CVEs from 2016
Total
8,431
critical
critical 1,165
high
high 3,521
medium
medium 3,172
low
low 248
% Critical
13.8%
% with KEV
0.7%
% with exploit
6.8%
Top vendors
Top products
- phpmyadmin 3,382
- php 1,748
- squid 1,549
- samba 1,093
- drupal 868
- firefox 757
- moodle 700
- openssl 664
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-3088 | unknown | — | 2.5 | 4y ago | The Fileserver web application in Apache ActiveMQ allows remote attackers to upload and execute arbitrary files via an HTTP PUT followed by an HTTP MOVE request | |||
| CVE-2016-0040 | unknown | — | 2.5 | 4y ago | The kernel in Microsoft Windows allows local users to gain privileges via a crafted application. | |||
| CVE-2016-0151 | unknown | — | 2.5 | 4y ago | The Client-Server Run-time Subsystem (CSRSS) in Microsoft mismanages process tokens, which allows local users to gain privileges via a crafted application. | |||
| CVE-2016-0189 | unknown | — | 2.5 | 4y ago | The Microsoft JScript nd VBScript engines, as used in Internet Explorer and other products, allow attackers to execute remote code or cause a denial of service (memory corruption) via a crafted web s… | |||
| CVE-2016-1555 | unknown | — | 2.5 | 4y ago | Multiple NETGEAR Wireless Access Point devices allows unauthenticated web pages to pass form input directly to the command-line interface. Exploitation allows for arbitrary code execution. | |||
| CVE-2016-10174 | unknown | — | 2.5 | 4y ago | The NETGEAR WNR2000v5 router contains a buffer overflow which can be exploited to achieve remote code execution. | |||
| CVE-2016-11021 | unknown | — | 2.5 | 4y ago | setSystemCommand on D-Link DCS-930L devices allows a remote attacker to execute code via an OS command. | |||
| CVE-2016-3309 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in k… | |||
| CVE-2016-6277 | unknown | — | 2.5 | 4y ago | NETGEAR confirmed multiple routers allow unauthenticated web pages to pass form input directly to the command-line interface, permitting remote code execution. | |||
| CVE-2016-0099 | unknown | — | 2.5 | 4y ago | A privilege escalation vulnerability exists in Microsoft Windows if the Windows Secondary Logon Service fails to properly manage request handles in memory. An attacker who successfully exploited this… | |||
| CVE-2016-4117 | unknown | — | 2.5 | 4y ago | An access of resource using incompatible type vulnerability exists within Adobe Flash Player that allows an attacker to perform remote code execution. | |||
| CVE-2016-3718 | unknown | — | 2.5 | 5y ago | ImageMagick contains an unspecified vulnerability that allows attackers to perform server-side request forgery (SSRF) via a crafted image. | |||
| CVE-2016-3976 | unknown | — | 2.5 | 5y ago | SAP NetWeaver Application Server Java Platforms contains a directory traversal vulnerability via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet. This allows remote at… | |||
| CVE-2016-3235 | unknown | — | 2.5 | 5y ago | Microsoft Office Object Linking & Embedding (OLE) dynamic link library (DLL) contains a side loading vulnerability due to it improperly validating input before loading libraries. Successful exploitat… | |||
| CVE-2016-3643 | unknown | — | 2.5 | 5y ago | SolarWinds Virtualization Manager allows for privilege escalation through leveraging a misconfiguration of sudo. | |||
| CVE-2016-0185 | unknown | — | 2.5 | 5y ago | Microsoft Windows Media Center contains a remote code execution vulnerability when Windows Media Center opens a specially crafted Media Center link (.mcl) file that references malicious code. | |||
| CVE-2016-7255 | unknown | — | 2.5 | 5y ago | Microsoft Win32k kernel-mode driver fails to properly handle objects in memory which allows for privilege escalation. Successful exploitation allows an attacker to run code in kernel mode. | |||
| CVE-2016-3715 | unknown | — | 2.5 | 5y ago | ImageMagick contains an unspecified vulnerability that could allow users to delete files by using ImageMagick's 'ephemeral' pseudo protocol, which deletes files after reading. | |||
| CVE-2016-5992 | low | 2.5 | 2.5 | 10y ago | IBM Sterling Connect:Direct 4.5.00, 4.5.01, 4.6.0 before 4.6.0.6 iFix008, and 4.7.0 before 4.7.0.4 on Windows allows local users to cause a denial of service via unspecified vectors. | |||
