cakephp -- cakephp | CakePHP 2.x and 3.x before 3.1.5 might allow remote attackers to bypass the CSRF protection mechanism via the _method parameter. | 2016-01-26 | 6.8 | CVE-2015-8379 CONFIRM BUGTRAQ FULLDISC MISC MISC MISC CONFIRM |
cisco -- identity_services_engine_software | Cisco Identity Services Engine (ISE) before 2.0 allows remote authenticated users to bypass intended web-resource access restrictions via a direct request, aka Bug ID CSCuu45926. | 2016-01-23 | 6.8 | CVE-2015-6317 CISCO |
cisco -- application_policy_infrastructure_controller_enterprise_module | Cross-site scripting (XSS) vulnerability in Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) 1.0.10 allows remote attackers to inject arbitrary web script or HTML via a crafted hostname in an SNMP response, aka Bug ID CSCuw47238. | 2016-01-26 | 4.3 | CVE-2015-6337 CISCO |
cisco -- unified_contact_center_express | Multiple cross-site scripting (XSS) vulnerabilities in Cisco Unified Contact Center Express 10.0(1), 10.5(1), 10.6(1), and 11.0(1) allow remote attackers to inject arbitrary web script or HTML via vectors related to permalinks, aka Bug ID CSCux92033. | 2016-01-26 | 4.3 | CVE-2016-1298 CISCO |
cisco -- unity_connection | Cross-site scripting (XSS) vulnerability in Cisco Unity Connection (UC) 10.5(2.3009) allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCux82582. | 2016-01-27 | 4.3 | CVE-2016-1300 CISCO |
ecryptfs -- ecryptfs-utils | mount.ecryptfs_private.c in eCryptfs-utils does not validate mount destination filesystem types, which allows local users to gain privileges by mounting over a nonstandard filesystem, as demonstrated by /proc/$pid. | 2016-01-22 | 4.6 | CVE-2016-1572 UBUNTU DEBIAN CONFIRM CONFIRM MLIST |
google -- chrome | The LoadIC::UpdateCaches function in ic/ic.cc in Google V8, as used in Google Chrome before 48.0.2564.82, does not ensure receiver compatibility before performing a cast of an unspecified variable, which allows remote attackers to cause a denial of service or possibly have unknown other impact via crafted JavaScript code. | 2016-01-25 | 6.8 | CVE-2016-1612 CONFIRM CONFIRM CONFIRM CONFIRM |
google -- chrome | Multiple use-after-free vulnerabilities in the formfiller implementation in PDFium, as used in Google Chrome before 48.0.2564.82, allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted PDF document, related to improper tracking of the destruction of (1) IPWL_FocusHandler and (2) IPWL_Provider objects. | 2016-01-25 | 6.8 | CVE-2016-1613 CONFIRM CONFIRM CONFIRM CONFIRM |
google -- chrome | The UnacceleratedImageBufferSurface class in WebKit/Source/platform/graphics/UnacceleratedImageBufferSurface.cpp in Blink, as used in Google Chrome before 48.0.2564.82, mishandles the initialization mode, which allows remote attackers to obtain sensitive information from process memory via a crafted web site. | 2016-01-25 | 4.3 | CVE-2016-1614 CONFIRM CONFIRM CONFIRM |
google -- chrome | The Omnibox implementation in Google Chrome before 48.0.2564.82 allows remote attackers to spoof a document's origin via unspecified vectors. | 2016-01-25 | 4.3 | CVE-2016-1615 CONFIRM CONFIRM |
google -- chrome | The CustomButton::AcceleratorPressed function in ui/views/controls/button/custom_button.cc in Google Chrome before 48.0.2564.82 allows remote attackers to spoof URLs via vectors involving an unfocused custom button. | 2016-01-25 | 4.3 | CVE-2016-1616 CONFIRM CONFIRM CONFIRM |
google -- chrome | The CSPSource::schemeMatches function in WebKit/Source/core/frame/csp/CSPSource.cpp in the Content Security Policy (CSP) implementation in Blink, as used in Google Chrome before 48.0.2564.82, does not apply http policies to https URLs and does not apply ws policies to wss URLs, which makes it easier for remote attackers to determine whether a specific HSTS web site has been visited by reading a CSP report. | 2016-01-25 | 4.3 | CVE-2016-1617 CONFIRM CONFIRM CONFIRM |
