| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complex
ity
|
Authen
tication
|
Confiden
tiality
|
Integrity
|
Availa
bility
|
|
1 |
CVE-2012-2922 |
200 |
|
+Info |
2012-05-21 |
2012-05-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message. |
|
2 |
CVE-2012-2423 |
200 |
|
+Info |
2012-04-25 |
2012-04-27 |
1.8 |
None |
Local Network |
High |
Not required |
Partial |
None |
None |
|
The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009 through 2012, when Internet Explorer is used, provide different responses to remote requests depending on whether a ZIP pathname is valid, which allows remote attackers to obtain potentially sensitive information about the installation path and product version via a series of requests involving the Msxml2.XMLHTTP object. |
|
3 |
CVE-2012-2422 |
200 |
|
+Info |
2012-04-25 |
2012-04-27 |
2.9 |
None |
Local Network |
Medium |
Not required |
Partial |
None |
None |
|
Intuit QuickBooks 2009 through 2012 might allow remote attackers to obtain pathname information via the qbwc://docontrol/GetCompanyFile functionality. |
|
4 |
CVE-2012-2420 |
200 |
|
Overflow +Info |
2012-04-25 |
2012-05-22 |
1.8 |
None |
Local Network |
High |
Not required |
Partial |
None |
None |
|
The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009 through 2012, when Internet Explorer is used, might allow remote attackers to obtain sensitive information via a URI with a % (percent) character as its (1) last or (2) second-to-last character, in situations where a certain "post-URL data" buffer contains a 0x0000 character but a buffer overflow does not occur. |
|
5 |
CVE-2012-2223 |
200 |
|
+Info |
2012-04-11 |
2012-04-11 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The xplat agent in Novell ZENworks Configuration Management (ZCM) 10.3.x before 10.3.4 and 11.x before 11.2 enables the HTTP TRACE method, which might make it easier for remote attackers to conduct cross-site tracing (XST) attacks via unspecified vectors. |
|
6 |
CVE-2012-1926 |
200 |
|
Bypass +Info |
2012-03-27 |
2012-04-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Opera before 11.62 allows remote attackers to bypass the Same Origin Policy via the (1) history.pushState and (2) history.replaceState functions in conjunction with cross-domain frames, leading to unintended read access to history.state information. |
|
7 |
CVE-2012-1920 |
200 |
|
+Info |
2012-03-27 |
2012-03-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
@Mail WebMail Client in AtMail Open-Source 1.04 and earlier allows remote attackers to obtain configuration information via a direct request to install/info.php, which calls the phpinfo function. |
|
8 |
CVE-2012-1902 |
200 |
|
+Info |
2012-04-06 |
2012-04-09 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
show_config_errors.php in phpMyAdmin 3.4.x before 3.4.10.2, when a configuration file does not exist, allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message about this missing file. |
|
9 |
CVE-2012-1837 |
200 |
|
+Info |
2012-03-21 |
2012-04-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The (1) webreports, (2) post/create-role, and (3) post/update-role programs in IBM Tivoli Endpoint Manager (TEM) before 8.2 do not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. |
|
10 |
CVE-2012-1786 |
200 |
|
+Info |
2012-03-19 |
2012-03-20 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Media Upload form in the Video Embed & Thumbnail Generator plugin before 2.0 for WordPress allows remote attackers to obtain the installation path via unknown vectors. |
|
11 |
CVE-2012-1670 |
200 |
1
|
+Info |
2012-03-31 |
2012-04-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
admin/index.php in PHP Grade Book before 1.9.5 BETA allows remote attackers to read the database via a SaveSQL action. |
|
12 |
CVE-2012-1513 |
200 |
|
+Info |
2012-03-16 |
2012-04-24 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The Web Configuration tool in VMware vCenter Orchestrator (vCO) 4.0 before Update 4, 4.1 before Update 2, and 4.2 before Update 1 places the vCenter Server password in an HTML document, which allows remote authenticated administrators to obtain sensitive information by reading this document. |
|
13 |
CVE-2012-1466 |
200 |
1
|
+Info |
2012-03-19 |
2012-03-27 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The Traffic Grapher Server for NetMechanica NetDecision before 4.6.1 allows remote attackers to obtain the source code of NtDecision script files with a .nd extension via an invalid version number in an HTTP request, as demonstrated using default.nd. NOTE: some of these details are obtained from third party information. |
|
14 |
