Home
Vulnerability Summary for the Week of March 7, 2016
ITA
Questo articolo è scritto per te che “non capisci di esser abbastanza cretino” e ti credi molto perspicace e intelligente, una persona che snobba gli articoli e non ha bisogno di niente e prima si iscrive alla newsletter del mio sito e poi si lamenta cancellandosi dalla newsletter.
ENG
This article is written for you that “fairly stupid” and you think you’re very perceptive and intelligent, a person who snubs the articles and did not need anything and before he enrolled at the site of my newsletter and then complains removing himself from the newsletter.
High Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adobe — digital_editions | Adobe Digital Editions before 4.5.1 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. | 2016-03-09 | 10.0 | CVE-2016-0954 |
| adobe — acrobat | Adobe Reader and Acrobat before 11.0.15, Acrobat and Acrobat Reader DC Classic before 15.006.30121, and Acrobat and Acrobat Reader DC Continuous before 15.010.20060 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-1009. | 2016-03-09 | 10.0 | CVE-2016-1007 |
| adobe — acrobat | Adobe Reader and Acrobat before 11.0.15, Acrobat and Acrobat Reader DC Classic before 15.006.30121, and Acrobat and Acrobat Reader DC Continuous before 15.010.20060 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-1007. | 2016-03-09 | 10.0 | CVE-2016-1009 |
| adobe — acrobat | Untrusted search path vulnerability in Adobe Reader and Acrobat before 11.0.15, Acrobat and Acrobat Reader DC Classic before 15.006.30121, and Acrobat and Acrobat Reader DC Continuous before 15.010.20060 on Windows and OS X allows local users to gain privileges via a Trojan horse DLL in an unspecified directory. | 2016-03-09 | 7.2 | CVE-2016-1008 |
| microsoft — .net_framework | Microsoft .NET Framework 2.0 SP2, 3.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 mishandles signature validation for unspecified elements of XML documents, which allows remote attackers to spoof signatures via a modified document, aka “.NET XML Validation Security Feature Bypass.” | 2016-03-09 | 10.0 | CVE-2016-0132 |
| microsoft — infopath | Microsoft InfoPath 2007 SP3, 2010 SP2, and 2013 SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka “Microsoft Office Memory Corruption Vulnerability.” | 2016-03-09 | 9.3 | CVE-2016-0021 |
| microsoft — windows | OLE in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted file, aka “Windows OLE Memory Remote Code Execution Vulnerability,” a different vulnerability than CVE-2016-0091. | 2016-03-09 | 9.3 | CVE-2016-0092 |
| microsoft — windows | Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 allow remote attackers to execute arbitrary code via crafted media content, aka “Windows Media Parsing Remote Code Execution Vulnerability.” | 2016-03-09 | 9.3 | CVE-2016-0098 |
| microsoft — windows | Microsoft Windows Server 2008 R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allow remote attackers to execute arbitrary code via crafted media content, aka “Windows Media Parsing Remote Code Execution Vulnerability.” | 2016-03-09 | 9.3 | CVE-2016-0101 |
| microsoft — windows | The PDF library in Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted PDF document, aka “Windows Remote Code Execution Vulnerability.” | 2016-03-09 | 9.3 | CVE-2016-0117 |
| microsoft — windows | The PDF library in Microsoft Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted PDF document, aka “Windows Remote Code Execution Vulnerability.” | 2016-03-09 | 9.3 | CVE-2016-0118 |
| microsoft — windows | The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted OpenType font, aka “OpenType Font Parsing Vulnerability.” | 2016-03-09 | 9.3 | CVE-2016-0121 |
| microsoft — office | Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 SP1, Word 2013 RT SP1, Word 2016, Word for Mac 2011, Word 2016 for Mac, Office Compatibility Pack SP3, Word Viewer, Word Automation Services on SharePoint Server 2010 SP2 and 2013 SP1, Office Web Apps 2010 SP2, and Web Apps Server 2013 SP1 allow remote attackers to execute arbitrary code via a crafted Office document, aka “Microsoft Office Memory Corruption Vulnerability.” | 2016-03-09 | 9.3 | CVE-2016-0134 |
| microsoft — internet_explorer | Microsoft Internet Explorer 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Microsoft Browser Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0103, CVE-2016-0106, CVE-2016-0108, CVE-2016-0109, and CVE-2016-0114. | 2016-03-09 | 7.6 | CVE-2016-0102 |
| microsoft — internet_explorer | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0102, CVE-2016-0106, CVE-2016-0108, CVE-2016-0109, and CVE-2016-0114. | 2016-03-09 | 7.6 | CVE-2016-0103 |
| microsoft — internet_explorer | Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability.” | 2016-03-09 | 7.6 | CVE-2016-0104 |
| microsoft — internet_explorer | Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Microsoft Browser Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0107, CVE-2016-0111, CVE-2016-0112, and CVE-2016-0113. | 2016-03-09 | 7.6 | CVE-2016-0105 |
| microsoft — internet_explorer | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0102, CVE-2016-0103, CVE-2016-0108, CVE-2016-0109, and CVE-2016-0114. | 2016-03-09 | 7.6 | CVE-2016-0106 |
| microsoft — internet_explorer | Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0105, CVE-2016-0111, CVE-2016-0112, and CVE-2016-0113. | 2016-03-09 | 7.6 | CVE-2016-0107 |
| microsoft — internet_explorer | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0102, CVE-2016-0103, CVE-2016-0106, CVE-2016-0109, and CVE-2016-0114. | 2016-03-09 | 7.6 | CVE-2016-0108 |
| microsoft — internet_explorer | Microsoft Internet Explorer 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Microsoft Browser Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0102, CVE-2016-0103, CVE-2016-0106, CVE-2016-0108, and CVE-2016-0114. | 2016-03-09 | 7.6 | CVE-2016-0109 |
