Total: 5300 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2012-4500 | 2 Drupal, Nancy Wichmann | 2 Drupal, Announcements | 2013-03-02 | 3.5 LOW | N/A | The Announcements module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users with the "access announcements" permission to bypass node access restrictions and possibly have other unspecified impact. |
| CVE-2012-4495 | 2 Drupal, Mime Mail Module Project | 2 Drupal, Mimemail | 2013-03-02 | 4.0 MEDIUM | N/A | The Mime Mail module 6.x-1.x before 6.x-1.1 for Drupal does not properly restrict access to files outside Drupal's publish files directory, which allows remote authenticated users to send arbitrary files as attachments. |
| CVE-2012-4491 | 2 Drupal, Earl Dunovant | 2 Drupal, Monthly Archive By Node Type | 2013-03-02 | 5.8 MEDIUM | N/A | The Monthly Archive by Node Type module 6.x for Drupal does not properly check permissions defined by node_access modules, which allows remote attackers to access restricted nodes via unspecified vectors. |
| CVE-2012-4016 | 2 Google, Justsystems | 2 Android, Atok | 2013-03-02 | 4.3 MEDIUM | N/A | The ATOK application before 1.0.4 for Android allows remote attackers to read the learning information file, and obtain sensitive input-string information, via a crafted application. |
| CVE-2012-4020 | 1 Mosp | 1 Kintai Kanri | 2013-03-02 | 4.0 MEDIUM | N/A | MosP kintai kanri before 4.1.0 does not enforce privilege requirements, which allows remote authenticated users to read other users' information via unspecified vectors. |
| CVE-2012-3478 | 1 Pizzashack | 1 Rssh | 2013-03-02 | 2.1 LOW | N/A | rssh 2.3.3 and earlier allows local users to bypass intended restricted shell access via crafted environment variables in the command line. |
| CVE-2012-2994 | 1 Cososys | 1 Endpoint Protector Appliance 4 | 2013-03-02 | 7.5 HIGH | N/A | The CoSoSys Endpoint Protector 4 appliance establishes an EPProot password based entirely on the appliance serial number, which makes it easier for remote attackers to obtain access via a brute-force attack. |
| CVE-2012-1833 | 1 Springsource | 1 Grails | 2013-03-02 | 5.0 MEDIUM | N/A | VMware SpringSource Grails before 1.3.8, and 2.x before 2.0.2, does not properly restrict data binding, which might allow remote attackers to bypass intended access restrictions and modify arbitrary object properties via a crafted request parameter to an application. |
| CVE-2011-2709 | 1 Umich | 2 Libgssapi, Libgssglue | 2013-03-02 | 6.2 MEDIUM | N/A | libgssapi and libgssglue before 0.4 do not properly check privileges, which allows local users to load untrusted configuration files and execute arbitrary code via the GSSAPI_MECH_CONF environment variable, as demonstrated using mount.nfs. |
| CVE-2013-0162 | 1 Ryan Davis | 1 Ruby Parser | 2013-03-01 | 2.1 LOW | N/A | The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp. |
| CVE-2013-1139 | 1 Cisco | 1 Cloud Portal | 2013-02-27 | 4.0 MEDIUM | N/A | The nsAPI interface in Cisco Cloud Portal 9.1 SP1 and SP2, and 9.3 through 9.3.2, does not properly check privileges, which allows remote authenticated users to obtain sensitive information via a crafted URL, aka Bug ID CSCud81134. |
| CVE-2012-5586 | 2 Drupal, Marc Ingram | 2 Drupal, Services | 2013-02-26 | 2.1 LOW | N/A | The Services module 6.x-3.x before 6.x-3.3 and 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "access user profiles" permission to access arbitrary users' emails via vectors related to the "user index method" and "the path to the user resource." |
| CVE-2012-5530 | 1 Sgi | 1 Performance Co-pilot | 2013-02-26 | 2.1 LOW | N/A | The (1) pcmd and (2) pmlogger init scripts in Performance Co-Pilot (PCP) before 3.6.10 allow local users to overwrite arbitrary files via a symlink attack on a /var/tmp/##### temporary file. |
| CVE-2012-5417 | 1 Cisco | 1 Prime Data Center Network Manager | 2013-02-26 | 10.0 HIGH | N/A | Cisco Prime Data Center Network Manager (DCNM) before 6.1(1) does not properly restrict access to certain JBoss MainDeployer functionality, which allows remote attackers to execute arbitrary commands via JBoss Application Server Remote Method Invocation (RMI) services, aka Bug ID CSCtz44924. |
