| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complex
ity
|
Authen
tication
|
Confiden
tiality
|
Integrity
|
Availa
bility
|
|
1 |
CVE-2012-2611 |
20 |
|
Exec Code |
2012-05-15 |
2012-05-15 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The DiagTraceR3Info function in the Dialog processor in disp+work.exe 7010.29.15.58313 and 7200.70.18.23869 in the Dispatcher in SAP NetWeaver 7.0 EHP1 and EHP2, when a certain Developer Trace configuration is enabled, allows remote attackers to execute arbitrary code via a crafted SAP Diag packet. |
|
2 |
CVE-2012-2562 |
20 |
|
Exec Code |
2012-05-22 |
2012-05-22 |
7.6 |
None |
Remote |
High |
Not required |
Complete |
Complete |
Complete |
|
The Xelex MobileTrack application 2.3.7 and earlier for Android does not verify the origin of SMS commands, which allows remote attackers to execute a (1) LOCATE, (2) TRACK, (3) UPDATECFG, (4) UPDATEACCT, (5) STAT, (6) TERM, or (7) WIPE command via an SMS message. |
|
3 |
CVE-2012-2425 |
20 |
|
DoS |
2012-04-25 |
2012-04-27 |
1.8 |
None |
Local Network |
High |
Not required |
None |
None |
Partial |
|
The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009 through 2012, when Internet Explorer is used, allow remote attackers to cause a denial of service (application crash) via a long URI. |
|
4 |
CVE-2012-2374 |
20 |
|
Http R.Spl. |
2012-05-23 |
2012-05-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
CRLF injection vulnerability in the tornado.web.RequestHandler.set_header function in Tornado before 2.2.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input. |
|
5 |
CVE-2012-2336 |
20 |
|
DoS |
2012-05-11 |
2012-05-14 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
sapi/cgi/cgi_main.c in PHP before 5.3.13 and 5.4.x before 5.4.3, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to cause a denial of service (resource consumption) by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'T' case. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1823. |
|
6 |
CVE-2012-2321 |
20 |
|
Exec Code |
2012-05-18 |
2012-05-21 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The loopback plug-in in ConnMan before 0.85 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) host name or (2) domain name in a DHCP reply. |
|
7 |
CVE-2012-2270 |
20 |
|
|
2012-04-20 |
2012-04-26 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in index.php (aka the Login Page) in ownCloud 3.0.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect_url parameter. |
|
8 |
CVE-2012-2268 |
20 |
|
DoS |
2012-04-17 |
2012-04-17 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
master.exe in the SNMP Master Agent in RealNetworks Helix Server and Helix Mobile Server 14.x before 14.3.x allows remote attackers to cause a denial of service (unhandled exception and daemon crash) via a crafted Open-PDU request that triggers incorrect DisplayString processing, a different vulnerability than CVE-2012-1923. |
|
9 |
CVE-2012-2118 |
20 |
|
DoS Exec Code |
2012-05-18 |
2012-05-21 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Format string vulnerability in the LogVHdrMessageVerb function in os/log.c in X.Org X11 1.11 allows attackers to cause a denial of service or possibly execute arbitrary code via format string specifiers in an input device name. |
|
10 |
CVE-2012-2004 |
20 |
|
|
2012-05-02 |
2012-05-03 |
8.3 |
None |
Remote |
Medium |
Not required |
Complete |
Partial |
Partial |
|
Open redirect vulnerability in HP Insight Management Agents before 9.0.0.0 on Windows Server 2003 and 2008 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
11 |
CVE-2012-2002 |
20 |
|
|
2012-05-02 |
2012-05-11 |
8.3 |
None |
Remote |
Medium |
Not required |
Complete |
Partial |
Partial |
|
Open redirect vulnerability in HP SNMP Agents for Linux before 9.0.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
|
12 |
CVE-2012-1929 |
20 |
|
|
2012-03-27 |
2012-04-16 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
