Search
Total
4224 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2012-2121 | 1 Linux | 1 Linux Kernel | 2018-01-05 | 4.9 MEDIUM | N/A |
| The KVM implementation in the Linux kernel before 3.3.4 does not properly manage the relationships between memory slots and the iommu, which allows guest OS users to cause a denial of service (memory leak and host OS crash) by leveraging administrative access to the guest OS to conduct hotunplug and hotplug operations on devices. | |||||
| CVE-2012-2111 | 1 Samba | 1 Samba | 2018-01-05 | 6.5 MEDIUM | N/A |
| The (1) CreateAccount, (2) OpenAccount, (3) AddAccountRights, and (4) RemoveAccountRights LSA RPC procedures in smbd in Samba 3.4.x before 3.4.17, 3.5.x before 3.5.15, and 3.6.x before 3.6.5 do not properly restrict modifications to the privileges database, which allows remote authenticated users to obtain the "take ownership" privilege via an LSA connection. | |||||
| CVE-2012-0371 | 1 Cisco | 13 2000 Wireless Lan Controller, 2100 Wireless Lan Controller, 2106 Wireless Lan Controller and 10 more | 2018-01-05 | 9.3 HIGH | N/A |
| Cisco Wireless LAN Controller (WLC) devices with software 4.x, 5.x, 6.0, and 7.0 before 7.0.220.4, when CPU-based ACLs are enabled, allow remote attackers to read or modify the configuration via unspecified vectors, aka Bug ID CSCtu56709. | |||||
| CVE-2015-0223 | 1 Apache | 1 Qpid | 2018-01-05 | 5.0 MEDIUM | N/A |
| Unspecified vulnerability in Apache Qpid 0.30 and earlier allows remote attackers to bypass access restrictions on qpidd via unknown vectors, related to 0-10 connection handling. | |||||
| CVE-2012-0364 | 1 Cisco | 12 Small Business Srp520-u Series Firmware, Small Business Srp520 Series Firmware, Small Business Srp521w and 9 more | 2018-01-04 | 7.8 HIGH | N/A |
| Cisco SRP 520 series devices with firmware before 1.1.26 and SRP 520W-U and 540 series devices with firmware before 1.2.4 allow remote attackers to replace the configuration file via an upload request to an unspecified URL, aka Bug ID CSCtw55495. | |||||
| CVE-2014-0622 | 1 Emc | 1 Documentum Foundation Services | 2018-01-03 | 9.0 HIGH | N/A |
| The web service in EMC Documentum Foundation Services (DFS) 6.5 through 6.7 before 6.7 SP1 P22, 6.7 SP2 before P08, 7.0 before P12, and 7.1 before P01 does not properly implement content uploading, which allows remote authenticated users to bypass intended content access restrictions via unspecified vectors. | |||||
| CVE-2014-0686 | 1 Cisco | 1 Unified Communications Manager | 2018-01-03 | 6.0 MEDIUM | N/A |
| Cisco Unified Communications Manager (aka Unified CM) 9.1 (2.10000.28) and earlier allows local users to gain privileges by leveraging incorrect file permissions, aka Bug IDs CSCul24917 and CSCul24908. | |||||
| CVE-2014-0682 | 1 Cisco | 1 Webex Meetings Server | 2018-01-03 | 4.9 MEDIUM | N/A |
| Cisco WebEx Meetings Server allows remote authenticated users to bypass authorization checks and (1) join arbitrary meetings, or (2) terminate a meeting without having a host role, via a crafted URL, aka Bug ID CSCuj42346. | |||||
| CVE-2014-0833 | 1 Ibm | 1 Financial Transaction Manager | 2018-01-03 | 5.5 MEDIUM | N/A |
| The OAC component in IBM Financial Transaction Manager (FTM) 2.0 before 2.0.0.3 does not properly enforce operator-intervention requirements, which allows remote authenticated users to bypass intended access restrictions via an unspecified process step. | |||||
| CVE-2014-1666 | 1 Xen | 1 Xen | 2018-01-03 | 8.3 HIGH | N/A |
