2016 VULNERABILITY DATABASE
CVE-2016-3239
Summary: The Print Spooler service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via vectors involving filesystem write operations, aka "Windows Print Spooler Elevation of Privilege Vulnerability."
Published: 7/12/2016 9:59:02 PM
CVSS Severity: v3 - 7.8 HIGH v2 - 7.2 HIGH
CVE-2016-3238
Summary: The Print Spooler service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows man-in-the-middle attackers to execute arbitrary code by providing a crafted print driver during printer installation, aka "Windows Print Spooler Remote Code Execution Vulnerability."
Published: 7/12/2016 9:59:01 PM
CVSS Severity: v3 - 8.1 HIGH v2 - 9.3 HIGH
CVE-2016-3204
Summary: The Microsoft (1) JScript 5.8 and 9 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Scripting Engine Memory Corruption Vulnerability."
Published: 7/12/2016 9:59:00 PM
CVSS Severity: v3 - 8.8 HIGH v2 - 9.3 HIGH
CVE-2016-6174
Summary: applications/core/modules/front/system/content.php in Invision Power Services IPS Community Suite (aka Invision Power Board, IPB, or Power Board) before 4.1.13, when used with PHP before 5.4.24 or 5.5.x before 5.5.8, allows remote attackers to execute arbitrary code via the content_class parameter.
Published: 7/12/2016 3:59:09 PM
CVSS Severity: v3 - 8.1 HIGH v2 - 6.8 MEDIUM
CVE-2016-5850
Summary: Cross-site scripting (XSS) vulnerability in the volume backup service module in Huawei Public Cloud Solution before 1.0.5 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Published: 7/12/2016 3:59:08 PM
CVSS Severity: v3 - 5.4 MEDIUM v2 - 3.5 LOW
CVE-2016-5774
Summary: The HTTPS server in Blue Coat PacketShaper S-Series 11.5.x before 11.5.3.2 might allow remote attackers to obtain sensitive credentials and other information via unspecified vectors, related to use of insecure cryptographic parameters.
Published: 7/12/2016 3:59:07 PM
CVSS Severity: v3 - 8.1 HIGH v2 - 4.3 MEDIUM
CVE-2016-5009
Summary: The handle_command function in mon/Monitor.cc in Ceph allows remote authenticated users to cause a denial of service (segmentation fault and ceph monitor crash) via an (1) empty or (2) crafted prefix.
Published: 7/12/2016 3:59:06 PM
CVSS Severity: v3 - 6.5 MEDIUM v2 - 4.0 MEDIUM
CVE-2016-4994
Summary: Use-after-free vulnerability in the xcf_load_image function in app/xcf/xcf-load.c in GIMP allows remote attackers to cause a denial of service (program crash) or possibly execute arbitrary code via a crafted XCF file.
Published: 7/12/2016 3:59:05 PM
CVSS Severity: v3 - 7.8 HIGH v2 - 6.8 MEDIUM
CVE-2016-4985
Summary: The ironic-api service in OpenStack Ironic before 4.2.5 (Liberty) and 5.x before 5.1.2 (Mitaka) allows remote attackers to obtain sensitive information about a registered node by leveraging knowledge of the MAC address of a network card belonging to that node and sending a crafted POST request to the v1/drivers/$DRIVER_NAME/vendor_passthru resource.
Published: 7/12/2016 3:59:04 PM
CVSS Severity: v3 - 7.5 HIGH v2 - 5.0 MEDIUM
CVE-2016-4428
Summary: Cross-site scripting (XSS) vulnerability in OpenStack Dashboard (Horizon) 8.0.1 and earlier and 9.0.0 through 9.0.1 allows remote authenticated users to inject arbitrary web script or HTML by injecting an AngularJS template in a dashboard form.
Published: 7/12/2016 3:59:03 PM
CVSS Severity: v3 - 5.4 MEDIUM v2 - 3.5 LOW
CVE-2016-2219
Summary: Cross-site scripting (XSS) vulnerability in the management interface in Palo Alto Networks PAN-OS 7.x before 7.0.8 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.
Published: 7/12/2016 3:59:02 PM
CVSS Severity: v3 - 5.4 MEDIUM v2 - 3.5 LOW
CVE-2015-3192
Summary: Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
Published: 7/12/2016 3:59:00 PM
CVSS Severity: v3 - 5.5 MEDIUM v2 - 4.3 MEDIUM
CVE-2016-5781
Summary: Stack-based buffer overflow in WECON LeviStudio allows remote attackers to execute arbitrary code via a crafted file.
Published: 7/11/2016 10:00:13 PM
CVE-2016-5308
Summary: The Client Intrusion Detection System (CIDS) driver before 15.0.6 in Symantec Endpoint Protection (SEP) and before 15.1.2 in Norton Security allows remote attackers to cause a denial of service (memory corruption and system crash) via a malformed Portable Executable (PE) file.
