Search
Total
86024 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2012-3378 | 1 Gnome | 1 At-spi2-atk | 2012-09-05 | 3.3 LOW | N/A |
| The register_application function in atk-adaptor/bridge.c in GNOME at-spi2-atk 2.5.2 does not seed the random number generator and generates predictable temporary file names, which makes it easier for local users to create or truncate files via a symlink attack on a temporary socket file in /tmp/at-spi2. | |||||
| CVE-2012-3380 | 1 Naxsi Project | 1 Naxsi | 2012-09-05 | 2.1 LOW | N/A |
| Directory traversal vulnerability in naxsi-ui/nx_extract.py in the Naxsi module before 0.46-1 for Nginx allows local users to read arbitrary files via unspecified vectors. | |||||
| CVE-2012-3801 | 2012-09-05 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-2704. Reason: This candidate is a duplicate of CVE-2012-2704. Notes: All CVE users should reference CVE-2012-2704 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2012-2374 | 1 Tornadoweb | 1 Tornado | 2012-09-05 | 5.0 MEDIUM | N/A |
| CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input. | |||||
| CVE-2012-0808 | 1 Bdale Garbee | 1 As31 | 2012-09-05 | 3.6 LOW | N/A |
| as31 2.3.1-4 does not seed the random number generator and generates predictable temporary file names, which makes it easier for local users to create or truncate files via a symlink attack. | |||||
| CVE-2012-3014 | 1 Garrettcom | 2 Magnum Managed Networks Software-6k, Magnum Managed Networks Software-6k Secure | 2012-09-04 | 7.7 HIGH | N/A |
| The Management Software application in GarrettCom Magnum MNS-6K before 4.4.0, and 14.x before 14.4.0, has a hardcoded password for an administrative account, which allows local users to gain privileges via unspecified vectors. | |||||
| CVE-2012-4747 | 1 Mozilla | 1 Bugzilla | 2012-09-04 | 5.0 MEDIUM | N/A |
| Bugzilla 2.x and 3.x through 3.6.11, 3.7.x and 4.0.x before 4.0.8, 4.1.x and 4.2.x before 4.2.3, and 4.3.x before 4.3.3 stores potentially sensitive information under the web root with insufficient access control, which allows remote attackers to read (1) template (aka .tmpl) files, (2) other custom extension files under extensions/, or (3) custom documentation files under docs/ via a direct request. | |||||
| CVE-2011-4951 | 1 Egroupware | 2 Egroupware, Egroupware Enterprise Line | 2012-09-04 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in phpgwapi/ntlm/index.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the forward parameter. | |||||
| CVE-2011-5143 | 1 Obm | 1 Open Business Management | 2012-09-04 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Open Business Management (OBM) 2.3.20 and probably earlier allow remote attackers to inject arbitrary web script or HTML via the (1) tf_name, (2) tf_delegation, and (3) tf_ip parameters to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2012-2083 | 2 Drupal, Fusiondrupalthemes | 2 Drupal, Fusion | 2012-09-04 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the fusion_core_preprocess_page function in fusion_core/template.php in the Fusion module before 6.x-1.13 for Drupal allows remote attackers to inject arbitrary web script or HTML via the q parameter. | |||||
| CVE-2012-2116 | 2 Commerceguys, Drupal | 2 Commerce Reorder, Drupal | 2012-09-04 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in the Commerce Reorder module before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that add items to the shopping cart. | |||||
| CVE-2012-2965 | 1 Caucho | 1 Resin | 2012-09-04 | 7.5 HIGH | N/A |
| Caucho Quercus, as distributed in Resin before 4.0.29, does not properly handle unspecified characters in the names of variables, which has unknown impact and remote attack vectors, related to an "HTTP Parameter Contamination" issue. | |||||
| CVE-2012-2966 | 1 Caucho | 1 Resin | 2012-09-04 | 7.5 HIGH | N/A |
| Caucho Quercus, as distributed in Resin before 4.0.29, overwrites entries in the SERVER superglobal array on the basis of POST parameters, which has unspecified impact and remote attack vectors. | |||||
| CVE-2012-2967 | 1 Caucho | 1 Resin | 2012-09-04 | 7.5 HIGH | N/A |
