CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2151 CVE-2012-2687 79 XSS 2012-08-22 2017-09-18
2.6
None Remote High Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.
2152 CVE-2012-2679 264 +Info 2012-10-22 2017-08-28
2.1
None Local Low Not required Partial None None
Red Hat Network (RHN) Configuration Client (rhncfg-client) in rhncfg before 5.10.27-8 uses weak permissions (world-readable) for /var/log/rhncfg-actions, which allows local users to obtain sensitive information about the rhncfg-client actions by reading the file.
2153 CVE-2012-2672 +Info 2012-06-16 2017-08-28
2.1
None Local Low Not required Partial None None
Oracle Mojarra 2.1.7 does not properly "clean up" the FacesContext reference during startup, which allows local users to obtain context information an access resources from another WAR file by calling the FacesContext.getCurrentInstance function.
2154 CVE-2012-2669 20 2012-12-27 2013-01-29
2.1
None Local Low Not required None Partial None
The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.4.5, does not validate the origin of Netlink messages, which allows local users to spoof Netlink communication via a crafted connector message.
2155 CVE-2012-2658 119 DoS Exec Code Overflow 2012-08-31 2017-08-28
2.1
None Local Low Not required None None Partial
** DISPUTED ** Buffer overflow in the SQLDriverConnect function in unixODBC 2.3.1 allows local users to cause a denial of service (crash) via a long string in the DRIVER option. NOTE: this issue might not be a vulnerability, since the ability to set this option typically implies that the attacker already has legitimate access to cause a DoS or execute code, and therefore the issue would not cross privilege boundaries. There may be limited attack scenarios if isql command-line options are exposed to an attacker, although it seems likely that other, more serious issues would also be exposed, and this issue might not cross privilege boundaries in that context.
2156 CVE-2012-2657 119 DoS Exec Code Overflow 2012-08-31 2017-08-28
2.1
None Local Low Not required None None Partial
** DISPUTED ** Buffer overflow in the SQLDriverConnect function in unixODBC 2.0.10, 2.3.1, and earlier allows local users to cause a denial of service (crash) via a long string in the FILEDSN option. NOTE: this issue might not be a vulnerability, since the ability to set this option typically implies that the attacker already has legitimate access to cause a DoS or execute code, and therefore the issue would not cross privilege boundaries. There may be limited attack scenarios if isql command-line options are exposed to an attacker, although it seems likely that other, more serious issues would also be exposed, and this issue might not cross privilege boundaries in that context.
2157 CVE-2012-2639 79 XSS 2012-06-26 2012-06-26
2.6
None Remote High Not required None Partial None
The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
2158 CVE-2012-2634 79 XSS 2012-06-15 2012-06-18
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in FeedDemon before 4.0, when the feed preview option is enabled, allows remote attackers to inject arbitrary web script or HTML via a feed.
2159 CVE-2012-2632 Bypass 2012-06-15 2012-06-18
2.6
None Remote High Not required None Partial None
SEIL routers with firmware SEIL/x86 1.00 through 2.35, SEIL/X1 2.30 through 3.75, SEIL/X2 2.30 through 3.75, and SEIL/B1 2.30 through 3.75, when the http-proxy and application-gateway features are enabled, do not properly handle the CONNECT command, which allows remote attackers to bypass intended URL restrictions via a TCP session.
2160 CVE-2012-2625 20 DoS 2012-10-31 2018-04-13
2.7
None Local Network Low Single system None None Partial
The PyGrub boot loader in Xen unstable before changeset 25589:60f09d1ab1fe, 4.2.x, and 4.1.x allows local para-virtualized guest users to cause a denial of service (memory consumption) via a large (1) bzip2 or (2) lzma compressed kernel image.
2161 CVE-2012-2567 255 +Info 2012-05-22 2017-08-28
2.6
None Remote High Not required Partial None None
The Xelex MobileTrack application 2.3.7 and earlier for Android uses hardcoded credentials, which allows remote attackers to obtain sensitive information via an unencrypted (1) FTP or (2) HTTP session.
2162 CVE-2012-2531 200 +Info 2012-11-13 2018-10-30
2.1
None Local Low Not required Partial None None
Microsoft Internet Information Services (IIS) 7.5 uses weak permissions for the Operational log, which allows local users to discover credentials by reading this file, aka "Password Disclosure Vulnerability."
2163 CVE-2012-2422 200 +Info 2012-04-25 2017-12-18
2.9
None Local Network Medium Not required Partial None None
Intuit QuickBooks 2009 through 2012 might allow remote attackers to obtain pathname information via the qbwc://docontrol/GetCompanyFile functionality.
2164 CVE-2012-2389 264 +Info 2012-06-21 2013-04-18
2.1
None Local Low Not required Partial None None
hostapd 0.7.3, and possibly other versions before 1.0, uses 0644 permissions for /etc/hostapd/hostapd.conf, which might allow local users to obtain sensitive information such as credentials.
2165 CVE-2012-2362 79 XSS 2012-07-20 2012-11-06
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in blog/lib.php in the blog implementation in Moodle 1.9.x before 1.9.18, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via a crafted parameter to blog/index.php.
