| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Confidentiality | Integrity | Availability | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2012-2922 | 200 | | +Info | 2012-05-21 | 2012-05-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The request_path function in includes/bootstrap.inc in Drupal 7.14 and earlier allows remote attackers to obtain sensitive information via the q[] parameter to index.php, which reveals the installation path in an error message. |
| 2 | CVE-2012-2905 | 264 | 1 | +Info | 2012-05-21 | 2012-05-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Artiphp CMS 5.5.0 Neo (r422) stores database backups with predictable names under the web root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request. |
| 3 | CVE-2012-2567 | 255 | | +Info | 2012-05-22 | 2012-05-23 | 2.6 | None | Remote | High | Not required | Partial | None | None | The Xelex MobileTrack application 2.3.7 and earlier for Android uses hardcoded credentials, which allows remote attackers to obtain sensitive information via an unencrypted (1) FTP or (2) HTTP session. |
| 4 | CVE-2012-2423 | 200 | | +Info | 2012-04-25 | 2012-04-27 | 1.8 | None | Local Network | High | Not required | Partial | None | None | The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009 through 2012, when Internet Explorer is used, provide different responses to remote requests depending on whether a ZIP pathname is valid, which allows remote attackers to obtain potentially sensitive information about the installation path and product version via a series of requests involving the Msxml2.XMLHTTP object. |
| 5 | CVE-2012-2422 | 200 | | +Info | 2012-04-25 | 2012-04-27 | 2.9 | None | Local Network | Medium | Not required | Partial | None | None | Intuit QuickBooks 2009 through 2012 might allow remote attackers to obtain pathname information via the qbwc://docontrol/GetCompanyFile functionality. |
| 6 | CVE-2012-2420 | 200 | | Overflow +Info | 2012-04-25 | 2012-05-22 | 1.8 | None | Local Network | High | Not required | Partial | None | None | The intu-help-qb (aka Intuit Help System Async Pluggable Protocol) handlers in HelpAsyncPluggableProtocol.dll in Intuit QuickBooks 2009 through 2012, when Internet Explorer is used, might allow remote attackers to obtain sensitive information via a URI with a % (percent) character as its (1) last or (2) second-to-last character, in situations where a certain "post-URL data" buffer contains a 0x0000 character but a buffer overflow does not occur. |
| 7 | CVE-2012-2223 | 200 | | +Info | 2012-04-11 | 2012-04-11 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The xplat agent in Novell ZENworks Configuration Management (ZCM) 10.3.x before 10.3.4 and 11.x before 11.2 enables the HTTP TRACE method, which might make it easier for remote attackers to conduct cross-site tracing (XST) attacks via unspecified vectors. |
| 8 | CVE-2012-2162 | 310 | | +Info | 2012-05-01 | 2012-05-13 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The Web Server Plug-in in IBM WebSphere Application Server (WAS) 8.0 and earlier uses unencrypted HTTP communication after expiration of the plugin-key.kdb password, which allows remote attackers to obtain sensitive information by sniffing the network, or spoof arbitrary servers via a man-in-the-middle attack. |
| 9 | CVE-2012-1993 | | | +Info | 2012-04-18 | 2012-04-19 | 3.2 | None | Local | Low | Single system | Partial | Partial | None | Unspecified vulnerability in HP System Management Homepage (SMH) before 7.0 allows local users to modify data or obtain sensitive information via unknown vectors. |
| 10 | CVE-2012-1977 | 255 | | +Info | 2012-05-09 | 2012-05-10 | 7.8 | None | Remote | Low | Not required | Complete | None | None | WellinTech KingSCADA 3.0 uses a cleartext base64 format for storage of passwords in user.db, which allows context-dependent attackers to obtain sensitive information by reading this file. |
| 11 | CVE-2012-1930 | 264 | | +Info | 2012-03-27 | 2012-04-16 | 4.6 | None | Local | Low | Not required | Partial | Partial | Partial | Opera before 11.62 on UNIX uses world-readable permissions for temporary files during printing, which allows local users to obtain sensitive information by reading these files. |
| 12 | CVE-2012-1926 | 200 | | Bypass +Info | 2012-03-27 | 2012-04-16 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Opera before 11.62 allows remote attackers to bypass the Same Origin Policy via the (1) history.pushState and (2) history.replaceState functions in conjunction with cross-domain frames, leading to unintended read access to history.state information. |