| Caucho Quercus, as distributed in Resin before 4.0.29, does not properly implement the == (equals sign equals sign) operator for comparisons, which has unspecified impact and context-dependent attack vectors. | |||||
| CVE-2012-2968 | 1 Caucho | 1 Resin | 2012-09-04 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in Caucho Quercus, as distributed in Resin before 4.0.29, allows remote attackers to create files in arbitrary directories via a .. (dot dot) in a pathname within an HTTP request. | |||||
| CVE-2012-2969 | 1 Caucho | 1 Resin | 2012-09-04 | 6.4 MEDIUM | N/A |
| Caucho Quercus, as distributed in Resin before 4.0.29, allows remote attackers to bypass intended restrictions on filename extensions for created files via a %00 sequence in a pathname within an HTTP request. | |||||
| CVE-2011-4950 | 1 Egroupware | 2 Egroupware, Egroupware Enterprise Line | 2012-09-03 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in phpgwapi/js/jscalendar/test.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to inject arbitrary web script or HTML via the lang parameter. | |||||
| CVE-2011-5150 | 1 Spamtitan | 1 Spamtitan | 2012-09-03 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in SpamTitan 5.07 and possibly earlier allow remote attackers or authenticated users to inject arbitrary web script or HTML via the (1) ipaddress or (2) domain parameter to setup-network.php, different vectors than CVE-2011-5149. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | |||||
| CVE-2009-5123 | 1 Comodo | 1 Comodo Internet Security | 2012-09-03 | 4.3 MEDIUM | N/A |
| The Antivirus component in Comodo Internet Security before 3.11.108364.552 allows remote attackers to cause a denial of service (memory consumption) via a crafted compressed file. | |||||
| CVE-2011-4948 | 1 Egroupware | 2 Egroupware, Egroupware Enterprise Line | 2012-09-03 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in admin/remote.php in EGroupware Enterprise Line (EPL) before 11.1.20110804-1 and EGroupware Community Edition before 1.8.001.20110805 allows remote attackers to read arbitrary files via a ..%2f (encoded dot dot slash) in the type parameter. | |||||
| CVE-2012-4742 | 1 Packetfence | 1 Packetfence | 2012-09-03 | 7.5 HIGH | N/A |
| The web_node_register function in web.pm in PacketFence before 3.0.2 might allow remote attackers to execute arbitrary code via unspecified vectors. | |||||
| CVE-2012-4746 | 1 Zte | 1 Zxdsl | 2012-09-03 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in accessaccount.cgi in ZTE ZXDSL 831IIV7.5.0a_Z29_OV allows remote attackers to hijack the authentication of administrators for requests that change the administrator password via the sysPassword parameter. | |||||
| CVE-2011-4598 | 1 Digium | 1 Asterisk | 2012-09-01 | 4.3 MEDIUM | N/A |
| The handle_request_info function in channels/chan_sip.c in Asterisk Open Source 1.6.2.x before 1.6.2.21 and 1.8.x before 1.8.7.2, when automon is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted sequence of SIP requests. | |||||
| CVE-2012-3379 | 2012-08-31 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-0808. Reason: This candidate is a duplicate of CVE-2012-0808. Notes: All CVE users should reference CVE-2012-0808 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2012-4686 | 1 Vbulletin | 1 Vbulletin | 2012-08-29 | 7.5 HIGH | N/A |
| SQL injection vulnerability in announcement.php in vBulletin 4.1.10 allows remote attackers to execute arbitrary SQL commands via the announcementid parameter. | |||||
| CVE-2011-5128 | 2 Bueltge, Wordpress | 2 Adminimize, Wordpress | 2012-08-29 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the Adminimize plugin before 1.7.22 for WordPress allow remote attackers to inject arbitrary web script or HTML via the page parameter to (1) inc-options/deinstall_options.php, (2) inc-options/theme_options.php, or (3) inc-options/im_export_options.php, or the (4) post or (5) post_ID parameters to adminimize.php, different vectors than CVE-2011-4926. | |||||
| CVE-2010-5152 | 2 Avg, Microsoft | 2 Internet Security, Windows Xp | 2012-08-29 | 6.2 MEDIUM | N/A |
