Search Results (24238 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2015-8602 1 Token Insert Entity Project 1 Token Insert Entity 2025-04-12 N/A
The Token Insert Entity module 7.x-1.x before 7.x-1.1 for Drupal does not properly check permissions, which allows remote authenticated users with certain permissions to bypass intended access restrictions and possibly obtain sensitive information by inserting a token, which embeds a rendered entity in the main node.
CVE-2016-2156 1 Moodle 1 Moodle 2025-04-12 N/A
calendar/externallib.php in Moodle through 2.6.11, 2.7.x before 2.7.13, 2.8.x before 2.8.11, 2.9.x before 2.9.5, and 3.0.x before 3.0.3 provides calendar-event data without considering whether an activity is hidden, which allows remote authenticated users to obtain sensitive information via a web-service request.
CVE-2016-7216 1 Microsoft 3 Windows 7, Windows Server 2008, Windows Vista 2025-04-12 N/A
The kernel API in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 mishandles permissions, which allows local users to gain privileges via a crafted application, aka "Windows Kernel Elevation of Privilege Vulnerability."
CVE-2016-10011 2 Openbsd, Redhat 2 Openssh, Enterprise Linux 2025-04-12 N/A
authfile.c in sshd in OpenSSH before 7.4 does not properly consider the effects of realloc on buffer contents, which might allow local users to obtain sensitive private-key information by leveraging access to a privilege-separated child process.
CVE-2016-0132 1 Microsoft 1 .net Framework 2025-04-12 N/A
Microsoft .NET Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 mishandles signature validation for unspecified elements of XML documents, which allows remote attackers to spoof signatures via a modified document, aka ".NET XML Validation Security Feature Bypass."
CVE-2013-0334 4 Bundler, Fedoraproject, Opensuse and 1 more 4 Bundler, Fedora, Opensuse and 1 more 2025-04-12 N/A
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.
CVE-2013-0336 1 Redhat 1 Freeipa 2025-04-12 N/A
The ipapwd_chpwop function in daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c in the directory server (dirsrv) in FreeIPA before 3.2.0 allows remote attackers to cause a denial of service (crash) via a connection request without a username/dn, related to the 389 directory server.
CVE-2016-4071 3 Apple, Php, Redhat 3 Mac Os X, Php, Rhel Software Collections 2025-04-12 N/A
Format string vulnerability in the php_snmp_error function in ext/snmp/snmp.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to execute arbitrary code via format string specifiers in an SNMP::get call.
CVE-2016-4554 4 Canonical, Oracle, Redhat and 1 more 4 Ubuntu Linux, Linux, Enterprise Linux and 1 more 2025-04-12 N/A
mime_header.cc in Squid before 3.5.18 allows remote attackers to bypass intended same-origin restrictions and possibly conduct cache-poisoning attacks via a crafted HTTP Host header, aka a "header smuggling" issue.
CVE-2014-3081 1 Ibm 2 Global Console Manager 16 Firmware, Global Console Manager 32 Firmware 2025-04-12 N/A
prodtest.php on IBM GCM16 and GCM32 Global Console Manager switches with firmware before 1.20.20.23447 allows remote authenticated users to read arbitrary files via the filename parameter.
CVE-2015-5696 1 Dell 1 Netvault Backup 2025-04-12 N/A
Dell Netvault Backup before 10.0.5 allows remote attackers to cause a denial of service (crash) via a crafted request.
CVE-2015-1595 1 Siemens 1 Spcanywhere 2025-04-12 N/A
The Siemens SPCanywhere application for Android and iOS does not use encryption during lookups of system ID to IP address mappings, which allows man-in-the-middle attackers to discover alarm IP addresses and spoof servers by intercepting the client-server data stream.
CVE-2015-1604 1 Adminsystems Cms Project 1 Adminsystems Cms 2025-04-12 N/A
Unrestricted file upload vulnerability in asys/site/files.php in Adminsystems CMS before 4.0.2 allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in upload/files/.
CVE-2016-2107 8 Canonical, Debian, Google and 5 more 18 Ubuntu Linux, Debian Linux, Android and 15 more 2025-04-12 5.9 Medium
The AES-NI implementation in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h does not consider memory allocation during a certain padding check, which allows remote attackers to obtain sensitive cleartext information via a padding-oracle attack against an AES CBC session. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-0169.
CVE-2016-2216 2 Fedoraproject, Nodejs 2 Fedora, Node.js 2025-04-12 N/A
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
CVE-2015-2980 1 Yodobashi 1 Yodobashi 2025-04-12 N/A
The Yodobashi application 1.2.1.0 and earlier for Android allows remote attackers to execute arbitrary Java methods, and consequently obtain sensitive information or execute OS commands, via a crafted HTML document.
CVE-2013-1946 2 Drupal, Restful Web Services Project 2 Drupal, Restful Web Services 2025-04-12 N/A
The RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.3 and 7.x-2.x before 7.x-2.0-alpha5 for Drupal, when page caching is enabled and anonymous users are assigned RESTWS permissions, allows remote attackers to cause a denial of service via a GET request with an HTTP Accept header set to a non-HTML type, which can "interfere with Drupal's page cache."
CVE-2013-2014 2 Fedoraproject, Openstack 2 Fedora, Keystone 2025-04-12 N/A
OpenStack Identity (Keystone) before 2013.1 allows remote attackers to cause a denial of service (memory consumption and crash) via multiple long requests.
CVE-2014-2880 1 Oracle 1 Identity Manager 2025-04-12 N/A
Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backUrl parameter in a changepwd action to identity/faces/firstlogin.
CVE-2016-6515 3 Fedoraproject, Openbsd, Redhat 3 Fedora, Openssh, Enterprise Linux 2025-04-12 N/A
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password authentication, which allows remote attackers to cause a denial of service (crypt CPU consumption) via a long string.