Total
407 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-1796 | 1 Shibboleth | 2 Identity Provider, Opensaml Java | 2025-04-12 | 4.3 MEDIUM | N/A |
| The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor. | |||||
| CVE-2016-2296 | 1 Meteocontrol | 4 Web\'log Basic 100, Web\'log Light, Web\'log Pro and 1 more | 2025-04-12 | 7.5 HIGH | 9.4 CRITICAL |
| Meteocontrol WEB'log Basic 100, Light, Pro, and Pro Unlimited does not require authentication for "post-admin" login pages, which allows remote attackers to obtain sensitive information or modify data via unspecified vectors. | |||||
| CVE-2016-9207 | 1 Cisco | 1 Expressway | 2025-04-12 | 6.4 MEDIUM | 6.5 MEDIUM |
| A vulnerability in the HTTP traffic server component of Cisco Expressway could allow an unauthenticated, remote attacker to initiate TCP connections to arbitrary hosts. This does not allow for full traffic proxy through the Expressway. Affected Products: This vulnerability affects Cisco Expressway Series Software and Cisco TelePresence Video Communication Server (VCS). More Information: CSCvc10834. Known Affected Releases: X8.7.2 X8.8.3. Known Fixed Releases: X8.9. | |||||
| CVE-2015-0993 | 1 Inductiveautomation | 1 Ignition | 2025-04-12 | 6.4 MEDIUM | N/A |
| Inductive Automation Ignition 7.7.2 does not terminate a session upon a logout action, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation. | |||||
| CVE-2016-2112 | 2 Canonical, Samba | 2 Ubuntu Linux, Samba | 2025-04-12 | 4.3 MEDIUM | 5.9 MEDIUM |
| The bundled LDAP client library in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize the "client ldap sasl wrapping" setting, which allows man-in-the-middle attackers to perform LDAP protocol-downgrade attacks by modifying the client-server data stream. | |||||
| CVE-2016-7959 | 1 Siemens | 1 Simatic Step 7 | 2025-04-12 | 1.9 LOW | 4.7 MEDIUM |
| Siemens SIMATIC STEP 7 (TIA Portal) before 14 improperly stores pre-shared key data in TIA project files, which makes it easier for local users to obtain sensitive information by leveraging access to a file and conducting a brute-force attack. | |||||
| CVE-2015-3973 | 1 Janitza | 5 Umg 508, Umg 509, Umg 511 and 2 more | 2025-04-12 | 5.0 MEDIUM | N/A |
| Janitza UMG 508, 509, 511, 604, and 605 devices improperly generate session tokens, which makes it easier for remote attackers to determine a PIN value via unspecified computations on session-token values. | |||||
| CVE-2016-6493 | 1 Citrix | 2 Xenapp, Xendesktop | 2025-04-12 | 7.5 HIGH | 9.8 CRITICAL |
| Citrix XenApp 6.x before 6.5 HRP07 and 7.x before 7.9 and Citrix XenDesktop before 7.9 might allow attackers to weaken an unspecified security mitigation via vectors related to memory permission. | |||||
| CVE-2016-0818 | 1 Google | 1 Android | 2025-04-12 | 4.3 MEDIUM | 5.9 MEDIUM |
| The caching functionality in the TrustManagerImpl class in TrustManagerImpl.java in Conscrypt in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.x before 2016-03-01 mishandles the distinction between an intermediate CA and a trusted root CA, which allows man-in-the-middle attackers to spoof servers by leveraging access to an intermediate CA to issue a certificate, aka internal bug 26232830. | |||||
| CVE-2016-1664 | 3 Google, Opensuse, Redhat | 6 Chrome, Opensuse, Enterprise Linux Desktop Supplementary and 3 more | 2025-04-12 | 4.3 MEDIUM | 4.3 MEDIUM |
| The HistoryController::UpdateForCommit function in content/renderer/history_controller.cc in Google Chrome before 50.0.2661.94 mishandles the interaction between subframe forward navigations and other forward navigations, which allows remote attackers to spoof the address bar via a crafted web site. | |||||
