| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1351 |
CVE-2016-4032 |
284 |
|
|
2017-04-13 |
2017-04-25 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
Samsung SM-G920F build G920FXXU2COH2 (Galaxy S6), SM-N9005 build N9005XXUGBOK6 (Galaxy Note 3), GT-I9192 build I9192XXUBNB1 (Galaxy S4 mini), GT-I9195 build I9195XXUCOL1 (Galaxy S4 mini LTE), and GT-I9505 build I9505XXUHOJ2 (Galaxy S4) devices do not block AT+USBDEBUG and AT+WIFIVALUE, which allows attackers to modify Android settings by leveraging AT access, aka SVE-2016-5301. |
|
1352 |
CVE-2016-4031 |
284 |
|
|
2017-04-13 |
2017-04-25 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Samsung SM-G920F build G920FXXU2COH2 (Galaxy S6), SM-N9005 build N9005XXUGBOK6 (Galaxy Note 3), GT-I9192 build I9192XXUBNB1 (Galaxy S4 mini), GT-I9195 build I9195XXUCOL1 (Galaxy S4 mini LTE), and GT-I9505 build I9505XXUHOJ2 (Galaxy S4) devices allow attackers to send AT commands by plugging the device into a Linux host, aka SVE-2016-5301. |
|
1353 |
CVE-2016-4030 |
284 |
|
|
2017-04-13 |
2017-04-25 |
4.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
Partial |
|
Samsung SM-G920F build G920FXXU2COH2 (Galaxy S6), SM-N9005 build N9005XXUGBOK6 (Galaxy Note 3), GT-I9192 build I9192XXUBNB1 (Galaxy S4 mini), GT-I9195 build I9195XXUCOL1 (Galaxy S4 mini LTE), and GT-I9505 build I9505XXUHOJ2 (Galaxy S4) devices have unintended availability of the modem in USB configuration number 2 within the secure lockscreen state, allowing an attacker to make phone calls, send text messages, or issue commands, aka SVE-2016-5301. |
|
1354 |
CVE-2016-3740 |
119 |
|
Exec Code Overflow |
2017-04-04 |
2017-04-11 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the CreateFXPDFConvertor function in ConvertToPdf_x86.dll in Foxit Reader 7.3.4.311 allows remote attackers to execute arbitrary code via a large SamplesPerPixel value in a crafted TIFF image that is mishandled during PDF conversion. This is fixed in 8.0. |
|
1355 |
CVE-2016-3734 |
352 |
|
CSRF |
2017-04-20 |
2020-12-01 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in markposts.php in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13 and earlier allows remote attackers to hijack the authentication of users for requests that marks forum posts as read. |
|
1356 |
CVE-2016-3733 |
284 |
|
|
2017-04-20 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
The "restore teacher" feature in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to overwrite the course idnumber. |
|
1357 |
CVE-2016-3732 |
200 |
|
+Info |
2017-04-20 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
The capability check to access other badges in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to read the badges of other users. |
|
1358 |
CVE-2016-3731 |
200 |
|
+Info |
2017-04-20 |
2020-12-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, and 2.8 through 2.8.11 allows remote attackers to obtain the names of hidden forums and forum discussions. |
|
1359 |
CVE-2016-3729 |
284 |
|
|
2017-04-20 |
2020-12-01 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
The user editing form in Moodle 3.0 through 3.0.3, 2.9 through 2.9.5, 2.8 through 2.8.11, 2.7 through 2.7.13, and earlier allows remote authenticated users to edit profile fields locked by the administrator. |
|
1360 |
CVE-2016-3702 |
200 |
|
+Info |
2017-04-21 |
2017-04-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Padding oracle flaw in CloudForms Management Engine (aka CFME) 5 allows remote attackers to obtain sensitive cleartext information. |
|
1361 |
CVE-2016-3691 |
352 |
|
Bypass CSRF |
2017-04-24 |
2020-05-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Routes in Kallithea before 0.3.2 allows remote attackers to bypass the CSRF protection by using the GET HTTP request method. |
|
1362 |
CVE-2016-3114 |
264 |
|
|
2017-04-24 |
2017-04-27 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
Kallithea before 0.3.2 allows remote authenticated users to edit or delete open pull requests or delete comments by leveraging read access. |
|
1363 |
CVE-2016-3109 |
20 |
|
Exec Code |
2017-04-21 |
2018-10-09 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The backend/Login/load/ script in Shopware before 5.1.5 allows remote attackers to execute arbitrary code. |
