Log

CVE-2016-9903 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Cross-site scripting
Description
+ Mozilla's add-ons SDK had a world-accessible resource with an HTML injection vulnerability. If an additional vulnerability allowed this resource to be loaded as a document it could allow injecting content and script into an add-on's context.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/#CVE-2016-9903
Notes
CVE-2016-9904 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Information disclosure
Description
+ An attacker could use a JavaScript Map/Set timing attack to determine whether an atom is used by another compartment/zone in specific contexts. This could be used to leak information, such as usernames embedded in JavaScript code, across websites.
References
+ https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/#CVE-2016-9904
Notes
CVE-2016-9909 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Remote
Type
+ Cross-site scripting
Description
+ A potential cross-site scripting vulnerability was found in python-html5lib due to unquoted attributes that need escaping in legacy browsers.
References
+ https://github.com/html5lib/html5lib-python/issues/11
Notes
CVE-2016-9910 created at 25 Sep 2019 19:31:40
Severity
+ Low
Remote
+ Remote
Type
+ Cross-site scripting
Description
+ A potential cross-site scripting vulnerability was found in python-html5lib due to unquoted attributes that need escaping in legacy browsers.
References
+ https://github.com/html5lib/html5lib-python/issues/12
Notes
CVE-2016-9919 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Denial of service
Description
+ The icmp6_send function in net/ipv6/icmp.c in the Linux kernel through 4.8.12 omits a certain check of the dst data structure, which allows remote attackers to cause a denial of service (panic) via a fragmented IPv6 packet.
References
+ https://bugzilla.kernel.org/show_bug.cgi?id=189851
+ https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=79dc7e3f1cd323be4c81aa1a94faa1b3ed987fb2
Notes
+ The issue was introduced in 4.8.10 by 5d41ce29e ("net: icmp6_send should use dst dev to determine L3 domain") and fixed in trunk by 79dc7e3f1cd323be4c81aa1a94faa1b3ed987fb2 ("net: handle no dst on skb in icmp6_send").
CVE-2016-9933 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ A stack consumption vulnerability has been discovered in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP before 5.6.28 and 7.x before 7.0.13, which allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value.
References
+ https://bugs.php.net/bug.php?id=72696
+ https://github.com/php/php-src/commit/863d37ea66d5c960db08d6f4a2cbd2518f0f80d1
+ http://www.openwall.com/lists/oss-security/2016/12/12/2
Notes
CVE-2016-9934 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ It has been discovered that ext/wddx/wddx.c in PHP before 5.6.28 and 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string.
References
+ https://bugs.php.net/bug.php?id=73331
+ https://github.com/php/php-src/commit/6045de69c7dedcba3eadf7c4bba424b19c81d00d
+ http://www.openwall.com/lists/oss-security/2016/12/12/2
Notes
CVE-2016-9935 created at 25 Sep 2019 19:31:40
Severity
+ Medium
Remote
+ Remote
Type
+ Denial of service
Description
+ The php_wddx_push_element function in ext/wddx/wddx.c in PHP before 5.6.29 and 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document.
References
+ https://bugs.php.net/bug.php?id=73631
+ https://github.com/php/php-src/commit/66fd44209d5ffcb9b3d1bc1b9fd8e35b485040c0
+ http://seclists.org/oss-sec/2016/q4/658
Notes
CVE-2016-9936 created at 25 Sep 2019 19:31:40
Severity
+ High
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly execute arbitrary code via crafted serialized data.
References
+ https://github.com/php/php-src/commit/b2af4e8868726a040234de113436c6e4f6372d17
+ https://bugs.php.net/bug.php?id=72978
+ http://www.openwall.com/lists/oss-security/2016/12/12/2
Notes
CVE-2016-9941 created at 25 Sep 2019 19:31:40
Severity
+ Critical
Remote
+ Remote
Type
+ Arbitrary code execution
Description
+ A heap-based buffer overflow has been discovered in rfbproto.c in the LibVNCClient part of LibVNCServer before 0.9.11, which allows remote servers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted FramebufferUpdate message containing a subrectangle outside of the client drawing area.
References
+ https://github.com/LibVNC/libvncserver/pull/137
Notes