Total
3294 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-0914 | 1 Kozos | 1 Easyctf | 2025-04-12 | 5.0 MEDIUM | N/A |
| EasyCTF before 1.4 does not validate the session ID, which allows remote attackers to obtain access via a crafted HTTP request. | |||||
| CVE-2016-4495 | 1 Kmc Controls | 2 Bac-5051e, Bac-5051e Firmware | 2025-04-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| KMC Controls BAC-5051E devices with firmware before E0.2.0.2 allow remote attackers to bypass intended access restrictions and read a configuration file via unspecified vectors. | |||||
| CVE-2016-5599 | 1 Oracle | 1 Advanced Supply Chain Planning | 2025-04-12 | 6.4 MEDIUM | 9.1 CRITICAL |
| Unspecified vulnerability in the Oracle Advanced Supply Chain Planning component in Oracle Supply Chain Products Suite 12.2.3 through 12.2.5 allows remote attackers to affect confidentiality and integrity via vectors related to MscObieeSrvlt. | |||||
| CVE-2016-5807 | 1 Tollgrade | 1 Lighthouse Sms | 2025-04-12 | 5.5 MEDIUM | 8.1 HIGH |
| Tollgrade LightHouse SMS before 5.1 patch 3 allows remote authenticated users to bypass an intended administrative-authentication requirement, and read or change parameter values, via a direct request. | |||||
| CVE-2014-3120 | 1 Elasticsearch | 1 Elasticsearch | 2025-04-12 | 6.8 MEDIUM | 8.1 HIGH |
| The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine. | |||||
| CVE-2016-2278 | 1 Schneider-electric | 4 Struxureware Building Operations Automation Server As, Struxureware Building Operations Automation Server As-p, Struxureware Building Operations Automation Server As-p Firmware and 1 more | 2025-04-12 | 9.0 HIGH | 7.2 HIGH |
| Schneider Electric Struxureware Building Operations Automation Server AS 1.7 and earlier and AS-P 1.7 and earlier allows remote authenticated administrators to execute arbitrary OS commands by defeating an msh (aka Minimal Shell) protection mechanism. | |||||
| CVE-2016-5386 | 4 Fedoraproject, Golang, Oracle and 1 more | 6 Fedora, Go, Linux and 3 more | 2025-04-12 | 6.8 MEDIUM | 8.1 HIGH |
| The net/http package in Go through 1.6 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect CGI applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect a CGI application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. | |||||
| CVE-2016-4373 | 1 Hp | 1 Operations Manager | 2025-04-12 | 7.5 HIGH | 9.8 CRITICAL |
| The AdminUI in HPE Operations Manager (OM) before 9.21.130 on Linux, Unix, and Solaris allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library. | |||||
| CVE-2015-3854 | 1 Google | 1 Android | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
| packages/SystemUI/src/com/android/systemui/power/PowerNotificationWarnings.java in Android 5.x allows attackers to bypass a DEVICE_POWER permission requirement via a broadcast intent with the PNW.stopSaver action, aka internal bug 20918350. | |||||
| CVE-2016-1699 | 6 Canonical, Debian, Google and 3 more | 9 Ubuntu Linux, Debian Linux, Chrome and 6 more | 2025-04-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| WebKit/Source/devtools/front_end/devtools.js in the Developer Tools (aka DevTools) subsystem in Blink, as used in Google Chrome before 51.0.2704.79, does not ensure that the remoteFrontendUrl parameter is associated with a chrome-devtools-frontend.appspot.com URL, which allows remote attackers to bypass intended access restrictions via a crafted URL. | |||||
| CVE-2016-7248 | 1 Microsoft | 5 Windows 10, Windows 7, Windows 8.1 and 2 more | 2025-04-12 | 9.3 HIGH | 7.8 HIGH |
| Microsoft Video Control in Microsoft Windows Vista SP2, Windows 7 SP1, Windows 8.1, Windows RT 8.1, and Windows 10 Gold, 1511, and 1607 allows remote attackers to execute arbitrary code via a crafted file, aka "Microsoft Video Control Remote Code Execution Vulnerability." | |||||
| CVE-2016-5189 | 1 Google | 1 Chrome | 2025-04-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| Google Chrome prior to 54.0.2840.59 for Windows, Mac, and Linux; 54.0.2840.85 for Android permitted navigation to blob URLs with non-canonical origins, which allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via crafted HTML pages. | |||||
| CVE-2016-2929 | 1 Ibm | 1 Bigfix Remote Control | 2025-04-12 | 4.3 MEDIUM | 8.1 HIGH |
| IBM BigFix Remote Control before 9.1.3 does not properly restrict password choices, which makes it easier for remote attackers to obtain access via a brute-force approach. | |||||
| CVE-2015-3675 | 1 Apple | 1 Mac Os X | 2025-04-12 | 5.0 MEDIUM | N/A |
| The default configuration of the Apache HTTP Server on Apple OS X before 10.10.4 does not enable the mod_hfs_apple module, which allows remote attackers to bypass HTTP authentication via a crafted URL. | |||||
| CVE-2016-5495 | 1 Oracle | 1 Discoverer | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
| Unspecified vulnerability in the Oracle Discoverer component in Oracle Fusion Middleware 11.1.1.7.0 allows remote attackers to affect confidentiality via vectors related to EUL Code & Schema. | |||||
| CVE-2016-6714 | 1 Google | 1 Android | 2025-04-12 | 7.1 HIGH | 5.5 MEDIUM |
| A remote denial of service vulnerability in Mediaserver in Android 6.x before 2016-11-01 and 7.0 before 2016-11-01 could enable an attacker to use a specially crafted file to cause a device hang or reboot. This issue is rated as High due to the possibility of remote denial of service. Android ID: A-31092462. | |||||
| CVE-2016-7224 | 1 Microsoft | 5 Windows 10, Windows 8.1, Windows Rt 8.1 and 2 more | 2025-04-12 | 3.6 LOW | 6.1 MEDIUM |
| Virtual Hard Disk Driver in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 does not properly restrict access to files, which allows local users to gain privileges via a crafted application, aka "VHD Driver Elevation of Privilege Vulnerability." | |||||
| CVE-2015-3757 | 1 Apple | 1 Mac Os X | 2025-04-12 | 2.1 LOW | N/A |
| Apple OS X before 10.10.5 does not properly restrict access to the Date & Time preferences pane, which allows local users to spoof the time by visiting this pane. | |||||
| CVE-2016-5388 | 4 Apache, Hp, Oracle and 1 more | 11 Tomcat, System Management Homepage, Linux and 8 more | 2025-04-12 | 5.1 MEDIUM | 8.1 HIGH |
| Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability. | |||||
| CVE-2015-5838 | 1 Apple | 1 Iphone Os | 2025-04-12 | 4.3 MEDIUM | N/A |
| SpringBoard in Apple iOS before 9 does not properly restrict access to privileged API calls, which allows attackers to spoof the dialog windows of an arbitrary app via a crafted app. | |||||