|
1364 |
CVE-2016-3106 |
362 |
|
|
2017-04-13 |
2017-04-26 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Pulp before 2.8.3 creates a temporary directory during CA key generation in an insecure manner. |
|
1365 |
CVE-2016-3104 |
400 |
|
DoS |
2017-04-14 |
2017-04-22 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
mongod in MongoDB 2.6, when using 2.4-style users, and 2.4 allow remote attackers to cause a denial of service (memory consumption and process termination) by leveraging in-memory database representation when authenticating against a non-existent database. |
|
1366 |
CVE-2016-3076 |
119 |
|
DoS Overflow Mem. Corr. |
2017-04-24 |
2017-04-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
Heap-based buffer overflow in the j2k_encode_entry function in Pillow 2.5.0 through 3.1.1 allows remote attackers to cause a denial of service (memory corruption) via a crafted Jpeg2000 file. |
|
1367 |
CVE-2016-3067 |
264 |
|
+Priv |
2017-04-21 |
2017-04-27 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Cygwin before 2.5.0 does not properly handle updating permissions when changing users, which allows attackers to gain privileges. |
|
1368 |
CVE-2016-3038 |
79 |
|
XSS |
2017-04-17 |
2017-04-21 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
IBM Cognos TM1 10.1 and 10.2 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 114614. |
|
1369 |
CVE-2016-3037 |
200 |
|
+Info |
2017-04-17 |
2017-04-21 |
3.5 |
None |
Remote |
Medium |
??? |
Partial |
None |
None |
|
IBM Cognos TM1 10.1 and 10.2 provides a service to return the victim's password with a valid session key. An authenticated attacker with user interaction could obtain this sensitive information. IBM X-Force ID: 114613. |
|
1370 |
CVE-2016-3036 |
119 |
|
DoS Overflow |
2017-04-17 |
2017-04-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
IBM Cognos TM1 10.1 and 10.2 is vulnerable to a denial of service, caused by a stack-based buffer overflow when parsing packets. A remote attacker could exploit this vulnerability to cause a denial of service. IBM X-Force ID: 114612. |
|
1371 |
CVE-2016-3031 |
79 |
|
XSS |
2017-04-05 |
2019-09-30 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1998887. |
|
1372 |
CVE-2016-3015 |
79 |
|
XSS |
2017-04-05 |
2019-09-30 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
IBM Cognos Analytics 11.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM Reference #: 1998887. |
|
1373 |
CVE-2016-2803 |
79 |
|
XSS |
2017-04-12 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the dependency graphs in Bugzilla 2.16rc1 through 4.4.11, and 4.5.1 through 5.0.2 allows remote attackers to inject arbitrary web script or HTML. |
|
1374 |
CVE-2016-2567 |
20 |
|
Bypass |
2017-04-13 |
2017-04-25 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
secfilter in the Samsung kernel for Android on SM-N9005 build N9005XXUGBOB6 (Note 3) and SM-G920F build G920FXXU2COH2 (Galaxy S6) devices allows attackers to bypass URL filtering by inserting an "exceptional URL" in the query string, as demonstrated by the http://should-have-been-filtered.example.com/?http://google.com URL. |
|
1375 |
CVE-2016-2566 |
89 |
|
Sql |
2017-04-13 |
2017-04-21 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Samsung SecEmailSync on SM-G920F build G920FXXU2COH2 (Galaxy S6) devices has SQL injection, aka SVE-2015-5081. |
|
1376 |
CVE-2016-2565 |
200 |
|
+Info |
2017-04-13 |
2017-04-22 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
Samsung SecEmailSync on SM-G920F build G920FXXU2COH2 (Galaxy S6) devices allows attackers to read sent e-mail messages, aka SVE-2015-5081. |
|
1377 |
CVE-2016-2564 |
331 |
|
|
2017-04-23 |
2020-06-03 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Invision Power Services (IPS) Community Suite before 4.1.9 makes session hijack easier by relying on the PHP uniqid function without the more_entropy flag. Attackers can guess an Invision Power Board session cookie if they can predict the exact time of cookie generation. |
|
1378 |
CVE-2016-2555 |
89 |
|
Exec Code Sql |
2017-04-13 |
2017-09-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in include/lib/mysql_connect.inc.php in ATutor 2.2.1 allows remote attackers to execute arbitrary SQL commands via the searchFriends function to friends.inc.php. |
