| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score (CVSS v2) | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 64201 | CVE-2012-1670 | 200 | 1 | +Info | 2012-03-31 | 2017-12-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | admin/index.php in PHP Grade Book before 1.9.5 BETA allows remote attackers to read the database via a SaveSQL action. |
| 64202 | CVE-2012-1669 | 22 | 1 | Dir. Trav. | 2014-11-17 | 2014-11-18 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Directory traversal vulnerability in index.php in phpMoneyBooks before 1.0.3 allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the module parameter. |
| 64203 | CVE-2012-1667 | 189 | | DoS Mem. Corr. +Info | 2012-06-05 | 2018-01-17 | 8.5 | None | Remote | Low | Not required | Partial | None | Complete | ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource records with a zero-length RDATA section, which allows remote DNS servers to cause a denial of service (daemon crash or data corruption) or obtain sensitive information from process memory via a crafted record. |
| 64204 | CVE-2012-1666 | | | +Priv | 2012-09-08 | 2012-09-10 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | Untrusted search path vulnerability in VMware Tools in VMware Workstation before 8.0.4, VMware Player before 4.0.4, VMware Fusion before 4.1.2, VMware View before 5.1, and VMware ESX 4.1 before U3 and 5.0 before P03 allows local users to gain privileges via a Trojan horse tpfc.dll file in the current working directory. |
| 64205 | CVE-2012-1665 | 89 | | Exec Code Sql | 2015-05-20 | 2015-05-21 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Multiple SQL injection vulnerabilities in the admin panel in osCMax before 2.5.1 allow (1) remote attackers to execute arbitrary SQL commands via the username parameter in a process action to admin/login.php or (2) remote administrators to execute arbitrary SQL commands via the status parameter to admin/stats_monthly_sales.php or (3) country parameter in a process action to admin/create_account_process.php. |
| 64206 | CVE-2012-1664 | 79 | | XSS | 2015-05-20 | 2015-05-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the admin panel in osCMax before 2.5.1 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter in a process action to admin/login.php; (2) pageTitle, (3) current_product_id, or (4) cPath parameter to admin/new_attributes_include.php; (5) sb_id, (6) sb_key, (7) gc_id, (8) gc_key, or (9) path parameter to admin/htaccess.php; (10) title parameter to admin/information_form.php; (11) search parameter to admin/xsell.php; (12) gross or (13) max parameter to admin/stats_products_purchased.php; (14) status parameter to admin/stats_monthly_sales.php; (15) sorted parameter to admin/stats_customers.php; (16) information_id parameter to /admin/information_manager.php; or (17) zID parameter to /admin/geo_zones.php. |
| 64207 | CVE-2012-1663 | 399 | 1 | DoS | 2012-03-13 | 2017-08-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Double free vulnerability in libgnutls in GnuTLS before 3.0.14 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted certificate list. |
| 64208 | CVE-2012-1662 | 20 | | DoS | 2012-03-21 | 2017-12-12 | 5.0 | None | Remote | Low | Not required | None | None | Partial | CA ARCserve Backup r12.0 through SP2, r12.5 before SP2, r15 through SP1, and r16 before SP1 on Windows allows remote attackers to cause a denial of service (service shutdown) via a crafted network request. |
| 64209 | CVE-2012-1661 | 94 | 2 | Exec Code | 2012-07-12 | 2012-07-16 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file. |
| 64210 | CVE-2012-1656 | 89 | | Exec Code Sql | 2012-09-18 | 2017-08-28 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | SQL injection vulnerability in the Multisite Search module 6.x-2.2 for Drupal allows remote authenticated users with certain permissions to execute arbitrary SQL commands via the Site table prefix field. |
| 64211 | CVE-2012-1655 | | | | 2012-09-18 | 2017-08-28 | 4.0 | None | Remote | Low | Single system | Partial | None | None | Unspecified vulnerability in the UC PayDutchGroup / WeDeal payment module 6.x-1.0 for Drupal allows remote authenticated users to obtain account credentials via unknown attack vectors. |
| 64212 | CVE-2012-1650 | 264 | | Bypass | 2012-08-28 | 2017-08-28 | 6.0 | None | Remote | Medium | Single system | Partial | Partial | Partial | The ZipCart module 6.x before 6.x-1.4 for Drupal checks the "access content" permission instead of the "access ZipCart downloads" permission when building archives, which allows remote authenticated users with access content permission to bypass intended access restrictions. |
