CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2701 CVE-2012-0954 20 2012-06-19 2012-06-26
2.6
None Remote High Not required None Partial None
APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587.
2702 CVE-2012-0948 264 2012-06-07 2017-08-28
2.1
None Local Low Not required Partial None None
DistUpgrade/DistUpgradeMain.py in Update Manager, as used by Ubuntu 12.04 LTS, 11.10, and 11.04, uses weak permissions for (1) apt-clone_system_state.tar.gz and (2) system_state.tar.gz, which allows local users to obtain repository credentials.
2703 CVE-2012-0943 264 2014-05-22 2014-05-29
2.1
None Local Low Not required None None Partial
debian/guest-account in Light Display Manager (lightdm) 1.0.x before 1.0.6 and 1.1.x before 1.1.7, as used in Ubuntu Linux 11.10, allows local users to delete arbitrary files via a space in the name of a file in /tmp. NOTE: this identifier was SPLIT per ADT1/ADT2 due to different codebases and affected versions. CVE-2012-6648 has been assigned for the gdm-guest-session issue.
2704 CVE-2012-0933 79 1 XSS 2012-01-28 2017-08-28
2.6
None Remote High Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Acidcat CMS 3.5.1, 3.5.2, 3.5.6, and possibly earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) admin_colors.asp, (2) admin_config.asp, and (3) admin_cat_add.asp in admin/.
2705 CVE-2012-0863 310 2012-04-30 2017-12-18
2.1
None Local Low Not required Partial None None
Mumble 1.2.3 and earlier uses world-readable permissions for .local/share/data/Mumble/.mumble.sqlite files in home directories, which might allow local users to obtain a cleartext password and configuration data by reading a file.
2706 CVE-2012-0856 119 DoS Overflow 2012-08-20 2018-10-30
2.6
None Remote High Not required None None Partial
Heap-based buffer overflow in the MPV_frame_start function in libavcodec/mpegvideo.c in FFmpeg before 0.9.1, when the lowres option is enabled, allows remote attackers to cause a denial of service (application crash) via a crafted H263 media file. NOTE: this vulnerability exists because of a regression error.
2707 CVE-2012-0833 264 DoS 2012-07-03 2012-07-17
2.3
None Local Network Medium Single system None None Partial
The acllas__handle_group_entry function in servers/plugins/acl/acllas.c in 389 Directory Server before 1.2.10 does not properly handled access control instructions (ACIs) that use certificate groups, which allows remote authenticated LDAP users with a certificate group to cause a denial of service (infinite loop and CPU consumption) by binding to the server.
2708 CVE-2012-0813 255 +Info 2012-06-29 2012-08-01
2.1
None Local Low Not required Partial None None
Wicd before 1.7.1 saves sensitive information in log files in /var/log/wicd, which allows context-dependent attackers to obtain passwords and other sensitive information.
2709 CVE-2012-0800 200 +Info 2012-07-17 2012-07-17
2.1
None Local Low Not required Partial None None
The form-autocompletion functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 makes it easier for physically proximate attackers to discover passwords by reading the contents of a non-password field, as demonstrated by accessing a create-groups page with Safari on an iPad device.
2710 CVE-2012-0717 287 Bypass 2012-06-20 2012-06-21
2.6
None Remote High Not required None Partial None
IBM WebSphere Application Server 7.0 before 7.0.0.23, when a certain SSLv2 configuration with client authentication is used, allows remote attackers to bypass X.509 client-certificate authentication via unspecified vectors.
2711 CVE-2012-0657 264 Bypass 2012-05-10 2012-05-29
2.1
None Local Low Not required None Partial None
Quartz Composer in Apple Mac OS X before 10.7.4, when the RSS Visualizer screensaver is enabled, allows physically proximate attackers to bypass screen locking and launch a Safari process via unspecified vectors.
2712 CVE-2012-0570 2013-04-17 2017-09-18
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allows local users to affect availability via unknown vectors related to Libraries/Libc.
2713 CVE-2012-0568 2013-04-17 2017-09-18
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in Oracle Sun Solaris 8, 9, and 10 allows local users to affect confidentiality via unknown vectors related to Utility/fdformat.
2714 CVE-2012-0563 2012-07-17 2017-08-28
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in Oracle Solaris 9, 10, and 11 allows local users to affect availability via unknown vectors related to Kerberos/klist.
2715 CVE-2012-0548 2012-05-03 2017-12-06
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in Oracle SPARC Enterprise M Series Servers XCP 1110 and earlier allows local users to affect confidentiality, related to XSCF Control Package (XCP).
2716 CVE-2012-0542 2012-05-03 2017-12-06
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in the Oracle iStore component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Runtime Catalog.
2717 CVE-2012-0513 2012-05-03 2017-12-06
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6 and 12.1.3 allows remote attackers to affect integrity, related to REST Services.
2718 CVE-2012-0493 2012-01-18 2018-01-04
2.1
None Remote High Single system None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, and CVE-2012-0495.
2719 CVE-2012-0492 2012-01-18 2018-07-20
2.1
None Remote High Single system None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and CVE-2012-0485.