| microsoft — internet_explorer | Microsoft Internet Explorer 10 through 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Microsoft Browser Memory Corruption Vulnerability.” | 2016-03-09 | 7.6 | CVE-2016-0110 |
| microsoft — internet_explorer | Microsoft Internet Explorer 9 through 11 and Microsoft Edge allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Microsoft Browser Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0105, CVE-2016-0107, CVE-2016-0112, and CVE-2016-0113. | 2016-03-09 | 7.6 | CVE-2016-0111 |
| microsoft — internet_explorer | Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0105, CVE-2016-0107, CVE-2016-0111, and CVE-2016-0113. | 2016-03-09 | 7.6 | CVE-2016-0112 |
| microsoft — internet_explorer | Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0105, CVE-2016-0107, CVE-2016-0111, and CVE-2016-0112. | 2016-03-09 | 7.6 | CVE-2016-0113 |
| microsoft — internet_explorer | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0102, CVE-2016-0103, CVE-2016-0106, CVE-2016-0108, and CVE-2016-0109. | 2016-03-09 | 7.6 | CVE-2016-0114 |
| microsoft — internet_explorer | Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Microsoft Edge Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0123, CVE-2016-0124, CVE-2016-0129, and CVE-2016-0130. | 2016-03-09 | 7.6 | CVE-2016-0116 |
| microsoft — edge | Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Microsoft Edge Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0116, CVE-2016-0124, CVE-2016-0129, and CVE-2016-0130. | 2016-03-09 | 7.6 | CVE-2016-0123 |
| microsoft — edge | Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Microsoft Edge Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0116, CVE-2016-0123, CVE-2016-0129, and CVE-2016-0130. | 2016-03-09 | 7.6 | CVE-2016-0124 |
| microsoft — edge | Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Microsoft Edge Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0116, CVE-2016-0123, CVE-2016-0124, and CVE-2016-0130. | 2016-03-09 | 7.6 | CVE-2016-0129 |
| microsoft — edge | Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka “Microsoft Edge Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-0116, CVE-2016-0123, CVE-2016-0124, and CVE-2016-0129. | 2016-03-09 | 7.6 | CVE-2016-0130 |
| microsoft — office | Microsoft Office 2007 SP3, 2010 SP2, 2013 SP1, and 2016 does not properly sign an unspecified binary file, which allows local users to gain privileges via a Trojan horse file with a crafted signature, aka “Microsoft Office Security Feature Bypass Vulnerability.” | 2016-03-09 | 7.2 | CVE-2016-0057 |
| microsoft — windows | The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka “Win32k Elevation of Privilege Vulnerability,” a different vulnerability than CVE-2016-0094, CVE-2016-0095, and CVE-2016-0096. | 2016-03-09 | 7.2 | CVE-2016-0093 |
| microsoft — windows | The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka “Win32k Elevation of Privilege Vulnerability,” a different vulnerability than CVE-2016-0093, CVE-2016-0095, and CVE-2016-0096. | 2016-03-09 | 7.2 | CVE-2016-0094 |
| microsoft — windows | The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka “Win32k Elevation of Privilege Vulnerability,” a different vulnerability than CVE-2016-0093, CVE-2016-0094, and CVE-2016-0096. | 2016-03-09 | 7.2 | CVE-2016-0095 |
| microsoft — windows | The kernel-mode driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows local users to gain privileges via a crafted application, aka “Win32k Elevation of Privilege Vulnerability,” a different vulnerability than CVE-2016-0093, CVE-2016-0094, and CVE-2016-0095. | 2016-03-09 | 7.2 | CVE-2016-0096 |
| microsoft — windows | The Secondary Logon Service in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 does not properly process request handles, which allows local users to gain privileges via a crafted application, aka “Secondary Logon Elevation of Privilege Vulnerability.” | 2016-03-09 | 7.2 | CVE-2016-0099 |
| microsoft — windows | The Adobe Type Manager Library in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows remote attackers to cause a denial of service (system hang) via a crafted OpenType font, aka “OpenType Font Parsing Vulnerability.” | 2016-03-09 | 7.1 | CVE-2016-0120 |
Medium Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| microsoft — windows | OLE in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows remote attackers to execute arbitrary code via a crafted file, aka “Windows OLE Memory Remote Code Execution Vulnerability,” a different vulnerability than CVE-2016-0092. | 2016-03-09 | 6.8 | CVE-2016-0091 |
Low Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| microsoft — edge | Microsoft Edge mishandles the Referer policy, which allows remote attackers to obtain sensitive browser-history and request information via a crafted HTTPS web site, aka “Microsoft Edge Information Disclosure Vulnerability.” | 2016-03-09 | 2.6 | CVE-2016-0125 |
Severity Not Yet Assigned
| Primary Vendor — Product |
Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| Adobe — Flash Player | Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, and CVE-2016-1005. | 2016-03-12 | N/A | CVE-2016-0960 |
| Adobe — Flash Player | Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-0960, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, and CVE-2016-1005. | 2016-03-12 | N/A | CVE-2016-0961 |
| Adobe — Flash Player | Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-0960, CVE-2016-0961, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, and CVE-2016-1005. | 2016-03-12 | N/A | CVE-2016-0962 |
| Adobe — Flash Player | Integer overflow in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0993 and CVE-2016-1010. | 2016-03-12 | N/A | CVE-2016-0963 |
| Adobe — Flash Player | Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0989, CVE-2016-0992, CVE-2016-1002, and CVE-2016-1005. | 2016-03-12 | N/A | CVE-2016-0986 |
| Adobe — Flash Player | Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. | 2016-03-12 | N/A | CVE-2016-0987 |