Opera before 11.62 on Mac OS X allows remote attackers to spoof the address field and security dialogs via crafted styling that causes page content to be displayed outside of the intended content area. |
|
13 |
CVE-2012-1928 |
20 |
|
|
2012-03-27 |
2012-04-16 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
Opera before 11.62 allows remote attackers to spoof the address field by triggering a page reload followed by a redirect to a different domain. |
|
14 |
CVE-2012-1927 |
20 |
|
|
2012-03-27 |
2012-04-16 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
Opera before 11.62 allows remote attackers to spoof the address field by triggering the launch of a dialog window associated with a different domain. |
|
15 |
CVE-2012-1823 |
20 |
|
Exec Code |
2012-05-11 |
2012-05-11 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not properly handle query strings that lack an = (equals sign) character, which allows remote attackers to execute arbitrary code by placing command-line options in the query string, related to lack of skipping a certain php_getopt for the 'd' case. |
|
16 |
CVE-2012-1785 |
20 |
|
Exec Code |
2012-03-19 |
2012-03-20 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
kg_callffmpeg.php in the Video Embed & Thumbnail Generator plugin before 2.0 for WordPress allows remote attackers to execute arbitrary commands via unspecified vectors. |
|
17 |
CVE-2012-1783 |
20 |
1
|
DoS |
2012-03-19 |
2012-03-20 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Tiny Server 1.1.9 and earlier allows remote attackers to cause a denial of service (crash) via a long string in a GET request without an HTTP version number. |
|
18 |
CVE-2012-1662 |
20 |
|
DoS |
2012-03-21 |
2012-04-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
CA ARCserve Backup r12.0 through SP2, r12.5 before SP2, r15 through SP1, and r16 before SP1 on Windows allows remote attackers to cause a denial of service (service shutdown) via a crafted network request. |
|
19 |
CVE-2012-1589 |
20 |
|
|
2012-05-18 |
2012-05-21 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in the Form API in Drupal 7.x before 7.13 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via crafted parameters in a destination URL. |
|
20 |
CVE-2012-1472 |
20 |
|
DoS |
2012-03-12 |
2012-03-13 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
VMware vCenter Chargeback Manager (aka CBM) before 2.0.1 does not properly handle XML API requests, which allows remote attackers to read arbitrary files or cause a denial of service via unspecified vectors. |
|
21 |
CVE-2012-1244 |
20 |
|
+Info |
2012-04-27 |
2012-04-30 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
The NTT DOCOMO sp mode mail application 5400 and earlier for Android does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
22 |
CVE-2012-1198 |
20 |
1
|
Exec Code |
2012-02-17 |
2012-02-24 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
base_ag_main.php in Basic Analysis and Security Engine (BASE) 1.4.5 allows remote attackers to execute arbitrary code by uploading contents of the file with an executable extension via a create action, then accessing it via a view action. |
|
23 |
CVE-2012-1191 |
20 |
|
|
2012-02-17 |
2012-02-20 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
The resolver in dnscache in Daniel J. Bernstein djbdns 1.05 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack. |
|
24 |
CVE-2012-1172 |
20 |
|
DoS Dir. Trav. |
2012-05-23 |
2012-05-24 |
5.8 |
None |
Remote |
Medium |
Not required |
None |
Partial |
Partial |
|
The file-upload implementation in rfc1867.c in PHP before 5.4.0 does not properly handle invalid [ (open square bracket) characters in name values, which makes it easier for remote attackers to cause a denial of service (malformed $_FILES indexes) or conduct directory traversal attacks during multi-file uploads by leveraging a script that lacks its own filename restrictions. |
|
25 |
CVE-2012-1035 |
20 |
|
DoS |
2012-02-08 |
2012-02-09 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
AdaCore Ada Web Services (AWS) before 2.10.2 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. |
