Total
7102 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2016-0259 | 1 Ibm | 1 Websphere Mq | 2016-11-30 | 2.1 LOW | 2.5 LOW |
| runmqsc in IBM WebSphere MQ 8.x before 8.0.0.5 allows local users to bypass an intended +dsp authority requirement and obtain sensitive information via unspecified display commands. | |||||
| CVE-2015-2108 | 1 Hp | 1 Operations Orchestration | 2016-11-30 | 3.5 LOW | N/A |
| Unspecified vulnerability in Powershell Operations in HP Operations Orchestration 9.x and 10.x allows remote authenticated users to obtain sensitive information via unknown vectors. | |||||
| CVE-2015-1982 | 1 Ibm | 1 Infosphere Master Data Management | 2016-11-30 | 4.0 MEDIUM | N/A |
| IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, 11.0, 11.3, and 11.4 before FP03 allows remote authenticated users to obtain sensitive information via a crafted request, which reveals the full path in an error message. | |||||
| CVE-2015-1984 | 1 Ibm | 1 Infosphere Master Data Management | 2016-11-30 | 4.0 MEDIUM | N/A |
| IBM InfoSphere Master Data Management Collaborative Edition 9.1, 10.1, 11.0, 11.3, and 11.4 before FP03 allows remote authenticated users to bypass intended access restrictions and read arbitrary profiles via unspecified vectors, as demonstrated by discovering usernames for use in brute-force attacks. | |||||
| CVE-2015-1915 | 1 Ibm | 1 Endpoint Manager Family | 2016-11-30 | 4.3 MEDIUM | N/A |
| The Endpoint Manager for Remote Control component in IBM Tivoli Endpoint Manager for Lifecycle Management 9.0.1 before IF6 and 9.1.0 before IF6 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session. | |||||
| CVE-2015-1951 | 1 Ibm | 1 Maximo Asset Management | 2016-11-30 | 2.1 LOW | N/A |
| IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.8 IFIX001, and 7.6.0 before 7.6.0.0 IFIX005 does not prevent caching of HTTPS responses, which allows physically proximate attackers to obtain sensitive local-cache information by leveraging an unattended workstation. | |||||
| CVE-2015-2058 | 1 Jabberd2 | 1 Jabberd2 | 2016-11-30 | 6.5 MEDIUM | N/A |
| c2s/c2s.c in Jabber Open Source Server 2.3.2 and earlier truncates data without ensuring it remains valid UTF-8, which allows remote authenticated users to read system memory or possibly have other unspecified impact via a crafted JID. | |||||
| CVE-2015-1907 | 1 Ibm | 1 Rational License Key Server | 2016-11-30 | 4.0 MEDIUM | N/A |
| The Administration and Reporting Tool in IBM Rational License Key Server (RLKS) 8.1.4 before 8.1.4.7 allows remote authenticated users to read cookies via unspecified vectors. | |||||
| CVE-2015-1901 | 1 Ibm | 1 Infosphere Information Server | 2016-11-30 | 1.9 LOW | N/A |
| The installer in IBM InfoSphere Information Server 8.5 through 11.3 before 11.3.1.2 allows local users to obtain sensitive information via unspecified commands. | |||||
| CVE-2016-8871 | 1 Botan Project | 1 Botan | 2016-11-29 | 2.1 LOW | 6.2 MEDIUM |
| In Botan 1.11.29 through 1.11.32, RSA decryption with certain padding options had a detectable timing channel which could given sufficient queries be used to recover plaintext, aka an "OAEP side channel" attack. | |||||
| CVE-2016-8889 | 1 Bitcoin Knots Project | 1 Bitcoin Knots | 2016-11-29 | 2.1 LOW | 6.2 MEDIUM |
| In Bitcoin Knots v0.11.0.ljr20150711 through v0.13.0.knots20160814 (fixed in v0.13.1.knots20161027), the debug console stores sensitive information including private keys and the wallet passphrase in its persistent command history. | |||||
| CVE-2016-9017 | 1 Artifex | 1 Mujs | 2016-11-29 | 5.0 MEDIUM | 7.5 HIGH |
| Artifex Software, Inc. MuJS before a5c747f1d40e8d6659a37a8d25f13fb5acf8e767 allows context-dependent attackers to obtain sensitive information by using the "opname in crafted JavaScript file" approach, related to an "Out-of-Bounds read" issue affecting the jsC_dumpfunction function in the jsdump.c component. | |||||