| Adobe — Flash Player | Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. | 2016-03-12 | N/A | CVE-2016-0988 |
| Adobe — Flash Player | Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0992, CVE-2016-1002, and CVE-2016-1005. | 2016-03-12 | N/A | CVE-2016-0989 |
| Adobe — Flash Player | Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. | 2016-03-12 | N/A | CVE-2016-0990 |
| Adobe — Flash Player | Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. | 2016-03-12 | N/A | CVE-2016-0991 |
| Adobe — Flash Player | Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-1002, and CVE-2016-1005. | 2016-03-12 | N/A | CVE-2016-0992 |
| Adobe — Flash Player | Integer overflow in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0963 and CVE-2016-1010. | 2016-03-12 | N/A | CVE-2016-0993 |
| Adobe — Flash Player | Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code by using the actionCallMethod opcode with crafted arguments, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. | 2016-03-12 | N/A | CVE-2016-0994 |
| Adobe — Flash Player | Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. | 2016-03-12 | N/A | CVE-2016-0995 |
| Adobe — Flash Player | Use-after-free vulnerability in the setInterval method in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via crafted arguments, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0997, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. | 2016-03-12 | N/A | CVE-2016-0996 |
| Adobe — Flash Player | Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0998, CVE-2016-0999, and CVE-2016-1000. | 2016-03-12 | N/A | CVE-2016-0997 |
| Adobe — Flash Player | Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0999, and CVE-2016-1000. | 2016-03-12 | N/A | CVE-2016-0998 |
| Adobe — Flash Player | Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, and CVE-2016-1000. | 2016-03-12 | N/A | CVE-2016-0999 |
| Adobe — Flash Player | Use-after-free vulnerability in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0987, CVE-2016-0988, CVE-2016-0990, CVE-2016-0991, CVE-2016-0994, CVE-2016-0995, CVE-2016-0996, CVE-2016-0997, CVE-2016-0998, and CVE-2016-0999. | 2016-03-12 | N/A | CVE-2016-1000 |
| Adobe — Flash Player | Heap-based buffer overflow in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors. | 2016-03-12 | N/A | CVE-2016-1001 |
| Adobe — Flash Player | Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, and CVE-2016-1005. | 2016-03-12 | N/A | CVE-2016-1002 |
| Adobe — Flash Player | Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allow attackers to execute arbitrary code or cause a denial of service (uninitialized pointer dereference and memory corruption) via crafted MPEG-4 data, a different vulnerability than CVE-2016-0960, CVE-2016-0961, CVE-2016-0962, CVE-2016-0986, CVE-2016-0989, CVE-2016-0992, and CVE-2016-1002. | 2016-03-12 | N/A | CVE-2016-1005 |
| Adobe — Flash Player | Integer overflow in Adobe Flash Player before 18.0.0.333 and 19.x through 21.x before 21.0.0.182 on Windows and OS X and before 11.2.202.577 on Linux, Adobe AIR before 21.0.0.176, Adobe AIR SDK before 21.0.0.176, and Adobe AIR SDK & Compiler before 21.0.0.176 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2016-0963 and CVE-2016-0993. | 2016-03-12 | N/A | CVE-2016-1010 |
| Android — mediaserver | The MPEG4Source::fragmentedRead function in MPEG4Extractor.cpp in libstagefright in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.x before 2016-03-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, aka internal bug 26365349. | 2016-03-12 | N/A | CVE-2016-0815 |
| Android — mediaserver | mediaserver in Android 6.x before 2016-03-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, related to decoder/ih264d_parse_islice.c and decoder/ih264d_parse_pslice.c, aka internal bug 25928803. | 2016-03-12 | N/A | CVE-2016-0816 |
| Android — Conscrypt | The caching functionality in the TrustManagerImpl class in TrustManagerImpl.java in Conscrypt in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.x before 2016-03-01 mishandles the distinction between an intermediate CA and a trusted root CA, which allows man-in-the-middle attackers to spoof servers by leveraging access to an intermediate CA to issue a certificate, aka internal bug 26232830. | 2016-03-12 | N/A | CVE-2016-0818 |
| Android — Qualcomm performance | The Qualcomm performance component in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.x before 2016-03-01 allows attackers to gain privileges via a crafted application, aka internal bug 25364034. | 2016-03-12 | N/A | CVE-2016-0819 |
| Android — MediaTek | The MediaTek Wi-Fi kernel driver in Android 6.0.1 before 2016-03-01 allows attackers to gain privileges via a crafted application, aka internal bug 26267358. | 2016-03-12 | N/A | CVE-2016-0820 |
| Android — Linux kernel | The LIST_POISON feature in include/linux/poison.h in the Linux kernel before 4.3, as used in Android 6.0.1 before 2016-03-01, does not properly consider the relationship to the mmap_min_addr value, which makes it easier for attackers to bypass a poison-pointer protection mechanism by triggering the use of an uninitialized list entry, aka Android internal bug 26186802, a different vulnerability than CVE-2015-3636. | 2016-03-12 | N/A | CVE-2016-0821 |
| Android — MediaTek | The MediaTek connectivity kernel driver in Android 6.0.1 before 2016-03-01 allows attackers to gain privileges via a crafted application that leverages conn_launcher access, aka internal bug 25873324. | 2016-03-12 | N/A | CVE-2016-0822 |
| Android — Linux kernel | The pagemap_open function in fs/proc/task_mmu.c in the Linux kernel before 3.19.3, as used in Android 6.0.1 before 2016-03-01, allows local users to obtain sensitive physical-address information by reading a pagemap file, aka Android internal bug 25739721. | 2016-03-12 | N/A | CVE-2016-0823 |
| Android — Widevine | The Widevine Trusted Application in Android 6.0.1 before 2016-03-01 allows attackers to obtain sensitive TrustZone secure-storage information by leveraging kernel access, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 20860039. | 2016-03-12 | N/A | CVE-2016-0825 |
