Search
Total
201818 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2011-4895 | 1 Tor | 1 Tor | 2011-12-23 | 4.3 MEDIUM | N/A |
| Tor before 0.2.2.34, when configured as a bridge, sets up circuits through a process different from the process used by a client, which makes it easier for remote attackers to enumerate bridges by observing circuit building. | |||||
| CVE-2011-4052 | 1 Indusoft | 1 Web Studio | 2011-12-22 | 9.3 HIGH | N/A |
| Stack-based buffer overflow in CEServer.exe in the CEServer component in the Remote Agent module in InduSoft Web Studio 6.1 and 7.0 allows remote attackers to execute arbitrary code via a crafted 0x15 (aka Remove File) operation for a file with a long name. | |||||
| CVE-2009-3091 | 1 Asus | 1 Asus Wl-330ge | 2011-12-21 | 10.0 HIGH | N/A |
| Unspecified vulnerability on the ASUS WL-330gE has unknown impact and remote attack vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. NOTE: as of 20090903, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. | |||||
| CVE-2009-3100 | 2 Sun, X.org | 3 Opensolaris, Solaris, X11 | 2011-12-21 | 4.0 MEDIUM | N/A |
| xscreensaver (aka Gnome-XScreenSaver) in Sun Solaris 9 and 10, OpenSolaris snv_109 through snv_122, and X11 6.4.1 on Solaris 8 does not properly handle Accessibility support, which allows local users to cause a denial of service (system hang) by locking the screen and then attempting to launch an Accessibility pop-up window, related to a regression in certain Solaris and OpenSolaris patches. | |||||
| CVE-2011-4861 | 1 Schneider-electric | 3 Quantum Ethernet Module 140noe77100, Quantum Ethernet Module 140noe77101, Quantum Ethernet Module 140noe77111 | 2011-12-21 | 10.0 HIGH | N/A |
| The modbus_125_handler function in the Schneider Electric Quantum Ethernet Module on the NOE 771 device (aka the Quantum 140NOE771* module) allows remote attackers to install arbitrary firmware updates via a MODBUS 125 function code to TCP port 502. | |||||
| CVE-2011-1511 | 1 Oracle | 1 Sun Products Suite | 2011-12-21 | 6.4 MEDIUM | N/A |
| Unspecified vulnerability in the Oracle GlassFish Server component in Oracle Sun Products Suite 2.1.1 and 3.0.1 allows remote attackers to execute arbitrary code via unknown vectors related to Administration. | |||||
| CVE-2011-4779 | 2011-12-20 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-4642. Reason: This candidate is a reservation duplicate of CVE-2011-4642. Notes: All CVE users should reference CVE-2011-4642 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2011-4717 | 1 Zftpserver | 1 Zftpserver Suite | 2011-12-20 | 5.5 MEDIUM | N/A |
| Directory traversal vulnerability in zFTPServer Suite 6.0.0.52 allows remote authenticated users to delete arbitrary directories via a crafted RMD (aka rmdir) command. | |||||
| CVE-2011-4723 | 1 D-link | 1 Dir-300 | 2011-12-20 | 6.8 MEDIUM | N/A |
| The D-Link DIR-300 router stores cleartext passwords, which allows context-dependent attackers to obtain sensitive information via unspecified vectors. | |||||
| CVE-2009-3345 | 1 Sap | 1 Crystal Reports Server | 2011-12-20 | 10.0 HIGH | N/A |
| Heap-based buffer overflow in SAP Crystal Reports Server 2008 has unknown impact and attack vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.3 through 8.11. NOTE: as of 20090917, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. | |||||
| CVE-2009-3347 | 1 D-link | 1 Dir-400 | 2011-12-20 | 10.0 HIGH | N/A |
| Buffer overflow on the D-Link DIR-400 wireless router allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by a certain module in VulnDisco Pack Professional 8.10 through 8.11. NOTE: as of 20090917, this disclosure has no actionable information. However, because the VulnDisco Pack author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. | |||||
| CVE-2011-4860 | 1 Schneider-electric | 3 Quantum Ethernet Module 140noe77100, Quantum Ethernet Module 140noe77101, Quantum Ethernet Module 140noe77111 | 2011-12-19 | 10.0 HIGH | N/A |