| 13 | CVE-2012-1923 | 310 | | +Info | 2012-04-17 | 2012-04-17 | 2.1 | None | Local | Low | Not required | Partial | None | None | RealNetworks Helix Server and Helix Mobile Server 14.x before 14.3.x store passwords in cleartext under adm_b_db\users\, which allows local users to obtain sensitive information by reading a database. |
| 14 | CVE-2012-1920 | 200 | | +Info | 2012-03-27 | 2012-03-28 | 5.0 | None | Remote | Low | Not required | Partial | None | None | @Mail WebMail Client in AtMail Open-Source 1.04 and earlier allows remote attackers to obtain configuration information via a direct request to install/info.php, which calls the phpinfo function. |
| 15 | CVE-2012-1902 | 200 | | +Info | 2012-04-06 | 2012-04-09 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | show_config_errors.php in phpMyAdmin 3.4.x before 3.4.10.2, when a configuration file does not exist, allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message about this missing file. |
| 16 | CVE-2012-1838 | 287 | | Bypass +Info | 2012-03-22 | 2012-04-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The web management interface on the LG-Nortel ELO GS24M switch allows remote attackers to bypass authentication, and consequently obtain cleartext credential and configuration information, via a direct request to a configuration web page. |
| 17 | CVE-2012-1837 | 200 | | +Info | 2012-03-21 | 2012-04-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The (1) webreports, (2) post/create-role, and (3) post/update-role programs in IBM Tivoli Endpoint Manager (TEM) before 8.2 do not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. |
| 18 | CVE-2012-1786 | 200 | | +Info | 2012-03-19 | 2012-03-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Media Upload form in the Video Embed & Thumbnail Generator plugin before 2.0 for WordPress allows remote attackers to obtain the installation path via unknown vectors. |
| 19 | CVE-2012-1670 | 200 | 1 | +Info | 2012-03-31 | 2012-04-02 | 5.0 | None | Remote | Low | Not required | Partial | None | None | admin/index.php in PHP Grade Book before 1.9.5 BETA allows remote attackers to read the database via a SaveSQL action. |
| 20 | CVE-2012-1513 | 200 | | +Info | 2012-03-16 | 2012-04-24 | 4.0 | None | Remote | Low | Single system | Partial | None | None | The Web Configuration tool in VMware vCenter Orchestrator (vCO) 4.0 before Update 4, 4.1 before Update 2, and 4.2 before Update 1 places the vCenter Server password in an HTML document, which allows remote authenticated administrators to obtain sensitive information by reading this document. |
| 21 | CVE-2012-1466 | 200 | 1 | +Info | 2012-03-19 | 2012-03-27 | 7.8 | None | Remote | Low | Not required | None | None | Complete | The Traffic Grapher Server for NetMechanica NetDecision before 4.6.1 allows remote attackers to obtain the source code of NtDecision script files with a .nd extension via an invalid version number in an HTTP request, as demonstrated using default.nd. NOTE: some of these details are obtained from third party information. |
| 22 | CVE-2012-1464 | 200 | 1 | +Info | 2012-03-19 | 2012-03-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Dashboard Server for NetMechanica NetDecision before 4.6.1 allows remote attackers to obtain the installation path via a request with a trailing "?" character, which causes Dashboard to attempt to access a non-existent resource. NOTE: some of these details are obtained from third party information. |
| 23 | CVE-2012-1292 | | | +Info | 2012-02-23 | 2012-02-27 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Unspecified vulnerability in the MessagingSystem servlet in SAP NetWeaver 7.0 allows remote attackers to obtain sensitive information about the MessagingSystem Performance Data via unspecified vectors. |
| 24 | CVE-2012-1291 | | | +Info | 2012-02-23 | 2012-02-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Unspecified vulnerability in the com.sap.aii.mdt.amt.web.AMTPageProcessor servlet in SAP NetWeaver 7.0 allows remote attackers to obtain sensitive information about the Adapter Monitor via unspecified vectors, possibly related to the EnableInvokerServletGlobally property in the servlet_jsp service. |
| 25 | CVE-2012-1249 | 200 | | +Info | 2012-05-21 | 2012-05-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The iLunascape application 1.0.4.0 and earlier for Android does not properly implement the WebView class, which allows remote attackers to obtain sensitive stored information via a crafted application. |