| Android — mediaserver | libcameraservice in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.x before 2016-03-01 does not require use of the ICameraService::dump method for a camera service dump, which allows attackers to gain privileges via a crafted application that directly dumps, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 26265403. | 2016-03-12 | N/A | CVE-2016-0826 |
| Android — mediaserver | Multiple integer overflows in libeffects in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.x before 2016-03-01 allow attackers to gain privileges via a crafted application, as demonstrated by obtaining Signature or SignatureOrSystem access, related to EffectBundle.cpp and EffectReverb.cpp, aka internal bug 26347509. | 2016-03-12 | N/A | CVE-2016-0827 |
| Android — mediaserver | The BnGraphicBufferConsumer:: |
2016-03-12 | N/A | CVE-2016-0828 |
| Android — mediaserver | The BnGraphicBufferProducer:: |
2016-03-12 | N/A | CVE-2016-0829 |
| Android — DTE Energy Insight application | The REST API in the DTE Energy Insight application before 1.7.8 for Android allows remote authenticated users to obtain unspecified customer information via a SQL expression in the filter parameter. | 2016-03-11 | N/A | CVE-2016-1562 |
| Android — mediaserver | libvpx in mediaserver in Android 4.x before 4.4.4, 5.x before 5.1.1 LMY49H, and 6.0 before 2016-03-01 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted media file, related to libwebm/mkvparser.cpp and other files, aka internal bug 23452792. | 2016-03-12 | N/A | CVE-2016-1621 |
| Android — libstagefright | libmpeg2 in libstagefright in Android 6.x before 2016-03-01 allows attackers to obtain sensitive information, and consequently bypass an unspecified protection mechanism, via crafted Bitstream data, as demonstrated by obtaining Signature or SignatureOrSystem access, aka internal bug 25765591. | 2016-03-12 | N/A | CVE-2016-0824 |
| Android — Bluetooth | btif_config.c in Bluetooth in Android 6.x before 2016-03-01 allows remote attackers to cause a denial of service (memory corruption and persistent daemon crash) by triggering a large number of configuration entries, and consequently exceeding the maximum size of a configuration file, aka internal bug 26071376. | 2016-03-12 | N/A | CVE-2016-0830 |
| Android — Telephony | The getDeviceIdForPhone function in internal/telephony/ |
2016-03-12 | N/A | CVE-2016-0831 |
| Android — Setup Wizard | Setup Wizard in Android 5.1.x before LMY49H and 6.x before 2016-03-01 allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism and delete data via unspecified vectors, aka internal bug 25955042. | 2016-03-12 | N/A | CVE-2016-0832 |
| Apple — Apple Software Update | Apple Software Update before 2.2 on Windows does not use HTTPS, which makes it easier for man-in-the-middle attackers to spoof updates by modifying the client-server data stream. | 2016-03-13 | N/A | CVE-2016-1731 |
| Cisco — HTTPS inspection engine | The HTTPS inspection engine in the Content Security and Control Security Services Module (CSC-SSM) 6.6 before 6.6.1164.0 for Cisco ASA 5500 devices allows remote attackers to cause a denial of service (memory consumption or device reload) via a flood of HTTPS packets, aka Bug ID CSCue76147. | 2016-03-09 | N/A | CVE-2016-1312 |
| Cisco — administration interface | The administration interface on Cisco DPC3939B and DPC3941 devices allows remote attackers to obtain sensitive information via a crafted HTTP request, aka Bug ID CSCus49506. | 2016-03-09 | N/A | CVE-2016-1325 |
| Cisco — administration interface | The administration interface on Cisco DPQ3925 devices with firmware r1 allows remote attackers to cause a denial of service (device restart) via a crafted HTTP request, aka Bug ID CSCup48105. | 2016-03-09 | N/A | CVE-2016-1326 |
| Cisco — web server | Buffer overflow in the web server on Cisco DPC2203 and EPC2203 devices with firmware r1_customer_image allows remote attackers to execute arbitrary code via a crafted HTTP request, aka Bug ID CSCuv05935. | 2016-03-09 | N/A | CVE-2016-1327 |
| Cisco — TelePresence Video Communication Server | Cisco TelePresence Video Communication Server (VCS) X8.5.1 and X8.5.2 allows remote authenticated users to cause a denial of service (VoIP outage) via a crafted SIP message, aka Bug ID CSCuu43026. | 2016-03-11 | N/A | CVE-2016-1338 |
| Cisco — Prime LAN Management Solution | Cisco Prime LAN Management Solution (LMS) through 4.2.5 uses the same database decryption key across different customers’ installations, which allows local users to obtain cleartext data by leveraging console connectivity, aka Bug ID CSCuw85390. | 2016-03-11 | N/A | CVE-2016-1360 |
| Cisco — IOS XR | Cisco IOS XR through 4.3.2 on Gigabit Switch Router (GSR) 12000 devices does not properly check for a Bidirectional Forwarding Detection (BFD) header in a UDP packet, which allows remote attackers to cause a denial of service (line-card restart) via a crafted packet, aka Bug ID CSCuw56900. | 2016-03-11 | N/A | CVE-2016-1361 |
| Debian — jessie | pt_chown in the glibc package before 2.19-18+deb8u4 on Debian jessie lacks a namespace check associated with file-descriptor passing, which allows local users to capture keystrokes and spoof data, and possibly gain privileges, via pts read and write operations, related to debian/sysdeps/linux.mk. NOTE: this is not considered a vulnerability in the upstream GNU C Library because the upstream documentation has a clear security recommendation against the –enable-pt_chown option. | 2016-03-13 | N/A | CVE-2016-2856 |
| EMC — Documentum xCP | EMC Documentum xCP 2.1 before patch 24 and 2.2 before patch 12 allows remote authenticated users to obtain sensitive user-account metadata via a members/xcp_member API call. | 2016-03-09 | N/A | CVE-2016-0886 |
| Google — Chrome | The ImageInputType:: |
2016-03-13 | N/A | CVE-2016-1643 |
| Google — Chrome | WebKit/Source/core/layout/ |