Published: 7/11/2016 10:00:12 PM
CVE-2016-4831
Summary: Untrusted search path vulnerability in LINE and LINE Installer 4.7.0 and earlier on Windows allows local users to gain privileges via a Trojan horse DLL in an unspecified directory.
Published: 7/11/2016 10:00:11 PM
CVE-2016-4533
Summary: Heap-based buffer overflow in WECON LeviStudio allows remote attackers to execute arbitrary code via a crafted file.
Published: 7/11/2016 10:00:10 PM
CVE-2016-4503
Summary: Moxa Device Server Web Console 5232-N allows remote attackers to bypass authentication, and consequently modify settings and data, via vectors related to reading a cookie parameter containing a UserId value.
Published: 7/11/2016 10:00:09 PM
CVE-2016-2206
Summary: The management console in Symantec Workspace Streaming (SWS) 7.5.x before 7.5 SP1 HF9 and 7.6.0 before 7.6 HF5 and Symantec Workspace Virtualization (SWV) 7.5.x before 7.5 SP1 HF9 and 7.6.0 before 7.6 HF5 allows remote authenticated users to read arbitrary files by modifying the file-download configuration file.
Published: 7/11/2016 10:00:06 PM
CVE-2016-2205
Summary: Directory traversal vulnerability in the file-download configuration file in the management console in Symantec Workspace Streaming (SWS) 7.5.x before 7.5 SP1 HF9 and 7.6.0 before 7.6 HF5 and Symantec Workspace Virtualization (SWV) 7.5.x before 7.5 SP1 HF9 and 7.6.0 before 7.6 HF5 allows remote authenticated users to read unspecified application files via unknown vectors.
Published: 7/11/2016 10:00:05 PM
CVE-2016-1445
Summary: Cisco Adaptive Security Appliance (ASA) Software 8.2 through 9.4.3.3 allows remote attackers to bypass intended ICMP Echo Reply ACLs via vectors related to subtypes.
Published: 7/11/2016 9:59:45 PM
CVE-2016-3818
Summary: libc in Android 4.x before 4.4.4 allows remote attackers to cause a denial of service (device hang or reboot) via a crafted file, aka internal bug 28740702.
Published: 7/10/2016 10:00:40 PM
CVE-2016-3816
Summary: The MediaTek display driver in Android before 2016-07-05 on Android One devices allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28402240.
Published: 7/10/2016 10:00:39 PM
CVE-2016-3815
Summary: The NVIDIA camera driver in Android before 2016-07-05 on Nexus 9 devices allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28522274.
Published: 7/10/2016 10:00:38 PM
CVE-2016-3814
Summary: The NVIDIA camera driver in Android before 2016-07-05 on Nexus 9 devices allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28193342.
Published: 7/10/2016 10:00:37 PM
CVE-2016-3813
Summary: The Qualcomm USB driver in Android before 2016-07-05 on Nexus 5, 5X, 6, and 6P devices allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28172322 and Qualcomm internal bug CR1010222.
Published: 7/10/2016 10:00:36 PM
CVE-2016-3812
Summary: The MediaTek video codec driver in Android before 2016-07-05 on Android One devices allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28174833 and MediaTek internal bug ALPS02688832.
Published: 7/10/2016 10:00:35 PM
CVE-2016-3811
Summary: The kernel video driver in Android before 2016-07-05 on Nexus 9 devices allows attackers to gain privileges via a crafted application, aka internal bug 28447556.
Published: 7/10/2016 10:00:34 PM
CVE-2016-3810
Summary: The MediaTek Wi-Fi driver in Android before 2016-07-05 on Android One devices allows attackers to obtain sensitive information via a crafted application, aka Android internal bug 28175522 and MediaTek internal bug ALPS02694389.
Published: 7/10/2016 10:00:34 PM
CVE-2016-3809
Summary: The networking component in Android before 2016-07-05 on Android One, Nexus 5, Nexus 5X, Nexus 6, Nexus 6P, Nexus 7 (2013), Nexus 9, Nexus Player, and Pixel C devices allows attackers to obtain sensitive information via a crafted application, aka internal bug 27532522.
Published: 7/10/2016 10:00:33 PM
CVE-2016-3808
Summary: The serial peripheral interface driver in Android before 2016-07-05 on Pixel C devices allows attackers to gain privileges via a crafted application, aka internal bug 28430009.
Published: 7/10/2016 10:00:32 PM
CVE-2016-3807
Summary: The serial peripheral interface driver in Android before 2016-07-05 on Nexus 5X and 6P devices allows attackers to gain privileges via a crafted application, aka internal bug 28402196.
Published: 7/10/2016 10:00:31 PM
CVE-2016-3806
Summary: The MediaTek display driver in Android before 2016-07-05 on Android One devices allows attackers to gain privileges via a crafted application, aka Android internal bug 28402341 and MediaTek internal bug ALPS02715341.
Published: 7/10/2016 10:00:30 PM