| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Confidentiality | Integrity | Availability |
| 1 | CVE-2012-0983 | 89 | 1 | Exec Code Sql | 2012-02-02 | 2012-02-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in Scriptsez.net Ez Album allows remote attackers to execute arbitrary SQL commands via the id parameter in a view action to index.php. |
| 2 | CVE-2012-0982 | 89 | 1 | Exec Code Sql | 2012-02-02 | 2012-02-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in search.php in Vastal I-Tech Agent Zone (aka The Real Estate Script) allows remote attackers to execute arbitrary SQL commands via the price_from parameter. |
| 3 | CVE-2012-0980 | 89 | 1 | Exec Code Sql | 2012-02-02 | 2012-02-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in download.php in phux Download Manager allows remote attackers to execute arbitrary SQL commands via the file parameter. |
| 4 | CVE-2012-0935 | 89 | 1 | Exec Code Sql | 2012-01-28 | 2012-01-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in Default.aspx in Aryadad CMS allows remote attackers to execute arbitrary SQL commands via the PageID parameter. |
| 5 | CVE-2012-0934 | 94 |  | Exec Code File Inclusion | 2012-01-28 | 2012-02-01 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
PHP remote file inclusion vulnerability in ajax/savetag.php in the Theme Tuner plugin for WordPress before 0.8 allows remote attackers to execute arbitrary PHP code via a URL in the tt-abspath parameter. |
| 6 | CVE-2012-0931 | 287 |  | DoS Exec Code | 2012-01-27 | 2012-02-01 | 7.8 | None | Remote | Low | Not required | None | None | Complete |
Schneider Electric Modicon Quantum PLC does not perform authentication between the Unity software and PLC, which allows remote attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors. |
| 7 | CVE-2012-0929 | 119 |  | DoS Overflow | 2012-01-27 | 2012-02-01 | 7.8 | None | Remote | Low | Not required | None | None | Complete |
Multiple buffer overflows in Schneider Electric Modicon Quantum PLC allow remote attackers to cause a denial of service via malformed requests to the (1) FTP server or (2) HTTP server. |
| 8 | CVE-2012-0913 | 89 | 1 | Exec Code Sql | 2012-01-24 | 2012-01-25 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in checklogin.aspx in ICloudCenter ICTimeAttendance 1.0 allows remote attackers to execute arbitrary SQL commands via the passw parameter. NOTE: Some of these details are obtained from third party information. |
| 9 | CVE-2012-0912 | 89 |  | Exec Code Sql | 2012-01-24 | 2012-01-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in Stoneware webNetwork before 6.0.8.0 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| 10 | CVE-2012-0906 | 89 | 1 | Exec Code Sql | 2012-01-20 | 2012-01-23 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in the Moviebase addon for deV!L'z Clanportal (DZCP) 1.5.5 allows remote attackers to execute arbitrary SQL commands via the id parameter in a showkat action to index.php. |
| 11 | CVE-2012-0905 | 89 | 1 | Exec Code Sql | 2012-01-20 | 2012-02-03 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in deV!L'z Clanportal (DZCP) Gamebase addon allows remote attackers to execute arbitrary SQL commands via the gameid parameter in a detail action to index.php. |
| 12 | CVE-2012-0809 | 134 |  | Exec Code | 2012-01-31 | 2012-02-01 | 7.2 | Admin | Local | Low | Not required | Complete | Complete | Complete |
Format string vulnerability in the sudo_debug function in Sudo 1.8.0 through 1.8.3p1 allows local users to execute arbitrary code via format string sequences in the program name for sudo. |
| 13 | CVE-2012-0094 |  |  |  | 2012-01-18 | 2012-01-30 | 7.8 | None | Remote | Low | Not required | None | None | Complete |
Unspecified vulnerability in Oracle Solaris 9, 10, and 11 Express allows remote attackers to affect availability, related to TCP/IP. |
| 14 | CVE-2012-0069 | 89 |  | Exec Code Sql | 2012-01-24 | 2012-01-24 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in ajax.php in Batavi before 1.2.1 allows remote attackers to execute arbitrary SQL commands via the boxToReload parameter. |
