Total
412 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2015-7188 | 1 Mozilla | 2 Firefox, Firefox Esr | 2016-12-07 | 7.5 HIGH | N/A |
| Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 allow remote attackers to bypass the Same Origin Policy for an IP address origin, and conduct cross-site scripting (XSS) attacks, by appending whitespace characters to an IP address string. | |||||
| CVE-2015-7193 | 1 Mozilla | 2 Firefox, Firefox Esr | 2016-12-07 | 7.5 HIGH | N/A |
| Mozilla Firefox before 42.0 and Firefox ESR 38.x before 38.4 improperly follow the CORS cross-origin request algorithm for the POST method in situations involving an unspecified Content-Type header manipulation, which allows remote attackers to bypass the Same Origin Policy by leveraging the lack of a preflight-request step. | |||||
| CVE-2015-7187 | 1 Mozilla | 1 Firefox | 2016-12-07 | 4.3 MEDIUM | N/A |
| The Add-on SDK in Mozilla Firefox before 42.0 misinterprets a "script: false" panel setting, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via inline JavaScript code that is executed within a third-party extension. | |||||
| CVE-2015-7185 | 2 Google, Mozilla | 2 Android, Firefox | 2016-12-07 | 4.3 MEDIUM | N/A |
| Mozilla Firefox before 42.0 on Android does not ensure that the address bar is restored upon fullscreen-mode exit, which allows remote attackers to spoof the address bar via crafted JavaScript code. | |||||
| CVE-2015-6427 | 1 Cisco | 1 Firesight System Software | 2016-12-07 | 5.0 MEDIUM | N/A |
| Cisco FireSIGHT Management Center allows remote attackers to bypass the HTTP attack detection feature and avoid triggering Snort IDS rules via an SSL session that is mishandled after decryption, aka Bug ID CSCux53437. | |||||
| CVE-2015-4640 | 2 Samsung, Swiftkey | 5 Galaxy S4, Galaxy S4 Mini, Galaxy S5 and 2 more | 2016-12-07 | 2.9 LOW | N/A |
| The SwiftKey language-pack update implementation on Samsung Galaxy S4, S4 Mini, S5, and S6 devices relies on an HTTP connection to the skslm.swiftkey.net server, which allows man-in-the-middle attackers to write to language-pack files by modifying an HTTP response. NOTE: CVE-2015-4640 exploitation can be combined with CVE-2015-4641 exploitation for man-in-the-middle code execution. | |||||
| CVE-2015-4112 | 1 Blackberry | 1 Enterprise Server | 2016-12-07 | 4.3 MEDIUM | N/A |
| The Management Console in BlackBerry Enterprise Server (BES) 12 before 12.2 does not properly restrict use of FRAME elements, which makes it easier for remote attackers to conduct clickjacking attacks via a crafted web site, related to a "cross frame scripting" issue. | |||||
| CVE-2016-6460 | 1 Cisco | 1 Firesight System Software | 2016-12-06 | 5.0 MEDIUM | 7.5 HIGH |
| A vulnerability in the FTP Representational State Transfer Application Programming Interface (REST API) for Cisco Firepower System Software could allow an unauthenticated, remote attacker to bypass FTP malware detection rules and download malware over an FTP connection. Cisco Firepower System Software is affected when the device has a file policy with malware block configured for FTP connections. More Information: CSCuv36188 CSCuy91156. Known Affected Releases: 5.4.0.2 5.4.1.1 5.4.1.6 6.0.0 6.1.0 6.2.0. Known Fixed Releases: 6.0.0. | |||||
| CVE-2016-6708 | 1 Google | 1 Android | 2016-12-06 | 2.1 LOW | 5.5 MEDIUM |
| An elevation of privilege in the System UI in Android 7.0 before 2016-11-01 could enable a local malicious user to bypass the security prompt of your work profile in Multi-Window mode. This issue is rated as High because it is a local bypass of user interaction requirements for any developer or security setting modifications. Android ID: A-30693465. | |||||
