Exploit Database

145,434 exploits tracked across all sources.

Sort: Activity Stars
CVE-2016-4009 WRITEUP CRITICAL
Pillow < 3.1.1 - Heap-Based Buffer Overflow via Negative Resample Size
Integer overflow in the ImagingResampleHorizontal function in libImaging/Resample.c in Pillow before 3.1.1 allows remote attackers to have unspecified impact via negative values of the new size, which triggers a heap-based buffer overflow.
CVSS 9.8
CVE-2016-4069 WRITEUP HIGH
Roundcube Webmail <1.1.5 - CSRF
Cross-site request forgery (CSRF) vulnerability in Roundcube Webmail before 1.1.5 allows remote attackers to hijack the authentication of users for requests that download attachments and cause a denial of service (disk consumption) via unspecified vectors.
CVSS 8.8
CVE-2016-4309 WRITEUP HIGH
Symphony CMS 2.6.7 - Info Disclosure
Session fixation vulnerability in Symphony CMS 2.6.7, when session.use_only_cookies is disabled, allows remote attackers to hijack web sessions via the PHPSESSID parameter.
CVSS 7.5
CVE-2016-4340 WRITEUP HIGH
GitLab 8.2.0-8.6.7 Authenticated Privilege Escalation via Impersonate
The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to "log in" as any other user via unspecified vectors.
CVSS 8.8
CVE-2016-4442 WRITEUP MEDIUM
Rack-Mini-Profiler <0.10.1 - Info Disclosure
The rack-mini-profiler gem before 0.10.1 for Ruby allows remote attackers to obtain sensitive information about allocated strings and objects by leveraging incorrect ordering of security checks.
CVSS 5.3
CVE-2016-4455 WRITEUP LOW
Red Hat Enterprise Linux Subscription Manager < 1.17.7-1 - Information Disclosure via Weak Cache Directory Permissions
The Subscription Manager package (aka subscription-manager) before 1.17.7-1 for Candlepin uses weak permissions (755) for subscription-manager cache directories, which allows local users to obtain sensitive information by reading files in the directories.
CVSS 3.3
CVE-2016-4567 WRITEUP MEDIUM
MediaElement.js < 2.21.0 - Cross-Site Scripting via FlashMediaElement.as jsinitfunction Parameter
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."
CVSS 6.1
CVE-2016-4567 WRITEUP MEDIUM
MediaElement.js < 2.21.0 - Cross-Site Scripting via FlashMediaElement.as jsinitfunction Parameter
Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via an obfuscated form of the jsinitfunction parameter, as demonstrated by "jsinitfunctio%gn."
CVSS 6.1
CVE-2016-4849 WRITEUP MEDIUM
Geeklog IVYWE 2.1.1 - Cross-Site Scripting via COM_getCurrentURL Function
Multiple cross-site scripting (XSS) vulnerabilities in Geeklog IVYWE edition 2.1.1 allow remote attackers to inject arbitrary web script or HTML by leveraging use of the COM_getCurrentURL function in (1) public_html/layout/default/header.thtml, (2) public_html/layout/bento/header.thtml, (3) public_html/layout/fotos/header.thtml, or (4) public_html/layout/default/article/article.thtml.
CVSS 6.1
CVE-2016-4875 WRITEUP MEDIUM
Assist Plugin < 1.1.2.test20160906 - Cross-Site Scripting
Multiple cross-site scripting (XSS) vulnerabilities in the IVYWE (1) Assist plugin before 1.1.2.test20160906, (2) dataBox plugin before 0.0.0.20160906, and (3) userBox plugin before 0.0.0.20160906 for Geeklog allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVSS 6.1
CVE-2016-4989 WRITEUP HIGH
setroubleshoot - Command Injection via Crafted File Name or XML Document
setroubleshoot allows local users to bypass an intended container protection mechanism and execute arbitrary commands by (1) triggering an SELinux denial with a crafted file name, which is handled by the _set_tpath function in audit_data.py or via a crafted (2) local_id or (3) analysis_id field in a crafted XML document to the run_fix function in SetroubleshootFixit.py, related to the subprocess.check_output and commands.getstatusoutput functions, a different vulnerability than CVE-2016-4445.
CVSS 7.0
CVE-2016-4997 WRITEUP HIGH
Linux Kernel 4.6.3 Netfilter Privilege Escalation
The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.
CVSS 7.8
CVE-2016-4997 WRITEUP HIGH
Linux Kernel 4.6.3 Netfilter Privilege Escalation
The compat IPT_SO_SET_REPLACE and IP6T_SO_SET_REPLACE setsockopt implementations in the netfilter subsystem in the Linux kernel before 4.6.3 allow local users to gain privileges or cause a denial of service (memory corruption) by leveraging in-container root access to provide a crafted offset value that triggers an unintended decrement.