|
26 |
CVE-2012-1023 |
20 |
1
|
|
2012-02-07 |
2012-02-24 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in admin/index.php in 4images 1.7.10 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the redirect parameter. |
|
27 |
CVE-2012-1010 |
20 |
1
|
Exec Code |
2012-02-07 |
2012-02-08 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Unrestricted file upload vulnerability in actions.php in the AllWebMenus plugin before 1.1.8 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a ZIP file containing a PHP file, then accessing it via a direct request to the file in an unspecified directory. |
|
28 |
CVE-2012-1008 |
20 |
1
|
DoS |
2012-02-07 |
2012-02-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
OfficeSIP Server 3.1 allows remote attackers to cause a denial of service (daemon crash) via a crafted To header in a SIP INVITE message. |
|
29 |
CVE-2012-0992 |
20 |
|
Exec Code |
2012-02-07 |
2012-02-08 |
8.5 |
None |
Remote |
Medium |
Single system |
Complete |
Complete |
Complete |
|
interface/fax/fax_dispatch.php in OpenEMR 4.1.0 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the file parameter. |
|
30 |
CVE-2012-0879 |
20 |
|
DoS |
2012-05-17 |
2012-05-17 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The I/O implementation for block devices in the Linux kernel before 2.6.33 does not properly handle the CLONE_IO feature, which allows local users to cause a denial of service (I/O instability) by starting multiple processes that share an I/O context. |
|
31 |
CVE-2012-0865 |
20 |
|
|
2012-02-21 |
2012-02-24 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Multiple open redirect vulnerabilities in CubeCart 3.0.20 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) r parameter to switch.php or (2) goto parameter to admin/login.php. |
|
32 |
CVE-2012-0840 |
20 |
|
DoS |
2012-02-10 |
2012-02-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
tables/apr_hash.c in the Apache Portable Runtime (APR) library through 1.4.5 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. |
|
33 |
CVE-2012-0839 |
20 |
|
DoS |
2012-02-08 |
2012-02-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
OCaml 3.12.1 and earlier computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. |
|
34 |
CVE-2012-0838 |
20 |
|
Exec Code |
2012-03-02 |
2012-03-05 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field. |
|
35 |
CVE-2012-0823 |
20 |
|
DoS |
2012-02-23 |
2012-03-20 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
VP8 Codec SDK (libvpx) before 1.0.0 "Duclair" allows remote attackers to cause a denial of service (application crash) via (1) unspecified "corrupt input" or (2) by "starting decoding from a P-frame," which triggers an out-of-bounds read, related to "the clamping of motion vectors in SPLITMV blocks". |
|
36 |
CVE-2012-0788 |
20 |
|
DoS |
2012-02-14 |
2012-02-14 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The PDORow implementation in PHP before 5.3.9 does not properly interact with the session feature, which allows remote attackers to cause a denial of service (application crash) via a crafted application that uses a PDO driver for a fetch and then calls the session_start function, as demonstrated by a crash of the Apache HTTP Server. |
|
37 |
CVE-2012-0736 |
20 |
|
Exec Code |
2012-05-03 |
2012-05-11 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not properly create scan jobs, which allows remote attackers to execute arbitrary code via a crafted web site. |
|
38 |
CVE-2012-0735 |
20 |
|
+Info |
2012-05-03 |
2012-05-11 |
7.6 |
None |
Remote |
High |
Not required |
Complete |
Complete |
Complete |
|
IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not properly scan file: URLs, which allows man-in-the-middle attackers to obtain sensitive information or possibly have unspecified other impact via a crafted URI. |
|
39 |
CVE-2012-0732 |
20 |
|
+Info |
2012-05-03 |
2012-05-11 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The Enterprise Console client in IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