| CVE-2016-9134 | 1 Exponentcms | 1 Exponent Cms | 2016-11-29 | 5.0 MEDIUM | 7.5 HIGH |
| Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/expPaginator.php" affecting the order parameter. Impact is Information Disclosure. | |||||
| CVE-2016-9086 | 1 Gitlab | 1 Gitlab | 2016-11-29 | 4.0 MEDIUM | 6.5 MEDIUM |
| GitLab versions 8.9.x and above contain a critical security flaw in the "import/export project" feature of GitLab. Added in GitLab 8.9, this feature allows a user to export and then re-import their projects as tape archive files (tar). All GitLab versions prior to 8.13.0 restricted this feature to administrators only. Starting with version 8.13.0 this feature was made available to all users. This feature did not properly check for symbolic links in user-provided archives and therefore it was possible for an authenticated user to retrieve the contents of any file accessible to the GitLab service account. This included sensitive files such as those that contain secret tokens used by the GitLab service to authenticate users. GitLab CE and EE versions 8.13.0 through 8.13.2, 8.12.0 through 8.12.7, 8.11.0 through 8.11.10, 8.10.0 through 8.10.12, and 8.9.0 through 8.9.11 are affected. | |||||
| CVE-2016-9135 | 1 Exponentcms | 1 Exponent Cms | 2016-11-29 | 5.0 MEDIUM | 7.5 HIGH |
| Exponent CMS 2.3.9 suffers from a SQL injection vulnerability in "/framework/modules/help/controllers/helpController.php" affecting the version parameter. Impact is Information Disclosure. | |||||
| CVE-2016-9184 | 1 Exponentcms | 1 Exponent Cms | 2016-11-29 | 5.0 MEDIUM | 7.5 HIGH |
| In /framework/modules/core/controllers/expHTMLEditorController.php of Exponent CMS 2.4.0, untrusted input is used to construct a table name, and in the selectObject method in mysqli class, table names are wrapped with a character that common filters do not filter, allowing for SQL Injection. Impact is Information Disclosure. | |||||
| CVE-2016-9183 | 1 Exponentcms | 1 Exponent Cms | 2016-11-29 | 5.0 MEDIUM | 7.5 HIGH |
| In /framework/modules/ecommerce/controllers/orderController.php of Exponent CMS 2.4.0, untrusted input is passed into selectObjectsBySql. The method selectObjectsBySql of class mysqli_database uses the injectProof method to prevent SQL injection, but this filter can be bypassed easily: it only sanitizes user input if there are odd numbers of ' or " characters. Impact is Information Disclosure. | |||||
| CVE-2016-9567 | 1 Samsung | 1 Samsung Mobile | 2016-11-29 | 4.3 MEDIUM | 5.5 MEDIUM |
| The mDNIe system service on Samsung Mobile S7 devices with M(6.0) software does not properly restrict setmDNIeScreenCurtain API calls, enabling attackers to control a device's screen. This can be exploited via a crafted application to eavesdrop after phone shutdown or record a conversation. The Samsung ID is SVE-2016-6343. | |||||
| CVE-2016-9178 | 1 Linux | 1 Linux Kernel | 2016-11-28 | 2.1 LOW | 5.5 MEDIUM |
| The __get_user_asm_ex macro in arch/x86/include/asm/uaccess.h in the Linux kernel before 4.7.5 does not initialize a certain integer variable, which allows local users to obtain sensitive information from kernel stack memory by triggering failure of a get_user_ex call. | |||||
| CVE-2016-7420 | 1 Cryptopp | 1 Crypto\+\+ | 2016-11-28 | 4.3 MEDIUM | 5.9 MEDIUM |
| Crypto++ (aka cryptopp) through 5.6.4 does not document the requirement for a compile-time NDEBUG definition disabling the many assert calls that are unintended in production use, which might allow context-dependent attackers to obtain sensitive information by leveraging access to process memory after an assertion failure, as demonstrated by reading a core dump. | |||||