| CVE-2016-6450 | low | 2.5 | 2.5 | 10y ago | A vulnerability in the package unbundle utility of Cisco IOS XE Software could allow an authenticated, local attacker to gain write access to some files in the underlying operating system. This vulne… | |||
| CVE-2016-7960 | low | 2.5 | 2.5 | 10y ago | Siemens SIMATIC STEP 7 (TIA Portal) before 14 uses an improper format for managing TIA project files during version updates, which makes it easier for local users to obtain sensitive configuration in… | |||
| CVE-2016-5849 | low | 2.5 | 2.5 | 10y ago | Siemens SICAM PAS through 8.07 allows local users to obtain sensitive configuration information by leveraging database stoppage. | |||
| CVE-2016-2894 | low | 2.5 | 2.5 | 10y ago | IBM Spectrum Protect (formerly Tivoli Storage Manager) 5.5 through 6.3 before 6.3.2.6, 6.4 before 6.4.3.3, and 7.1 before 7.1.6 allows local users to obtain sensitive retrieved data from arbitrary ac… | |||
| CVE-2016-0259 | low | 2.5 | 2.5 | 10y ago | runmqsc in IBM WebSphere MQ 8.x before 8.0.0.5 allows local users to bypass an intended +dsp authority requirement and obtain sensitive information via unspecified display commands. | |||
| CVE-2016-1185 | low | 2.5 | 2.5 | 10y ago | The Cybozu kintone mobile application 1.x before 1.0.6 for Android allows attackers to discover an authentication token via a crafted application. | |||
| CVE-2016-0752 | unknown | — | 2.5 | 11y ago | Directory traversal vulnerability in Action View in Ruby on Rails allows remote attackers to read arbitrary files. | |||
| CVE-2016-7765 | low | 2.4 | 2.4 | 9y ago | An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Clipboard" component, which allows physically proximate attackers to obtain sensitive informati… | |||
| CVE-2016-7664 | low | 2.4 | 2.4 | 9y ago | An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Accessibility" component. which allows physically proximate attackers to obtain sensitive photo… | |||
| CVE-2016-7653 | low | 2.4 | 2.4 | 9y ago | An issue was discovered in certain Apple products. iOS before 10.2 is affected. The issue involves the "Media Player" component, which allows physically proximate attackers to obtain sensitive photo … | |||
| CVE-2016-9703 | low | 2.4 | 2.4 | 10y ago | IBM Security Identity Manager Virtual Appliance does not invalidate session tokens which could allow an unauthorized user with physical access to the work station to obtain sensitive information. | |||
| CVE-2016-3562 | low | 2.4 | 2.4 | 10y ago | Unspecified vulnerability in the RDBMS Security and SQL*Plus components in Oracle Database Server 11.2.0.4 and 12.1.0.2 allows remote administrators to affect confidentiality via vectors related to D… | |||
| CVE-2016-3291 | low | 2.4 | 2.4 | 10y ago | Microsoft Internet Explorer 11 and Microsoft Edge mishandle cross-origin requests, which allows remote attackers to obtain sensitive information via a crafted web site, aka "Microsoft Browser Informa… | |||
| CVE-2016-4593 | low | 2.4 | 2.4 | 10y ago | The Siri Contacts component in Apple iOS before 9.3.3 allows physically proximate attackers to read arbitrary Contact card information via unspecified vectors. | |||
| CVE-2016-1852 | low | 2.4 | 2.4 | 10y ago | Siri in Apple iOS before 9.3.2 does not block data detectors within results in the lock-screen state, which allows physically proximate attackers to obtain sensitive contact and photo information via… | |||
| CVE-2016-8305 | low | 2.1 | 2.1 | 10y ago | Vulnerability in the Oracle FLEXCUBE Universal Banking component of Oracle Financial Services Applications (subcomponent: Core). Supported versions that are affected are 11.3.0, 11.4.0, 12.0.1, 12.0.… | |||
| CVE-2016-3002 | low | 2.1 | 2.1 | 10y ago | IBM Connections 4.0 through CR4, 4.5 through CR5, and 5.0 before CR4 allows physically proximate attackers to obtain sensitive information by reading cached data on a client device. | |||
| CVE-2016-3888 | low | 2.1 | 2.1 | 10y ago | internal/telephony/SMSDispatcher.java in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01 allows physically proximate attackers to by… | |||
| CVE-2016-0605 | low | — | 2.1 | 11y ago | Unspecified vulnerability in Oracle MySQL 5.6.26 and earlier allows remote authenticated users to affect availability via unknown vectors. | |||
| CVE-2016-0592 | low | — | 2.1 | 11y ago | Unspecified vulnerability in the Oracle VM VirtualBox component in Oracle Virtualization VirtualBox before 4.3.36 and before 5.0.14 allows local users to affect availability via unknown vectors relat… | |||