CVE-2012-1464 |
200 |
1
|
+Info |
2012-03-19 |
2012-03-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Dashboard Server for NetMechanica NetDecision before 4.6.1 allows remote attackers to obtain the installation path via a request with a trailing "?" character, which causes Dashboard to attempt to access a non-existent resource. NOTE: some of these details are obtained from third party information. |
|
15 |
CVE-2012-1249 |
200 |
|
+Info |
2012-05-21 |
2012-05-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The iLunascape application 1.0.4.0 and earlier for Android does not properly implement the WebView class, which allows remote attackers to obtain sensitive stored information via a crafted application. |
|
16 |
CVE-2012-1243 |
200 |
|
+Info |
2012-04-21 |
2012-04-23 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The TwitRocker2 application before 1.0.23 for Android does not properly implement the WebView class, which allows remote attackers to obtain sensitive information via a crafted application. |
|
17 |
CVE-2012-1223 |
200 |
|
+Info |
2012-02-21 |
2012-02-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
RabidHamster R2/Extreme 1.65 and earlier uses a small search space of values for the PIN number, which allows remote attackers to obtain the PIN number via a brute force attack. |
|
18 |
CVE-2012-0817 |
200 |
|
DoS +Info |
2012-01-30 |
2012-02-24 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Memory leak in smbd in Samba 3.6.x before 3.6.3 allows remote attackers to cause a denial of service (memory and CPU consumption) by making many connection requests. |
|
19 |
CVE-2012-0742 |
200 |
|
+Info |
2012-04-09 |
2012-04-10 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
IBM Tivoli Event Pump 4.2.2, when the LOG_REQUESTS and VALIDATE_SOAP_USERS options are enabled, places credentials into the AOPSCLOG (aka AOPLOG) data set, which allows local users to obtain sensitive information by reading the data. |
|
20 |
CVE-2012-0731 |
200 |
|
+Info |
2012-05-03 |
2012-05-11 |
6.8 |
None |
Remote |
Low |
Single system |
Complete |
None |
None |
|
IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not prevent service-account impersonation, which allows remote authenticated users to read arbitrary files via unspecified vectors. |
|
21 |
CVE-2012-0690 |
200 |
|
+Info |
2012-03-13 |
2012-03-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
TIBCO Spotfire Web Application, Web Player Application, Automation Services Application, and Analytics Client Application in Spotfire Analytics Server before 10.1.2; Server before 3.3.3; and Web Player, Automation Services, and Professional before 4.0.2 allow remote attackers to obtain sensitive information via a crafted URL. |
|
22 |
CVE-2012-0689 |
200 |
|
+Info |
2012-03-13 |
2012-03-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The server in TIBCO ActiveMatrix Platform in TIBCO Silver Fabric ActiveMatrix Service Grid Distribution 3.1.3, Service Grid and Service Bus 3.x before 3.1.5, BusinessWorks Service Engine 5.9.x before 5.9.3, and BPM before 1.3.0 allows remote attackers to discover credentials via unspecified vectors. |
|
23 |
CVE-2012-0687 |
200 |
|
+Info |
2012-03-13 |
2012-03-14 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
TIBCO ActiveMatrix Runtime Platform in Service Grid and Service Bus 2.x before 2.3.2 and BusinessWorks Service Engine before 5.8.2; TIBCO ActiveMatrix Platform in TIBCO Silver Fabric ActiveMatrix Service Grid Distribution 3.1.3, Service Grid and Service Bus 3.x before 3.1.5, BusinessWorks Service Engine 5.9.x before 5.9.3, and BPM before 1.3.0; TIBCO BusinessEvents Runtime in Enterprise and Inference Editions 3.x before 3.0.3, Standard Edition 4.x before 4.0.2, and Standard Edition and Express 5.0.0; and TIBCO BusinessWorks Engine in TIBCO Silver Fabric ActiveMatrix BusinessWorks Distribution 5.9.2 and ActiveMatrix BusinessWorks before 5.9.3 allow remote attackers to obtain sensitive information via a crafted URL. |
|
24 |
CVE-2012-0652 |
200 |
|
+Info |
2012-05-10 |
2012-05-11 |
4.9 |
None |
Local |
Low |
Not required |
Complete |
None |
None |
|
Login Window in Apple Mac OS X 10.7.3, when Legacy File Vault or networked home directories are enabled, does not properly restrict what is written to the system log for network logins, which allows local users to obtain sensitive information by reading the log. |
|
25 |
CVE-2012-0651 |
200 |
|
+Info |
2012-05-10 |
2012-05-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The directory server in Directory Service in Apple Mac OS X 10.6.8 allows remote attackers to obtain sensitive information from process memory via a crafted message. |