| 64213 | CVE-2012-1649 | 264 | | | 2012-09-09 | 2017-08-28 | 4.9 | None | Remote | Medium | Single system | None | Partial | Partial | Cool Aid module before 6.x-1.9 for Drupal does not enforce access restrictions, which allows remote authenticated users with the administer coolaid permission to modify arbitrary pages via unspecified vectors. |
| 64214 | CVE-2012-1647 | 79 | | XSS | 2012-08-28 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the "stand alone PHP application for the OSM Player," as used in the MediaFront module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.5 for Drupal, allow remote attackers to inject arbitrary web script or HTML via (1) $_SERVER['HTTP_HOST'] or (2) $_SERVER['SCRIPT_NAME'] to players/osmplayer/player/OSMPlayer.php, (3) playlist parameter to players/osmplayer/player/getplaylist.php, and possibly other vectors related to $_SESSION. |
| 64215 | CVE-2012-1646 | 79 | | XSS | 2012-09-25 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the FAQ module 6.x-1.x before 6.x-1.13 and 7.x-1.x-rc1 for Drupal allow remote authenticated users to inject arbitrary web script or HTML via the (1) title parameter in faq.admin.inc or (2) detailed_question parameter in faq.module. |
| 64216 | CVE-2012-1643 | 264 | | | 2012-08-28 | 2012-08-29 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The Faster Permissions module 7.x-2.x before 7.x-1.2 for Drupal does not check the "administer permissions" permission, which allows remote attackers to modify access permissions via unspecified vectors. |
| 64217 | CVE-2012-1642 | 264 | | +Info | 2012-08-28 | 2012-08-29 | 5.0 | None | Remote | Low | Not required | Partial | None | None | includes/linkchecker.pages.inc in the Link checker module 6.x-2.x before 6.x-2.5 for Drupal does not properly enforce access permissions on broken links, which allows remote attackers to obtain sensitive information via unspecified vectors. |
| 64218 | CVE-2012-1641 | 264 | | Exec Code | 2012-08-28 | 2012-08-29 | 6.0 | None | Remote | Medium | Single system | Partial | Partial | Partial | The finder_import function in the Finder module 6.x-1.x before 6.x-1.26, 7.x-1.x, and 7.x-2.x before 7.x-2.0-alpha8 for Drupal allows remote authenticated users with the administer finder permission to execute arbitrary PHP code via admin/build/finder/import. |
| 64219 | CVE-2012-1638 | 89 | | Exec Code Sql | 2012-09-19 | 2012-09-21 | 6.0 | None | Remote | Medium | Single system | Partial | Partial | Partial | SQL injection vulnerability in the Search Autocomplete module before 7.x-2.1 for Drupal allows remote authenticated users with the "use search_autocomplete" permission to execute arbitrary SQL commands via unspecified vectors. |
| 64220 | CVE-2012-1636 | 352 | | CSRF | 2012-10-01 | 2012-10-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site request forgery (CSRF) vulnerability in the stickynote module before 7.x-1.1 for Drupal allows remote attackers to hijack the authentication of users for requests that delete stickynotes via unspecified vectors. |
| 64221 | CVE-2012-1635 | 264 | | Bypass +Info | 2012-08-28 | 2012-08-29 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | The hook_node_access function in the revisioning module 7.x-1.x before 7.x-1.3 for Drupal checks the permissions of the current user even when it is called to check permissions of other users, which allows remote attackers to bypass intended access restrictions, as demonstrated when using the XML sitemap module to obtain sensitive information about unpublished content. |
| 64222 | CVE-2012-1634 | 79 | | XSS | 2012-10-06 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in video_filter.codecs.inc in the Video Filter module 6.x-2.x and 7.x-2.x for Drupal allows remote attackers to inject arbitrary web script or HTML via the EMBEDLOOKUP parameter for Blip.tv links. |
| 64223 | CVE-2012-1633 | 352 | | CSRF | 2012-09-19 | 2017-04-28 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the Password Policy module before 6.x-1.4 and 7.x-1.0 beta3 for Drupal allows remote attackers to hijack the authentication of administrative users for requests that unblock a user. |
| 64224 | CVE-2012-1631 | 352 | | CSRF | 2012-09-19 | 2017-08-28 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the Admin:hover module for Drupal allows remote attackers to hijack the authentication of administrators for requests that unpublish all nodes, and possibly other actions, via unspecified vectors. |
