# |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
50251 |
CVE-2012-1658 |
79 |
|
XSS |
2012-09-18 |
2017-08-28 |
2.1 |
None |
Remote |
High |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Read More Link module 6.x-3.x before 6.x-3.1 for Drupal allows remote authenticated users with the access administration pages permission to inject arbitrary web script or HTML via unspecified vectors. |
50252 |
CVE-2012-1657 |
79 |
|
XSS |
2012-09-18 |
2017-08-28 |
2.1 |
None |
Remote |
High |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in block_class.module in the Block Class module before 7.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the class name. |
50253 |
CVE-2012-1656 |
89 |
|
Exec Code Sql |
2012-09-18 |
2017-08-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
SQL injection vulnerability in the Multisite Search module 6.x-2.2 for Drupal allows remote authenticated users with certain permissions to execute arbitrary SQL commands via the Site table prefix field. |
50254 |
CVE-2012-1655 |
|
|
|
2012-09-18 |
2017-08-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
Unspecified vulnerability in the UC PayDutchGroup / WeDeal payment module 6.x-1.0 for Drupal allows remote authenticated users to obtain account credentials via unknown attack vectors. |
50255 |
CVE-2012-1654 |
79 |
|
XSS |
2012-09-18 |
2012-12-20 |
2.1 |
None |
Remote |
High |
Single system |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in the Data module 6.x-1.x before 6.x-1.0 and 7.x-1.x before 7.x-1.0-alpha3 for Drupal allow remote authenticated users with the administer data tables permission to inject arbitrary web script or HTML via the title parameter in (1) data.views.inc and (2) data_ui/data_ui.admin.inc. |
50256 |
CVE-2012-1653 |
79 |
|
XSS |
2012-09-19 |
2017-08-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Taxonomy Views Integrator (TVI) module 6.x-1.x before 6.x-1.3 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, related to "views pages." |
50257 |
CVE-2012-1652 |
79 |
|
XSS |
2012-09-19 |
2017-08-28 |
2.1 |
None |
Remote |
High |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Hierarchical Select module 6.x-3.x before 6.x-3.8 for Drupal allows remote authenticated users with administer taxonomy permissions to inject arbitrary web script or HTML via unspecified vectors related to "the vocabulary's help text." |
50258 |
CVE-2012-1651 |
79 |
|
XSS |
2012-09-19 |
2012-09-20 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Submenu Tree module before 6.x-1.5 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
50259 |
CVE-2012-1650 |
264 |
|
Bypass |
2012-08-28 |
2017-08-28 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
The ZipCart module 6.x before 6.x-1.4 for Drupal checks the "access content" permission instead of the "access ZipCart downloads" permission when building archives, which allows remote authenticated users with access content permission to bypass intended access restrictions. |
50260 |
CVE-2012-1649 |
264 |
|
|
2012-09-09 |
2017-08-28 |
4.9 |
None |
Remote |
Medium |
Single system |
None |
Partial |
Partial |
Cool Aid module before 6.x-1.9 for Drupal does not enforce access restrictions, which allows remote authenticated users with the administer coolaid permission to modify arbitrary pages via unspecified vectors. |
50261 |
CVE-2012-1648 |
79 |
|
XSS |
2012-09-09 |
2017-08-28 |
2.1 |
None |
Remote |
High |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Cool Aid module before 6.x-1.9 for Drupal allows remote authenticated users with the administer coolaid permission to inject arbitrary web script or HTML via unspecified vectors. |
50262 |
CVE-2012-1647 |
79 |
|
XSS |
2012-08-28 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in the "stand alone PHP application for the OSM Player," as used in the MediaFront module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.5 for Drupal, allow remote attackers to inject arbitrary web script or HTML via (1) $_SERVER['HTTP_HOST'] or (2) $_SERVER['SCRIPT_NAME'] to players/osmplayer/player/OSMPlayer.php, (3) playlist parameter to players/osmplayer/player/getplaylist.php, and possibly other vectors related to $_SESSION. |
50263 |
CVE-2012-1646 |
79 |
|
XSS |