|
26 |
CVE-2012-0647 |
200 |
|
+Info |
2012-03-12 |
2012-03-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WebKit in Apple Safari before 5.1.4 does not properly handle redirects in conjunction with HTTP authentication, which might allow remote web servers to capture credentials by logging the Authorization HTTP header. |
|
27 |
CVE-2012-0640 |
200 |
|
+Info |
2012-03-12 |
2012-03-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WebKit in Apple Safari before 5.1.4 does not properly implement "From third parties and advertisers" cookie blocking, which makes it easier for remote web servers to track users via a cookie. |
|
28 |
CVE-2012-0456 |
200 |
|
+Info |
2012-03-14 |
2012-03-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The SVG Filters implementation in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 might allow remote attackers to obtain sensitive information from process memory via vectors that trigger an out-of-bounds read. |
|
29 |
CVE-2012-0447 |
200 |
|
+Info |
2012-02-01 |
2012-02-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Mozilla Firefox 4.x through 9.0, Thunderbird 5.0 through 9.0, and SeaMonkey before 2.7 do not properly initialize data for image/vnd.microsoft.icon images, which allows remote attackers to obtain potentially sensitive information by reading a PNG image that was created through conversion from an ICO image. |
|
30 |
CVE-2012-0328 |
200 |
|
+Info |
2012-03-19 |
2012-04-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Janetter before 3.3.0.0 (aka 3.3.0) allows remote attackers to obtain session information for twitter.com web sites via unspecified vectors. |
|
31 |
CVE-2012-0316 |
200 |
|
+Info |
2012-03-01 |
2012-03-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Cookpad 1.5.16 and earlier and Cookpad Noseru 1.1.1 and earlier applications for Android do not properly implement the WebView class, which allows remote attackers to obtain sensitive information via a crafted application. |
|
32 |
CVE-2012-0236 |
200 |
|
+Info |
2012-02-21 |
2012-02-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Advantech/BroadWin WebAccess 7.0 and earlier allows remote attackers to obtain sensitive information via a direct request to a URL. NOTE: the vendor reportedly "does not consider it to be a security risk." |
|
33 |
CVE-2012-0130 |
200 |
|
+Info |
2012-04-05 |
2012-04-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
HP Onboard Administrator (OA) before 3.50 allows remote attackers to obtain sensitive information via unspecified vectors. |
|
34 |
CVE-2012-0012 |
200 |
|
+Info |
2012-02-14 |
2012-02-28 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Microsoft Internet Explorer 9 does not properly handle the creation and initialization of string objects, which allows remote attackers to read data from arbitrary process-memory locations via a crafted web site, aka "Null Byte Information Disclosure Vulnerability." |
|
35 |
CVE-2012-0010 |
200 |
|
+Info |
2012-02-14 |
2012-02-28 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Microsoft Internet Explorer 6 through 9 does not properly perform copy-and-paste operations, which allows user-assisted remote attackers to read content from a different (1) domain or (2) zone via a crafted web site, aka "Copy and Paste Information Disclosure Vulnerability." |
|
36 |
CVE-2011-5067 |
200 |
|
+Info |
2012-01-28 |
2012-01-30 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
move_uploaded_file.php in Support Incident Tracker (aka SiT!) 3.65 allows remote authenticated users to obtain sensitive information via the file name, which reveals the installation path in an error message. |
|
37 |
CVE-2011-5066 |
200 |
|
+Info |
2012-01-14 |
2012-02-08 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The SibRaRecoverableSiXaResource class in the Default Messaging Component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 does not properly handle a Service Integration Bus (SIB) dump operation involving the First Failure Data Capture (FFDC) introspection code, which allows local users to obtain sensitive information by reading the FFDC log file. |
|
38 |
CVE-2011-4898 |
200 |
1
|
+Info |
2012-01-30 |
2012-01-31 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
** DISPUTED ** wp-admin/setup-config.php in the installation component in WordPress 3.3.1 and earlier generates different error messages for requests lacking a dbname parameter depending on whether the MySQL credentials are valid, which makes it easier for remote attackers to conduct brute-force attacks via a series of requests with different uname and pwd parameters. NOTE: the vendor disputes the significance of this issue; also, it is unclear whether providing intentionally vague error messages during installation would be reasonable from a usability perspective. |
|