|
1379 |
CVE-2016-2433 |
284 |
|
Exec Code |
2017-04-21 |
2017-05-02 |
8.3 |
None |
Local Network |
Low |
Not required |
Complete |
Complete |
Complete |
|
The Broadcom Wi-Fi driver for Android, as used by BlackBerry smartphones before Build AAE570, allows remote attackers to execute arbitrary code in the context of the kernel. |
|
1380 |
CVE-2016-2404 |
264 |
|
|
2017-04-02 |
2017-04-11 |
6.0 |
None |
Remote |
Medium |
??? |
Partial |
Partial |
Partial |
|
Huawei switches S5700, S6700, S7700, S9700 with software V200R001C00SPC300, V200R002C00SPC100, V200R003C00SPC300, V200R005C00SPC500, V200R006C00; S12700 with software V200R005C00SPC500, V200R006C00; ACU2 with software V200R005C00SPC500, V200R006C00 have a permission control vulnerability. If a switch enables Authentication, Authorization, and Accounting (AAA) for permission control and user permissions are not appropriate, AAA users may obtain the virtual type terminal (VTY) access permission, resulting in privilege escalation. |
|
1381 |
CVE-2016-2347 |
190 |
|
Exec Code |
2017-04-21 |
2018-10-30 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Integer underflow in the decode_level3_header function in lib/lha_file_header.c in Lhasa before 0.3.1 allows remote attackers to execute arbitrary code via a crafted archive. |
|
1382 |
CVE-2016-2173 |
20 |
|
Exec Code |
2017-04-21 |
2020-05-28 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
org.springframework.core.serializer.DefaultDeserializer in Spring AMQP before 1.5.5 allows remote attackers to execute arbitrary code. |
|
1383 |
CVE-2016-2104 |
79 |
|
XSS |
2017-04-13 |
2017-04-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Red Hat Satellite 5 allow remote attackers to inject arbitrary web script or HTML via (1) the label parameter to admin/BunchDetail.do; (2) the package_name, (3) search_subscribed_channels, or (4) channel_filter parameter to software/packages/NameOverview.do; or unspecified vectors related to (5) <input:hidden> or (6) <bean:message> tags. |
|
1384 |
CVE-2016-2036 |
476 |
|
|
2017-04-13 |
2017-04-25 |
2.1 |
None |
Local |
Low |
Not required |
None |
None |
Partial |
|
The getURL function in drivers/secfilter/urlparser.c in secfilter in the Samsung kernel for Android on SM-N9005 build N9005XXUGBOB6 (Note 3) and SM-G920F build G920FXXU2COH2 (Galaxy S6) devices allows attackers to trigger a NULL pointer dereference via a "GET HTTP/1.1" request, aka SVE-2016-5036. |
|
1385 |
CVE-2016-1915 |
79 |
|
XSS |
2017-04-13 |
2017-09-10 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to inject arbitrary web script or HTML via the locale parameter to (1) mydevice/index.jsp or (2) mydevice/loggedOut.jsp. |
|
1386 |
CVE-2016-1914 |
89 |
|
Exec Code Sql |
2017-04-13 |
2017-09-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in the com.rim.mdm.ui.server.ImageServlet servlet in BlackBerry Enterprise Server 12 (BES12) Self-Service before 12.4 allow remote attackers to execute arbitrary SQL commands via the imageName parameter to (1) mydevice/client/image, (2) admin/client/image, (3) myapps/client/image, (4) ssam/client/image, or (5) all/client/image. |
|
1387 |
CVE-2016-1908 |
254 |
|
|
2017-04-11 |
2018-09-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The client in OpenSSH before 7.2 mishandles failed cookie generation for untrusted X11 forwarding and relies on the local X11 server for access-control decisions, which allows remote X11 clients to trigger a fallback and obtain trusted X11 forwarding privileges by leveraging configuration issues on this X11 server, as demonstrated by lack of the SECURITY extension on this X11 server. |
|
1388 |
CVE-2016-1713 |
434 |
|
Exec Code |
2017-04-14 |
2018-04-02 |
8.5 |
None |
Remote |
Medium |
??? |
Complete |
Complete |
Complete |
|
Unrestricted file upload vulnerability in the Settings_Vtiger_CompanyDetailsSave_Action class in modules/Settings/Vtiger/actions/CompanyDetailsSave.php in Vtiger CRM 6.4.0 allows remote authenticated users to execute arbitrary code by uploading a crafted image file with an executable extension, then accessing it via a direct request to the file in test/logo/. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-6000. |