| The ComputePassword function in the Schneider Electric Quantum Ethernet Module on the NOE 771 device (aka the Quantum 140NOE771* module) generates the password for the fwupgrade account by performing a calculation on the MAC address, which makes it easier for remote attackers to obtain access via a (1) ARP request message or (2) Neighbor Solicitation message. | |||||
| CVE-2011-4750 | 1 Smartertools | 1 Smarterstats | 2011-12-16 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in SmarterTools SmarterStats 6.2.4100 allow remote attackers to inject arbitrary web script or HTML via crafted input to a PHP script, as demonstrated by Default.aspx and certain other files. | |||||
| CVE-2011-4766 | 1 Parallels | 1 Parallels Plesk Small Business Panel | 2011-12-16 | 5.0 MEDIUM | N/A |
| ** DISPUTED ** The Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Business Panel 10.2.0 allows remote attackers to obtain ASP source code via a direct request to wysiwyg/fckconfig.js. NOTE: CVE disputes this issue because ASP is only used in a JavaScript comment. | |||||
| CVE-2011-4768 | 1 Parallels | 1 Parallels Plesk Small Business Panel | 2011-12-16 | 10.0 HIGH | N/A |
| The Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Business Panel 10.2.0 omits the Content-Type header's charset parameter for certain resources, which might allow remote attackers to have an unspecified impact by leveraging an interpretation conflict involving Wizard/Edit/Modules/Image and certain other files. NOTE: it is possible that only clients, not the Plesk product, could be affected by this issue. | |||||
| CVE-2011-4850 | 2 Microsoft, Parallels | 3 Windows 2003 Server, Windows Server 2008, Parallels Plesk Panel | 2011-12-16 | 4.3 MEDIUM | N/A |
| The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by help.php and certain other files. | |||||
| CVE-2011-4836 | 1 Homeseer | 1 Homeseer Hs2 | 2011-12-15 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the web interface in HomeSeer HS2 2.5.0.20 allows remote attackers to inject arbitrary web script or HTML via a request for a crafted URI. | |||||
| CVE-2011-4835 | 1 Homeseer | 1 Homeseer Hs2 | 2011-12-15 | 7.5 HIGH | N/A |
| Directory traversal vulnerability in the web interface in HomeSeer HS2 2.5.0.20 allows remote attackers to access arbitrary files via unspecified vectors. | |||||
| CVE-2011-4830 | 2 Barter-sites, Joomla | 2 Com Listing, Joomla\! | 2011-12-15 | 3.5 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in the com_listing component in Barter Sites component 1.3 for Joomla! allow remote authenticated users to inject arbitrary web script or HTML via the (1) listing_title, (2) description, (3) homeurl (aka Website Address), (4) paystring (aka Payment types accepted), (5) sell_price, (6) shipping_cost, and (7) quantity parameters to index.php. | |||||
| CVE-2011-4829 | 2 Barter-sites, Joomla | 2 Com Listing, Joomla\! | 2011-12-15 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the com_listing component in Barter Sites component 1.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the category_id parameter to index.php. | |||||
| CVE-2011-4825 | 3 Phpletter, Phpmyfaq, Tinymce | 3 Ajax File And Image Manager, Phpmyfaq, Tinymce | 2011-12-15 | 7.5 HIGH | N/A |
| Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters. | |||||
| CVE-2011-4606 | 1 Artsoft | 1 Rocks\'n\'diamonds | 2011-12-15 | 3.6 LOW | N/A |
| Artsoft Entertainment Rocks'n'Diamonds (aka rocksndiamonds) 3.3.0.1 allows local users to overwrite arbitrary files via a symlink attack on .rocksndiamonds/cache/artworkinfo.cache under a user's home directory. | |||||
| CVE-2011-4828 | 1 Autosectools | 1 V-cms | 2011-12-15 | 7.5 HIGH | N/A |
| Unrestricted file upload vulnerability in includes/inline_image_upload.php in AutoSec Tools V-CMS 1.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in temp/. | |||||