google -- chrome | Blink, as used in Google Chrome before 48.0.2564.82, does not ensure that a proper cryptographicallyRandomValues random number generator is used, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors. | 2016-01-25 | 4.3 | CVE-2016-1618 CONFIRM CONFIRM CONFIRM |
google -- chrome | Multiple integer overflows in the (1) sycc422_to_rgb and (2) sycc444_to_rgb functions in fxcodec/codec/fx_codec_jpx_opj.cpp in PDFium, as used in Google Chrome before 48.0.2564.82, allow remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted PDF document. | 2016-01-25 | 6.8 | CVE-2016-1619 CONFIRM CONFIRM CONFIRM |
google -- chrome | Multiple unspecified vulnerabilities in Google V8 before 4.8.271.17, as used in Google Chrome before 48.0.2564.82, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | 2016-01-25 | 6.8 | CVE-2016-2051 CONFIRM |
greenbone -- greenbone_os | Cross-site scripting (XSS) vulnerability in the charts module in Greenbone Security Assistant (GSA) 6.x before 6.0.8 allows remote attackers to inject arbitrary web script or HTML via the aggregate_type parameter in a get_aggregate command to omp. | 2016-01-26 | 4.3 | CVE-2016-1926 MISC BUGTRAQ CONFIRM CONFIRM MISC |
ibm -- rational_software_architect | Cross-site scripting (XSS) vulnerability in InfoSphere Data Architect (IDA), as distributed in IBM Rational Software Architect 8.5 through 9.5, Rational Software Architect for WebSphere Software (RSA4WS) 8.5 through 9.5, and Rational Software Architect RealTime (RSART) 8.5 through 9.5, allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | 2016-01-27 | 4.3 | CVE-2015-7439 CONFIRM |
ibm -- change_and_configuration_management_database | IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.9 IFIX002, and 7.6.0 before 7.6.0.3 IFIX001; Maximo Asset Management 7.5.0 before 7.5.0.9 IFIX002, 7.5.1, and 7.6.0 before 7.6.0.3 IFIX001 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allow local users to obtain sensitive information by leveraging administrative privileges and reading log files. | 2016-01-27 | 4.9 | CVE-2015-7487 CONFIRM |
ibm -- websphere_portal | Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.5.0 before CF09 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2016-01-27 | 4.3 | CVE-2016-0209 CONFIRM |
lenovo -- shareit | Lenovo SHAREit before 3.2.0 for Windows and SHAREit before 3.5.48_ww for Android transfer files in cleartext, which allows remote attackers to (1) obtain sensitive information by sniffing the network or (2) conduct man-in-the-middle (MITM) attacks via unspecified vectors. | 2016-01-26 | 4.3 | CVE-2016-1489 CONFIRM MISC FULLDISC |
privoxy -- privoxy | The remove_chunked_transfer_coding function in filters.c in Privoxy before 3.0.24 allows remote attackers to cause a denial of service (invalid read and crash) via crafted chunk-encoded content. | 2016-01-27 | 5.0 | CVE-2016-1982 CONFIRM MLIST MLIST |
privoxy -- privoxy | The client_host function in parsers.c in Privoxy before 3.0.24 allows remote attackers to cause a denial of service (invalid read and crash) via an empty HTTP Host header. | 2016-01-27 | 5.0 | CVE-2016-1983 CONFIRM MLIST MLIST CONFIRM |
tuxfamily -- chrony | chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." | 2016-01-26 | 6.8 | CVE-2016-1567 FEDORA MISC CONFIRM |
wolfssl -- wolfssl | wolfSSL (formerly CyaSSL) before 3.6.8 allows remote attackers to cause a denial of service (resource consumption or traffic amplification) via a crafted DTLS cookie in a ClientHello message. | 2016-01-22 | 5.0 | CVE-2015-6925 CONFIRM MISC CONFIRM |
xen -- xen | The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates. | 2016-01-22 | 6.9 | CVE-2016-1570 CONFIRM SECTRACK |
xen -- xen | The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check. | 2016-01-22 | 4.7 | CVE-2016-1571 CONFIRM SECTRACK |