2016-03-13 | N/A | CVE-2016-1644 |
| Google — Chrome | Multiple integer signedness errors in the opj_j2k_update_image_data function in j2k.c in OpenJPEG, as used in PDFium in Google Chrome before 49.0.2623.87, allow remote attackers to cause a denial of service (incorrect cast and out-of-bounds write) or possibly have unspecified other impact via crafted JPEG 2000 data. | 2016-03-13 | N/A | CVE-2016-1645 |
| IBM — Tivoli Monitoring | The portal client in IBM Tivoli Monitoring (ITM) 6.2.2 through FP9, 6.2.3 through FP5, and 6.3.0 through FP6 allows remote authenticated users to gain privileges via unspecified vectors. | 2016-03-11 | N/A | CVE-2015-7411 |
| IBM — Flash System V9000 | Cross-site request forgery (CSRF) vulnerability in IBM Flash System V9000 7.4 before 7.4.1.4, 7.5 before 7.5.1.3, and 7.6 before 7.6.0.4 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. | 2016-03-12 | N/A | CVE-2015-7446 |
| IBM — Maximo Asset Management | IBM Maximo Asset Management 7.6 before 7.6.0.3 IFIX001 allows remote authenticated users to bypass intended access restrictions and read arbitrary purchase-order work logs via unspecified vectors. | 2016-03-13 | N/A | CVE-2016-0222 |
| IBM — Maximo Asset Management | Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 7.1.1 through 7.1.1.3, 7.5.0 before 7.5.0.9 IFIX004, and 7.6.0 before 7.6.0.3 IFIX001 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2016-03-13 | N/A | CVE-2016-0262 |
| IBM — Maximo Asset Management | SQL injection vulnerability in IBM Maximo Asset Management 7.1 through 7.1.1.13, 7.5.0 before 7.5.0.9 IFIX003, and 7.6.0 before 7.6.0.3 IFIX001; Maximo Asset Management 7.5.0 before 7.5.0.9 IFIX003, 7.5.1, and 7.6.0 before 7.6.0.3 IFIX001 for SmartCloud Control Desk; and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | 2016-03-12 | N/A | CVE-2015-7448 |
| IBM — WebSphere Commerce | IBM WebSphere Commerce 6.x through 6.0.0.11, 7.x through 7.0.0.9, and 8.x before 8.0.0.3 allows remote attackers to cause a denial of service (order-processing outage) via unspecified vectors. | 2016-03-13 | N/A | CVE-2016-0208 |
| ISC — BIND | named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed packet to the rndc (aka control channel) interface, related to alist.c and sexpr.c. | 2016-03-09 | N/A | CVE-2016-1285 |
| ISC — BIND | named in ISC BIND 9.x before 9.9.8-P4 and 9.10.x before 9.10.3-P4 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted signature record for a DNAME record, related to db.c and resolver.c. | 2016-03-09 | N/A | CVE-2016-1286 |
| ISC — BIND | resolver.c in named in ISC BIND 9.10.x before 9.10.3-P4, when DNS cookies are enabled, allows remote attackers to cause a denial of service (INSIST assertion failure and daemon exit) via a malformed packet with more than one cookie option. | 2016-03-09 | N/A | CVE-2016-2088 |
| ISC — DHCP | ISC DHCP 4.1.x before 4.1-ESV-R13 and 4.2.x and 4.3.x before 4.3.4 does not restrict the number of concurrent TCP sessions, which allows remote attackers to cause a denial of service (INSIST assertion failure or request-processing outage) by establishing many sessions. | 2016-03-09 | N/A | CVE-2016-2774 |
| microsoft — internet_explorer | The CAttrArray object implementation in Microsoft Internet Explorer 7 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and memory corruption) via a malformed Cascading Style Sheets (CSS) token sequence in conjunction with modifications to HTML elements, aka “Internet Explorer Memory Corruption Vulnerability,” a different vulnerability than CVE-2015-6048 and CVE-2015-6049. | 2016-03-09 | N/A | CVE-2015-6184 |
| microsoft — windows | Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 do not properly validate handles, which allows local users to gain privileges via a crafted application, aka “Windows Elevation of Privilege Vulnerability.” | 2016-03-09 | N/A | CVE-2016-0087 |
| microsoft — windows | Microsoft Windows Vista SP2 and Server 2008 SP2 mishandle library loading, which allows local users to gain privileges via a crafted application, aka “Library Loading Input Validation Remote Code Execution Vulnerability.” | 2016-03-09 | N/A | CVE-2016-0100 |
| microsoft — windows | The USB Mass Storage Class driver in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allows physically proximate attackers to execute arbitrary code by inserting a crafted USB device, aka “USB Mass Storage Elevation of Privilege Vulnerability.” | 2016-03-09 | N/A | CVE-2016-0133 |
| Mozilla — Firefox | Heap-based buffer overflow in Mozilla Network Security Services (NSS) before 3.19.2.3 and 3.20.x and 3.21.x before 3.21.1, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to execute arbitrary code via crafted ASN.1 data in an X.509 certificate. | 2016-03-13 | N/A | CVE-2016-1950 |
| Mozilla — Firefox | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 2016-03-13 | N/A | CVE-2016-1952 |
| Mozilla — Firefox | Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 45.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via vectors related to js/src/jit/arm/Assembler-arm. |
2016-03-13 | N/A | CVE-2016-1953 |
| Mozilla — Firefox | The nsCSPContext::SendReports function in dom/security/nsCSPContext.cpp in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 does not prevent use of a non-HTTP report-uri for a Content Security Policy (CSP) violation report, which allows remote attackers to cause a denial of service (data overwrite) or possibly gain privileges by specifying a URL of a local file. | 2016-03-13 | N/A | CVE-2016-1954 |
| Mozilla — Firefox | Mozilla Firefox before 45.0 allows remote attackers to bypass the Same Origin Policy and obtain sensitive information by reading a Content Security Policy (CSP) violation report that contains path information associated with an IFRAME element. | 2016-03-13 | N/A | CVE-2016-1955 |
| Mozilla — Firefox | Mozilla Firefox before 45.0 on Linux, when an Intel video driver is used, allows remote attackers to cause a denial of service (memory consumption or stack memory corruption) by triggering use of a WebGL shader. | 2016-03-13 | N/A | CVE-2016-1956 |