|
1389 |
CVE-2016-1561 |
200 |
|
+Info |
2017-04-21 |
2017-04-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ExaGrid appliances with firmware before 4.8 P26 have a default SSH public key in the authorized_keys file for root, which allows remote attackers to obtain SSH access by leveraging knowledge of a private key from another installation or a firmware image. |
|
1390 |
CVE-2016-1560 |
798 |
|
|
2017-04-21 |
2017-04-27 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
ExaGrid appliances with firmware before 4.8 P26 have a default password of (1) inflection for the root shell account and (2) support for the support account in the web interface, which allows remote attackers to obtain administrative access via an SSH or HTTP session. |
|
1391 |
CVE-2016-1559 |
200 |
|
+Info |
2017-04-21 |
2017-04-28 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
D-Link DAP-1353 H/W vers. B1 3.15 and earlier, D-Link DAP-2553 H/W ver. A1 1.31 and earlier, and D-Link DAP-3520 H/W ver. A1 1.16 and earlier reveal wireless passwords and administrative usernames and passwords over SNMP. |
|
1392 |
CVE-2016-1558 |
119 |
|
Overflow |
2017-04-21 |
2017-04-27 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Buffer overflow in D-Link DAP-2310 2.06 and earlier, DAP-2330 1.06 and earlier, DAP-2360 2.06 and earlier, DAP-2553 H/W ver. B1 3.05 and earlier, DAP-2660 1.11 and earlier, DAP-2690 3.15 and earlier, DAP-2695 1.16 and earlier, DAP-3320 1.00 and earlier, and DAP-3662 1.01 and earlier allows remote attackers to have unspecified impact via a crafted 'dlink_uid' cookie. |
|
1393 |
CVE-2016-1557 |
200 |
|
+Info |
2017-04-21 |
2017-04-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Netgear WNAP320, WNDAP350, and WNDAP360 before 3.5.5.0 reveal wireless passwords and administrative usernames and passwords over SNMP. |
|
1394 |
CVE-2016-1556 |
200 |
|
+Info |
2017-04-21 |
2017-04-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Information disclosure in Netgear WN604 before 3.3.3; WNAP210, WNAP320, WNDAP350, and WNDAP360 before 3.5.5.0; and WND930 before 2.0.11 allows remote attackers to read the wireless WPS PIN or passphrase by visiting unauthenticated webpages. |
|
1395 |
CVE-2016-1555 |
77 |
|
Exec Code |
2017-04-21 |
2019-04-16 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear WN604 before 3.3.3 and WN802Tv2, WNAP210v2, WNAP320, WNDAP350, WNDAP360, and WNDAP660 before 3.5.5.0 allow remote attackers to execute arbitrary commands. |
|
1396 |
CVE-2016-1520 |
254 |
|
Exec Code |
2017-04-21 |
2018-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Grandstream Wave app 1.0.1.26 and earlier for Android does not use HTTPS when retrieving update information, which might allow man-in-the-middle attackers to execute arbitrary code via a crafted application. |
|
1397 |
CVE-2016-1519 |
295 |
|
|
2017-04-21 |
2018-10-09 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The com.softphone.common package in the Grandstream Wave app 1.0.1.26 and earlier for Android does not properly validate SSL certificates, which allows man-in-the-middle attackers to spoof the Grandstream provisioning server via a crafted certificate. |
|
1398 |
CVE-2016-1518 |
284 |
|
+Info |
2017-04-21 |
2018-10-09 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The auto-provisioning mechanism in the Grandstream Wave app 1.0.1.26 and earlier for Android and Grandstream Video IP phones allows man-in-the-middle attackers to spoof provisioning data and consequently modify device functionality, obtain sensitive information from system logs, and have unspecified other impact by leveraging failure to use an HTTPS session for downloading configuration files from http://fm.grandstream.com/gs/. |
|
1399 |
CVE-2016-1517 |
20 |
|
DoS |
2017-04-10 |
2017-04-14 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
OpenCV 3.0.0 allows remote attackers to cause a denial of service (segfault) via vectors involving corrupt chunks. |
|
1400 |
CVE-2016-1516 |
415 |
|
Exec Code |
2017-04-10 |
2021-12-16 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
OpenCV 3.0.0 has a double free issue that allows attackers to execute arbitrary code. |
