CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 6 and 6.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
11451 CVE-2012-0672 119 DoS Exec Code Overflow Mem. Corr. 2012-05-08 2017-12-06
6.8
None Remote Medium Not required Partial Partial Partial
WebKit in Apple iOS before 5.1.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site.
11452 CVE-2012-0661 399 DoS Exec Code 2012-05-10 2017-12-04
6.8
None Remote Medium Not required Partial Partial Partial
Use-after-free vulnerability in QuickTime in Apple Mac OS X 10.7.x before 10.7.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted movie file with JPEG2000 encoding.
11453 CVE-2012-0660 119 DoS Exec Code Overflow 2012-05-10 2012-05-29
6.8
None Remote Medium Not required Partial Partial Partial
Buffer underflow in QuickTime in Apple Mac OS X before 10.7.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MPEG file.
11454 CVE-2012-0659 189 DoS Exec Code Overflow 2012-05-10 2012-05-29
6.8
None Remote Medium Not required Partial Partial Partial
Integer overflow in QuickTime in Apple Mac OS X before 10.7.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MPEG file.
11455 CVE-2012-0658 119 DoS Exec Code Overflow 2012-05-10 2012-05-29
6.8
None Remote Medium Not required Partial Partial Partial
Buffer overflow in QuickTime in Apple Mac OS X before 10.7.4 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted audio sample tables in a movie file that is progressively downloaded.
11456 CVE-2012-0656 362 2012-05-10 2017-12-04
6.9
None Local Medium Not required Complete Complete Complete
Race condition in LoginUIFramework in Apple Mac OS X 10.7.x before 10.7.4, when the Guest account is enabled, allows physically proximate attackers to login to arbitrary accounts by entering the account name and no password.
11457 CVE-2012-0655 310 2012-05-10 2017-12-04
6.4
None Remote Low Not required Partial Partial None
libsecurity in Apple Mac OS X before 10.7.4 does not properly restrict the length of RSA keys within X.509 certificates, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by conducting a spoofing or network-sniffing attack during communication with a site that uses a short key.
11458 CVE-2012-0654 119 DoS Exec Code Overflow 2012-05-10 2017-12-04
6.8
None Remote Medium Not required Partial Partial Partial
libsecurity in Apple Mac OS X before 10.7.4 accesses uninitialized memory locations during the processing of X.509 certificates, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted certificate.
11459 CVE-2012-0649 362 +Priv 2012-05-10 2017-12-04
6.9
None Local Medium Not required Complete Complete Complete
Race condition in the initialization routine in blued in Bluetooth in Apple Mac OS X before 10.7.4 allows local users to gain privileges via vectors involving a temporary file.
11460 CVE-2012-0644 362 Bypass 2012-03-08 2018-11-29
6.9
None Local Medium Not required Complete Complete Complete
Race condition in the Passcode Lock feature in Apple iOS before 5.1 allows physically proximate attackers to bypass intended passcode requirements via a slide-to-dial gesture.
11461 CVE-2012-0608 119 DoS Exec Code Overflow Mem. Corr. 2012-03-08 2018-11-29
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Apple iOS before 5.1 and iTunes before 10.6, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-03-07-1 and APPLE-SA-2012-03-07-2.
11462 CVE-2012-0584 20 2012-03-12 2018-01-05
6.4
None Remote Low Not required None Partial Partial
The Internationalized Domain Name (IDN) feature in Apple Safari before 5.1.4 on Windows does not properly restrict the characters in URLs, which allows remote attackers to spoof a domain name via unspecified homoglyphs.
11463 CVE-2012-0575 2012-05-03 2016-11-04
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.2.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Core.
11464 CVE-2012-0564 2012-05-03 2017-12-06
6.5
None Remote Low Single system Partial Partial Partial
Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50 and 8.51 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Query.
11465 CVE-2012-0550 2012-05-03 2017-12-06
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the GlassFish Enterprise Server component in Oracle Sun Products Suite GlassFish Enterprise Server 3.1.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Web Container.
11466 CVE-2012-0539 2012-05-03 2017-12-06
6.2
None Local High Not required Complete Complete Complete
Unspecified vulnerability in Oracle Sun Solaris 8, 9, and 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to (1) bsmconv and (2) bsmunconv.
11467 CVE-2012-0537 2012-05-03 2017-12-06
6.4
None Remote Low Not required Partial Partial None
Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3 allows remote attackers to affect confidentiality and integrity, related to HTML pages.
11468 CVE-2012-0516 2012-05-03 2017-12-12
6.8
None Remote Medium Not required Partial Partial Partial
Unspecified vulnerability in the Oracle iPlanet Web Server component in Oracle Sun Products Suite 7.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Administration Console.
11469 CVE-2012-0511 2012-05-03 2013-10-10
6.4
None Remote Low Not required Partial Partial None
Unspecified vulnerability in the OCI component in Oracle Database Server 10.2.0.3, 10.2.0.4, and 11.1.0.7 allows remote attackers to affect confidentiality and integrity via unknown vectors.