| Mozilla — Firefox | Memory leak in libstagefright in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to cause a denial of service (memory consumption) via an MPEG-4 file that triggers a delete operation on an array. | 2016-03-13 | N/A | CVE-2016-1957 |
| Mozilla — Firefox | browser/base/content/browser. |
2016-03-13 | N/A | CVE-2016-1958 |
| Mozilla — Firefox | The ServiceWorkerManager class in Mozilla Firefox before 45.0 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds read and memory corruption) via unspecified use of the Clients API. | 2016-03-13 | N/A | CVE-2016-1959 |
| Mozilla — Firefox | Integer underflow in the nsHtml5TreeBuilder class in the HTML5 string parser in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free) by leveraging mishandling of end tags, as demonstrated by incorrect SVG processing, aka ZDI-CAN-3545. | 2016-03-13 | N/A | CVE-2016-1960 |
| Mozilla — Firefox | Use-after-free vulnerability in the nsHTMLDocument::SetBody function in dom/html/nsHTMLDocument.cpp in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary code by leveraging mishandling of a root element, aka ZDI-CAN-3574. | 2016-03-13 | N/A | CVE-2016-1961 |
| Mozilla — Firefox | Use-after-free vulnerability in the mozilla:: |
2016-03-13 | N/A | CVE-2016-1962 |
| Mozilla — Firefox | The FileReader class in Mozilla Firefox before 45.0 allows local users to gain privileges or cause a denial of service (memory corruption) by changing a file during a FileReader API read operation. | 2016-03-13 | N/A | CVE-2016-1963 |
| Mozilla — Firefox | Use-after-free vulnerability in the AtomicBaseIncDec function in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging mishandling of XML transformations. | 2016-03-13 | N/A | CVE-2016-1964 |
| Mozilla — Firefox | Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7 mishandle a navigation sequence that returns to the original page, which allows remote attackers to spoof the address bar via vectors involving the history.back method and the location.protocol property. | 2016-03-13 | N/A | CVE-2016-1965 |
| Mozilla — Firefox | The nsNPObjWrapper::GetNewOrUsed function in dom/plugins/base/ |
2016-03-13 | N/A | CVE-2016-1966 |
| Mozilla — Firefox | Mozilla Firefox before 45.0 does not properly restrict the availability of IFRAME Resource Timing API times, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via crafted JavaScript code that leverages history.back and performance.getEntries calls after restoring a browser session. NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-7207. | 2016-03-13 | N/A | CVE-2016-1967 |
| Mozilla — Firefox | Integer underflow in Brotli, as used in Mozilla Firefox before 45.0, allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via crafted data with brotli compression. | 2016-03-13 | N/A | CVE-2016-1968 |
| Mozilla — Firefox | The setAttr function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.6.1, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via a crafted Graphite smart font. | 2016-03-13 | N/A | CVE-2016-1969 |
| Mozilla — Firefox | Integer underflow in the srtp_unprotect function in the WebRTC implementation in Mozilla Firefox before 45.0 on Windows might allow remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via unknown vectors. | 2016-03-13 | N/A | CVE-2016-1970 |
| Mozilla — Firefox | The I420VideoFrame::CreateFrame function in the WebRTC implementation in Mozilla Firefox before 45.0 on Windows omits an unspecified status check, which might allow remote attackers to cause a denial of service (memory corruption) or possibly have other impact via unknown vectors. | 2016-03-13 | N/A | CVE-2016-1971 |
| Mozilla — Firefox | Race condition in libvpx in Mozilla Firefox before 45.0 on Windows might allow remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via unknown vectors. | 2016-03-13 | N/A | CVE-2016-1972 |
| Mozilla — Firefox | Race condition in the GetStaticInstance function in the WebRTC implementation in Mozilla Firefox before 45.0 might allow remote attackers to execute arbitrary code or cause a denial of service (use-after-free) via unspecified vectors. | 2016-03-13 | N/A | CVE-2016-1973 |
| Mozilla — Firefox | The nsScannerString:: |
2016-03-13 | N/A | CVE-2016-1974 |
| Mozilla — Firefox | Multiple race conditions in dom/media/systemservices/ |
2016-03-13 | N/A | CVE-2016-1975 |
| Mozilla — Firefox | Use-after-free vulnerability in the DesktopDisplayDevice class in the WebRTC implementation in Mozilla Firefox before 45.0 on Windows might allow remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. | 2016-03-13 | N/A | CVE-2016-1976 |
| Mozilla — Firefox | The Machine::Code::decoder:: |
2016-03-13 | N/A | CVE-2016-1977 |
| Mozilla — Firefox | Use-after-free vulnerability in the ssl3_ |
2016-03-13 | N/A | CVE-2016-1978 |
| Mozilla — Firefox | Use-after-free vulnerability in the PK11_ |
2016-03-13 | N/A | CVE-2016-1979 |
| Mozilla — Firefox | The graphite2::TtfUtil:: |
2016-03-13 | N/A | CVE-2016-2790 |
| Mozilla — Firefox | The graphite2::GlyphCache::glyph function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font. | 2016-03-13 | N/A | CVE-2016-2791 |
| Mozilla — Firefox | The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font, a different vulnerability than CVE-2016-2800. | 2016-03-13 | N/A | CVE-2016-2792 |
| Mozilla — Firefox | CachedCmap.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font. | 2016-03-13 | N/A | CVE-2016-2793 |
| Mozilla — Firefox | The graphite2::TtfUtil:: |
2016-03-13 | N/A | CVE-2016-2794 |
| Mozilla — Firefox | The graphite2::FileFace::get_ |
2016-03-13 | N/A | CVE-2016-2795 |
| Mozilla — Firefox | Heap-based buffer overflow in the graphite2::vm::Machine::Code:: |
2016-03-13 | N/A | CVE-2016-2796 |
| Mozilla — Firefox | The graphite2::TtfUtil:: |
2016-03-13 | N/A | CVE-2016-2797 |
| Mozilla — Firefox | The graphite2::GlyphCache::Loader: |