| 26 | CVE-2012-1244 | 20 | | +Info | 2012-04-27 | 2012-04-30 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | The NTT DOCOMO sp mode mail application 5400 and earlier for Android does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 27 | CVE-2012-1243 | 200 | | +Info | 2012-04-21 | 2012-04-23 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The TwitRocker2 application before 1.0.23 for Android does not properly implement the WebView class, which allows remote attackers to obtain sensitive information via a crafted application. |
| 28 | CVE-2012-1223 | 200 | | +Info | 2012-02-21 | 2012-02-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None | RabidHamster R2/Extreme 1.65 and earlier uses a small search space of values for the PIN number, which allows remote attackers to obtain the PIN number via a brute force attack. |
| 29 | CVE-2012-1180 | 399 | | +Info | 2012-04-17 | 2012-05-22 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Use-after-free vulnerability in nginx before 1.0.14 and 1.1.x before 1.1.17 allows remote HTTP servers to obtain sensitive information from process memory via a crafted backend response, in conjunction with a client request. |
| 30 | CVE-2012-1085 | | | +Info | 2012-02-14 | 2012-02-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Unspecified vulnerability in the BE User Switch (beuserswitch) extension 0.0.1 for TYPO3 allows remote attackers to obtain sensitive information via unknown vectors. |
| 31 | CVE-2012-1078 | 264 | | +Info | 2012-02-14 | 2012-02-24 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The System Utilities (sysutils) extension 1.0.3 and earlier for TYPO3 allows remote attackers to obtain sensitive information via unspecified vectors related to improper "protection" of the "backup output directory." |
| 32 | CVE-2012-0817 | 200 | | DoS +Info | 2012-01-30 | 2012-02-24 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Memory leak in smbd in Samba 3.6.x before 3.6.3 allows remote attackers to cause a denial of service (memory and CPU consumption) by making many connection requests. |
| 33 | CVE-2012-0814 | 255 | | +Info | 2012-01-27 | 2012-02-16 | 3.5 | None | Remote | Medium | Single system | Partial | None | None | The auth_parse_options function in auth-options.c in sshd in OpenSSH before 5.7 provides debug messages containing authorized_keys command options, which allows remote authenticated users to obtain potentially sensitive information by reading these messages, as demonstrated by the shared user account required by Gitolite. NOTE: this can cross privilege boundaries because a user account may intentionally have no shell or filesystem access, and therefore may have no supported way to read an authorized_keys file in its own home directory. |
| 34 | CVE-2012-0769 | 189 | | +Info | 2012-03-05 | 2012-04-19 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Adobe Flash Player before 10.3.183.16 and 11.x before 11.1.102.63 on Windows, Mac OS X, Linux, and Solaris; before 11.1.111.7 on Android 2.x and 3.x; and before 11.1.115.7 on Android 4.x does not properly handle integers, which allows attackers to obtain sensitive information via unspecified vectors. |
| 35 | CVE-2012-0742 | 200 | | +Info | 2012-04-09 | 2012-04-10 | 1.9 | None | Local | Medium | Not required | Partial | None | None | IBM Tivoli Event Pump 4.2.2, when the LOG_REQUESTS and VALIDATE_SOAP_USERS options are enabled, places credentials into the AOPSCLOG (aka AOPLOG) data set, which allows local users to obtain sensitive information by reading the data. |
| 36 | CVE-2012-0735 | 20 | | +Info | 2012-05-03 | 2012-05-11 | 7.6 | None | Remote | High | Not required | Complete | Complete | Complete | IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not properly scan file: URLs, which allows man-in-the-middle attackers to obtain sensitive information or possibly have unspecified other impact via a crafted URI. |
| 37 | CVE-2012-0734 | | | +Info | 2012-05-03 | 2012-05-11 | 7.6 | None | Remote | High | Not required | Complete | Complete | Complete | IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not properly import jobs, which allows man-in-the-middle attackers to obtain sensitive information or possibly have unspecified other impact via a crafted job. |
| 38 | CVE-2012-0732 | 20 | | +Info | 2012-05-03 | 2012-05-11 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | The Enterprise Console client in IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. |
| 39 | CVE-2012-0731 | 200 | | +Info | 2012-05-03 | 2012-05-11 | 6.8 | None | Remote | Low | Single system | Complete | None | None | IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not prevent service-account impersonation, which allows remote authenticated users to read arbitrary files via unspecified vectors. |