| 15 | CVE-2012-0035 | 264 |  | +Priv | 2012-01-19 | 2012-01-30 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete |
Untrusted search path vulnerability in EDE in CEDET before 1.0.1, as used in GNU Emacs before 23.4 and other products, allows local users to gain privileges via a crafted Lisp expression in a Project.ede file in the directory, or a parent directory, of an opened file. |
| 16 | CVE-2012-0029 | 119 |  | DoS Exec Code Overflow | 2012-01-27 | 2012-02-02 | 7.4 | None | Local Network | Medium | Single system | Complete | Complete | Complete |
Heap-based buffer overflow in the process_tx_desc function in the e1000 emulation (hw/e1000.c) in qemu-kvm 0.12, and possibly other versions, allows guest OS users to cause a denial of service (QEMU crash) and possibly execute arbitrary code via crafted legacy mode packets. |
| 17 | CVE-2011-5072 | 89 |  | Exec Code Sql | 2012-01-29 | 2012-02-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Multiple SQL injection vulnerabilities in Support Incident Tracker (aka SiT!) before 3.65 allow remote attackers to execute arbitrary SQL commands via the (1) start parameter to portal/kb.php; (2) contractid parameter to contract_add_service.php; (3) id parameter to edit_escalation_path.php; (4) unlock, (5) lock, or (6) selected parameter to holding_queue.php; inc parameter in a report action to (7) report_customers.php or (8) report_incidents_by_site.php; (9) start parameter to search.php; or (10) sites parameter to transactions.php. |
| 18 | CVE-2011-5071 | 89 |  | Exec Code Sql | 2012-01-28 | 2012-02-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Multiple SQL injection vulnerabilities in Support Incident Tracker (aka SiT!) before 3.64 allow remote attackers to execute arbitrary SQL commands via the (1) exc[] parameter to report_marketing.php, (2) selected[] parameter to tasks.php, (3) sites[] parameter to billable_incidents.php, or (4) search_string parameter to search.php. NOTE: some of these details are obtained from third party information. |
| 19 | CVE-2011-5061 | 94 |  | Exec Code | 2012-01-13 | 2012-01-16 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
functions.php in WHMCompleteSolution (WHMCS) 4.0.x through 5.0.x allows remote attackers to trigger arbitrary code execution in the Smarty templating system by submitting a crafted ticket, related to improper handling of characters in the subject field. |
| 20 | CVE-2011-5051 |  |  | Exec Code | 2012-01-04 | 2012-01-05 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Multiple unrestricted file upload vulnerabilities in the WP Symposium plugin before 11.12.24 for WordPress allow remote attackers to execute arbitrary code by uploading a file with an executable extension using (1) uploadify/upload_admin_avatar.php or (2) uploadify/upload_profile_avatar.php, then accessing it via a direct request to the file in an unspecified directory inside the webroot. |
| 21 | CVE-2011-5049 | 399 | 1 | DoS | 2012-01-04 | 2012-01-05 | 7.8 | None | Remote | Low | Not required | None | None | Complete |
MySQL 5.5.8, when running on Windows, allows remote attackers to cause a denial of service (NULL pointer dereference) via a crafted packet to TCP port 3306. |
| 22 | CVE-2011-5044 | 264 | 1 | Exec Code | 2011-12-30 | 2012-01-02 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete |
SopCast 3.4.7.45585 uses weak permissions (Everyone:Full Control) for Diagnose.exe, which allows local users to execute arbitrary code by replacing Diagnose.exe with a Trojan horse program. |
| 23 | CVE-2011-5039 | 89 | 1 | Exec Code Sql | 2011-12-30 | 2012-01-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Multiple SQL injection vulnerabilities in Infoproject Biznis Heroj allow remote attackers to execute arbitrary SQL commands via the (1) username and (2) password parameters to login.php, (3) the filter parameter to widget.dokumenti_lista.php, and (4) the fin_nalog_id parameter to nalozi_naslov.php. |
| 24 | CVE-2011-5038 | 89 |  | Exec Code Sql | 2011-12-30 | 2012-01-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in hitCode hitAppoint 4.5.17 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the username parameter to index.php. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| 25 | CVE-2011-5034 | 20 |  | DoS | 2011-12-29 | 2012-01-19 | 7.8 | None | Remote | Low | Not required | None | None | Complete |