11470 CVE-2012-0510 2012-05-03 2013-10-10
6.4
None Remote Low Not required None Partial Partial
Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, and 11.1.0.7 allows remote attackers to affect integrity and availability via unknown vectors.
11471 CVE-2012-0502 2012-02-15 2018-01-05
6.4
None Remote Low Not required Partial None Partial
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Update 30 and earlier, 5.0 Update 33 and earlier, and 1.4.2_35 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and availability, related to AWT.
11472 CVE-2012-0460 264 2012-03-14 2018-01-17
6.4
None Remote Low Not required None Partial Partial
Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict write access to the window.fullScreen object, which allows remote attackers to spoof the user interface via a crafted web page.
11473 CVE-2012-0458 264 Exec Code 2012-03-14 2018-01-17
6.8
None Remote Medium Not required Partial Partial Partial
Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict setting the home page through the dragging of a URL to the home button, which allows user-assisted remote attackers to execute arbitrary JavaScript code with chrome privileges via a javascript: URL that is later interpreted in the about:sessionrestore context.
11474 CVE-2012-0430 Bypass 2012-12-25 2013-03-13
6.4
None Remote Low Not required Partial Partial None
Unspecified vulnerability in NetIQ eDirectory 8.8.6.x before 8.8.6.7 and 8.8.7.x before 8.8.7.2 on Windows allows remote attackers to obtain an administrator cookie and bypass authorization checks via unknown vectors.
11475 CVE-2012-0403 22 Dir. Trav. 2012-03-20 2017-12-05
6.3
None Remote Medium Single system Complete None None
Directory traversal vulnerability in EMC RSA enVision 4.x before 4.1 Patch 4 allows remote authenticated users to have an unspecified impact via unknown vectors.
11476 CVE-2012-0401 89 Exec Code Sql 2012-03-20 2017-12-05
6.5
None Remote Low Single system Partial Partial Partial
Multiple SQL injection vulnerabilities in EMC RSA enVision 4.x before 4.1 Patch 4 allow remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
11477 CVE-2012-0394 94 2 Exec Code 2012-01-08 2014-02-20
6.8
None Remote Medium Not required Partial Partial Partial
** DISPUTED ** The DebuggingInterceptor component in Apache Struts before 2.3.1.1, when developer mode is used, allows remote attackers to execute arbitrary commands via unspecified vectors. NOTE: the vendor characterizes this behavior as not "a security vulnerability itself."
11478 CVE-2012-0393 264 1 2012-01-08 2018-11-28
6.4
None Remote Low Not required None Partial Partial
The ParameterInterceptor component in Apache Struts before 2.3.1.1 does not prevent access to public constructors, which allows remote attackers to create or overwrite arbitrary files via a crafted parameter that triggers the creation of a Java object.
11479 CVE-2012-0337 89 Exec Code Sql 2012-05-02 2012-05-11
6.5
None Remote Low Single system Partial Partial Partial
SQL injection vulnerability in the web component in Cisco Unified MeetingPlace 7.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCtx08939.
11480 CVE-2012-0319 94 Exec Code 2012-03-02 2018-01-17
6.5
None Remote Low Single system Partial Partial Partial
The file-management system in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allows remote authenticated users to execute arbitrary commands by leveraging the file-upload feature, related to an "OS Command Injection" issue.
11481 CVE-2012-0317 352 CSRF 2012-03-02 2018-01-17
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Movable Type before 4.38, 5.0x before 5.07, and 5.1x before 5.13 allow remote attackers to hijack the authentication of arbitrary users for requests that modify data via the (1) commenting feature or (2) community script.
11482 CVE-2012-0314 352 CSRF 2012-02-02 2012-02-08
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities on the eAccess Pocket WiFi (aka GP02) router before 2.00 with firmware 11.203.11.05.168 and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) initialize settings or (2) reboot the device.
11483 CVE-2012-0308 352 CSRF 2012-08-29 2013-10-03
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Symantec Messaging Gateway (SMG) before 10.0 allows remote attackers to hijack the authentication of administrators.
11484 CVE-2012-0306 119 DoS Exec Code Overflow Mem. Corr. 2012-10-18 2013-02-13
6.8
None Remote Medium Not required Partial Partial Partial
Symantec Ghost Solution Suite 2.x through 2.5.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted backup file.
11485 CVE-2012-0304 264 +Priv 2012-06-22 2013-04-01
6.9
None Local Medium Not required Complete Complete Complete
Symantec LiveUpdate Administrator before 2.3.1 uses weak permissions (Everyone: Full Control) for the installation directory, which allows local users to gain privileges via a Trojan horse file.
11486 CVE-2012-0303 352 Exec Code CSRF 2012-07-05 2012-07-06
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in Brightmail Control Center in Symantec Message Filter 6.3 allow remote attackers to hijack the authentication of arbitrary users for requests that (1) execute application commands or (2) create admin accounts.