| CVE-2013-0164 | 1 Redhat | 2 Openshift, Openshift Origin | 2013-02-25 | 3.6 LOW | N/A | The lockwrap function in port-proxy/bin/openshift-port-proxy-cfg in Red Hat OpenShift Origin before 1.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp. |
| CVE-2012-3523 | 1 Isc | 1 Inn | 2013-02-22 | 6.8 MEDIUM | N/A | The STARTTLS implementation in nnrpd in INN before 2.5.3 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411. |
| CVE-2013-1111 | 1 Cisco | 2 Ata 187 Analog Telephone Adaptor, Ata 187 Analog Telephone Adaptor Firmware | 2013-02-14 | 9.0 HIGH | N/A | The Cisco ATA 187 Analog Telephone Adaptor with firmware 9.2.1.0 and 9.2.3.1 before ES build 4 does not properly implement access control, which allows remote attackers to execute operating-system commands via vectors involving a session on TCP port 7870, aka Bug ID CSCtz67038. |
| CVE-2012-3582 | 1 Symantec | 1 Pgp Universal Server | 2013-02-14 | 2.9 LOW | N/A | Symantec PGP Universal Server 3.2.x before 3.2.1 MP2 does not properly manage sessions that include key search requests, which might allow remote attackers to read a private key in opportunistic circumstances by making a request near the end of a user's session. |
| CVE-2012-2289 | 1 Emc | 2 Applicationxtender Desktop, Applicationxtender Web Access .net | 2013-02-14 | 7.5 HIGH | N/A | EMC ApplicationXtender Desktop before 6.5 SP2 and ApplicationXtender Web Access .NET before 6.5 SP2 allow remote attackers to upload files to any location, and possibly execute arbitrary code, via unspecified vectors. |
| CVE-2013-0265 | 1 Bitbucket | 1 Xnbd | 2013-02-13 | 2.1 LOW | N/A | The redirect_stderr function in xnbd_common.c in xnbd-server and xndb-wrapper in xNBD 0.1.0 allow local users to overwrite arbitrary files via a symlink attack on /tmp/xnbd.log. |
| CVE-2012-2244 | 1 Mahara | 1 Mahara | 2013-02-08 | 6.0 MEDIUM | N/A | Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote authenticated administrators to execute arbitrary programs by modifying the path to clamav. NOTE: this can be exploited without authentication by leveraging CVE-2012-2243. |
| CVE-2013-0838 | 2 Google, Linux | 2 Chrome, Linux Kernel | 2013-02-07 | 7.5 HIGH | N/A | Google Chrome before 24.0.1312.52 on Linux uses weak permissions for shared memory segments, which has unspecified impact and attack vectors. |
| CVE-2012-5187 | 1 Weathernews | 1 Weathernews Touch | 2013-02-07 | 4.3 MEDIUM | N/A | The Weathernews Touch application 2.3.2 and earlier for Android allows attackers to obtain sensitive information about logged locations via a crafted application that leverages read permission for system log files. |
| CVE-2009-3108 | 1 Symantec | 1 Altiris Deployment Solution | 2013-02-07 | 7.2 HIGH | N/A | The Aclient GUI in Symantec Altiris Deployment Solution 6.9.x before 6.9 SP3 Build 430 installs a client executable with insecure permissions (Everyone:Full Control), which allows local users to gain privileges by replacing the executable with a Trojan horse program. |
| CVE-2009-3107 | 1 Symantec | 1 Altiris Deployment Solution | 2013-02-07 | 4.8 MEDIUM | N/A | Symantec Altiris Deployment Solution 6.9.x before 6.9 SP3 Build 430 does not properly restrict access to the listening port for the DBManager service, which allows remote attackers to bypass authentication and modify tasks or the Altiris Database via a connection to this service. |
| CVE-2012-2292 | 1 Emc | 2 Rsa Archer Egrc, Rsa Archer Smartsuite | 2013-02-06 | 7.5 HIGH | N/A | The Silverlight cross-domain policy in EMC RSA Archer SmartSuite Framework 4.x and RSA Archer GRC 5.x before 5.2SP1 does not restrict access to the Archer application, which allows remote attackers to bypass the Same Origin Policy via unspecified vectors. |
| CVE-2013-1110 | 1 Cisco | 1 Webex Training Center | 2013-02-02 | 4.0 MEDIUM | N/A | Cisco WebEx Training Center allows remote authenticated users to bypass intended privilege restrictions and (1) enable or (2) disable training-center recordings via a crafted URL, aka Bug ID CSCzu81065. |