| The do_physdev_op function in Xen 4.1.5, 4.1.6.1, 4.2.2 through 4.2.3, and 4.3.x does not properly restrict access to the (1) PHYSDEVOP_prepare_msix and (2) PHYSDEVOP_release_msix operations, which allows local PV guests to cause a denial of service (host or guest malfunction) or possibly gain privileges via unspecified vectors. | |||||
| CVE-2014-1672 | 1 Checkpoint | 2 Management Server, Security Gateway | 2018-01-03 | 4.0 MEDIUM | N/A |
| Check Point R75.47 Security Gateway and Management Server does not properly enforce Anti-Spoofing when the routing table is modified and the "Get - Interfaces with Topology" action is performed, which allows attackers to bypass intended access restrictions. | |||||
| CVE-2014-1643 | 1 Symantec | 1 Encryption Management Server | 2018-01-03 | 4.0 MEDIUM | N/A |
| The Web Email Protection component in Symantec Encryption Management Server (aka PGP Universal Server) before 3.3.2 allows remote authenticated users to read the stored outbound e-mail messages of arbitrary users via a modified URL. | |||||
| CVE-2012-1518 | 1 Vmware | 5 Esx, Esxi, Fusion and 2 more | 2017-12-29 | 8.3 HIGH | N/A |
| VMware Workstation 8.x before 8.0.2, VMware Player 4.x before 4.0.2, VMware Fusion 4.x before 4.1.2, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 use an incorrect ACL for the VMware Tools folder, which allows guest OS users to gain guest OS privileges via unspecified vectors. | |||||
| CVE-2012-1241 | 1 Artonx.org | 1 Activescriptruby | 2017-12-29 | 7.5 HIGH | N/A |
| GRScript18.dll before 1.2.2.0 in ActiveScriptRuby (ASR) before 1.8.7 does not properly restrict interaction with an Internet Explorer ActiveX environment, which allows remote attackers to execute arbitrary Ruby code via a crafted HTML document. | |||||
| CVE-2012-1179 | 1 Linux | 1 Linux Kernel | 2017-12-29 | 5.2 MEDIUM | N/A |
| The Linux kernel before 3.3.1, when KVM is used, allows guest OS users to cause a denial of service (host OS crash) by leveraging administrative access to the guest OS, related to the pmd_none_or_clear_bad function and page faults for huge pages. | |||||
| CVE-2012-0946 | 1 Nvidia | 1 Unix Driver | 2017-12-29 | 4.6 MEDIUM | N/A |
| The NVIDIA UNIX driver before 295.40 allows local users to access arbitrary memory locations by leveraging GPU device-node read/write privileges. | |||||
| CVE-2011-4127 | 2 Linux, Suse | 2 Linux Kernel, Linux Enterprise Server | 2017-12-29 | 4.6 MEDIUM | N/A |
| The Linux kernel before 3.2.2 does not properly restrict SG_IO ioctl calls, which allows local users to bypass intended restrictions on disk read and write operations by sending a SCSI command to (1) a partition block device or (2) an LVM volume. | |||||
| CVE-2011-3084 | 1 Google | 1 Chrome | 2017-12-29 | 7.5 HIGH | N/A |
| Google Chrome before 19.0.1084.46 does not use a dedicated process for the loading of links found on an internal page, which might allow attackers to bypass intended sandbox restrictions via a crafted page. | |||||
| CVE-2012-1963 | 1 Mozilla | 5 Firefox, Firefox Esr, Seamonkey and 2 more | 2017-12-29 | 4.3 MEDIUM | N/A |
| The Content Security Policy (CSP) functionality in Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 does not properly restrict the strings placed into the blocked-uri parameter of a violation report, which allows remote web servers to capture OpenID credentials and OAuth 2.0 access tokens by triggering a violation. | |||||
| CVE-2012-1942 | 2 Microsoft, Mozilla | 4 Windows, Firefox, Seamonkey and 1 more | 2017-12-29 | 7.2 HIGH | N/A |