11487 CVE-2012-0298 264 2012-05-21 2017-12-04
6.4
None Remote Low Not required Partial None Partial
The file-management scripts in the management GUI in Symantec Web Gateway 5.0.x before 5.0.3 allow remote attackers to (1) read or (2) delete arbitrary files via unspecified vectors.
11488 CVE-2012-0293 89 Exec Code Sql 2012-03-17 2018-01-10
6.8
None Remote Medium Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Symantec Altiris WISE Package Studio before 8.0MR1 allow remote attackers to execute arbitrary SQL commands via unspecified vectors.
11489 CVE-2012-0286 352 CSRF 2012-01-24 2012-01-24
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Stoneware webNetwork before 6.0.8.0 allows remote attackers to hijack the authentication of unspecified victims for requests that modify user accounts.
11490 CVE-2012-0282 119 1 DoS Exec Code Overflow 2012-07-17 2012-07-18
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in XnView before 1.99 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted ImageLeftPosition value in an ImageDescriptor structure in a GIF image.
11491 CVE-2012-0279 264 +Priv 2012-05-01 2017-08-28
6.9
None Local Medium Not required Complete Complete Complete
Quest Toad for Data Analysts 3.0.1 uses weak permissions (Everyone: Full Control) for the %COMMONPROGRAMFILES%\Quest Shared directory, which allows local users to gain privileges via a Trojan horse file.
11492 CVE-2012-0277 119 1 DoS Exec Code Overflow 2012-07-17 2012-08-01
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in XnView before 1.99 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PCT image.
11493 CVE-2012-0276 119 2 DoS Exec Code Overflow 2012-07-17 2012-07-18
6.8
None Remote Medium Not required Partial Partial Partial
Multiple heap-based buffer overflows in XnView before 1.99 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a (1) SGI32LogLum compressed TIFF image or (2) SGI32LogLum compressed TIFF image with the PhotometricInterpretation encoding set to LogL.
11494 CVE-2012-0258 119 Exec Code Overflow 2012-04-02 2013-03-25
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the WWCabFile ActiveX component in the Wonderware System Platform in Invensys Wonderware Application Server 2012 and earlier, Foxboro Control Software 3.1 and earlier, InFusion CE/FE/SCADA 2.5 and earlier, Wonderware Information Server 4.5 and earlier, ArchestrA Application Object Toolkit 3.2 and earlier, and InTouch 10.0 through 10.5 might allow remote attackers to execute arbitrary code via a long string to the AddFile member.
11495 CVE-2012-0257 119 Exec Code Overflow 2012-04-02 2013-03-25
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in the WWCabFile ActiveX component in the Wonderware System Platform in Invensys Wonderware Application Server 2012 and earlier, Foxboro Control Software 3.1 and earlier, InFusion CE/FE/SCADA 2.5 and earlier, Wonderware Information Server 4.5 and earlier, ArchestrA Application Object Toolkit 3.2 and earlier, and InTouch 10.0 through 10.5 might allow remote attackers to execute arbitrary code via a long string to the Open member, leading to a function-pointer overwrite.
11496 CVE-2012-0237 119 Overflow 2012-02-21 2018-01-04
6.4
None Remote Low Not required None Partial Partial
Advantech/BroadWin WebAccess before 7.0 allows remote attackers to (1) enable date and time syncing or (2) disable date and time syncing via a crafted URL.
11497 CVE-2012-0235 352 CSRF 2012-02-21 2018-01-04
6.0
None Remote Medium Single system Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
11498 CVE-2012-0232 22 Dir. Trav. 2012-03-15 2012-11-01
6.4
None Remote Low Not required None Partial Partial
Directory traversal vulnerability in rifsrvd.exe in the Remote Interface Service in GE Intelligent Platforms Proficy Real-Time Information Portal 2.6, 3.0, 3.0 SP1, and 3.5 allows remote attackers to modify the configuration via crafted strings.
11499 CVE-2012-0219 119 Exec Code Overflow 2012-06-21 2014-05-09
6.2
None Local High Not required Complete Complete Complete
Heap-based buffer overflow in the xioscan_readline function in xio-readline.c in socat 1.4.0.0 through 1.7.2.0 and 2.0.0-b1 through 2.0.0-b4 allows local users to execute arbitrary code via the READLINE address.
11500 CVE-2012-0205 264 DoS Bypass 2013-01-31 2017-08-28
6.5
None Remote Low Single system Partial Partial Partial
InfoSphere Metadata Workbench (MWB) 8.1 through 8.7 in IBM InfoSphere Information Server 8.1, 8.5 before FP3, and 8.7 does not properly restrict use of the troubleshooting feature, which allows remote authenticated users to bypass intended access restrictions or cause a denial of service (workbench outage) via unspecified vectors.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.