| CVE-2011-4837 | 1 Homeseer | 1 Homeseer Hs2 | 2011-12-15 | 6.8 MEDIUM | N/A |
| Cross-site request forgery (CSRF) vulnerability in /ctrl in the web interface in HomeSeer HS2 2.5.0.20 allows remote attackers to hijack the authentication of admins for requests that execute arbitrary programs. | |||||
| CVE-2010-1680 | 2011-12-15 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2010. Notes: none. | |||||
| CVE-2011-4064 | 1 Phpmyadmin | 1 Phpmyadmin | 2011-12-15 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the setup interface in phpMyAdmin 3.4.x before 3.4.6 allows remote attackers to inject arbitrary web script or HTML via a crafted value. | |||||
| CVE-2011-2306 | 1 Oracle | 1 Linux | 2011-12-15 | 5.5 MEDIUM | N/A |
| Unspecified vulnerability in Oracle Linux 4 and 5 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to "Oracle validated." | |||||
| CVE-2009-3819 | 2 Typo3, Urs Maag | 2 Typo3, Maag Randomimage | 2011-12-14 | 10.0 HIGH | N/A |
| Unspecified vulnerability in the Random Images (maag_randomimage) extension 1.6.4 and earlier for TYPO3 allows remote attackers to execute arbitrary shell commands via unspecified vectors. | |||||
| CVE-2009-3820 | 2 Flagbit, Typo3 | 2 Fb Filebase, Typo3 | 2011-12-14 | 7.5 HIGH | N/A |
| SQL injection vulnerability in the Flagbit Filebase (fb_filebase) extension 0.1.0 for TYPO3 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2009-3821 | 2 Apache, Typo3 | 2 Solr, Typo3 | 2011-12-14 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in the Apache Solr Search (solr) extension 1.0.0 for TYPO3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2011-4001 | 1 Mawashimono | 1 Nikki | 2011-12-14 | 7.5 HIGH | N/A |
| Directory traversal vulnerability in HP no Mawashimono Nikki 6.6 and earlier allows remote attackers to read and modify arbitrary files via unspecified vectors. | |||||
| CVE-2011-4002 | 1 Mawashimono | 1 Nikki | 2011-12-14 | 7.5 HIGH | N/A |
| HP no Mawashimono Nikki 6.6 and earlier allows remote attackers to execute arbitrary commands via unspecified vectors, related to a "command injection vulnerability." | |||||
| CVE-2011-4202 | 1 Restorepoint | 1 Restorepoint | 2011-12-13 | 7.2 HIGH | N/A |
| The Tadasoft Restorepoint 3.2 evaluation image uses weak permissions (www write access) for unspecified scripts, which allows local users to gain privileges by modifying a script file. | |||||
| CVE-2011-4201 | 1 Restorepoint | 1 Restorepoint | 2011-12-13 | 9.3 HIGH | N/A |
| remote_support.cgi in the Tadasoft Restorepoint 3.2 evaluation image allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) pid1 or (2) pid2 parameter in a stop_remote_support action. | |||||
| CVE-2011-4062 | 1 Freebsd | 1 Freebsd | 2011-12-13 | 7.2 HIGH | N/A |
| Buffer overflow in the kernel in FreeBSD 7.3 through 9.0-RC1 allows local users to cause a denial of service (panic) or possibly gain privileges via a bind system call with a long pathname for a UNIX socket. | |||||
| CVE-2011-4404 | 1 Vmware | 1 Vcenter Update Manager | 2011-12-13 | 5.0 MEDIUM | N/A |
| The default configuration of the HTTP server in Jetty in vSphere Update Manager in VMware vCenter Update Manager 4.0 before Update 4 and 4.1 before Update 2 allows remote attackers to conduct directory traversal attacks and read arbitrary files via unspecified vectors, a related issue to CVE-2009-1523. | |||||
| CVE-2011-4435 | 1 Ibm | 1 Db2 Tools For Z\/os | 2011-12-13 | 5.0 MEDIUM | N/A |
| The web-server component in the Consolidation and Analysis Engine (CAE) Server in DB2 Query Monitor in IBM DB2 Tools 2.3.0 for z/OS does not prevent directory browsing, which allows remote attackers to obtain sensitive information via HTTP requests. | |||||