2012-09-25 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in the FAQ module 6.x-1.x before 6.x-1.13 and 7.x-1.x-rc1 for Drupal allow remote authenticated users to inject arbitrary web script or HTML via the (1) title parameter in faq.admin.inc or (2) detailed_question parameter in faq.module. |
50264 |
CVE-2012-1645 |
200 |
|
+Info |
2012-08-28 |
2012-08-29 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
The CDN module 6.x-2.2 and 7.x-2.2 for Drupal, when running in Origin Pull mode with the "Far Future expiration" option enabled, allows remote attackers to read arbitrary PHP files via unspecified vectors, as demonstrated by reading settings.php. |
50265 |
CVE-2012-1644 |
264 |
|
|
2012-08-28 |
2017-08-28 |
2.1 |
None |
Remote |
High |
Single system |
None |
Partial |
None |
The Organic Groups (OG) Vocabulary module 6.x-1.x before 6.x-1.2 for Drupal allows remote authenticated users with certain administrator permissions to modify the vocabularies of other groups via unspecified vectors. |
50266 |
CVE-2012-1643 |
264 |
|
|
2012-08-28 |
2012-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
The Faster Permissions module 7.x-2.x before 7.x-1.2 for Drupal does not check the "administer permissions" permission, which allows remote attackers to modify access permissions via unspecified vectors. |
50267 |
CVE-2012-1642 |
264 |
|
+Info |
2012-08-28 |
2012-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
includes/linkchecker.pages.inc in the Link checker module 6.x-2.x before 6.x-2.5 for Drupal does not properly enforce access permissions on broken links, which allows remote attackers to obtain sensitive information via unspecified vectors. |
50268 |
CVE-2012-1641 |
264 |
|
Exec Code |
2012-08-28 |
2012-08-29 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
The finder_import function in the Finder module 6.x-1.x before 6.x-1.26, 7.x-1.x, and 7.x-2.x before 7.x-2.0-alpha8 for Drupal allows remote authenticated users with the administer finder permission to execute arbitrary PHP code via admin/build/finder/import. |
50269 |
CVE-2012-1640 |
79 |
|
XSS |
2012-09-19 |
2017-08-28 |
2.1 |
None |
Remote |
High |
Single system |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in the Managesite module 6.x-1.x before 6.1-1.1 for Drupal allow remote authenticated users with "administer managesite" permissions to inject arbitrary web script or HTML via the title parameter when (1) adding or (2) updating a category. |
50270 |
CVE-2012-1639 |
79 |
|
XSS |
2012-10-01 |
2017-08-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in product/commerce_product.module in the Drupal Commerce module for Drupal before 7.x-1.2 allow remote authenticated users to inject arbitrary web script or HTML via the (1) sku or (2) title parameters. |
50271 |
CVE-2012-1638 |
89 |
|
Exec Code Sql |
2012-09-19 |
2012-09-21 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
SQL injection vulnerability in the Search Autocomplete module before 7.x-2.1 for Drupal allows remote authenticated users with the "use search_autocomplete" permission to execute arbitrary SQL commands via unspecified vectors. |
50272 |
CVE-2012-1636 |
352 |
|
CSRF |
2012-10-01 |
2012-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site request forgery (CSRF) vulnerability in the stickynote module before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of users for requests that delete stickynotes via unspecified vectors. |
50273 |
CVE-2012-1635 |
264 |
|
Bypass +Info |
2012-08-28 |
2012-08-29 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
The hook_node_access function in the revisioning module 7.x-1.x before 7.x-1.3 for Drupal checks the permissions of the current user even when it is called to check permissions of other users, which allows remote attackers to bypass intended access restrictions, as demonstrated when using the XML sitemap module to obtain sensitive information about unpublished content. |
50274 |
CVE-2012-1634 |
79 |
|
XSS |
2012-10-06 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in video_filter.codecs.inc in the Video Filter module 6.x-2.x and 7.x-2.x for Drupal allows remote attackers to inject arbitrary web script or HTML via the EMBEDLOOKUP parameter for Blip.tv links. |
50275 |
CVE-2012-1633 |
352 |
|
CSRF |
2012-09-19 |