| The Mozilla Updater and Windows Updater Service in Mozilla Firefox 12.0, Thunderbird 12.0, and SeaMonkey 2.9 on Windows allow local users to gain privileges by loading a DLL file in a privileged context. | |||||
| CVE-2012-1959 | 1 Mozilla | 5 Firefox, Firefox Esr, Seamonkey and 2 more | 2017-12-29 | 5.0 MEDIUM | N/A |
| Mozilla Firefox 4.x through 13.0, Firefox ESR 10.x before 10.0.6, Thunderbird 5.0 through 13.0, Thunderbird ESR 10.x before 10.0.6, and SeaMonkey before 2.11 do not consider the presence of same-compartment security wrappers (SCSW) during the cross-compartment wrapping of objects, which allows remote attackers to bypass intended XBL access restrictions via crafted content. | |||||
| CVE-2012-2123 | 1 Linux | 1 Linux Kernel | 2017-12-29 | 7.2 HIGH | N/A |
| The cap_bprm_set_creds function in security/commoncap.c in the Linux kernel before 3.3.3 does not properly handle the use of file system capabilities (aka fcaps) for implementing a privileged executable file, which allows local users to bypass intended personality restrictions via a crafted application, as demonstrated by an attack that uses a parent process to disable ASLR. | |||||
| CVE-2012-1966 | 1 Mozilla | 2 Firefox, Firefox Esr | 2017-12-29 | 4.3 MEDIUM | N/A |
| Mozilla Firefox 4.x through 13.0 and Firefox ESR 10.x before 10.0.6 do not have the same context-menu restrictions for data: URLs as for javascript: URLs, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL. | |||||
| CVE-2012-2267 | 1 Realnetworks | 2 Helix Mobile Server, Helix Server | 2017-12-29 | 5.0 MEDIUM | N/A |
| master.exe in the SNMP Master Agent in RealNetworks Helix Server and Helix Mobile Server 14.x before 14.3.x allows remote attackers to cause a denial of service (daemon crash) by establishing and closing a port-705 TCP connection, a different vulnerability than CVE-2012-1923. | |||||
| CVE-2012-0478 | 1 Mozilla | 5 Firefox, Firefox Esr, Seamonkey and 2 more | 2017-12-29 | 9.3 HIGH | N/A |
| The texImage2D implementation in the WebGL subsystem in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 does not properly restrict JSVAL_TO_OBJECT casts, which might allow remote attackers to execute arbitrary code via a crafted web page. | |||||
| CVE-2012-2957 | 1 Symantec | 1 Web Gateway | 2017-12-22 | 7.2 HIGH | N/A |
| The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows local users to gain privileges by modifying files, related to a "file inclusion" issue. | |||||
| CVE-2012-2977 | 1 Symantec | 1 Web Gateway | 2017-12-22 | 5.0 MEDIUM | N/A |
| The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to change arbitrary passwords via crafted input to an application script. | |||||
| CVE-2014-0534 | 4 Adobe, Apple, Linux and 1 more | 6 Adobe Air, Adobe Air Sdk, Flash Player and 3 more | 2017-12-22 | 7.5 HIGH | N/A |
| Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0535. | |||||
| CVE-2014-0535 | 4 Adobe, Apple, Linux and 1 more | 6 Adobe Air, Adobe Air Sdk, Flash Player and 3 more | 2017-12-22 | 7.5 HIGH | N/A |
| Adobe Flash Player before 13.0.0.223 and 14.x before 14.0.0.125 on Windows and OS X and before 11.2.202.378 on Linux, Adobe AIR before 14.0.0.110, Adobe AIR SDK before 14.0.0.110, and Adobe AIR SDK & Compiler before 14.0.0.110 allow attackers to bypass intended access restrictions via unspecified vectors, a different vulnerability than CVE-2014-0534. | |||||
| CVE-2014-1402 | 1 Pocoo | 1 Jinja2 | 2017-12-22 | 4.4 MEDIUM | N/A |
