4423 matches found
CVE-2016-1562
The REST API in the DTE Energy Insight application before 1.7.8 for Android allows remote authenticated users to obtain unspecified customer information via a SQL expression in the filter parameter...
CVE-2015-7411
The portal client in IBM Tivoli Monitoring (ITM) 6.2.2 through FP9, 6.2.3 through FP5, and 6.3.0 through FP6 allows remote authenticated users to gain privileges via unspecified vectors...
CVE-2015-7411
IBM Tivoli Monitoring (ITM) portal client v6.2.2–6.3.0 FP6 contains a privilege escalation vulnerability (CVE-2015-7411) that allows an authenticated user to increase their authority and run commands they should not be able to run. Affects the portal server component; exploit would enable administrator-level ac...
CVE-2016-1359
CVE-2016-1359 affects Cisco Prime Infrastructure 3.0. The vulnerability exists in log-file handling where a crafted HTTP request, while viewing logs, can be mishandled, allowing an authenticated remote attacker to execute arbitrary code on the affected system (Bug CSCuw81494). Root cause is impro...
Cisco Nexus 3000 and 3500 Insecure Default Telnet Credentials (cisco-sa-20160302-n3k)
The remote Cisco Nexus device has a known set of hardcoded default user credentials. An unauthenticated, remote attacker can exploit this to authenticate remotely to the device via Telnet with the privileges of the root user with bash shell access. TRUSTED...
Input validation
Schneider Electric Struxureware Building Operations Automation Server AS 1.7 and earlier and AS-P 1.7 and earlier allows remote authenticated administrators to execute arbitrary OS commands by defeating an msh (aka Minimal Shell) protection mechanism...
CVE-2016-2278
Schneider Electric Struxureware Building Operations Automation Server AS 1.7 and earlier and AS-P 1.7 and earlier allows remote authenticated administrators to execute arbitrary OS commands by defeating an msh (aka Minimal Shell) protection mechanism...
CVE-2016-0225
IBM WebSphere Commerce 6.x through 6.0.0.11 and 7.x through 7.0.0.9 allows remote authenticated Commerce Accelerator administrators to obtain sensitive information via unspecified vectors...
Code injection
QNAP iArtist Lite before 1.4.54, as distributed with QNAP Signage Station before 2.0.1, allows remote authenticated users to gain privileges by registering an executable file, and then waiting for this file to be run in a privileged context after a reboot...
CVE-2015-7262
CVE-2015-7262 affects QNAP iArtist Lite (before 1.4.54) as distributed with Signage Station (before 2.0.1). A privileged execution flaw lets remote authenticated users register an executable that is run in a privileged context after a reboot, effectively gaining SYSTEM-level access. Root cause li...
Design/Logic Flaw
The Device Manager GUI in Cisco Application Control Engine (ACE) 4710 A5 before A53.1 allows remote authenticated users to bypass intended RBAC restrictions and execute arbitrary CLI commands with admin privileges via an unspecified parameter in a POST request, aka Bug ID CSCul84801...
CVE-2016-0763
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass...
CVE-2015-5174
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web...
CVE-2016-0706
CVE-2016-0706 affects Apache Tomcat. Root cause: StatusManagerServlet is not listed in RestrictedServlets.properties, which lets remote authenticated users bypass SecurityManager restrictions and read arbitrary HTTP requests, potentially exposing session IDs. Affected versions include Tomcat 6.x before 6.0.45, 7.x bef...
Design/Logic Flaw
Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not consider the moodle/badges:viewbadges capability, which allows remote authenticated users to obtain sensitive badge information via a request involving (1) badges/overview.php or (2) badges/view.php...
CVE-2015-5340
Moodle through 2.6.11, 2.7.x before 2.7.11, 2.8.x before 2.8.9, and 2.9.x before 2.9.3 does not consider the moodle/badges:viewbadges capability, which allows remote authenticated users to obtain sensitive badge information via a request involving (1) badges/overview.php or (2) badges/view.php...
CVE-2015-5265
CVE-2015-5265 affects Moodle wiki component: versions up to 2.6.11, 2.7.x before 2.7.10, 2.8.x before 2.8.8 and 2.9.x before 2.9.2 fail to enforce the mod/wiki:managefiles capability when authorizing file management. This allows remote authenticated users to delete arbitrary files via a manage-fi...