2017-04-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in the Password Policy module before 6.x-1.4 and 7.x-1.0 beta3 for Drupal allows remote attackers to hijack the authentication of administrative users for requests that unblock a user. |
50276 |
CVE-2012-1632 |
79 |
|
XSS |
2012-09-19 |
2012-09-20 |
2.1 |
None |
Remote |
High |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in password_policy.admin.inc in the Password Policy module before 6.x-1.4 and 7.x-1.0 beta3 for Drupal allows remote authenticated users with administer policies permissions to inject arbitrary web script or HTML via the name parameter. |
50277 |
CVE-2012-1631 |
352 |
|
CSRF |
2012-09-19 |
2017-08-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
Cross-site request forgery (CSRF) vulnerability in the Admin:hover module for Drupal allows remote attackers to hijack the authentication of administrators for requests that unpublish all nodes, and possibly other actions, via unspecified vectors. |
50278 |
CVE-2012-1630 |
79 |
|
XSS |
2012-09-19 |
2017-08-28 |
2.1 |
None |
Remote |
High |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Taxonomy Navigator module for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors. |
50279 |
CVE-2012-1629 |
79 |
|
XSS |
2012-09-19 |
2017-08-28 |
2.1 |
None |
Remote |
High |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the Taxotouch module for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors. |
50280 |
CVE-2012-1628 |
79 |
|
XSS |
2012-09-19 |
2017-08-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the SuperCron module for Drupal allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. |
50281 |
CVE-2012-1627 |
79 |
|
XSS |
2012-09-19 |
2012-10-15 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in vud_term.module in the Vote Up/Down module 6.x-2.x before 6.x-2.8 and 6.x-3.x before 6.x-3.1 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via taxonomy terms. |
50282 |
CVE-2012-1626 |
89 |
|
Exec Code Sql |
2012-09-19 |
2017-08-28 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
SQL injection vulnerability in the conversion form for Events in the Date module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the "administer Date Tools" privilege to execute arbitrary SQL commands via unspecified vectors. |
50283 |
CVE-2012-1625 |
94 |
|
Exec Code |
2012-09-19 |
2012-09-20 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
Eval injection vulnerability in the fillpdf_form_export_decode function in fillpdf.admin.inc in the Fill PDF module 6.x-1.x before 6.x-1.16 and 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with administer PDFs privileges to execute arbitrary PHP code via unspecified vectors. NOTE: Some of these details are obtained from third party information. |
50284 |
CVE-2012-1624 |
79 |
|
XSS |
2012-10-06 |
2017-08-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in the Lingotek module 6.x-1.x before 6.x-1.40 for Drupal allow remote authenticated users to inject arbitrary web script or HTML when (1) creating or (2) editing page content. |
50285 |
CVE-2012-1623 |
264 |
|
Bypass |
2012-10-06 |
2012-10-08 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
The Registration Codes module before 6.x-2.4 for Drupal does not restrict access to the registration code list, which might allow remote attackers to bypass intended registration restrictions. |
50286 |
CVE-2012-1621 |
79 |
|
XSS |
2014-06-19 |
2018-05-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow remote attackers to inject arbitrary web script or HTML via (1) a parameter array in freemarker templates, the (2) contentId or (3) mapKey parameter in a cms event request, which are not properly handled in an error message, or unspecified input in (4) an ajax request to the getServerError function in checkoutProcess.js or (5) a Webslinger component request. NOTE: some of these details are obtained from third party information. |
50287 |
CVE-2012-1620 |
264 |
|
+Info |
2012-07-12 |
2017-08-28 |
3.6 |
None |
Local |
Low |
Not required |
Partial |
Partial |
None |
slock 0.9 does not properly handle the XRaiseWindow event when the screen is locked, which might allow physically proximate attackers to obtain sensitive information by pressing a button, which reveals the desktop and active windows. |
50288 |
CVE-2012-1617 |
22 |
|
Dir. Trav. |