| CVE-2016-0454 | low | — | 2.1 | 11y ago | Unspecified vulnerability in the Oracle Mobile Application Servlet component in Oracle E-Business Suite 12.1 and 12.2 allows local users to affect confidentiality via vectors related to MWA Server Ma… | |||
| CVE-2016-0446 | low | — | 2.1 | 11y ago | Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Enterprise Manager Grid Control 11.1.0.1, 11.2.0.4, 12.1.0.4, and 12.1.0.5 allows local users to affect confident… | |||
| CVE-2016-2943 | low | 1.9 | 1.9 | 10y ago | IBM BigFix Remote Control before 9.1.3 allows local users to obtain sensitive information by leveraging unspecified privileges to read a log file. | |||
| CVE-2016-0438 | low | — | 1.9 | 11y ago | Unspecified vulnerability in the Oracle Retail Point-of-Service component in Oracle Retail Applications 13.4, 14.0, and 14.1 allows local users to affect confidentiality via vectors related to Mobile… | |||
| CVE-2016-0437 | low | — | 1.9 | 11y ago | Unspecified vulnerability in the Oracle Retail Point-of-Service component in Oracle Retail Applications 13.4, 14.0, and 14.1 allows local users to affect confidentiality via vectors related to Mobile… | |||
| CVE-2016-0436 | low | — | 1.9 | 11y ago | Unspecified vulnerability in the Oracle Retail Point-of-Service component in Oracle Retail Applications 13.4, 14.0, and 14.1 allows local users to affect confidentiality via vectors related to Mobile… | |||
| CVE-2016-0434 | low | — | 1.9 | 11y ago | Unspecified vulnerability in the Oracle Retail Point-of-Service component in Oracle Retail Applications 13.4, 14.0, and 14.1 allows local users to affect confidentiality via vectors related to Mobile… | |||
| CVE-2016-0432 | low | — | 1.9 | 11y ago | Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.5.0, 8.5.1, and 8.5.2 allows local users to affect availability via unknown vectors related to Ou… | |||
| CVE-2016-8284 | low | 1.8 | 1.8 | 10y ago | Unspecified vulnerability in Oracle MySQL 5.6.31 and earlier and 5.7.13 and earlier allows local users to affect availability via vectors related to Server: Replication. | |||
| CVE-2016-0453 | low | — | 1.8 | 11y ago | Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Fusion Middleware 3.1.2 allows remote attackers to affect integrity via unknown vectors related to Embedded Server. | |||
| CVE-2016-0609 | low | — | 1.7 | 11y ago | Unspecified vulnerability in Oracle MySQL 5.5.46 and earlier, 5.6.27 and earlier, and 5.7.9 and MariaDB before 5.5.47, 10.0.x before 10.0.23, and 10.1.x before 10.1.10 allows remote authenticated use… | |||
| CVE-2016-0405 | low | — | 1.7 | 11y ago | Unspecified vulnerability in the Solaris Cluster component in Oracle Sun Systems Products Suite 3.3 and 4 allows local users to affect confidentiality via vectors related to Cluster Manageability and… | |||
| CVE-2016-7836 | unknown | — | 1.5 | 8mo ago | SKYSEA Client View contains an improper authentication vulnerability that allows remote code execution via a flaw in processing authentication on the TCP connection with the management console progra… | |||
| CVE-2016-3427 | unknown | — | 1.5 | 3y ago | Oracle Java SE and JRockit contains an unspecified vulnerability that allows remote attackers to affect confidentiality, integrity, and availability via vectors related to Java Management Extensions … | |||
| CVE-2016-1646 | unknown | — | 1.5 | 4y ago | Google Chromium V8 Engine contains an out-of-bounds read vulnerability that allows a remote attacker to cause a denial of service or possibly have another unspecified impact via crafted JavaScript co… | |||
| CVE-2016-5198 | unknown | — | 1.5 | 4y ago | Google Chromium V8 Engine contains an out-of-bounds memory access vulnerability that allows a remote attacker to perform read/write operations, leading to code execution, via a crafted HTML page. Thi… | |||
| CVE-2016-7256 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploits this vulnerability could take con… | |||
| CVE-2016-1010 | unknown | — | 1.5 | 4y ago | Integer overflow vulnerability in Adobe Flash Player and AIR allows attackers to execute code. | |||
| CVE-2016-0034 | unknown | — | 1.5 | 4y ago | Microsoft Silverlight mishandles negative offsets during decoding, which allows attackers to execute remote code or cause a denial-of-service (DoS). | |||