| CVE-2016-1567 | 1 Tuxfamily | 1 Chrony | 2016-12-05 | 6.8 MEDIUM | 8.1 HIGH |
| chrony before 1.31.2 and 2.x before 2.2.1 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key." | |||||
| CVE-2016-0950 | 1 Adobe | 1 Connect | 2016-12-05 | 5.0 MEDIUM | 5.3 MEDIUM |
| Adobe Connect before 9.5.2 allows remote attackers to spoof the user interface via unspecified vectors. | |||||
| CVE-2015-3693 | 1 Apple | 1 Mac Os X | 2016-12-05 | 9.3 HIGH | N/A |
| Apple Mac EFI before 2015-001, as used in OS X before 10.10.4 and other products, does not properly set refresh rates for DDR3 RAM, which might make it easier for remote attackers to conduct row-hammer attacks, and consequently gain privileges or cause a denial of service (memory corruption), by triggering certain patterns of access to memory locations. | |||||
| CVE-2015-3449 | 1 Sap | 1 Afaria | 2016-12-05 | 7.2 HIGH | N/A |
| The Windows client in SAP Afaria 7.0.6398.0 uses weak permissions (Everyone: read and Everyone: write) for the install folder, which allows local users to gain privileges via a Trojan horse XeService.exe file. | |||||
| CVE-2016-2846 | 1 Siemens | 2 Simatic S7 1200 Cpu, Simatic S7 Cpu 1200 Firmware | 2016-12-02 | 6.4 MEDIUM | 6.5 MEDIUM |
| Siemens SIMATIC S7-1200 CPU devices before 4.0 allow remote attackers to bypass a "user program block" protection mechanism via unspecified vectors. | |||||
| CVE-2016-2072 | 1 Citrix | 3 Netscaler, Netscaler Application Delivery Controller, Netscaler Gateway | 2016-12-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| The Administrative Web Interface in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway 11.x before 11.0 Build 64.34, 10.5 before 10.5 Build 59.13, 10.5.e before Build 59.1305.e, and 10.1 allows remote attackers to conduct clickjacking attacks via unspecified vectors. | |||||
| CVE-2016-1738 | 1 Apple | 1 Mac Os X | 2016-12-02 | 7.2 HIGH | 7.8 HIGH |
| dyld in Apple OS X before 10.11.4 allows attackers to bypass a code-signing protection mechanism via a modified app. | |||||
| CVE-2015-7914 | 1 Sauter | 1 Moduweb Vision | 2016-12-02 | 9.3 HIGH | 8.1 HIGH |
| Sauter EY-WS505F0x0 moduWeb Vision before 1.6.0 allows remote attackers to bypass authentication by leveraging knowledge of a password hash without knowledge of the associated password. | |||||
| CVE-2016-8503 | 1 Yandex | 1 Yandex Browser | 2016-12-02 | 5.0 MEDIUM | 7.3 HIGH |
| Yandex Protect Anti-phishing warning in Yandex Browser for desktop from version 16.7 to 16.9 could be used by remote attacker for brute-forcing passwords from important web-resource with special JavaScript. | |||||
| CVE-2016-8502 | 1 Yandex | 1 Yandex Browser | 2016-12-02 | 5.0 MEDIUM | 7.3 HIGH |
| Yandex Protect Anti-phishing warning in Yandex Browser for desktop from version 15.12.0 to 16.2 could be used by remote attacker for brute-forcing passwords from important web-resource with special JavaScript. | |||||
| CVE-2016-7989 | 2 Google, Samsung | 6 Android, Galaxy S4, Galaxy S4 Mini and 3 more | 2016-12-02 | 7.8 HIGH | 7.5 HIGH |
| On Samsung Galaxy S4 through S7 devices, a malformed OTA WAP PUSH SMS containing an OMACP message sent remotely triggers an unhandled ArrayIndexOutOfBoundsException in Samsung's implementation of the WifiServiceImpl class within wifi-service.jar. This causes the Android runtime to continually crash, rendering the device unusable until a factory reset is performed, a subset of SVE-2016-6542. | |||||