| CVE-2013-1108 | 1 Cisco | 1 Webex Training Center | 2013-02-02 | 4.0 MEDIUM | N/A | Cisco WebEx Training Center allows remote authenticated users to remove hands-on lab-session reservations via a crafted URL, aka Bug ID CSCzu81064. |
| CVE-2012-4022 | 1 Simon Brown | 1 Pebble | 2013-02-02 | 6.4 MEDIUM | N/A | Pebble before 2.6.4 allows remote attackers to trigger loss of blog-entry viewability via a crafted comment. |
| CVE-2012-3516 | 2 Citrix, Xen | 2 Xenserver, Xen | 2013-02-01 | 6.9 MEDIUM | N/A | The GNTTABOP_swap_grant_ref sub-operation in the grant table hypercall in Xen 4.2 and Citrix XenServer 6.0.2 allows local guest kernels or administrators to cause a denial of service (host crash) and possibly gain privileges via a crafted grant reference that triggers a write to an arbitrary hypervisor memory location. |
| CVE-2013-0652 | 1 Ge | 1 Intelligent Platforms Proficy Real-time Information Portal | 2013-01-30 | 5.0 MEDIUM | N/A | GE Intelligent Platforms Proficy Real-Time Information Portal does not restrict access to methods of an unspecified Java class, which allows remote attackers to obtain a username listing via an RMI call. |
| CVE-2013-0651 | 1 Ge | 1 Intelligent Platforms Proficy Real-time Information Portal | 2013-01-30 | 5.0 MEDIUM | N/A | The Portal installation process in GE Intelligent Platforms Proficy Real-Time Information Portal stores sensitive information under the web root with insufficient access control, which allows remote attackers to read configuration files, and discover data-source credentials, via a direct request. |
| CVE-2012-4523 | 1 Uninett | 1 Radsecproxy | 2013-01-30 | 6.4 MEDIUM | N/A | radsecproxy before 1.6.1 does not properly verify certificates when there are configuration blocks with CA settings that are unrelated to the block being used for verifying the certificate chain, which might allow remote attackers to bypass intended access restrictions and spoof clients. |
| CVE-2012-4471 | 2 Dominique Clause, Drupal | 2 Search Autocomplete, Drupal | 2013-01-30 | 5.0 MEDIUM | N/A | The Search Autocomplete module 7.x-2.x before 7.x-2.4 for Drupal does not properly restrict access to the module admin page, which allows remote attackers to disable an autocompletion or change the priority order via unspecified vectors. |
| CVE-2012-4470 | 2 Drupal, Philip Ludlam | 2 Drupal, Listhandler | 2013-01-30 | 7.5 HIGH | N/A | The Listhandler module 6.x-1.x before 6.x-1.1 for Drupal does not properly check permissions when importing emails, which allows remote comment authors to bypass access restrictions and possibly have other unspecified impact. |
| CVE-2012-4473 | 2 Christian Johansson, Drupal | 2 Restrict Node Page View, Drupal | 2013-01-30 | 3.5 LOW | N/A | The Restrict node page view module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "view any node page" or "view any node {type} page" permission to access unpublished nodes via a direct request. |
| CVE-2012-5444 | 1 Cisco | 2 Telepresence Video Communication Server, Telepresence Video Communication Servers Software | 2013-01-29 | 5.0 MEDIUM | N/A | Cisco TelePresence Video Communication Server (VCS) X7.0.3 does not properly process certain search rules, which allows remote attackers to create conferences via an unspecified Conductor request, aka Bug ID CSCub67989. |
| CVE-2009-1953 | 1 Ibm | 1 Filenet Content Manager | 2013-01-29 | 4.6 MEDIUM | N/A | IBM FileNet Content Manager 4.0, 4.0.1, and 4.5, as used in IBM WebSphere Application Server (WAS) and Oracle BEA WebLogic Application Server, when the CE Web Services listener has a certain WSEAF configuration, does not properly restrict use of a cached Subject, which allows remote attackers to obtain access with the credentials of a recently authenticated user via unspecified vectors. |