|
40 |
CVE-2012-0710 |
20 |
|
DoS |
2012-03-20 |
2012-04-13 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
IBM DB2 9.1 before FP11, 9.5 before FP9, 9.7 before FP5, and 9.8 before FP4 allows remote attackers to cause a denial of service (daemon crash) via a crafted Distributed Relational Database Architecture (DRDA) request. |
|
41 |
CVE-2012-0709 |
20 |
|
Bypass |
2012-03-20 |
2012-04-13 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM DB2 9.5 before FP9, 9.7 through FP5, and 9.8 through FP4 does not properly check variables, which allows remote authenticated users to bypass intended restrictions on viewing table data by leveraging the CREATEIN privilege to execute crafted SQL CREATE VARIABLE statements. |
|
42 |
CVE-2012-0676 |
20 |
|
|
2012-05-10 |
2012-05-11 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
WebKit in Apple Safari before 5.1.7 does not properly track state information during the processing of form input, which allows remote attackers to fill in form fields on the pages of arbitrary web sites via unspecified vectors. |
|
43 |
CVE-2012-0674 |
20 |
|
|
2012-05-08 |
2012-05-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Safari in Apple iOS before 5.1.1 allows remote attackers to spoof the location bar's URL via a crafted web site. |
|
44 |
CVE-2012-0641 |
20 |
|
+Info |
2012-03-08 |
2012-03-09 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
CFNetwork in Apple iOS before 5.1 does not properly construct request headers during parsing of URLs, which allows remote attackers to obtain sensitive information via a malformed URL, a different vulnerability than CVE-2011-3447. |
|
45 |
CVE-2012-0584 |
20 |
|
|
2012-03-12 |
2012-03-13 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
The Internationalized Domain Name (IDN) feature in Apple Safari before 5.1.4 on Windows does not properly restrict the characters in URLs, which allows remote attackers to spoof a domain name via unspecified homoglyphs. |
|
46 |
CVE-2012-0463 |
20 |
|
DoS Exec Code Mem. Corr. |
2012-03-14 |
2012-03-15 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The nsWindow implementation in the browser engine in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 does not check the validity of an instance after event dispatching, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, as demonstrated by Mobile Firefox on Android. |
|
47 |
CVE-2012-0448 |
20 |
|
|
2012-02-02 |
2012-02-15 |
4.0 |
None |
Remote |
Low |
Single system |
None |
Partial |
None |
|
Bugzilla 2.x and 3.x before 3.4.14, 3.5.x and 3.6.x before 3.6.8, 3.7.x and 4.0.x before 4.0.4, and 4.1.x and 4.2.x before 4.2rc2 does not reject non-ASCII characters in e-mail addresses of new user accounts, which makes it easier for remote authenticated users to spoof other user accounts by choosing a similar e-mail address. |
|
48 |
CVE-2012-0391 |
20 |
1
|
Exec Code |
2012-01-08 |
2012-01-10 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter. |
|
49 |
CVE-2012-0385 |
20 |
|
DoS |
2012-03-29 |
2012-04-04 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The Smart Install feature in Cisco IOS 12.2, 15.0, 15.1, and 15.2 allows remote attackers to cause a denial of service (device reload) by sending a malformed Smart Install message over TCP, aka Bug ID CSCtt16051. |
|
50 |
CVE-2012-0356 |
20 |
|
DoS |
2012-03-14 |
2012-03-15 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
Cisco Adaptive Security Appliances (ASA) 5500 series devices, and the ASA Services Module (ASASM) in Cisco Catalyst 6500 series devices, with software 7.0 through 7.2 before 7.2(5.7), 8.0 before 8.0(5.27), 8.1 before 8.1(2.53), 8.2 before 8.2(5.8), 8.3 before 8.3(2.25), 8.4 before 8.4(2.5), and 8.5 before 8.5(1.2) and the Firewall Services Module (FWSM) 3.1 and 3.2 before 3.2(23) and 4.0 and 4.1 before 4.1(8) in Cisco Catalyst 6500 series devices, when multicast routing is enabled, allow remote attackers to cause a denial of service (device reload) via a crafted IPv4 PIM message, aka Bug IDs CSCtr47517 and CSCtu97367. |
