-04-20 | 2017-04-26 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
Twigmo bundled with CS-Cart 4.3.9 and earlier, and Twigmo bundled with CS-Cart Multi-Vendor 4.3.9 and earlier, allow remote authenticated users to execute arbitrary PHP code on the server.

1319 | CVE-2016-4850 | 284 | | Exec Code | 2017-04-20 | 2017-04-26 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
LINE for Windows before 4.8.3 allows man-in-the-middle attackers to execute arbitrary code.

1320 | CVE-2016-4849 | 79 | | XSS | 2017-04-20 | 2017-04-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Multiple cross-site scripting (XSS) vulnerabilities in Geeklog IVYWE edition 2.1.1 allow remote attackers to inject arbitrary web script or HTML by leveraging use of the COM_getCurrentURL function in (1) public_html/layout/default/header.thtml, (2) public_html/layout/bento/header.thtml, (3) public_html/layout/fotos/header.thtml, or (4) public_html/layout/default/article/article.thtml.

1321 | CVE-2016-4847 | 79 | | XSS | 2017-04-20 | 2017-04-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in site/search.php in OSSEC Web UI before 0.9 allows remote attackers to inject arbitrary web script or HTML by leveraging an unanchored regex.
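CVE-2016-4847 is a reminder that a regex used to validate input must be anchored at both ends, or it only proves that the pattern occurs somewhere in the string. The following is an added illustration written for this page, not OSSEC Web UI's site/search.php: the parameter, the three validators, the template fragment and the payload are all constructed.

```python
import html
import re

# Three ways to "validate" a numeric page-size parameter. Only the last one
# actually constrains the whole value. (Constructed for this page.)
UNANCHORED = re.compile(r"[0-9]+")        # matches if digits appear *anywhere*
NAIVE_ANCHORED = re.compile(r"^[0-9]+$")  # '$' still accepts one trailing newline
STRICT = re.compile(r"\A[0-9]+\Z")        # must match the entire string


def valid_unanchored(value: str) -> bool:
    return UNANCHORED.search(value) is not None


def valid_naive(value: str) -> bool:
    return NAIVE_ANCHORED.search(value) is not None


def valid_strict(value: str) -> bool:
    return STRICT.search(value) is not None


def render_page_size(value: str, validator) -> str:
    """Reflects the parameter into an HTML attribute after the given validator
    has approved it. This is the vulnerable shape: the validator is trusted, so
    the value is echoed raw. Returns the fragment, or an error fragment."""
    if not validator(value):
        return "<p>invalid page size</p>"
    return f'<input name="page_size" value="{value}">'


def render_page_size_escaped(value: str) -> str:
    """Defence in depth: strict validation *and* output escaping."""
    if not valid_strict(value):
        return "<p>invalid page size</p>"
    return f'<input name="page_size" value="{html.escape(value, quote=True)}">'


# Constructed payload: leading digits satisfy the unanchored check, the rest
# closes the attribute and injects script.
PAYLOAD = '10"><script>alert(1)</script>'
```

`valid_unanchored(PAYLOAD)` is true, so `render_page_size(PAYLOAD, valid_unanchored)` reflects the script tag; the strict validator rejects it. The `^...$` variant is a second trap worth knowing: in Python and in PCRE (PHP's `preg_match`), `$` also matches just before a final newline, so `"10\n"` passes it; `\Z` in Python, or PCRE's `D` modifier, closes that gap.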
1322 | CVE-2016-4846 | 426 | | | 2017-04-21 | 2017-04-26 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
Untrusted search path vulnerability in the installer of PhishWall Client Internet Explorer before 3.7.8.2.

1323 | CVE-2016-4844 | 200 | | +Info | 2017-04-20 | 2017-04-25 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cybozu Mailwise before 5.4.0 allows remote attackers to conduct clickjacking attacks.

1324 | CVE-2016-4843 | 200 | | +Info | 2017-04-20 | 2017-04-24 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
Cybozu Mailwise before 5.4.0 allows remote attackers to obtain sensitive cookie information.

1325 | CVE-2016-4842 | 200 | | +Info | 2017-04-20 | 2017-04-25 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
Cybozu Mailwise before 5.4.0 allows remote attackers to obtain information on when an email is read.

1326 | CVE-2016-4841 | 20 | | | 2017-04-21 | 2017-04-27 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cybozu Mailwise before 5.4.0 allows remote attackers to inject arbitrary email headers.
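CVE-2016-4868 (Cybozu Office) and CVE-2016-4841 (Cybozu Mailwise) are both email header injection: a user-controlled field that is copied into a header without checking for line breaks lets the sender terminate that header and start new ones, typically `Bcc:`. The following added example, written for this page and not taken from either product, models a form handler that assembles headers, shows how a receiving MTA would parse the result, and adds the check that closes the hole. The field names, addresses and payload are constructed.

```python
import re

CRLF = re.compile(r"[\r\n]")
LINE_BREAK = re.compile(r"\r\n|\r|\n")   # MTAs commonly accept bare LF or CR as well


def build_headers_unsafe(fields: dict) -> str:
    """Vulnerable shape: values are concatenated unchecked, so a CR/LF inside a
    value ends the header and whatever follows becomes a new header."""
    return "".join(f"{name}: {value}\r\n" for name, value in fields.items())


def build_headers(fields: dict) -> str:
    """Hardened: refuse any header name or value that contains CR or LF."""
    for name, value in fields.items():
        if CRLF.search(name) or CRLF.search(value):
            raise ValueError(f"line break in header {name!r}")
    return "".join(f"{name}: {value}\r\n" for name, value in fields.items())


def parse_headers(raw: str) -> list:
    """Splits a header block the way a receiving MTA would. Folded continuation
    lines (leading whitespace) are appended to the previous header."""
    headers = []
    for line in LINE_BREAK.split(raw):
        if not line:
            continue
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def injected_recipients(fields: dict) -> list:
    """Bcc/Cc addresses an MTA would act on if the unsafe builder were used."""
    return [v for n, v in parse_headers(build_headers_unsafe(fields)) if n in ("bcc", "cc")]


def accepted_by_hardened(fields: dict) -> bool:
    try:
        build_headers(fields)
        return True
    except ValueError:
        return False


# Constructed form submission: the Subject field smuggles in a Bcc header.
FORM = {
    "From": "noreply@example.com",
    "To": "user@example.com",
    "Subject": "Password reset\r\nBcc: attacker@example.org",
}
```

With `FORM`, the unsafe builder yields four headers (`from`, `to`, `subject`, `bcc`) and `injected_recipients` returns the attacker's address; `build_headers` raises instead. The check is on raw CR and LF after URL decoding, since `%0d%0a` in a request arrives as those bytes by the time the handler sees it.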
1327 | CVE-2016-4840 | 295 | | | 2017-04-21 | 2021-09-09 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
Coordinate Plus App for Android 1.0.2 and earlier and Coordinate Plus App for iOS 1.0.2 and earlier do not verify SSL certificates.

1328 | CVE-2016-4832 | 295 | | | 2017-04-21 | 2017-04-27 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
WAON "Service Application" for Android 1.4.1 and earlier does not verify SSL certificates.

1329 | CVE-2016-4830 | 295 | | | 2017-04-21 | 2021-04-01 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
Sushiro App for iOS 2.1.16 and earlier and Sushiro App for Android 2.1.16.1 and earlier do not verify SSL certificates.

1330 | CVE-2016-4829 | 295 | | | 2017-04-21 | 2017-04-26 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
DMM Movie Player App for Android before 1.2.1 and DMM Movie Player App for iPhone/iPad before 2.1.3 do not verify SSL certificates.

1331 | CVE-2016-4818 | 295 | | | 2017-04-20 | 2017-04-26 | 4.3 | None | Remote | Medium | Not required | Partial | None | None
DMMFX Trade for Android 1.5.0 and earlier, DMMFX DEMO Trade for Android 1.5.0 and earlier, and GAITAMEJAPAN FX Trade for Android 1.4.0 and earlier do not verify SSL certificates.

1332 | CVE-2016-4800 | 284 | | Bypass | 2017-04-13 | 2020-10-20 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
The path normalization mechanism in the PathResource class in Eclipse Jetty 9.3.x before 9.3.9 on Windows allows remote attackers to bypass protected resource restrictions and other security constraints via a URL with certain escaped characters, related to backslashes.
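The class of bug behind CVE-2016-4800 is a mismatch between the path a security constraint is evaluated against and the path the file system actually resolves: on Windows a backslash is a directory separator, so `/protected%5Csecret.txt` can fail to match a `/protected/*` constraint and still serve `protected/secret.txt`. The following is an added model of that mismatch written for this page; it is not Jetty's code, and the constraint table, the role names and the hardening shown are assumptions about the general pattern, not a description of Jetty's fix.

```python
import ntpath
from urllib.parse import unquote

# Hypothetical url-pattern prefix -> roles allowed (constructed for this page).
CONSTRAINTS = {"/protected/": {"admin"}}


def required_roles(request_path: str):
    for prefix, roles in CONSTRAINTS.items():
        if request_path.startswith(prefix):
            return roles
    return None


def windows_resource_path(request_path: str) -> str:
    """The file a Windows file system would resolve the path to: backslash is a
    separator, so '/protected\\secret.txt' and '/protected/secret.txt' are the
    same file. ntpath works the same on any host, so this runs on Linux too."""
    return ntpath.normpath(request_path).replace("\\", "/")


def authorize_unsafe(raw_url_path: str, user_roles: set):
    """Vulnerable shape: the constraint is matched on the decoded path as sent.
    '/protected\\secret.txt' does not start with '/protected/', so no role is
    required, yet the resource served is protected/secret.txt."""
    decoded = unquote(raw_url_path)
    roles = required_roles(decoded)
    allowed = roles is None or bool(roles & user_roles)
    return allowed, windows_resource_path(decoded)


def authorize_safe(raw_url_path: str, user_roles: set):
    """One hardening: reject backslashes outright (never legitimate in a URL
    path) and evaluate the constraint against the canonical resource path,
    which also neutralises '..' segments."""
    decoded = unquote(raw_url_path)
    if "\\" in decoded:
        return False, None
    canonical = windows_resource_path(decoded)
    roles = required_roles(canonical)
    allowed = roles is None or bool(roles & user_roles)
    return allowed, canonical
```

`authorize_unsafe("/protected%5Csecret.txt", set())` returns `(True, "/protected/secret.txt")`: an anonymous request is let through to the protected file. The same request is refused by `authorize_safe`, and a direct `/protected/secret.txt` is refused by both unless the caller holds `admin`.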
1333 | CVE-2016-4650 | 119 | | DoS Exec Code Overflow Mem. Corr. | 2017-04-20 | 2019-03-25 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete
Heap-based buffer overflow in IOHIDFamily in Apple iOS before 9.3.2, OS X before 10.11.5, and tvOS before 9.2.1 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

1334 | CVE-2016-4483 | 502 | | DoS | 2017-04-11 | 2021-06-29 | 5.0 | None | Remote | Low | Not required | None | None | Partial
The xmlBufAttrSerializeTxtContent function in xmlsave.c in libxml2 allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a non-UTF-8 attribute value, related to serialization. NOTE: this vulnerability may be a duplicate of CVE-2016-3627.

1335 | CVE-2016-4468 | 89 | | Exec Code Sql | 2017-04-11 | 2021-08-06 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial
SQL injection vulnerability in Pivotal Cloud Foundry (PCF) before 238; UAA 2.x before 2.7.4.4, 3.x before 3.3.0.2, and 3.4.x before 3.4.1; UAA BOSH before 11.2 and 12.x before 12.2; Elastic Runtime before 1.6.29 and 1.7.x before 1.7.7; and Ops Manager 1.7.x before 1.7.8 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

1336 | CVE-2016-4459 | 119 | | Overflow | 2017-04-12 | 2019-04-22 | 7.8 | None | Remote | Low | Not required | None | None | Complete
Stack-based buffer overflow in native/mod_manager/node.c in mod_cluster 1.2.9.

1337 | CVE-2016-4455 | 264 | | +Info | 2017-04-14 | 2020-09-02 | 2.1 | None | Local | Low | Not required | Partial | None | None
The Subscription Manager package (aka subscription-manager) before 1.17.7-1 for Candlepin uses weak permissions (755) for subscription-manager cache directories, which allows local users to obtain sensitive information by reading files in the directories.
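Mode 755 on a cache directory means every local account can list it and traverse into it, so any file inside that is itself group- or world-readable is exposed. The following added example, written for this page and not part of subscription-manager, is the audit a practitioner would run over such a tree and the remediation that a packager would apply; the directory and file names are made up.

```python
import os
import stat
import tempfile


def group_or_world_bits(path: str) -> int:
    """Permission bits granted to group or others; 0 means owner-only."""
    return stat.S_IMODE(os.lstat(path).st_mode) & 0o077


def find_exposed(root: str) -> list:
    """Walks root and returns (relative path, octal mode) for every entry that
    group or others can read, write or traverse. Reports files as well as
    directories: a 644 file under a 700 directory is unreachable today, but
    one careless chmod on the directory exposes it."""
    exposed = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # link modes are not meaningful on most systems
            if group_or_world_bits(full):
                mode = oct(stat.S_IMODE(os.lstat(full).st_mode))
                exposed.append((os.path.relpath(full, root), mode))
    return sorted(exposed)


def harden(root: str) -> None:
    """Owner-only: 0o700 on directories, 0o600 on files."""
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o700)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), 0o600)


def demo() -> tuple:
    """Builds a throwaway cache tree with one 755 directory (the weak layout)
    and one 700 directory, then returns (exposed before, exposed after hardening)."""
    with tempfile.TemporaryDirectory() as root:
        for dirname, dir_mode, file_mode in (("cache-weak", 0o755, 0o644),
                                             ("cache-strict", 0o700, 0o600)):
            d = os.path.join(root, dirname)
            os.mkdir(d)
            os.chmod(d, dir_mode)  # chmod after mkdir so the umask cannot alter it
            secret = os.path.join(d, "entitlement.json")
            with open(secret, "w") as fh:
                fh.write('{"serial": "constructed-sample"}\n')  # constructed content
            os.chmod(secret, file_mode)
        before = find_exposed(root)
        harden(root)
        after = find_exposed(root)
    return before, after
```

`demo()` reports `cache-weak` (0o755) and the 0o644 file inside it before hardening and nothing afterwards. On a real host the same `find_exposed` call pointed at the cache path is the check; the package fix is to create those directories with 700 in the first place rather than rely on a later chmod.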
1338 | CVE-2016-4446 | 77 | | Exec Code | 2017-04-11 | 2017-04-17 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete
The allow_execstack plugin for setroubleshoot allows local users to execute arbitrary commands by triggering an execstack SELinux denial with a crafted filename, related to the commands.getoutput function.

1339 | CVE-2016-4445 | 77 | | Exec Code | 2017-04-11 | 2017-04-17 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete
The fix_lookup_id function in sealert in setroubleshoot before 3.2.23 allows local users to execute arbitrary commands as root by triggering an SELinux denial with a crafted file name, related to executing external commands with the commands.getstatusoutput function.

1340 | CVE-2016-4444 | 77 | | Exec Code | 2017-04-11 | 2017-04-17 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete
The allow_execmod plugin for setroubleshoot before 3.2.23 allows local users to execute arbitrary commands by triggering an execmod SELinux denial with a crafted binary filename, related to the commands.getstatusoutput function.
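The three setroubleshoot entries above (CVE-2016-4444, CVE-2016-4445, CVE-2016-4446) share one root cause: a file name taken from an SELinux denial record, which the local user who triggered the denial chose, is spliced into a command string that `commands.getoutput` / `commands.getstatusoutput` hands to `/bin/sh`. The following added example, written for this page and not taken from setroubleshoot, models that pattern in Python 3 (`subprocess.getoutput` is the Python 3 counterpart of the Python 2 `commands` functions) next to the two standard fixes. The `inspect_*` helpers, the tool they run and the file name are constructed.

```python
import shlex
import subprocess


def inspect_unsafe(filename: str) -> str:
    """Vulnerable shape: the name is interpolated into a shell command line.
    Everything after ';' in the name runs as a separate command."""
    return subprocess.getoutput("ls -l " + filename)


def inspect_quoted(filename: str) -> str:
    """Minimal fix when a shell string is unavoidable: shell-quote the argument."""
    return subprocess.getoutput("ls -l " + shlex.quote(filename))


def inspect_safe(filename: str) -> str:
    """Preferred fix: no shell at all. The name is one argv element, and '--'
    stops a name beginning with '-' from being read as an option."""
    proc = subprocess.run(["ls", "-l", "--", filename], capture_output=True, text=True)
    return proc.stdout + proc.stderr


# Constructed malicious file name, as it would arrive from an AVC denial on a
# file the attacker created. The shell turns IN''JECTED into INJECTED only
# when it actually executes the text, so the literal name never contains the
# marker and a false positive from ls echoing the name back is impossible.
MALICIOUS_NAME = "/tmp/x; echo IN''JECTED"


def demo() -> dict:
    """Whether the injected command ran under each variant."""
    return {
        "unsafe": "INJECTED" in inspect_unsafe(MALICIOUS_NAME),
        "quoted": "INJECTED" in inspect_quoted(MALICIOUS_NAME),
        "safe": "INJECTED" in inspect_safe(MALICIOUS_NAME),
    }
```

`demo()` returns `{"unsafe": True, "quoted": False, "safe": False}`. The privilege escalation in the sealert case follows from the same mechanism running in a root-owned process, which is why argv-style invocation matters most in daemons and helpers that act on names supplied by less privileged users.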
1341 | CVE-2016-4337 | 89 | | Exec Code Sql | 2017-04-12 | 2017-04-19 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial
SQL injection vulnerability in the mgr.login.php file in Ktools.net Photostore before 4.7.5 allows remote attackers to execute arbitrary SQL commands via the email parameter in a recover_login action.
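CVE-2016-4337 names its injection point: the email parameter of a recover_login action, the kind of unauthenticated "send me my login" lookup that has to accept arbitrary input. The following added example is not Photostore's code; it uses an in-memory SQLite table and constructed rows to show why a string-built lookup is exploitable and how binding the parameter removes the problem.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, username TEXT, pw_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (email, username, pw_hash) VALUES (?, ?, ?)",
        [
            ("alice@example.com", "alice", "hash-a"),  # constructed rows
            ("bob@example.com", "bob", "hash-b"),
        ],
    )
    return conn


def recover_login_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable shape: the parameter becomes part of the SQL text, so a quote
    in it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT username, pw_hash FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def recover_login_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterised query: the value is bound by the driver and is never
    parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, pw_hash FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed payload: closes the string literal and makes the predicate
# always true, so every row (including every hash) comes back.
PAYLOAD = "x' OR '1'='1"
```

With `PAYLOAD`, the unsafe lookup executes `WHERE email = 'x' OR '1'='1'` and returns both rows; the bound version looks for an address literally equal to the payload and returns nothing. The same payload, or a `UNION SELECT`, is what "execute arbitrary SQL commands" in the entry amounts to in practice.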
1342 | CVE-2016-4334 | 601 | | | 2017-04-10 | 2021-04-20 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None
Jive before 2016.3.1 has an open redirect from the external-link.jspa page.

1343 | CVE-2016-4320 | 22 | | Dir. Trav. | 2017-04-10 | 2018-10-12 | 4.0 | None | Remote | Low | ??? | Partial | None | None
Atlassian Bitbucket Server before 4.7.1 allows remote attackers to read the first line of an arbitrary file via a directory traversal attack on the pull requests resource.

1344 | CVE-2016-4319 | 352 | | CSRF | 2017-04-10 | 2018-02-16 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Atlassian JIRA Server before 7.1.9 has CSRF in auditing/settings.

1345 | CVE-2016-4318 | 79 | | XSS | 2017-04-10 | 2018-02-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Atlassian JIRA Server before 7.1.9 has XSS in project/ViewDefaultProjectRoleActors.jspa via a role name.

1346 | CVE-2016-4317 | 79 | | XSS | 2017-04-10 | 2018-02-16 | 3.5 | None | Remote | Medium | ??? | None | Partial | None
Atlassian Confluence Server before 5.9.11 has XSS on the viewmyprofile.action page.

1347 | CVE-2016-4313 | 22 | | Dir. Trav. | 2017-04-24 | 2018-10-09 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Directory traversal vulnerability in the unzip/extract feature in eXtplorer 2.1.9 allows remote attackers to execute arbitrary files via a .. (dot dot) in an archive file.
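CVE-2016-4313 is archive-extraction traversal: entry names inside a zip are attacker data, and an extractor that joins them onto the destination directory without checking where the result lands will write `../../evil.php` into the web root. The following added example, written for this page and not eXtplorer's code, builds a small archive in memory with one benign and three hostile entries and shows a resolve-and-compare check that keeps every write inside the destination. The entry names and contents are constructed.

```python
import io
import os
import tempfile
import zipfile


def build_archive() -> bytes:
    """Constructed archive: one legitimate entry and three escape attempts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", "<h1>constructed</h1>\n")
        zf.writestr("../../evil.php", "<?php /* relative escape */ ?>\n")
        zf.writestr("/var/www/html/evil2.php", "<?php /* absolute path */ ?>\n")
        zf.writestr("sub\\..\\..\\evil3.php", "<?php /* backslash variant */ ?>\n")
    return buf.getvalue()


def target_is_inside(dest: str, member_name: str) -> bool:
    """True only if the member resolves to a path under dest. Names with a
    backslash are refused outright: Windows hosts treat it as a separator, so
    the forward-slash check alone would miss them."""
    if "\\" in member_name:
        return False
    dest_real = os.path.realpath(dest)
    # os.path.join discards dest when member_name is absolute; realpath then
    # collapses any '..' segments, and commonpath compares whole components.
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract(archive: bytes, dest: str) -> tuple:
    """Extracts members that stay inside dest; returns (extracted, rejected)."""
    extracted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if not target_is_inside(dest, info.filename):
                rejected.append(info.filename)
                continue
            target = os.path.join(dest, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(info.filename)
    return extracted, rejected


def demo() -> dict:
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_archive(), dest)
        return {
            "extracted": extracted,
            "rejected": rejected,
            "index_written": os.path.isfile(os.path.join(dest, "index.html")),
        }
```

`demo()` extracts only `index.html` and rejects the other three names. The check is done on the resolved path rather than by searching for `..`, so encoded or nested variants (`a/../../x`) are caught the same way; it deliberately uses `ZipFile.open` rather than `extract`, because the point is to show the check itself rather than rely on whatever sanitising a given library version performs.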
1348 | CVE-2016-4293 | 119 | | Exec Code Overflow | 2017-04-20 | 2017-04-27 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial
Multiple heap-based buffer overflows in the (1) CBookBase::SetDefTableStyle and (2) CBookBase::SetDefPivotStyle functions in Hancom Office 2014 VP allow remote attackers to execute arbitrary code via a crafted Hangul Hcell Document (.cell) file.

1349 | CVE-2016-4075 | 601 | | | 2017-04-21 | 2022-04-06 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None
Opera Mini 13 and Opera Stable 36 allow remote attackers to spoof the displayed URL via a crafted HTML document, related to the about:blank URL.

1350 | CVE-2016-4068 | 79 | | XSS | 2017-04-13 | 2018-10-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None
Cross-site scripting (XSS) vulnerability in Roundcube Webmail before 1.0.9 and 1.1.x before 1.1.5 allows remote attackers to inject arbitrary web script or HTML via a crafted SVG, a different vulnerability than CVE-2015-8864.