| 64225 | CVE-2012-1626 | 89 | | Exec Code Sql | 2012-09-19 | 2017-08-28 | 6.0 | None | Remote | Medium | Single system | Partial | Partial | Partial | SQL injection vulnerability in the conversion form for Events in the Date module 6.x-2.x before 6.x-2.8 for Drupal allows remote authenticated users with the "administer Date Tools" privilege to execute arbitrary SQL commands via unspecified vectors. |
| 64226 | CVE-2012-1625 | 94 | | Exec Code | 2012-09-19 | 2012-09-20 | 6.0 | None | Remote | Medium | Single system | Partial | Partial | Partial | Eval injection vulnerability in the fillpdf_form_export_decode function in fillpdf.admin.inc in the Fill PDF module 6.x-1.x before 6.x-1.16 and 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with administer PDFs privileges to execute arbitrary PHP code via unspecified vectors. NOTE: Some of these details are obtained from third party information. |
| 64227 | CVE-2012-1623 | 264 | | Bypass | 2012-10-06 | 2012-10-08 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Registration Codes module before 6.x-2.4 for Drupal does not restrict access to the registration code list, which might allow remote attackers to bypass intended registration restrictions. |
| 64228 | CVE-2012-1622 | | | Exec Code | 2017-10-26 | 2017-11-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Apache OFBiz 10.04.x before 10.04.02 allows remote attackers to execute arbitrary code via unspecified vectors. |
| 64229 | CVE-2012-1621 | 79 | | XSS | 2014-06-19 | 2018-05-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.02 allow remote attackers to inject arbitrary web script or HTML via (1) a parameter array in freemarker templates, the (2) contentId or (3) mapKey parameter in a cms event request, which are not properly handled in an error message, or unspecified input in (4) an ajax request to the getServerError function in checkoutProcess.js or (5) a Webslinger component request. NOTE: some of these details are obtained from third party information. |
| 64230 | CVE-2012-1618 | | | Sql | 2012-10-06 | 2012-10-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server with the "standard_conforming_strings" option enabled, such as the default configuration of PostgreSQL 9.1, does not properly escape unspecified JDBC statement parameters, which allows remote attackers to perform SQL injection attacks. NOTE: as of 20120330, it was claimed that the upstream developer planned to dispute this issue, but an official dispute has not been posted as of 20121005. |
| 64231 | CVE-2012-1617 | 22 | | Dir. Trav. | 2012-09-25 | 2017-08-28 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | Directory traversal vulnerability in combine.php in OSClass before 2.3.6 allows remote attackers to read and write arbitrary files via a .. (dot dot) in the type parameter. NOTE: this vulnerability can be leveraged to upload arbitrary files. |
| 64232 | CVE-2012-1616 | 399 | | DoS Exec Code | 2012-06-21 | 2017-08-28 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | Use-after-free vulnerability in icclib before 2.13, as used by Argyll CMS before 1.4 and possibly other programs, allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted ICC profile file. |
| 64233 | CVE-2012-1614 | 200 | 2 | +Info | 2012-09-04 | 2012-09-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Coppermine Photo Gallery before 1.5.20 allows remote attackers to obtain sensitive information via (1) a direct request to plugins/visiblehookpoints/index.php, an invalid (2) page or (3) cat parameter to thumbnails.php, an invalid (4) page parameter to usermgr.php, or an invalid (5) newer_than or (6) older_than parameter to search.inc.php, which reveals the installation path in an error message. |
| 64234 | CVE-2012-1612 | 79 | | XSS | 2012-09-06 | 2012-09-07 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the update manager in Joomla! 2.5.x before 2.5.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 64235 | CVE-2012-1611 | 264 | | +Info | 2012-09-06 | 2013-10-03 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! 2.5.x before 2.5.4 does not properly check permissions, which allows attackers to obtain sensitive "administrative back end" information via unknown attack vectors. NOTE: this might be a duplicate of CVE-2012-1599. |
| 64236 | CVE-2012-1610 | 189 | | DoS Overflow | 2012-06-05 | 2017-08-28 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | Integer overflow in the GetEXIFProperty function in magick/property.c in ImageMagick before 6.7.6-4 allows remote attackers to cause a denial of service (out-of-bounds read) via a large component count for certain EXIF tags in a JPEG image. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-0259. |