Apache Geronimo 2.2.1 and earlier computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. NOTE: this might overlap CVE-2011-4461. |
| 26 | CVE-2011-5031 | 89 | 1 | Exec Code Sql | 2011-12-29 | 2011-12-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Multiple SQL injection vulnerabilities in servlet/capexweb.parentvalidatepassword in cApexWEB 1.1 allow remote attackers to execute arbitrary SQL commands via the (1) dfuserid and (2) dfpassword parameters. NOTE: some of these details are obtained from third party information. |
| 27 | CVE-2011-5022 | 89 |  | Exec Code Sql | 2011-12-29 | 2011-12-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in search.php in Pligg CMS 1.1.2 allows remote attackers to execute arbitrary SQL commands via the status parameter. |
| 28 | CVE-2011-5021 | 94 |  | DoS Bypass | 2011-12-28 | 2011-12-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
PHPIDS before 0.7 does not properly implement Regular Expression Denial of Service (ReDoS) filters, which allows remote attackers to bypass rulesets and add PHP sequences to a file via unspecified vectors. |
| 29 | CVE-2011-5008 | 189 |  | Exec Code Overflow | 2011-12-24 | 2011-12-27 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Integer overflow in the GatewayService component in 3S CoDeSys 3.4 SP4 Patch 2 allows remote attackers to execute arbitrary code via a large size value in the packet header, which triggers a heap-based buffer overflow. |
| 30 | CVE-2011-5005 |  | 1 | Exec Code | 2011-12-24 | 2011-12-27 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Unrestricted file upload vulnerability in QuiXplorer 2.3 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension using the upload action to index.php, then accessing it via a direct request to the file in an unspecified directory. |
| 31 | CVE-2011-4899 |  | 1 | Exec Code Sql XSS | 2012-01-30 | 2012-01-31 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier does not ensure that the specified MySQL database service is appropriate, which allows remote attackers to configure an arbitrary database via the dbhost and dbname parameters, and subsequently conduct static code injection and cross-site scripting (XSS) attacks via (1) an HTTP request or (2) a MySQL query. NOTE: the vendor disputes the significance of this issue; however, remote code execution makes the issue important in many realistic environments. |
| 32 | CVE-2011-4869 | 399 |  | DoS | 2011-12-20 | 2011-12-31 | 7.8 | None | Remote | Low | Not required | None | None | Complete |
validator/val_nsec3.c in Unbound before 1.4.13p2 does not properly perform proof processing for NSEC3-signed zones, which allows remote DNS servers to cause a denial of service (daemon crash) via a malformed response that lacks expected NSEC3 records, a different vulnerability than CVE-2011-4528. |
| 33 | CVE-2011-4847 | 89 |  | Exec Code Sql | 2011-12-16 | 2012-02-01 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in the Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 allows remote attackers to execute arbitrary SQL commands via a certificateslist cookie to notification@/. |
| 34 | CVE-2011-4838 | 20 |  | DoS | 2011-12-29 | 2011-12-30 | 7.8 | None | Remote | Low | Not required | None | None | Complete |
JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. |
| 35 | CVE-2011-4835 | 22 |  | Dir. Trav. | 2011-12-14 | 2011-12-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Directory traversal vulnerability in the web interface in HomeSeer HS2 2.5.0.20 allows remote attackers to access arbitrary files via unspecified vectors. |
| 36 | CVE-2011-4833 | 89 |  | Exec Code Sql | 2011-12-14 | 2011-12-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Multiple SQL injection vulnerabilities in the Leads module in SugarCRM 6.1 before 6.1.7, 6.2 before 6.2.4, 6.3 before 6.3.0RC3, and 6.4 before 6.4.0beta1 allow remote attackers to execute arbitrary SQL commands via the (1) where and (2) order parameters in a get_full_list action to index.php. |