| CVE-2016-3393 | unknown | — | 1.5 | 4y ago | A remote code execution vulnerability exists due to the way the Windows GDI component handles objects in the memory. An attacker who successfully exploits this vulnerability could take control of the… | |||
| CVE-2016-3351 | unknown | — | 1.5 | 4y ago | An information disclosure vulnerability exists in the way that certain functions in Internet Explorer and Edge handle objects in memory. The vulnerability could allow an attacker to detect specific f… | |||
| CVE-2016-3298 | unknown | — | 1.5 | 4y ago | An information disclosure vulnerability exists when the Microsoft Internet Messaging API improperly handles objects in memory. An attacker who successfully exploited this vulnerability could allow th… | |||
| CVE-2016-0162 | unknown | — | 1.5 | 4y ago | An information disclosure vulnerability exists when Internet Explorer does not properly handle JavaScript. The vulnerability could allow an attacker to detect specific files on the user's computer. | |||
| CVE-2016-8735 | unknown | — | 1.5 | 4y ago | Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an att… | |||
| CVE-2016-4523 | unknown | — | 1.5 | 4y ago | The WAP interface in Trihedral VTScada (formerly VTS) allows remote attackers to cause a denial-of-service (DoS). | |||
| CVE-2016-4171 | unknown | — | 1.5 | 4y ago | Unspecified vulnerability in Adobe Flash Player allows for remote code execution. | |||
| CVE-2016-7892 | unknown | — | 1.5 | 4y ago | Adobe Flash Player has an exploitable use-after-free vulnerability in the TextField class. | |||
| CVE-2016-7262 | unknown | — | 1.5 | 4y ago | A security feature bypass vulnerability exists when Microsoft Office improperly handles input. An attacker who successfully exploited the vulnerability could execute arbitrary commands. | |||
| CVE-2016-1019 | unknown | — | 1.5 | 4y ago | Adobe Flash Player allows remote attackers to cause a denial of service or possibly execute arbitrary code. | |||
| CVE-2016-7855 | unknown | — | 1.5 | 4y ago | Use-after-free vulnerability in Adobe Flash Player Windows and OS and Linux allows remote attackers to execute arbitrary code. | |||
| CVE-2016-8562 | unknown | — | 1.5 | 4y ago | An improper privilege management vulnerability exists within the Siemens SIMATIC Communication Processor (CP) that allows a privileged attacker to remotely cause a denial of service. | |||
| CVE-2016-7193 | unknown | — | 1.5 | 4y ago | Microsoft Office contains a memory corruption vulnerability which can allow for remote code execution. | |||
| CVE-2016-0167 | unknown | — | 1.5 | 5y ago | Microsoft Win32k contains an unspecified vulnerability that allows for privilege escalation via a crafted application | |||
| CVE-2016-9563 | unknown | — | 1.5 | 5y ago | SAP NetWeaver Application Server Java Platforms contains an unspecified vulnerability in BC-BMT-BPM-DSK which allows remote, authenticated users to conduct XML External Entity (XXE) attacks. | |||
| CVE-2016-0498 | low | — | 1.5 | 11y ago | Unspecified vulnerability in the Oracle Agile Engineering Data Management component in Oracle Supply Chain Products Suite 6.1.2.2, 6.1.3.0, and 6.2.0.0 allows local users to affect confidentiality vi… | |||
| CVE-2016-0618 | low | — | 1.4 | 11y ago | Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect confidentiality via unknown vectors related to Zones. | |||
| CVE-2016-0431 | low | — | 1.2 | 11y ago | Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect availability via unknown vectors related to Solaris Kernel Zones, a different vulnerability than CVE-2016-0419. | |||
| CVE-2016-15057 | unknown | — | 1.0 | 4mo ago | Apache Continuum vulnerable to Command Injection through Installations REST API | |||
| CVE-2016-7076 | unknown | — | — | — | sudo before version 1.8.18p1 is vulnerable to a bypass in the sudo noexec restriction if application run via sudo executed wordexp() C library function with a user supplied argument. A local user per… | |||
| CVE-2016-9905 | unknown | — | — | — | A potentially exploitable crash in "EnumerateSubDocuments" while adding or removing sub-documents. This vulnerability affects Firefox ESR < 45.6 and Thunderbird < 45.6. | |||
| CVE-2016-10711 | unknown | — | — | — | Apsis Pound before 2.8a allows request smuggling via crafted headers, a different vulnerability than CVE-2005-3751. | |||