2016-03-13 | N/A | CVE-2016-2798 |
| Mozilla — Firefox | Heap-based buffer overflow in the graphite2::Slot::setAttr function in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted Graphite smart font. | 2016-03-13 | N/A | CVE-2016-2799 |
| Mozilla — Firefox | The graphite2::Slot::getAttr function in Slot.cpp in Graphite 2 before 1.3.6, as used in Mozilla Firefox before 45.0 and Firefox ESR 38.x before 38.7, allows remote attackers to cause a denial of service (buffer over-read) or possibly have unspecified other impact via a crafted Graphite smart font, a different vulnerability than CVE-2016-2792. | 2016-03-13 | N/A | CVE-2016-2800 |
| Mozilla — Firefox | The graphite2::TtfUtil:: |
2016-03-13 | N/A | CVE-2016-2801 |
| Mozilla — Firefox | The graphite2::TtfUtil:: |
2016-03-13 | N/A | CVE-2016-2802 |
| Samba — smbd | The SMB1 implementation in smbd in Samba 3.x and 4.x before 4.1.23, 4.2.x before 4.2.9, 4.3.x before 4.3.6, and 4.4.x before 4.4.0rc4 allows remote authenticated users to modify arbitrary ACLs by using a UNIX SMB1 call to create a symlink, and then using a non-UNIX SMB1 call to write to the ACL content. | 2016-03-13 | N/A | CVE-2015-7560 |
| Samba — internal DNS server | The internal DNS server in Samba 4.x before 4.1.23, 4.2.x before 4.2.9, 4.3.x before 4.3.6, and 4.4.x before 4.4.0rc4, when an AD DC is configured, allows remote authenticated users to cause a denial of service (out-of-bounds read) or possibly obtain sensitive information from process memory by uploading a crafted DNS TXT record. | 2016-03-13 | N/A | CVE-2016-0771 |
| Schneider — Electric Telvent Sage | Schneider Electric Telvent Sage 2300 RTUs with firmware before C3413-500-S01, and LANDAC II-2, Sage 1410, Sage 1430, Sage 1450, Sage 2400, and Sage 3030M RTUs with firmware before C3414-500-S02J2, allow remote attackers to obtain sensitive information from device memory by reading a padding field of an Ethernet packet. | 2016-03-11 | N/A | CVE-2015-6485 |
Categories : English Articles,ICT and Computer Security
G.U.P. Tribunale di Brescia, Sentenza 3 marzo 2011 (dep. 30 marzo 2011), n. 293
Si tratta di :sentenze
Reato di accesso abusivo a sistema informatico (art. 615 ter c.p.) – Soggetto legittimato all’accesso al sistema che abbia posto in essere la condotta per finalità diverse da quelle per cui è autorizzato – Configurabilità del reato solo nel caso finalità illecite
REPUBBLICA ITALIANA
IN NOME DEL POPOLO ITALIANA
IL GIUDICE PER L’UDIENZA PRELIMINARE
DEL TRIBUNALE ORDINARIO DI BRESCIA
Dr. Lorenzo Benini
Ha pronunciato la seguente
SENTENZA
ex art. 425 cpp
Sentenza N. 293/11
In data 03/03/2011
Sentenza depositata il:
30/03/2011
Nella causa penale contro:
1. C. S., nato a G. il ***, con domicilio eletto in P.A. Attualmente sottoposto p.q.c. all’obbligo di presentazione c/o la Guardia di Finanza di P.A.
Difeso di fiducia dagli Avvocati Liborio Paolo PASTORELLO del Foro di Caltanissetta e Gianfranco ABATE del Foro di Brescia
LIBERO CON OBBL – ASSENTE
2. F. L. nato a R. il ***, con domicilio eletto in Brescia, via Solferino n. 51, c/o lo studio del difensore di fiducia.
Difeso di fiducia dall’Avvocato Luigi FRATTINI del Foro di Brescia
LIBERO – ASSENTE
IMPUTATI
C. S. e M. F.(per il quale si è proceduto separatamente)
29. reati d cui agli artt. 640 – 2° comma, 1, 482 e 61, 2 l C.P. perché, in concorso tra loro, esibivano agli ispettori della Direzione Provinciale del Lavoro di Brescia e dell’I.N.P.S. di Brescia atti falsi, rappresentati da modelli F24 apparentemente attestanti il versamento di tributi, effettuati per conto della società A… S.r.l. e A…P… S.c.a.r.l., laddove in realtà tali modelli, così come trasmessi telematicamente all’Agenzia delle Entrate, risultavano illecitamente compensati con inesistenti crediti tributari. I modelli F24 così esibiti rappresentavano documento strumentale ad indurre in errore il personale deputato all’accertamento e garantire a sé ed agli altri associati i proventi dei reati ex art. 10 quater del Decreto Lgs. Nr. 74/2000;
In Brescia il 15 giugno 2009.
C. S.
30. reati di cui agli artt. 640 – 2° comma, 1, 482 e 61, 2 l C.P. perché in data 18.02.2010 esibiva ai militari della Guardia di Finanza, nel corso delle operazioni di perquisizione nell’ambito del procedimento penale nr. *****/** della Procura della Repubblica di Brescia presso il suo studio di Gela, atti falsi, rappresentati da modelli F24 apparentemente attestanti il versamento di tributi, effettuati per conto della società A… S.r.l. e A…P… S.c.a.r.l., laddove in realtà tali modelli, così come trasmessi telematicamente all’Agenzia delle Entrate, risultavano illecitamente compensati con inesistenti crediti tributari. I modelli F24 così esibiti rappresentavano documento strumentale ad indurre in errore il personale deputato all’accertamento e garantire a sé ed agli altri associati i proventi dei reati ex art. 10 quater del Decreto Lgs. Nr. 74/2000;
In Gela (CL) il 18 febbraio 2010
F. L.
31. reato di cui all’art. 615 ter I e II n. 1) e III c. C.P. perché, nella sua qualità di appartenente alla Sezione PG – PS della Procura della Repubblica di Brescia, abilitato all’accesso al sistema informatico denominato RE.GE., s’introduceva in detto sistema, effettuando interrogazioni sui nominativi di M. C. e C. G., senzo che la ricerca fosse giustificata da alcuna motivazione d’ufficio, ma per scopi meramente personali, e così accedeva ai dati informatici di registrazione del procedimento n. *****/** Mod. U, che vedeva indagati proprio i predetti;
fatto pluriaggravato perché commesso da pubblico ufficiale con abuso dei poteri e comunque con violazione dei doveri inerenti alla funzione nonché con abuso della qualità di operatore del sistema, nonché, infine, perché trattasi di sistema informatico relativo alla sicurezza pubblica e comunque di interesse pubblico;
In Brescia il 9 luglio 2010
CONCLUSIONI
Il P.M. chiede emettersi sentenza di NLP per C. S. in relazione ai capi 29) e 30); chiede il rinvio a giudizio per F. L.