| 37 | CVE-2011-4832 | 22 | 1 | Dir. Trav. | 2011-12-14 | 2011-12-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Directory traversal vulnerability in CaupoShop Pro 2.x, CaupoShop Classic 3.01, and CaupoShop Pro 3.70 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the template parameter in a template action. |
| 38 | CVE-2011-4829 | 89 | 1 | Exec Code Sql | 2011-12-14 | 2011-12-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in the com_listing component in Barter Sites component 1.3 for Joomla! allows remote attackers to execute arbitrary SQL commands via the category_id parameter to index.php. |
| 39 | CVE-2011-4828 | 94 |  | Exec Code | 2011-12-14 | 2011-12-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Unrestricted file upload vulnerability in includes/inline_image_upload.php in AutoSec Tools V-CMS 1.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in temp/. |
| 40 | CVE-2011-4825 | 94 | 1 |  | 2011-12-14 | 2011-12-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters. |
| 41 | CVE-2011-4824 | 89 |  | Exec Code Sql | 2011-12-14 | 2011-12-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in auth_login.php in Cacti before 0.8.7h allows remote attackers to execute arbitrary SQL commands via the login_username parameter. |
| 42 | CVE-2011-4823 | 89 | 1 | Exec Code Sql | 2011-12-14 | 2011-12-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
Multiple SQL injection vulnerabilities in Vik Real Estate (com_vikrealestate) component 1.0 for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) contract parameter in a results action and (2) imm parameter in a show action to index.php. |
| 43 | CVE-2011-4815 | 20 |  | DoS | 2011-12-29 | 2011-12-30 | 7.8 | None | Remote | Low | Not required | None | None | Complete |
Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. |
| 44 | CVE-2011-4811 | 89 | 1 | Exec Code Sql | 2011-12-13 | 2011-12-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in pokaz_podkat.php in BestShopPro allows remote attackers to execute arbitrary SQL commands via the str parameter. |
| 45 | CVE-2011-4808 | 89 | 1 | Exec Code Sql | 2011-12-13 | 2011-12-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in the HM Community (com_hmcommunity) component before 1.01 for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in a fnd_home action to index.php. |
| 46 | CVE-2011-4803 | 89 | 1 | Exec Code Sql | 2011-12-13 | 2011-12-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in wptouch/ajax.php in the WPTouch plugin for WordPress allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| 47 | CVE-2011-4801 | 89 | 1 | Exec Code Sql | 2011-12-13 | 2011-12-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial |
SQL injection vulnerability in akeyActivationLogin.do in Authenex Web Management Control in Authenex Strong Authentication System (ASAS) Server 3.1.0.2 and 3.1.0.3 allows remote attackers to execute arbitrary SQL commands via the username parameter. |
| 48 | CVE-2011-4788 | 22 |  | Dir. Trav. | 2012-01-12 | 2012-01-13 | 7.8 | None | Remote | Low | Not required | Complete | None | None |
Absolute path traversal vulnerability in the web interface on HP StorageWorks P2000 G3 MSA array systems allows remote attackers to read arbitrary files via a pathname in the URI. |
| 49 | CVE-2011-4785 | 200 |  | Dir. Trav. +Info | 2012-01-10 | 2012-01-17 | 7.8 | None | Remote | Low | Not required | Complete | None | None |
Directory traversal vulnerability in the HP-ChaiSOE/1.0 web server on the HP LaserJet P3015 printer with firmware before 07.080.3, LaserJet 4650 printer with firmware 07.006.0, and LaserJet 2430 printer with firmware 08.113.0_I35128 allows remote attackers to read arbitrary files via unspecified vectors, a different vulnerability than CVE-2008-4419. |
| 50 | CVE-2011-4784 | 20 |  | +Priv | 2011-12-26 | 2011-12-27 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete |
The NVIDIA Stereoscopic 3D driver before 7.17.12.7565 does not properly handle commands sent to a named pipe, which allows local users to gain privileges via a crafted application. |