| 64237 | CVE-2012-1608 | 20 | | XSS Bypass | 2012-09-04 | 2012-09-05 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The t3lib_div::RemoveXSS API method in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to bypass the cross-site scripting (XSS) protection mechanism and inject arbitrary web script or HTML via non-printable characters. |
| 64238 | CVE-2012-1607 | 200 | | +Info | 2012-09-04 | 2012-09-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Command Line Interface (CLI) script in TYPO3 4.4.0 through 4.4.13, 4.5.0 through 4.5.13, 4.6.0 through 4.6.6, 4.7, and 6.0 allows remote attackers to obtain the database name via a direct request. |
| 64239 | CVE-2012-1605 | | | Exec Code | 2012-09-04 | 2012-09-05 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The Extbase Framework in TYPO3 4.6.x through 4.6.6, 4.7, and 6.0 unserializes untrusted data, which allows remote attackers to unserialize arbitrary objects and possibly execute arbitrary code via vectors related to "a missing signature (HMAC) for a request argument." |
| 64240 | CVE-2012-1604 | 79 | 1 | XSS | 2012-10-01 | 2012-10-02 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in NextBBS 0.6 allows remote attackers to inject arbitrary web script or HTML via the do parameter to index.php. |
| 64241 | CVE-2012-1603 | 89 | 1 | Exec Code Sql | 2012-10-01 | 2012-10-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Multiple SQL injection vulnerabilities in ajaxserver.php in NextBBS 0.6 allow remote attackers to execute arbitrary SQL commands via the (1) curstr parameter in the findUsers function, (2) id parameter in the isIdAvailable function, or (3) username parameter in the getGreetings function. |
| 64242 | CVE-2012-1602 | 287 | 1 | Bypass | 2012-10-01 | 2012-10-02 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | user.php in NextBBS 0.6 allows remote attackers to bypass authentication and gain administrator access by setting the userkey cookie to 1. |
| 64243 | CVE-2012-1601 | 399 | | DoS | 2012-05-17 | 2018-01-04 | 4.9 | None | Local | Low | Not required | None | None | Complete | The KVM implementation in the Linux kernel before 3.3.6 allows host OS users to cause a denial of service (NULL pointer dereference and host OS crash) by making a KVM_CREATE_IRQCHIP ioctl call after a virtual CPU already exists. |
| 64244 | CVE-2012-1600 | 79 | | XSS | 2014-05-13 | 2018-10-30 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in functions.php in phpPgAdmin before 5.0.4 allow remote attackers to inject arbitrary web script or HTML via the (1) name or (2) type of a function. |
| 64245 | CVE-2012-1599 | 264 | | +Info | 2012-12-03 | 2012-12-04 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Joomla! 1.5.x before 1.5.26 does not properly check permissions, which allows attackers to obtain sensitive "administrative back end information" via unknown vectors. NOTE: this might be a duplicate of CVE-2012-1611. |
| 64246 | CVE-2012-1598 | 264 | | | 2012-12-03 | 2012-12-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Joomla! 1.5.x before 1.5.26 has unspecified impact and attack vectors related to "insufficient randomness" and a "password reset vulnerability." |
| 64247 | CVE-2012-1596 | 399 | | DoS | 2012-04-11 | 2017-12-28 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The mp2t_process_fragmented_payload function in epan/dissectors/packet-mp2t.c in the MP2T dissector in Wireshark 1.4.x before 1.4.12 and 1.6.x before 1.6.6 allows remote attackers to cause a denial of service (application crash) via a packet containing an invalid pointer value that triggers an incorrect memory-allocation attempt. |
| 64248 | CVE-2012-1595 | 399 | | DoS | 2012-04-11 | 2017-12-28 | 4.3 | None | Remote | Medium | Not required | None | None | Partial | The pcap_process_pseudo_header function in wiretap/pcap-common.c in Wireshark 1.4.x before 1.4.12 and 1.6.x before 1.6.6 allows remote attackers to cause a denial of service (application crash) via a WTAP_ENCAP_ERF file containing an Extension or Multi-Channel header with an invalid pseudoheader size, related to the pcap and pcap-ng file parsers. |
| 64249 | CVE-2012-1591 | 264 | | | 2012-09-30 | 2013-12-12 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The image module in Drupal 7.x before 7.14 does not properly check permissions when caching derivative image styles of private images, which allows remote attackers to read private image styles. |
| 64250 | CVE-2012-1590 | 264 | | +Info | 2012-09-30 | 2013-12-12 | 4.0 | None | Remote | Low | Single system | Partial | None | None | The forum list in Drupal 7.x before 7.14 does not properly check user permissions for unpublished forum posts, which allows remote authenticated users to obtain sensitive information such as the post title via the forum overview page. |