CVSS 7.8
CVE-2016-4998 WRITEUP HIGH
Linux Kernel < 4.6 - Denial of Service via IPT_SO_SET_REPLACE Out-of-Bounds Read
The IPT_SO_SET_REPLACE setsockopt implementation in the netfilter subsystem in the Linux kernel before 4.6 allows local users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from kernel heap memory by leveraging in-container root access to provide a crafted offset value that leads to crossing a ruleset blob boundary.
CVSS 7.1
CVE-2016-4999 WRITEUP CRITICAL
Dashbuilder < 0.6.0.Beta1 - SQL Injection via Data Set Lookup Filter
SQL injection vulnerability in the getStringParameterSQL method in main/java/org/dashbuilder/dataprovider/sql/dialect/DefaultDialect.java in Dashbuilder before 0.6.0.Beta1 allows remote attackers to execute arbitrary SQL commands via a data set lookup filter in the (1) Data Set Authoring or (2) Displayer editor UI.
CVSS 9.8
CVE-2016-5097 WRITEUP MEDIUM
Opensuse < 4.6.1 - Information Disclosure
phpMyAdmin before 4.6.2 places tokens in query strings and does not arrange for them to be stripped before external navigation, which allows remote attackers to obtain sensitive information by reading (1) HTTP requests or (2) server logs.
CVSS 5.3
CVE-2016-5195 WRITEUP HIGH
Linux Kernel 2.x-4.x < 4.8.3 - Local Privilege Escalation via Dirty COW Race Condition
Race condition in mm/gup.c in the Linux kernel 2.x through 4.x before 4.8.3 allows local users to gain privileges by leveraging incorrect handling of a copy-on-write (COW) feature to write to a read-only memory mapping, as exploited in the wild in October 2016, aka "Dirty COW."
CVSS 7.0
CVE-2016-5303 WRITEUP MEDIUM
Horde Groupware - Cross-Site Scripting via Text Filter API
Cross-site scripting (XSS) vulnerability in the Horde Text Filter API in Horde Groupware and Horde Groupware Webmail Edition before 5.2.16 allows remote attackers to inject arbitrary web script or HTML via crafted data:text/html content in a form (1) action or (2) xlink attribute.
CVSS 6.1
CVE-2016-5355 WRITEUP MEDIUM
Wireshark 1.12.x < 1.12.12 and 2.x < 2.0.4 - Denial of Service in Toshiba File Parser
wiretap/toshiba.c in the Toshiba file parser in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles sscanf unsigned-integer processing, which allows remote attackers to cause a denial of service (application crash) via a crafted file.
CVSS 5.9
CVE-2016-5356 WRITEUP MEDIUM
Wireshark 1.12.x < 1.12.12 and 2.x < 2.0.4 - Denial of Service in CoSine File Parser
wiretap/cosine.c in the CoSine file parser in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles sscanf unsigned-integer processing, which allows remote attackers to cause a denial of service (application crash) via a crafted file.
CVSS 5.9
CVE-2016-5357 WRITEUP MEDIUM
Wireshark 1.12.x < 1.12.12 and 2.x < 2.0.4 - Denial of Service in NetScreen File Parser
wiretap/netscreen.c in the NetScreen file parser in Wireshark 1.12.x before 1.12.12 and 2.x before 2.0.4 mishandles sscanf unsigned-integer processing, which allows remote attackers to cause a denial of service (application crash) via a crafted file.
CVSS 5.9
CVE-2016-5364 WRITEUP MEDIUM
MantisBT < 1.2.19 - Cross-Site Scripting via manage_custom_field_edit_page.php Return Parameter
Cross-site scripting (XSS) vulnerability in manage_custom_field_edit_page.php in MantisBT 1.2.19 and earlier allows remote attackers to inject arbitrary web script or HTML via the return parameter.
CVSS 6.1
CVE-2016-5412 WRITEUP MEDIUM
Linux Kernel < 4.7 - Denial of Service via H_CEDE Hypercall
arch/powerpc/kvm/book3s_hv_rmhandlers.S in the Linux kernel through 4.7 on PowerPC platforms, when CONFIG_KVM_BOOK3S_64_HV is enabled, allows guest OS users to cause a denial of service (host OS infinite loop) by making a H_CEDE hypercall during the existence of a suspended transaction.
CVSS 6.5
CVE-2016-5418 WRITEUP HIGH
libarchive <3.2.0 - Code Injection
The sandboxing code in libarchive 3.2.0 and earlier mishandles hardlink archive entries of non-zero data size, which might allow remote attackers to write to arbitrary files via a crafted archive file.
CVSS 7.5
CVE-2016-5429 WRITEUP LOW
jose-php < 2.2.0 - Timing Attack via HMAC Comparison
jose-php before 2.2.1 does not use constant-time operations for HMAC comparison, which makes it easier for remote attackers to obtain sensitive information via a timing attack, related to JWE.php and JWS.php.
CVSS 3.7