| CVE-2016-2114 | 2 Canonical, Samba | 2 Ubuntu Linux, Samba | 2025-04-12 | 4.3 MEDIUM | 5.9 MEDIUM |
| The SMB1 protocol implementation in Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize the "server signing = mandatory" setting, which allows man-in-the-middle attackers to spoof SMB servers by modifying the client-server data stream. | |||||
| CVE-2016-5160 | 2 Google, Opensuse | 2 Chrome, Leap | 2025-04-12 | 4.3 MEDIUM | 6.5 MEDIUM |
| The AllowCrossRendererResourceLoad function in extensions/browser/url_request_util.cc in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not properly use an extension's manifest.json web_accessible_resources field for restrictions on IFRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks, and trick users into changing extension settings, via a crafted web site, a different vulnerability than CVE-2016-5162. | |||||
| CVE-2016-3279 | 1 Microsoft | 9 Excel, Excel Rt, Office and 6 more | 2025-04-12 | 4.3 MEDIUM | 5.5 MEDIUM |
| Microsoft Office 2010 SP2, Excel 2010 SP2, PowerPoint 2010 SP2, Word 2010 SP2, Excel 2013 SP1, PowerPoint 2013 SP1, Word 2013 SP1, Excel 2013 RT SP1, PowerPoint 2013 RT SP1, Word 2013 RT SP1, Excel 2016, Word 2016, Word Automation Services on SharePoint Server 2010 SP2, and Office Web Apps 2010 SP2 allow remote attackers to execute arbitrary code via a crafted XLA file, aka "Microsoft Office Remote Code Execution Vulnerability." | |||||
| CVE-2015-7185 | 2 Google, Mozilla | 2 Android, Firefox | 2025-04-12 | 4.3 MEDIUM | N/A |
| Mozilla Firefox before 42.0 on Android does not ensure that the address bar is restored upon fullscreen-mode exit, which allows remote attackers to spoof the address bar via crafted JavaScript code. | |||||
| CVE-2016-4824 | 1 Corega | 4 Cg-wlr300gnv, Cg-wlr300gnv-w, Cg-wlr300gnv-w Firmware and 1 more | 2025-04-12 | 5.0 MEDIUM | 5.3 MEDIUM |
| The Wi-Fi Protected Setup (WPS) implementation on Corega CG-WLR300GNV and CG-WLR300GNV-W devices does not restrict the number of PIN authentication attempts, which makes it easier for remote attackers to obtain network access via a brute-force attack. | |||||
| CVE-2014-9039 | 3 Debian, Mageia Project, Wordpress | 3 Debian Linux, Mageia, Wordpress | 2025-04-12 | 4.3 MEDIUM | N/A |
| wp-login.php in WordPress before 3.7.5, 3.8.x before 3.8.5, 3.9.x before 3.9.3, and 4.x before 4.0.1 might allow remote attackers to reset passwords by leveraging access to an e-mail account that received a password-reset message. | |||||
| CVE-2016-8600 | 1 Dotcms | 1 Dotcms | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH |
| In dotCMS 3.2.1, attacker can load captcha once, fill it with correct value and then this correct value is ok for forms with captcha check later. | |||||
| CVE-2015-6029 | 1 Hp | 1 Arcsight Logger | 2025-04-12 | 5.0 MEDIUM | N/A |
| HP ArcSight Logger before 6.0 P2 does not limit attempts to authenticate to the SOAP interface, which makes it easier for remote attackers to obtain access via a brute-force approach. | |||||
| CVE-2016-6597 | 1 Sophos | 1 Mobile Control Eas Proxy | 2025-04-12 | 5.0 MEDIUM | 8.6 HIGH |
| Sophos EAS Proxy before 6.2.0 for Sophos Mobile Control, when Lotus Traveler is enabled, allows remote attackers to access arbitrary web-resources from the backend mail system via a request for the resource, aka an Open Reverse Proxy vulnerability. | |||||
| CVE-2015-7288 | 1 Csl Dualcom | 2 Gprs, Gprs Cs2300-r Firmware | 2025-04-12 | 4.3 MEDIUM | N/A |
| CSL DualCom GPRS CS2300-R devices with firmware 1.25 through 3.53 allow remote attackers to modify the configuration via a command in an SMS message, as demonstrated by a "4 2" command. | |||||