39 |
CVE-2011-4897 |
200 |
|
+Info |
2011-12-22 |
2011-12-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Tor before 0.2.2.25-alpha, when configured as a relay without the Nickname configuration option, uses the local hostname as the Nickname value, which allows remote attackers to obtain potentially sensitive information by reading this value. |
|
40 |
CVE-2011-4896 |
200 |
|
+Info |
2011-12-22 |
2011-12-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Tor before 0.2.2.24-alpha continues to use a reachable bridge that was previously configured but is not currently configured, which might allow remote attackers to obtain sensitive information about clients in opportunistic circumstances by monitoring network traffic to the bridge port. |
|
41 |
CVE-2011-4895 |
200 |
|
+Info |
2011-12-22 |
2011-12-23 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Tor before 0.2.2.34, when configured as a bridge, sets up circuits through a process different from the process used by a client, which makes it easier for remote attackers to enumerate bridges by observing circuit building. |
|
42 |
CVE-2011-4894 |
200 |
|
+Info |
2011-12-22 |
2011-12-23 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Tor before 0.2.2.34, when configured as a bridge, uses direct DirPort access instead of a Tor TLS connection for a directory fetch, which makes it easier for remote attackers to enumerate bridges by observing DirPort connections. |
|
43 |
CVE-2011-4872 |
200 |
|
+Info |
2012-02-05 |
2012-02-16 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
Multiple HTC Android devices including Desire HD FRG83D and GRI40, Glacier FRG83, Droid Incredible FRF91, Thunderbolt 4G FRG83D, Sensation Z710e GRI40, Sensation 4G GRI40, Desire S GRI40, EVO 3D GRI40, and EVO 4G GRI40 allow remote attackers to obtain 802.1X Wi-Fi credentials and SSID via a crafted application that uses the android.permission.ACCESS_WIFI_STATE permission to call the toString method on the WifiConfiguration class. |
|
44 |
CVE-2011-4866 |
200 |
|
+Info |
2012-01-24 |
2012-01-25 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
The Kaixin001 (com.kaixin001.activity) application 1.3.1 and 1.3.3 for Android does not properly protect data, which allows remote attackers to read or modify contact information and a cleartext password via a crafted application. |
|
45 |
CVE-2011-4853 |
200 |
|
+Info |
2011-12-16 |
2012-02-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 includes an RFC 1918 IP address within a web page, which allows remote attackers to obtain potentially sensitive information by reading this page, as demonstrated by smb/user/list-data/items-per-page/ and certain other files. |
|
46 |
CVE-2011-4852 |
200 |
|
+Info |
2011-12-16 |
2012-02-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 generates web pages containing external links in response to GET requests with query strings for enterprise/mobile-monitor/ and certain other files, which makes it easier for remote attackers to obtain sensitive information by reading (1) web-server access logs or (2) web-server Referer logs, related to a "cross-domain Referer leakage" issue. |
|
47 |
CVE-2011-4850 |
200 |
|
+Info |
2011-12-16 |
2011-12-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by help.php and certain other files. |
|
48 |
CVE-2011-4849 |
200 |
|
+Info |
2011-12-16 |
2012-02-01 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session, as demonstrated by cookies used by help.php and certain other files. |
|
49 |
CVE-2011-4848 |
200 |
|
Bypass +Info |
2011-12-16 |
2012-02-01 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 includes a submitted password within an HTTP response body, which allows remote attackers to obtain sensitive information by sniffing the network, as demonstrated by password handling in certain files under client@1/domain@1/backup/local-repository/. |
|
50 |
CVE-2011-4817 |
200 |
|
+Info |
2012-03-12 |
2012-03-13 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
The About option on the Help menu in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5; IBM Tivoli Asset Management for IT 6.2, 7.1, and 7.2; IBM Tivoli Service Request Manager 7.1 and 7.2; IBM Maximo Service Desk 6.2; and IBM Tivoli Change and Configuration Management Database (CCMDB) 6.2, 7.1, and 7.2 shows the username, which might allow remote authenticated users to have an unspecified impact via a targeted attack against the corresponding user account. |