| CVE-2016-1000107 | unknown | — | — | — | inets in Erlang possibly 22.1 and earlier follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable… | |||
| CVE-2016-10723 | unknown | — | — | — | An issue was discovered in the Linux kernel through 4.17.2. Since the page allocator does not yield CPU resources to the owner of the oom_lock mutex, a local unprivileged user can trivially lock up t… | |||
| CVE-2016-9069 | unknown | — | — | — | A use-after-free in nsINode::ReplaceOrInsertBefore during DOM operations resulting in potentially exploitable crashes. This vulnerability affects Firefox < 50. | |||
| CVE-2016-10741 | unknown | — | — | — | In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to cause a denial of service (system crash) because there is a race condition between direct and memory-mapped I/O (associated w… | |||
| CVE-2016-10905 | unknown | — | — | — | An issue was discovered in fs/gfs2/rgrp.c in the Linux kernel before 4.8. A use-after-free is caused by the functions gfs2_clear_rgrpd and read_rindex_entry. | |||
| CVE-2016-10906 | unknown | — | — | — | An issue was discovered in drivers/net/ethernet/arc/emac_main.c in the Linux kernel before 4.5. A use-after-free is caused by a race condition between the functions arc_emac_tx and arc_emac_tx_clean. | |||
| CVE-2016-10907 | unknown | — | — | — | An issue was discovered in drivers/iio/dac/ad5755.c in the Linux kernel before 4.8.6. There is an out of bounds write in the function ad5755_parse_dt. | |||
| CVE-2016-9598 | unknown | — | — | — | libxml2, as used in Red Hat JBoss Core Services, allows context-dependent attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted XML document. NOTE: this vuln… | |||
| CVE-2016-20022 | unknown | — | — | — | In the Linux kernel before 4.8, usb_parse_endpoint in drivers/usb/core/config.c does not validate the wMaxPacketSize field of an endpoint descriptor. NOTE: This vulnerability only affects products th… | |||
| CVE-2016-9597 | unknown | — | — | — | It was found that Red Hat JBoss Core Services erratum RHSA-2016:2957 for CVE-2016-3705 did not actually include the fix for the issue found in libxml2, making it vulnerable to a Denial of Service att… | |||
| CVE-2016-8626 | unknown | — | — | — | A flaw was found in Red Hat Ceph before 0.94.9-8. The way Ceph Object Gateway handles POST object requests permits an authenticated attacker to launch a denial of service attack by sending null or sp… | |||
| CVE-2016-7523 | unknown | — | — | — | coders/meta.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. | |||
| CVE-2016-9579 | unknown | — | — | — | A flaw was found in the way Ceph Object Gateway would process cross-origin HTTP requests if the CORS policy was set to allow origin on a bucket. A remote unauthenticated attacker could use this flaw … | |||
| CVE-2016-4975 | unknown | — | — | — | Possible CRLF injection allowing HTTP response splitting attacks for sites which use mod_userdir. This issue was mitigated by changes made in 2.4.25 and 2.2.32 which prohibit CR or LF injection into … | |||
| CVE-2016-5287 | unknown | — | — | — | A potentially exploitable use-after-free crash during actor destruction with service workers. This issue does not affect releases earlier than Firefox 49. This vulnerability affects Firefox < 49.0.2. | |||
| CVE-2016-7524 | unknown | — | — | — | coders/meta.c in ImageMagick allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted file. | |||
| CVE-2016-9062 | unknown | — | — | — | Private browsing mode leaves metadata information, such as URLs, for sites visited in "browser.db" and "browser.db-wal" files within the Firefox profile after the mode is exited. Note: This issue onl… | |||
| CVE-2016-9072 | unknown | — | — | — | When a new Firefox profile is created on 64-bit Windows installations, the sandbox for 64-bit NPAPI plugins is not enabled by default. Note: This issue only affects 64-bit Windows. 32-bit Windows and… | |||
| CVE-2016-10764 | unknown | — | — | — | In the Linux kernel before 4.9.6, there is an off by one in the drivers/mtd/spi-nor/cadence-quadspi.c cqspi_setup_flash() function. There are CQSPI_MAX_CHIPSELECT elements in the ->f_pdata array so t… | |||
| CVE-2016-5295 | unknown | — | — | — | This vulnerability allows an attacker to use the Mozilla Maintenance Service to escalate privilege by having the Maintenance Service invoke the Mozilla Updater to run malicious local files. This vuln… |