| ** DISPUTED ** Race condition in AVG Internet Security 9.0.791 on Windows XP allows local users to bypass kernel-mode hook handlers, and execute dangerous code that would otherwise be blocked by a handler but not blocked by signature-based malware detection, via certain user-space memory changes during hook-handler execution, aka an argument-switch attack or a KHOBE attack. NOTE: this issue is disputed by some third parties because it is a flaw in a protection mechanism for situations where a crafted program has already begun to execute. | |||||
| CVE-2010-5153 | 2 Avira, Microsoft | 2 Premium Security Suite, Windows Xp | 2012-08-29 | 6.2 MEDIUM | N/A |
| ** DISPUTED ** Race condition in Avira Premium Security Suite 10.0.0.536 on Windows XP allows local users to bypass kernel-mode hook handlers, and execute dangerous code that would otherwise be blocked by a handler but not blocked by signature-based malware detection, via certain user-space memory changes during hook-handler execution, aka an argument-switch attack or a KHOBE attack. NOTE: this issue is disputed by some third parties because it is a flaw in a protection mechanism for situations where a crafted program has already begun to execute. | |||||
| CVE-2012-1635 | 2 Drupal, Rik De Boer | 2 Drupal, Revisioning | 2012-08-29 | 6.4 MEDIUM | N/A |
| The hook_node_access function in the revisioning module 7.x-1.x before 7.x-1.3 for Drupal checks the permissions of the current user even when it is called to check permissions of other users, which allows remote attackers to bypass intended access restrictions, as demonstrated when using the XML sitemap module to obtain sensitive information about unpublished content. | |||||
| CVE-2012-1641 | 2 Danielb, Drupal | 2 Finder, Drupal | 2012-08-29 | 6.0 MEDIUM | N/A |
| The finder_import function in the Finder module 6.x-1.x before 6.x-1.26, 7.x-1.x, and 7.x-2.x before 7.x-2.0-alpha8 for Drupal allows remote authenticated users with the administer finder permission to execute arbitrary PHP code via admin/build/finder/import. | |||||
| CVE-2012-1642 | 2 Drupal, Yaml-fuer-drupal | 2 Drupal, Linkchecker | 2012-08-29 | 5.0 MEDIUM | N/A |
| includes/linkchecker.pages.inc in the Link checker module 6.x-2.x before 6.x-2.5 for Drupal does not properly enforce access permissions on broken links, which allows remote attackers to obtain sensitive information via unspecified vectors. | |||||
| CVE-2012-1643 | 2 Drupal, Jason Savino | 2 Drupal, Fp | 2012-08-29 | 5.0 MEDIUM | N/A |
| The Faster Permissions module 7.x-2.x before 7.x-1.2 for Drupal does not check the "administer permissions" permission, which allows remote attackers to modify access permissions via unspecified vectors. | |||||
| CVE-2012-1645 | 2 Drupal, Wimleers | 2 Drupal, Cdn | 2012-08-29 | 2.6 LOW | N/A |
| The CDN module 6.x-2.2 and 7.x-2.2 for Drupal, when running in Origin Pull mode with the "Far Future expiration" option enabled, allows remote attackers to read arbitrary PHP files via unspecified vectors, as demonstrated by reading settings.php. | |||||
| CVE-2012-1977 | 1 Wellintech | 1 Kingview | 2012-08-29 | 7.1 HIGH | N/A |
| WellinTech KingSCADA 3.0 uses a cleartext base64 format for storage of passwords in user.db, which allows context-dependent attackers to obtain sensitive information by reading this file. | |||||
| CVE-2012-2324 | 1 Mybb | 1 Mybb | 2012-08-29 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in MyBB (aka MyBulletinBoard) before 1.6.7 allow remote administrators to execute arbitrary SQL commands via unspecified vectors in the (1) user search or (2) Mail Log in the Admin Control Panel (ACP). | |||||
| CVE-2012-2587 | 1 Afterlogic | 1 Mailsuite Pro | 2012-08-29 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in AfterLogic MailSuite Pro 6.3 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with a crafted SRC attribute of (1) an IFRAME element or (2) a SCRIPT element. | |||||
| CVE-2012-2990 | 1 Samsung | 1 Kies | 2012-08-29 | 9.3 HIGH | N/A |
| The MASetupCaller ActiveX control before 1.4.2012.508 in MASetupCaller.dll in MarkAny ContentSAFER, as distributed in Samsung KIES before 2.3.2.12074_13_13, does not properly implement unspecified methods, which allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via a crafted HTML document. | |||||