| CVE-2011-4544 | 1 Prestashop | 1 Prestashop | 2011-12-13 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in Prestashop before 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) address or (2) relativ_base_dir parameter to modules/mondialrelay/googlemap.php; the (3) relativ_base_dir, (4) Pays, (5) Ville, (6) CP, (7) Poids, (8) Action, or (9) num parameter to prestashop/modules/mondialrelay/googlemap.php; (10) the num_mode parameter to modules/mondialrelay/kit_mondialrelay/RechercheDetailPointRelais_ajax.php; (11) the Expedition parameter to modules/mondialrelay/kit_mondialrelay/SuiviExpedition_ajax.php; or the (12) folder or (13) name parameter to admin/ajaxfilemanager/ajax_save_text.php. | |||||
| CVE-2011-4545 | 1 Prestashop | 1 Prestashop | 2011-12-13 | 5.0 MEDIUM | N/A |
| CRLF injection vulnerability in admin/displayImage.php in Prestashop 1.4.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the name parameter. | |||||
| CVE-2011-4671 | 2 Adrotateplugin, Wordpress | 2 Adrotate, Wordpress | 2011-12-13 | 7.5 HIGH | N/A |
| SQL injection vulnerability in adrotate/adrotate-out.php in the AdRotate plugin 3.6.6, and other versions before 3.6.8, for WordPress allows remote attackers to execute arbitrary SQL commands via the track parameter (aka redirect URL). | |||||
| CVE-2011-1161 | 2011-12-12 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-1160, CVE-2011-1162. Reason: This candidate was withdrawn by its CNA. Further investigation showed that only two candidates, CVE-2011-1160 and CVE-2011-1162, were needed for the set of security issues in question. Notes: none. | |||||
| CVE-2011-4323 | 2011-12-12 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-2726. Reason: This candidate is a duplicate of CVE-2011-2726. Notes: All CVE users should reference CVE-2011-2726 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2011-4359 | 2011-12-12 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-4343. Reason: This candidate is a duplicate of CVE-2011-4343. Notes: All CVE users should reference CVE-2011-4343 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2011-3633 | 2011-12-12 | N/A | N/A | ||
| ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2011-4062. Reason: This candidate is a duplicate of CVE-2011-4062. Notes: All CVE users should reference CVE-2011-4062 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. | |||||
| CVE-2011-4349 | 1 Freedesktop | 1 Colord | 2011-12-12 | 4.6 MEDIUM | N/A |
| Multiple SQL injection vulnerabilities in (1) cd-mapping-db.c and (2) cd-device-db.c in colord before 0.1.15 allow local users to execute arbitrary SQL commands via vectors related to color devices and (a) device id, (b) property, or (c) profile id. | |||||
| CVE-2011-2917 | 1 Mambo-foundation | 1 Mambo | 2011-12-09 | 7.5 HIGH | N/A |
| SQL injection vulnerability in administrator/index2.php in Mambo CMS 4.6.5 and earlier allows remote attackers to execute arbitrary SQL commands via the zorder parameter. | |||||
| CVE-2011-4713 | 1 Oscss | 1 Oscss | 2011-12-09 | 5.0 MEDIUM | N/A |
| Directory traversal vulnerability in catalog/content.php in osCSS2 2.1.0 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the _ID parameter to (1) catalog/shopping_cart.php or (2) catalog/content.php. | |||||
| CVE-2011-4263 | 1 Apc | 1 Powerchute | 2011-12-08 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in Schneider Electric PowerChute Business Edition before 8.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2006-5242 | 1 Etomite | 1 Etomite | 2011-12-08 | 7.5 HIGH | N/A |
| SQL injection vulnerability in Etomite Content Management System (CMS) before 0.6.1.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | |||||
| CVE-2011-4051 | 1 Indusoft | 1 Web Studio | 2011-12-08 | 10.0 HIGH | N/A |
| CEServer.exe in the CEServer component in the Remote Agent module in InduSoft Web Studio 6.1 and 7.0 does not require authentication, which allows remote attackers to execute arbitrary code via vectors related to creation of a file, loading a DLL, and process control. | |||||