| The default configuration for bccache.FileSystemBytecodeCache in Jinja2 before 2.7.2 does not properly create temporary files, which allows local users to gain privileges via a crafted .cache file with a name starting with __jinja2_ in /tmp. | |||||
| CVE-2014-0240 | 1 Modwsgi | 1 Mod Wsgi | 2017-12-21 | 6.2 MEDIUM | N/A |
| The mod_wsgi module before 3.5 for Apache, when daemon mode is enabled, does not properly handle error codes returned by setuid when run on certain Linux kernels, which allows local users to gain privileges via vectors related to the number of running processes. | |||||
| CVE-2012-2225 | 1 360zip | 1 360zip | 2017-12-20 | 7.5 HIGH | N/A |
| 360zip 1.93beta allows remote attackers to execute arbitrary code via vectors related to file browsing and file extraction. | |||||
| CVE-2012-2053 | 1 F5 | 1 Firepass | 2017-12-20 | 7.2 HIGH | N/A |
| The sudoers file in the Linux system configuration in F5 FirePass 6.0.0 through 6.1.0 and 7.0.0 does not require a password for executing commands as root, which allows local users to gain privileges via the sudo program, as demonstrated by the user account that executes PHP scripts, a different vulnerability than CVE-2012-1777. | |||||
| CVE-2012-0475 | 1 Mozilla | 3 Firefox, Seamonkey, Thunderbird | 2017-12-19 | 2.6 LOW | N/A |
| Mozilla Firefox 4.x through 11.0, Thunderbird 5.0 through 11.0, and SeaMonkey before 2.9 do not properly construct the Origin and Sec-WebSocket-Origin HTTP headers, which might allow remote attackers to bypass an IPv6 literal ACL via a cross-site (1) XMLHttpRequest or (2) WebSocket operation involving a nonstandard port number and an IPv6 address that contains certain zero fields. | |||||
| CVE-2012-2402 | 1 Wordpress | 1 Wordpress | 2017-12-19 | 5.5 MEDIUM | N/A |
| wp-admin/plugins.php in WordPress before 3.3.2 allows remote authenticated site administrators to bypass intended access restrictions and deactivate network-wide plugins via unspecified vectors. | |||||
| CVE-2012-2401 | 2 Moxiecode, Wordpress | 2 Plupload, Wordpress | 2017-12-19 | 5.0 MEDIUM | N/A |
| Plupload before 1.5.4, as used in wp-includes/js/plupload/ in WordPress before 3.3.2 and other products, enables scripting regardless of the domain from which the SWF content was loaded, which allows remote attackers to bypass the Same Origin Policy via crafted content. | |||||
| CVE-2014-0165 | 1 Wordpress | 1 Wordpress | 2017-12-16 | 4.0 MEDIUM | N/A |
| WordPress before 3.7.2 and 3.8.x before 3.8.2 allows remote authenticated users to publish posts by leveraging the Contributor role, related to wp-admin/includes/post.php and wp-admin/includes/class-wp-posts-list-table.php. | |||||
| CVE-2014-0508 | 4 Adobe, Apple, Linux and 1 more | 6 Adobe Air, Adobe Air Sdk, Flash Player and 3 more | 2017-12-16 | 5.0 MEDIUM | N/A |
| Adobe Flash Player before 11.7.700.275 and 11.8.x through 13.0.x before 13.0.0.182 on Windows and OS X and before 11.2.202.350 on Linux, Adobe AIR before 13.0.0.83 on Android, Adobe AIR SDK before 13.0.0.83, and Adobe AIR SDK & Compiler before 13.0.0.83 allow attackers to bypass intended access restrictions and obtain sensitive information via unspecified vectors. | |||||
| CVE-2014-0067 | 2 Apple, Postgresql | 3 Mac Os X, Mac Os X Server, Postgresql | 2017-12-16 | 4.6 MEDIUM | N/A |
| The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster. | |||||
| CVE-2014-0060 | 1 Postgresql | 1 Postgresql | 2017-12-16 | 4.0 MEDIUM | N/A |
| PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command. | |||||
| CVE-2014-0061 | 1 Postgresql | 1 Postgresql | 2017-12-16 | 6.5 MEDIUM | N/A |