| CVE-2006-2560 | 1 Sitecom | 2 Wl-153, Wl-153 Router Firmware | 2013-01-24 | 7.5 HIGH | N/A | Sitecom WL-153 router firmware before 1.38 allows remote attackers to bypass access restrictions and conduct unauthorized operations via a UPnP request with a modified InternalClient parameter, which is not validated, as demonstrated by using AddPortMapping to forward arbitrary traffic. |
| CVE-2012-2291 | 3 Apple, Emc, Hp | 4 Mac Os X, Avamar, Avamar Plugin and 1 more | 2013-01-22 | 7.2 HIGH | N/A | EMC Avamar Client 4.x, 5.x, and 6.x on HP-UX and Mac OS X, and the EMC Avamar plugin 4.x, 5.x, and 6.x for Oracle, uses world-writable permissions for cache directories, which allows local users to gain privileges via an unspecified symlink attack. |
| CVE-2013-0172 | 1 Samba | 1 Samba | 2013-01-18 | 3.5 LOW | N/A | Samba 4.0.x before 4.0.1, in certain Active Directory domain-controller configurations, does not properly interpret Access Control Entries that are based on an objectClass, which allows remote authenticated users to bypass intended restrictions on modifying LDAP directory objects by leveraging (1) objectClass access by a user, (2) objectClass access by a group, or (3) write access to an attribute. |
| CVE-2013-0629 | 1 Adobe | 1 Coldfusion | 2013-01-18 | 4.3 MEDIUM | N/A | Adobe ColdFusion 9.0, 9.0.1, 9.0.2, and 10, when a password is not configured, allows attackers to access restricted directories via unspecified vectors, as exploited in the wild in January 2013. |
| CVE-2012-5155 | 2 Apple, Google | 2 Mac Os X, Chrome | 2013-01-16 | 5.0 MEDIUM | N/A | Google Chrome before 24.0.1312.52 on Mac OS X does not use an appropriate sandboxing approach for worker processes, which makes it easier for remote attackers to bypass intended access restrictions via unspecified vectors. |
| CVE-2012-4549 | 1 Redhat | 1 Jboss Enterprise Application Platform | 2013-01-15 | 5.8 MEDIUM | N/A | The processInvocation function in org.jboss.as.ejb3.security.AuthorizationInterceptor in JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) before 6.0.1, authorizes all requests when no roles are allowed for an Enterprise Java Beans (EJB) method invocation, which allows attackers to bypass intended access restrictions for EJB methods. |
| CVE-2010-2224 | 1 Redhat | 1 Enterprise Virtualization Manager | 2013-01-15 | 2.1 LOW | N/A | The snapshot merging functionality in Red Hat Enterprise Virtualization Manager (aka RHEV-M) before 2.2 does not properly pass the postzero parameter during operations on deleted volumes, which allows guest OS users to obtain sensitive information by examining the disk blocks associated with a deleted virtual machine. |
| CVE-2012-4452 | 1 Oracle | 1 Mysql | 2013-01-15 | 2.1 LOW | N/A | MySQL 5.0.88, and possibly other versions and platforms, allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of a CVE-2009-4030 regression, which was not omitted in other packages and versions such as MySQL 5.0.95 in Red Hat Enterprise Linux 6. |
| CVE-2012-2693 | 1 Redhat | 1 Libvirt | 2013-01-15 | 3.7 LOW | N/A | libvirt, possibly before 0.9.12, does not properly assign USB devices to virtual machines when multiple devices have the same vendor and product ID, which might cause the wrong device to be associated with a guest and might allow local users to access unintended USB devices. |
| CVE-2012-5584 | 2 Drupal, M2osw | 2 Drupal, Tableofcontents | 2013-01-08 | 4.3 MEDIUM | N/A | The Table of Contents module 6.x-3.x before 6.x-3.8 for Drupal does not properly check node permissions, which allows remote attackers to read a node's headers by accessing a table of contents block. |
| CVE-2011-4316 | 1 Redhat | 1 Enterprise Virtualization Manager | 2013-01-07 | 3.7 LOW | N/A | Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, in certain unspecified conditions, does not lock the desktop screen between SPICE sessions, which allows local users with access to a virtual machine to gain access to other users' desktop sessions via unspecified vectors. |
| CVE-2012-6431 | 1 Sensiolabs | 1 Symfony | 2013-01-07 | 6.4 MEDIUM | N/A | Symfony 2.0.x before 2.0.20 does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string. |
