Default configuration
IBM Integration Bus, under non-default configurations, could allow a remote user to authenticate without providing valid credentials...
Design/Logic Flaw
The handlecertificate function in /vmi/manager/engine/management/commands/apnsworker.py in Trend Micro Virtual Mobile Infrastructure before 5.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the password to api/v1/cfg/oauth/saveidentifypfx/...
UBUNTU-CVE-2016-4340
The impersonate feature in Gitlab 8.7.0, 8.6.0 through 8.6.7, 8.5.0 through 8.5.11, 8.4.0 through 8.4.9, 8.3.0 through 8.3.8, and 8.2.0 through 8.2.4 allows remote authenticated users to "log in" as any other user via unspecified vectors...
CVE-2016-4340
Removed by vendor...
CVE-2016-3414
Unspecified vulnerability in Zimbra Collaboration before 8.6.0 Patch 7 allows remote authenticated users to affect availability via unknown vectors, aka bug 102029...
CVE-2016-10148
The CVE-2016-10148 entry concerns WordPress before 4.6. The vulnerable component is wp_ajax_update_plugin in wp-admin/includes/ajax-actions.php. The root cause is that a get_plugin_data call is performed before checking the update_plugins capability, allowing remote authenticated users to bypass ...
MS15-007: Vulnerability in Network Policy Server RADIUS implementation could cause denial of service: January 13, 2015
Summary: This security update resolves a privately reported vulnerability in Windows. The vulnerability could allow denial of service on Internet Authentication Service (IAS) or...
Code injection
The Parental Control panel in Genexis devices with DRGOS before 1.14.1 allows remote authenticated users to execute arbitrary CLI commands via the (1) start_hour, (2) start_minute, (3) end_hour, (4) end_minute, or (5) hostname parameter...
CVE-2015-3441
Genexis DRGOS devices prior to version 1.14.1 are affected by a remote code execution flaw in the Parental Control panel. An authenticated remote attacker can exploit this by supplying values in the start_hour, start_minute, end_hour, end_minute, or hostname parameter to execute arbitrary CLI commands. The v...
CVE-2017-5179
Cross-site scripting (XSS) vulnerability in Tenable Nessus before 6.9.3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors...
CVE-2016-10085
admin/languages.php in Piwigo through 2.8.3 allows remote authenticated administrators to conduct File Inclusion attacks via the tab parameter...
UBUNTU-CVE-2016-2126
Samba versions 4.0.0 up to 4.5.2 are vulnerable to privilege elevation due to incorrect handling of the PAC (Privilege Attribute Certificate) checksum. A remote, authenticated attacker can cause the winbindd process to crash using a legitimate Kerberos ticket. A local service with access to the...
CVE-2016-3055
IBM FileNet Workplace 4.0.2 before 4.0.2.14 LA012 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE)...
CVE-2016-3033
IBM AppScan Source 8.7 through 9.0.3.3 allows remote authenticated users to read arbitrary files or cause a denial of service (memory consumption) via an XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue...
CVE-2016-2917
The notifications component in IBM TRIRIGA Applications 10.4 and 10.5 before 10.5.1 allows remote authenticated users to obtain sensitive password information, and consequently gain privileges, via unspecified vectors...
CVE-2016-2884
Cross-site request forgery (CSRF) vulnerability in IBM Forms Experience Builder 8.5.x and 8.6.x before 8.6.3.1, in an unspecified non-default configuration, allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences...
Default credentials
The notifications component in IBM TRIRIGA Applications 10.4 and 10.5 before 10.5.1 allows remote authenticated users to obtain sensitive password information, and consequently gain privileges, via unspecified vectors...
cfme: RCE via Capacity & Utilization feature
A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as...
CVE-2016-2876
IBM QRadar SIEM 7.1 before MR2 Patch 13 and 7.2 before 7.2.7 executes unspecified processes at an incorrect privilege level, which makes it easier for remote authenticated users to obtain root access by leveraging a command-injection issue...