La difesa di C. S. si associa.
La difesa di F. L. chiede sentenza di NLP.
MOTIVI DI FATTO E DI DIRITTO
1. A seguito della richiesta di rinvio a giudizio depositata dal Pubblico ministero si giungeva all’odierna udienza preliminare, ove il Pubblico ministero e i difensori degli imputati concludevano come in epigrafe trascritto.
2. Ritiene il Giudice che gli atti di indagine contenuti nel fascicolo del Pubblico ministero impongano di pronunciare sentenza di non luogo a procedere nei confronti di F.L. con riguardo all’unica imputazione formulata, perché il fatto non è previsto dalla legge come reato.
La contestazione ha riguardo al delitto di cui all’art. 615-ter c.p. per essersi l’imputato introdotto, nella sua qualità di appartenente alla Sezione di polizia giudiziaria della Procura della Repubblica di Brescia e quindi all’uopo abilitato, nel sistema informatico denominato RE.GE, effettuando interrogazioni sui nominativi M*** C*** e C*** G***, senza che la ricerca fosse giustificata da alcuna motivazione d’ufficio, ma per scopi meramente personali, così accedendo ai dati di registrazione del procedimento R.G.N.R. *****/**, che vedeva indagati proprio i predetti.
Le risultanze della consulenza disposta dal Pubblico ministero (fd 9, fg 674) impongono di ritenere provata la contestazione, peraltro ammessa dallo stesso imputato negli interrogatori del 28/7/2010 e del 27/9/2010. F.L. ha voluto però precisare che l’interrogazione sui nominativi di cui sopra era il frutto di una semplice curiosità, trattandosi di colleghi a suo dire ‘chiacchierati’.
Il Pubblico ministero ha, in sede di requisitoria, dichiarato di non dubitare che tale fosse effettivamente la finalità dell’atto, non risultando che di quanto appreso con la consultazione sia stato fatto alcun uso. Si è però richiamato alla prevalente giurisprudenza della Corte di Cassazione, per la quale commette il reato previsto dall’art. 615-ter c.p. non solo chi non abbia titolo per accedere al sistema, ma anche chi, pur avendo titolo, lo utilizzi per finalità diverse da quelle consentite; tanto che anche la semplice curiosità sulla situazione di un collega integrerebbe un accesso abusivo e quindi penalmente rilevante.
Ritiene il Giudice di non poter consentire con tale soluzione interpretativa.
Il principio di diritto, per essere correttamente inteso, va considerato alla luce dei casi concreti con riguardo ai quali si è formato; ed in nessuno di essi l’accesso al sistema informatico per finalità diverse da quelle consentite si era esaurito in quanto tale, essendosi il soggetto attivo introdotto su altrui istigazione criminosa nel contesto di un accordo di corruzione propria (Cass. Sez. 5, Sentenza n. 19463 del 16/02/2010 – Rv. 247144); o per utilizzare le informazioni acquisite in agenzie di investigazione privata nelle quali prestava la propria attività (Cass. Sez. 5, Sentenza n. 18006 del 13/02/2009 – Rv. 243602); o allo scopo di estrarre copia dei dati ed utilizzarli per attività di concorrenza sleale (Cass. Sez. 5, Sentenza n. 2987 del 10/12/2009 – Rv. 245842; Cass. Sez. 5, Sentenza n. 37322 del 08/07/2008 Ud. (dep. 01/10/2008) Rv. 241201).
Pare evidente, quindi, come il concetto di ‘finalità diverse da quelle consentite’ vada necessariamente circoscritto alle finalità illecite: ad accessi che costituiscano quanto meno comportamenti sanzionabili sotto il profilo disciplinare, in quanto contrastanti con una specifica previsione di legge o di regolamento.
Nulla di questo può dirsi realizzato con riguardo a quanto posto in essere da F.L.; va quindi pronunciata sentenza di non luogo a procedere, non essendo il fatto previsto dalla legge come reato.
3. Ritiene il Giudice che gli atti di indagine contenuti nel fascicolo del Pubblico ministero impongano di pronunciare sentenza di non luogo a procedere nei confronti di C.S. in relazione ai reati di cui ai capi 29 e 30, perché il fatto non sussiste.
Come correttamente argomentato dal Giudice per le indagini preliminari nell’ordinanza 20/9/2010, nessun atto di disposizione patrimoniale, con conseguimento di ulteriori erogazioni ad opera dello Stato, si è verificato in conseguenza dell’esibizione dei modelli F24 al personale dell’I.N.P.S. e della Guardia di Finanza da parte dell’imputato.
Né può ritenersi la falsità di detti modelli, poiché, come emerge dalla stessa ordinanza, essi si limitavano a non indicare, nella sezione erario, gli importi a credito con il codice tributo 6751, cosa che avrebbe determinato un saldo della delega pari a zero; operazione ben diversa dalla contestata falsificazione.
P.Q.M.
Il Giudice
visto l’art. 425 c.p.p.
Dichiara il non luogo a procedere nei confronti di F.L. perché il fatto non è previsto dalla legge come reato.
Nei confronti di C.S. in relazione ai capi 29 e 30 dell’imputazione perché il fatto non sussiste.
Motivazione riservata in giorni trenta.
Brescia, 3/3/2011
IL GIUDICE
(Dott. L. Benini)
Categories : sentenze