| 40 | CVE-2012-0690 | 200 | | +Info | 2012-03-13 | 2012-03-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | TIBCO Spotfire Web Application, Web Player Application, Automation Services Application, and Analytics Client Application in Spotfire Analytics Server before 10.1.2; Server before 3.3.3; and Web Player, Automation Services, and Professional before 4.0.2 allow remote attackers to obtain sensitive information via a crafted URL. |
| 41 | CVE-2012-0689 | 200 | | +Info | 2012-03-13 | 2012-03-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The server in TIBCO ActiveMatrix Platform in TIBCO Silver Fabric ActiveMatrix Service Grid Distribution 3.1.3, Service Grid and Service Bus 3.x before 3.1.5, BusinessWorks Service Engine 5.9.x before 5.9.3, and BPM before 1.3.0 allows remote attackers to discover credentials via unspecified vectors. |
| 42 | CVE-2012-0687 | 200 | | +Info | 2012-03-13 | 2012-03-14 | 5.0 | None | Remote | Low | Not required | Partial | None | None | TIBCO ActiveMatrix Runtime Platform in Service Grid and Service Bus 2.x before 2.3.2 and BusinessWorks Service Engine before 5.8.2; TIBCO ActiveMatrix Platform in TIBCO Silver Fabric ActiveMatrix Service Grid Distribution 3.1.3, Service Grid and Service Bus 3.x before 3.1.5, BusinessWorks Service Engine 5.9.x before 5.9.3, and BPM before 1.3.0; TIBCO BusinessEvents Runtime in Enterprise and Inference Editions 3.x before 3.0.3, Standard Edition 4.x before 4.0.2, and Standard Edition and Express 5.0.0; and TIBCO BusinessWorks Engine in TIBCO Silver Fabric ActiveMatrix BusinessWorks Distribution 5.9.2 and ActiveMatrix BusinessWorks before 5.9.3 allow remote attackers to obtain sensitive information via a crafted URL. |
| 43 | CVE-2012-0652 | 200 | | +Info | 2012-05-10 | 2012-05-11 | 4.9 | None | Local | Low | Not required | Complete | None | None | Login Window in Apple Mac OS X 10.7.3, when Legacy File Vault or networked home directories are enabled, does not properly restrict what is written to the system log for network logins, which allows local users to obtain sensitive information by reading the log. |
| 44 | CVE-2012-0651 | 200 | | +Info | 2012-05-10 | 2012-05-11 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The directory server in Directory Service in Apple Mac OS X 10.6.8 allows remote attackers to obtain sensitive information from process memory via a crafted message. |
| 45 | CVE-2012-0647 | 200 | | +Info | 2012-03-12 | 2012-03-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | WebKit in Apple Safari before 5.1.4 does not properly handle redirects in conjunction with HTTP authentication, which might allow remote web servers to capture credentials by logging the Authorization HTTP header. |
| 46 | CVE-2012-0641 | 20 | | +Info | 2012-03-08 | 2012-03-09 | 5.0 | None | Remote | Low | Not required | Partial | None | None | CFNetwork in Apple iOS before 5.1 does not properly construct request headers during parsing of URLs, which allows remote attackers to obtain sensitive information via a malformed URL, a different vulnerability than CVE-2011-3447. |
| 47 | CVE-2012-0640 | 200 | | +Info | 2012-03-12 | 2012-03-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | WebKit in Apple Safari before 5.1.4 does not properly implement "From third parties and advertisers" cookie blocking, which makes it easier for remote web servers to track users via a cookie. |
| 48 | CVE-2012-0473 | 189 | | +Info | 2012-04-25 | 2012-04-25 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The WebGLBuffer::FindMaxUshortElement function in Mozilla Firefox 4.x through 11.0, Firefox ESR 10.x before 10.0.4, Thunderbird 5.0 through 11.0, Thunderbird ESR 10.x before 10.0.4, and SeaMonkey before 2.9 calls the FindMaxElementInSubArray function with incorrect template arguments, which allows remote attackers to obtain sensitive information from video memory via a crafted WebGL.drawElements call. |
| 49 | CVE-2012-0466 | 264 | | XSS +Info | 2012-04-27 | 2012-04-30 | 4.0 | None | Remote | High | Not required | Partial | Partial | None | template/en/default/list/list.js.tmpl in Bugzilla 2.x and 3.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1 does not properly handle multiple logins, which allows remote attackers to conduct cross-site scripting (XSS) attacks and obtain sensitive bug information via a crafted web page. |
| 50 | CVE-2012-0456 | 200 | | +Info | 2012-03-14 | 2012-03-15 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The SVG Filters implementation in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 might allow remote attackers to obtain sensitive information from process memory via vectors that trigger an out-of-bounds read. |