2166 CVE-2012-2314 264 2012-07-03 2012-08-13
2.1
None Local Low Not required Partial None None
The bootloader configuration module (pyanaconda/bootloader.py) in Anaconda uses 755 permissions for /etc/grub.d, which allows local users to obtain password hashes and conduct brute force password guessing attacks.
2167 CVE-2012-2300 79 XSS 2012-08-14 2012-08-15
2.1
None Remote High Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Ubercart module 6.x-2.x before 6.x-2.8 and 7.x-3.x before 7.x-3.1 for Drupal allow remote authenticated users with the administer product classes permission to inject arbitrary web script or HTML via unspecified vectors.
2168 CVE-2012-2299 255 +Info 2012-08-14 2012-08-15
2.1
None Local Low Not required Partial None None
The Ubercart module 6.x-2.x before 6.x-2.8 and 7.x-3.x before 7.x-3.1 for Drupal stores passwords for new customers in plaintext during checkout, which allows local users to obtain sensitive information by reading from the database.
2169 CVE-2012-2297 79 XSS 2012-08-26 2017-08-28
2.1
None Remote High Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Creative Commons module 6.x-1.x before 6.x-1.1 for Drupal allow remote authenticated users with the administer creative commons permission to inject arbitrary web script or HTML via the (1) creativecommons_user_message or (2) creativecommons_site_license_additional_text parameter.
2170 CVE-2012-2286 +Info 2012-10-10 2013-02-12
2.9
None Local Network Medium Not required Partial None None
Unspecified vulnerability in EMC RSA Adaptive Authentication On-Premise (AAOP) 6.0.2.1 before SP3 P3 allows remote attackers to obtain sensitive information via unknown vectors.
2171 CVE-2012-2284 255 2012-10-18 2013-04-18
2.1
None Local Low Not required Partial None None
The (1) install and (2) upgrade processes in EMC NetWorker Module for Microsoft Applications (NMM) 2.2.1, 2.3 before build 122, and 2.4 before build 375, when Exchange Server is used, allow local users to read cleartext administrator credentials via unspecified vectors.
2172 CVE-2012-2082 79 XSS 2012-08-14 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Chaos tool suite (aka CTools) module 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with the post comments permission to inject arbitrary web script or HTML via a user signature.
2173 CVE-2012-2076 79 XSS 2012-08-14 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the administration forms in the ShareThis module 7.x-2.x before 7.x-2.3 for Drupal allows remote authenticated users with administer sharethis permissions to inject arbitrary web script or HTML via unspecified vectors.
2174 CVE-2012-2075 79 XSS 2012-08-14 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Contact Save module 6.x-1.x before 6.x-1.5 for Drupal allows remote authenticated users with the access site-wide contact form permission to inject arbitrary web script or HTML via unspecified vectors.
2175 CVE-2012-2072 79 XSS 2012-08-14 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Share Buttons (AddToAny) module 6.x-3.x before 6.x-3.4 for Drupal allows remote authenticated users with the administer addtoany permission to inject arbitrary web script or HTML via unspecified vectors.
2176 CVE-2012-2071 79 XSS 2012-08-14 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Contact Forms module 6.x-1.x before 6.x-1.13 for Drupal when the core contact form is enabled, allows remote authenticated users with the administer site-wide contact form permission to inject arbitrary web script or HTML via unspecified vectors.
2177 CVE-2012-2070 79 XSS 2012-08-14 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the MultiBlock module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the administer blocks permission to inject arbitrary web script or HTML via the block title.
2178 CVE-2012-2068 79 XSS 2012-09-04 2017-08-28
2.1
None Remote High Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in fancy_slide.module in the Fancy Slide module before 6.x-2.7 for Drupal allow remote authenticated users with the administer fancy_slide permission to inject arbitrary web script or HTML via the (1) node_title or (2) nodequeue_title parameter.
2179 CVE-2012-1986 264 2012-05-29 2017-08-28
2.1
None Remote High Single system Partial None None
Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket.
2180 CVE-2012-1945 200 +Info 2012-06-05 2017-12-28
2.9
None Local Network Medium Not required Partial None None
Mozilla Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10 allow local users to obtain sensitive information via an HTML document that loads a shortcut (aka .lnk) file for display within an IFRAME element, as demonstrated by a network share implemented by (1) Microsoft Windows or (2) Samba.
2181 CVE-2012-1923 310 +Info 2012-04-17 2017-12-28
2.1
None Local Low Not required Partial None None
RealNetworks Helix Server and Helix Mobile Server 14.x before 14.3.x store passwords in cleartext under adm_b_db\users\, which allows local users to obtain sensitive information by reading a database.
2182 CVE-2012-1820 DoS 2012-06-13 2013-03-01
2.9
None Local Network Medium Not required None None Partial
The bgp_capability_orf function in bgpd in Quagga 0.99.20.1 and earlier allows remote attackers to cause a denial of service (assertion failure and daemon exit) by leveraging a BGP peering relationship and sending a malformed Outbound Route Filtering (ORF) capability TLV in an OPEN message.
