CVE-2016-0155
published 2016-04-12CVE-2016-0155: Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Edge…
PriorityP345high7.5CVSS 3.0
AVNACHPRNUIRSUCHIHAH
EPSS
10.32%
95.1th percentile
Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Edge Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0156 and CVE-2016-0157.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| activerecord_project | activerecord | >= 4.2.0 < 4.2.7.1 | 4.2.7.1 |
| msrc | microsoft_edge_on_windows_10_version_1511_for_32-bit_systems | — | — |
| msrc | microsoft_edge_on_windows_10_version_1511_for_x64-based_systems | — | — |
CVSS provenance
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv2.07.6HIGHAV:N/AC:H/Au:N/C:C/I:C/A:C
ghsa6.4MEDIUM
vendor_msrc7.5CRITICAL
vendor_redhat6.4MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-x6m5-2286-wx7h: Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microso
ghsa_unreviewed·2022-05-14·CVSS 7.5
CVE-2016-0157 [HIGH] CWE-119 GHSA-x6m5-2286-wx7h: Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microso
Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Edge Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0155 and CVE-2016-0156.
GHSA
GHSA-5rxw-3g54-w95p: Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microso
ghsa_unreviewed·2022-05-14·CVSS 7.5
CVE-2016-0156 [HIGH] CWE-119 GHSA-5rxw-3g54-w95p: Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microso
Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Edge Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0155 and CVE-2016-0157.
GHSA
GHSA-vq45-h9rf-2687: Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microso
ghsa_unreviewed·2022-05-14·CVSS 7.5
CVE-2016-0155 [HIGH] CWE-119 GHSA-vq45-h9rf-2687: Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microso
Microsoft Edge allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Microsoft Edge Memory Corruption Vulnerability," a different vulnerability than CVE-2016-0156 and CVE-2016-0157.
GHSA
ActiveRecord in Ruby on Rails allows database-query bypass
ghsa·2017-10-24·CVSS 6.4
CVE-2016-6317 [MEDIUM] CWE-284 ActiveRecord in Ruby on Rails allows database-query bypass
ActiveRecord in Ruby on Rails allows database-query bypass
Active Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
Red Hat
rubygem-activerecord: unsafe query generation in Active Record
vendor_redhat·2016-08-11·CVSS 6.4
CVE-2016-6317 [MEDIUM] CWE-20 rubygem-activerecord: unsafe query generation in Active Record
rubygem-activerecord: unsafe query generation in Active Record
Action Record in Ruby on Rails 4.2.x before 4.2.7.1 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660, CVE-2012-2694, and CVE-2013-0155.
A flaw was found in the way Active Record handled certain special values in dynamic finders and relations. If a Ruby on Rails application performed JSON parameter parsing, a remote attacker could possibly manipulate search conditions in SQL queries generated by the application.
Package:
Microsoft
Microsoft Edge Memory Corruption Vulnerability
vendor_msrc·2016-04-12·CVSS 7.5
CVE-2016-0155 [HIGH] Microsoft Edge Memory Corruption Vulnerability
Microsoft Edge Memory Corruption Vulnerability
Description: A remote code execution vulnerability exists when Microsoft Edge improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that enables an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to
No detection rules found.
No public exploits indexed.
2016-04-12
Published