| CVE-2012-3508 | 1 Roundcube | 1 Webmail | 2012-08-29 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in program/lib/washtml.php in Roundcube Webmail 0.8.0 allows remote attackers to inject arbitrary web script or HTML by using "javascript:" in an href attribute in the body of an HTML-formatted email. | |||||
| CVE-2012-1916 | 1 Atmail | 1 Atmail Open | 2012-08-29 | 7.5 HIGH | N/A |
| @Mail WebMail Client in AtMail Open-Source before 1.05 allows remote attackers to execute arbitrary code via an e-mail attachment with an executable extension, leading to the creation of an executable file under tmp/. | |||||
| CVE-2012-1917 | 1 Atmail | 1 Atmail Open | 2012-08-29 | 5.0 MEDIUM | N/A |
| compose.php in @Mail WebMail Client in AtMail Open-Source before 1.05 does not properly handle ../ (dot dot slash) sequences in the unique parameter, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a ..././ (dot dot dot slash dot slash) sequence. | |||||
| CVE-2012-1919 | 1 Atmail | 1 Atmail Open | 2012-08-29 | 6.4 MEDIUM | N/A |
| CRLF injection vulnerability in mime.php in @Mail WebMail Client in AtMail Open-Source before 1.05 allows remote attackers to conduct directory traversal attacks and read arbitrary files via a %0A sequence followed by a .. (dot dot) in the file parameter. | |||||
| CVE-2012-3539 | 2012-08-28 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-4681. Reason: This candidate is a duplicate of CVE-2012-4681. Notes: All CVE users should reference CVE-2012-4681 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2012-1586 | 1 Debian | 1 Cifs-utils | 2012-08-28 | 2.1 LOW | N/A |
| mount.cifs in cifs-utils 2.6 allows local users to determine the existence of arbitrary files or directories via the file path in the second argument, which reveals their existence in an error message. | |||||
| CVE-2012-1835 | 2 Timely, Wordpress | 2 All-in-one Event Calendar, Wordpress | 2012-08-28 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the All-in-One Event Calendar plugin 1.4 and 1.5 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) title parameter to app/view/agenda-widget-form.php; (2) args, (3) title, (4) before_title, or (5) after_title parameter to app/view/agenda-widget.php; (6) button_value parameter to app/view/box_publish_button.php; or (7) msg parameter to /app/view/save_successful.php. | |||||
| CVE-2012-4332 | 2 Barandisolutions, Wordpress | 2 Shareyourcart, Wordpress | 2012-08-28 | 5.0 MEDIUM | N/A |
| The ShareYourCart plugin 1.7.1 for WordPress allows remote attackers to obtain the installation path via unspecified vectors related to the SDK. | |||||
| CVE-2012-1587 | 2012-08-27 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-4944. Reason: This candidate is a duplicate of CVE-2011-4944. Notes: All CVE users should reference CVE-2011-4944 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2011-5127 | 2 Bluecoat, Microsoft | 2 Reporter, Windows | 2012-08-27 | 10.0 HIGH | N/A |
| Directory traversal vulnerability in Blue Coat Reporter 9.x before 9.2.4.13, 9.2.5.x before 9.2.5.1, and 9.3 before 9.3.1.2 on Windows allows remote attackers to read arbitrary files, and consequently execute arbitrary code, via an unspecified HTTP request. | |||||
| CVE-2011-5126 | 1 Bluecoat | 1 Sgos | 2012-08-27 | 5.0 MEDIUM | N/A |
| Blue Coat ProxySG 6.1 before SGOS 6.1.5.1 and 6.2 before SGOS 6.2.2.1 writes the secure heap to core images, which allows context-dependent attackers to obtain sensitive authentication information by leveraging read access to a downloaded core file. | |||||
| CVE-2011-5124 | 1 Bluecoat | 2 Proxyone, Proxysg | 2012-08-27 | 10.0 HIGH | N/A |
| Stack-based buffer overflow in the BCAAA component before build 60258, as used by Blue Coat ProxySG 4.2.3 through 6.1 and ProxyOne, allows remote attackers to execute arbitrary code via a large packet to the synchronization port (16102/tcp). | |||||
| CVE-2010-5189 | 1 Bluecoat | 16 Proxysg, Proxysg Sg210-10, Proxysg Sg210-25 and 13 more | 2012-08-27 | 9.3 HIGH | N/A |
| Blue Coat ProxySG before SGOS 4.3.4.1, 5.x before SGOS 5.4.5.1, 5.5 before SGOS 5.5.4.1, and 6.x before SGOS 6.1.1.1 allows remote authenticated users to execute arbitrary CLI commands by leveraging read-only administrator privileges and establishing an HTTPS session. | |||||