| The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions. | |||||
| CVE-2012-2217 | 1 Htc | 14 Evo 3d, Evo 3d Software, Evo 4g and 11 more | 2017-12-14 | 6.4 MEDIUM | N/A |
| The HTC IQRD service for Android on the HTC EVO 4G before 4.67.651.3, EVO Design 4G before 2.12.651.5, Shift 4G before 2.77.651.3, EVO 3D before 2.17.651.5, EVO View 4G before 2.23.651.1, Vivid before 3.26.502.56, and Hero does not restrict localhost access to TCP port 2479, which allows remote attackers to (1) send SMS messages, (2) obtain the Network Access Identifier (NAI) and its password, or trigger (3) popup messages or (4) tones via a crafted application that leverages the android.permission.INTERNET permission. | |||||
| CVE-2012-1508 | 1 Vmware | 3 Esx, Esxi, View | 2017-12-13 | 7.2 HIGH | N/A |
| The XPDM display driver in VMware ESXi 4.0, 4.1, and 5.0; VMware ESX 4.0 and 4.1; and VMware View before 4.6.1 allows guest OS users to gain guest OS privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors. | |||||
| CVE-2009-3564 | 3 Centos, Fedoraproject, Reductivelabs | 3 Centos, Fedora, Puppet | 2017-12-09 | 4.7 MEDIUM | N/A |
| puppetmasterd in puppet 0.24.6 does not reset supplementary groups when it switches to a different user, which might allow local users to access restricted files. | |||||
| CVE-2009-3257 | 1 Vtiger | 1 Vtiger Crm | 2017-12-07 | 3.6 LOW | N/A |
| vtiger CRM before 5.1.0 allows remote authenticated users to bypass the permissions on the (1) Account Billing Address and (2) Shipping Address fields in a profile by creating a Sales Order (SO) associated with that profile. | |||||
| CVE-2012-0745 | 1 Ibm | 2 Aix, Vios | 2017-12-07 | 7.2 HIGH | N/A |
| The getpwnam function in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.1.0.10 through 2.2.1.3 does not properly interact with customer-extended LDAP user filtering, which allows local users to gain privileges via unspecified vectors. | |||||
| CVE-2012-1447 | 4 Aladdin, Drweb, Fortinet and 1 more | 4 Esafe, Dr.web Antivirus, Fortinet Antivirus and 1 more | 2017-12-06 | 4.3 MEDIUM | N/A |
| The ELF file parser in Fortinet Antivirus 4.2.254.0, eSafe 7.0.17.0, Dr.Web 5.0.2.03300, and Panda Antivirus 10.0.2.7 allows remote attackers to bypass malware detection via an ELF file with a modified e_version field. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different ELF parser implementations. | |||||
| CVE-2012-1455 | 2 Eset, Rising-global | 2 Nod32 Antivirus, Rising Antivirus | 2017-12-06 | 4.3 MEDIUM | N/A |
| The CAB file parser in NOD32 Antivirus 5795 and Rising Antivirus 22.83.00.03 allows remote attackers to bypass malware detection via a CAB file with a modified vMinor version field. NOTE: this may later be SPLIT into multiple CVEs if additional information is published showing that the error occurred independently in different CAB parser implementations. | |||||
| CVE-2011-4773 | 2 Android, Anguanjia | 2 Android, Anguanjia | 2017-12-06 | 5.8 MEDIUM | N/A |
| The AnGuanJia (com.anguanjia.safe) application 2.10.343 for Android does not properly protect data, which allows remote attackers to read or modify SMS messages and a contact list via a crafted application. | |||||
| CVE-2011-4863 | 2 Google, Tencent | 2 Android, Qqpimsecure | 2017-12-06 | 5.8 MEDIUM | N/A |
| The Tencent QQPimSecure (com.tencent.qqpimsecure) application 3.0.2 for Android does not properly protect data, which allows remote attackers to read or modify SMS/MMS messages and a contact list via a crafted application. | |||||