2012-09-25 |
2017-08-28 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
Directory traversal vulnerability in combine.php in OSClass before 2.3.6 allows remote attackers to read and write arbitrary files via a .. (dot dot) in the type parameter. NOTE: this vulnerability can be leveraged to upload arbitrary files. |
50289 |
CVE-2012-1614 |
200 |
2
|
+Info |
2012-09-04 |
2012-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Coppermine Photo Gallery before 1.5.20 allows remote attackers to obtain sensitive information via (1) a direct request to plugins/visiblehookpoints/index.php, an invalid (2) page or (3) cat parameter to thumbnails.php, an invalid (4) page parameter to usermgr.php, or an invalid (5) newer_than or (6) older_than parameter to search.inc.php, which reveals the installation path in an error message. |
50290 |
CVE-2012-1613 |
79 |
2
|
XSS |
2012-09-04 |
2013-07-04 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in edit_one_pic.php in Coppermine Photo Gallery before 1.5.20 allows remote authenticated users with certain privileges to inject arbitrary web script or HTML via the keywords parameter. |
50291 |
CVE-2012-1612 |
79 |
|
XSS |
2012-09-06 |
2012-09-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in the update manager in Joomla! 2.5.x before 2.5.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
50292 |
CVE-2012-1611 |
264 |
|
+Info |
2012-09-06 |
2013-10-03 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
Joomla! 2.5.x before 2.5.4 does not properly check permissions, which allows attackers to obtain sensitive "administrative back end" information via unknown attack vectors. NOTE: this might be a duplicate of CVE-2012-1599. |
50293 |
CVE-2012-1610 |
189 |
|
DoS Overflow |
2012-06-05 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
Integer overflow in the GetEXIFProperty function in magick/property.c in ImageMagick before 6.7.6-4 allows remote attackers to cause a denial of service (out-of-bounds read) via a large component count for certain EXIF tags in a JPEG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0259. |
50294 |
CVE-2012-1608 |
20 |
|
XSS Bypass |
2012-09-04 |
2012-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
The t3lib_div::RemoveXSS API method in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to bypass the cross-site scripting (XSS) protection mechanism and inject arbitrary web script or HTML via non printable characters. |
50295 |
CVE-2012-1607 |
200 |
|
+Info |
2012-09-04 |
2012-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
The Command Line Interface (CLI) script in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to obtain the database name via a direct request. |
50296 |
CVE-2012-1606 |
79 |
|
XSS |
2012-09-04 |
2012-09-05 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in the Backend component in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allow remote authenticated backend users to inject arbitrary web script or HTML via unspecified vectors. |
50297 |
CVE-2012-1605 |
|
|
Exec Code |
2012-09-04 |
2012-09-05 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
The Extbase Framework in TYPO3 4.6.x through 4.6.6, 4.7, and 6.0 unserializes untrusted data, which allows remote attackers to unserialize arbitrary objects and possibly execute arbitrary code via vectors related to "a missing signature (HMAC) for a request argument." |
50298 |
CVE-2012-1604 |
79 |
1
|
XSS |
2012-10-01 |
2012-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Cross-site scripting (XSS) vulnerability in NextBBS 0.6 allows remote attackers to inject arbitrary web script or HTML via the do parameter to index.php. |
50299 |
CVE-2012-1601 |
399 |
|
DoS |
2012-05-17 |
2018-01-04 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
The KVM implementation in the Linux kernel before 3.3.6 allows host OS users to cause a denial of service (NULL pointer dereference and host OS crash) by making a KVM_CREATE_IRQCHIP ioctl call after a virtual CPU already exists. |
50300 |
CVE-2012-1600 |
79 |
|
XSS |
2014-05-13 |
2018-10-30 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
Multiple cross-site scripting (XSS) vulnerabilities in functions.php in phpPgAdmin before 5.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) type of a function. |