2183 CVE-2012-1792 79 XSS 2012-05-27 2012-05-28
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in osCommerce/OM/Core/Site/Setup/Application/Install/RPC/DBCheck.php in OSCommerce Online Merchant 3.0.2, when the software is being installed, allows remote attackers to inject arbitrary web script or HTML via the name parameter to oscommerce/index.php, which is not properly handled in an error message. NOTE: this might not be a vulnerability, since the ability to access oscommerce/index.php during installation may already imply administrator privileges.
2184 CVE-2012-1773 2012-07-17 2018-10-12
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2012-1766, CVE-2012-1767, CVE-2012-1769, CVE-2012-1770, CVE-2012-1771, CVE-2012-1772, CVE-2012-3106, CVE-2012-3107, CVE-2012-3108, and CVE-2012-3110.
2185 CVE-2012-1772 2012-07-17 2018-10-12
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2012-1766, CVE-2012-1767, CVE-2012-1769, CVE-2012-1770, CVE-2012-1771, CVE-2012-1773, CVE-2012-3106, CVE-2012-3107, CVE-2012-3108, and CVE-2012-3110.
2186 CVE-2012-1771 2012-07-17 2018-10-12
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2012-1766, CVE-2012-1767, CVE-2012-1769, CVE-2012-1770, CVE-2012-1772, CVE-2012-1773, CVE-2012-3106, CVE-2012-3107, CVE-2012-3108, and CVE-2012-3110.
2187 CVE-2012-1770 2012-07-17 2018-10-12
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2012-1766, CVE-2012-1767, CVE-2012-1769, CVE-2012-1771, CVE-2012-1772, CVE-2012-1773, CVE-2012-3106, CVE-2012-3107, CVE-2012-3108, and CVE-2012-3110.
2188 CVE-2012-1769 2012-07-17 2018-10-12
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2012-1766, CVE-2012-1767, CVE-2012-1770, CVE-2012-1771, CVE-2012-1772, CVE-2012-1773, CVE-2012-3106, CVE-2012-3107, CVE-2012-3108, and CVE-2012-3110.
2189 CVE-2012-1768 2012-07-17 2018-10-12
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2012-3109.
2190 CVE-2012-1767 2012-07-17 2018-10-12
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2012-1766, CVE-2012-1769, CVE-2012-1770, CVE-2012-1771, CVE-2012-1772, CVE-2012-1773, CVE-2012-3106, CVE-2012-3107, CVE-2012-3108, and CVE-2012-3110.
2191 CVE-2012-1766 2012-07-17 2018-10-12
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2012-1767, CVE-2012-1769, CVE-2012-1770, CVE-2012-1771, CVE-2012-1772, CVE-2012-1773, CVE-2012-3106, CVE-2012-3107, CVE-2012-3108, and CVE-2012-3110.
2192 CVE-2012-1744 2012-07-17 2017-08-28
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows context-dependent users to affect availability via unknown vectors related to Outside In Filters.
2193 CVE-2012-1743 2012-07-17 2017-08-28
2.8
None Remote Medium Multiple systems Partial None None
Unspecified vulnerability in the Oracle Clinical Remote Data Capture Option component in Oracle Industry Applications 4.6.0.x, 4.6.2, and 4.6.3 allows remote authenticated users to affect confidentiality, related to HTML Surround.
2194 CVE-2012-1717 2012-06-16 2018-01-17
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 update 32 and earlier, 5 update 35 and earlier, and 1.4.2_37 and earlier allows local users to affect confidentiality via unknown vectors related to printing on Solaris or Linux.
2195 CVE-2012-1698 2012-05-03 2017-12-06
2.1
None Remote High Single system Partial None None
Unspecified vulnerability in Oracle Sun Solaris 11 allows remote authenticated users to affect confidentiality, related to Kernel/GLD.
2196 CVE-2012-1693 2012-05-03 2017-12-06
2.6
None Remote High Not required None None Partial
Unspecified vulnerability in Oracle SPARC Enterprise M Series Servers XCP 1110 allows remote attackers to affect availability, related to XSCF Control Package (XCP).
2197 CVE-2012-1660 79 XSS 2012-09-18 2017-08-28
2.1
None Remote High Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in components/select.inc in the Webform module 6.x-3.x before 6.x-3.17 and 7.x-3.x before 7.x-3.17 for Drupal, when the "Select (or other)" module is enabled, allow remote authenticated users with the create webform content permission to inject arbitrary web script or HTML via vectors related to (1) checkboxes or (2) radios.
2198 CVE-2012-1659 79 XSS 2012-09-18 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Node Recommendation module 6.x-1.x before 6.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.
2199 CVE-2012-1658 79 XSS 2012-09-18 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Read More Link module 6.x-3.x before 6.x-3.1 for Drupal allows remote authenticated users with the access administration pages permission to inject arbitrary web script or HTML via unspecified vectors.
2200 CVE-2012-1657 79 XSS 2012-09-18 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in block_class.module in the Block Class module before 7.x-1.1 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via the class name.
Total number of vulnerabilities : 4392   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 (This Page)45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.