2720 CVE-2012-0475 264 Bypass 2012-04-25 2017-12-18
2.6
None Remote High Not required None Partial None
Mozilla Firefox 4.x through 11.0, Thunderbird 5.0 through 11.0, and SeaMonkey before 2.9 do not properly construct the Origin and Sec-WebSocket-Origin HTTP headers, which might allow remote attackers to bypass an IPv6 literal ACL via a cross-site (1) XMLHttpRequest or (2) WebSocket operation involving a nonstandard port number and an IPv6 address that contains certain zero fields.
2721 CVE-2012-0450 264 2012-02-01 2017-09-18
2.1
None Local Low Not required Partial None None
Mozilla Firefox 4.x through 9.0 and SeaMonkey before 2.7 on Linux and Mac OS X set weak permissions for Firefox Recovery Key.html, which might allow local users to read a Firefox Sync key via standard filesystem operations.
2722 CVE-2012-0433 200 +Info 2018-06-08 2019-10-09
2.1
None Local Low Not required Partial None None
The install-chef-suse.sh script shipped with crowbar before 2012-10-02 is creating files containing confidential data with insecure permissions, allowing local users to read confidential data.
2723 CVE-2012-0421 200 +Info 2012-08-08 2012-08-08
2.1
None Local Low Not required Partial None None
The SUSE Audit Log Keeper daemon before 0.2.1-0.4.6.1 for SUSE Manager and Spacewalk uses world-readable permissions for /etc/auditlog-keeper.conf, which allows local users to obtain passwords by reading this file.
2724 CVE-2012-0321 DoS 2012-03-02 2012-03-05
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in the device driver in Kingsoft Internet Security 2011 allows local users to cause a denial of service via a crafted application.
2725 CVE-2012-0287 79 XSS 2012-01-05 2012-10-11
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via the query string in a POST operation that is not properly handled by the "Duplicate comment detected" feature.
2726 CVE-2012-0099 2012-01-18 2018-01-05
2.6
None Remote High Not required None None Partial
Unspecified vulnerability in Oracle Solaris 9, 10, and 11 Express allows remote attackers to affect availability via unknown vectors related to sshd.
2727 CVE-2012-0097 2012-01-18 2017-08-28
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in Oracle Solaris 11 Express allows local users to affect confidentiality via unknown vectors related to ksh93 Shell.
2728 CVE-2012-0095 2012-10-16 2016-11-22
2.1
None Remote High Single system Partial None None
Unspecified vulnerability in the Oracle Imaging and Process Management component in Oracle Fusion Middleware 10.1.3.6.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Web, a different vulnerability than CVE-2012-0086 and CVE-2012-0108.
2729 CVE-2012-0091 2012-01-18 2017-08-28
2.7
None Local Network High Multiple systems None Partial Partial
Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52.05 allows remote authenticated users to affect integrity and availability via unknown vectors related to Upgrade Change Assistance.
2730 CVE-2012-0042 DoS 2012-04-11 2017-09-18
2.9
None Local Network Medium Not required None None Partial
Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 does not properly perform certain string conversions, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet, related to epan/to_str.c.
2731 CVE-2012-0034 255 +Info 2013-02-05 2015-01-17
2.1
None Local Low Not required Partial None None
The NonManagedConnectionFactory in JBoss Enterprise Application Platform (EAP) 5.1.2 and 5.2.0, Web Platform (EWP) 5.1.2 and 5.2.0, and BRMS Platform before 5.3.1 logs the username and password in cleartext when an exception is thrown, which allows local users to obtain sensitive information by reading the log file.
2732 CVE-2012-0021 20 DoS 2012-01-27 2018-01-17
2.6
None Remote High Not required None None Partial
The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks both a name and a value.
2733 CVE-2011-5320 119 DoS Overflow 2017-10-18 2017-11-08
2.1
None Local Low Not required None None Partial
scanf and related functions in glibc before 2.15 allow local users to cause a denial of service (segmentation fault) via a large string of 0s.
2734 CVE-2011-5256 79 XSS 2013-02-12 2013-02-13
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the tooltips in LimeSurvey before 1.91+ Build 11379-20111116, when viewing survey results, allows remote attackers to inject arbitrary web script or HTML via unknown parameters.
2735 CVE-2011-5202 119 DoS Overflow 2012-10-01 2017-08-28
2.1
None Local Low Not required None None Partial
BazisVirtualCDBus.sys in WinCDEmu 3.6 allows local users to cause a denial of service (system crash) via the unmount command to batchmnt.exe.
2736 CVE-2011-5193 79 XSS 2012-09-23 2012-10-15
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin 1.4.2.3 for WordPress, when the WHOIS widget is enabled, allows remote attackers to inject arbitrary web script or HTML via the domain parameter to index.php, a different vulnerability than CVE-2011-5194.
2737 CVE-2011-5189 79 XSS 2012-09-20 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Webform Validation module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with permissions to "update Webform nodes" to inject arbitrary web script or HTML via unspecified vectors.
2738 CVE-2011-5188 79 XSS 2012-09-20 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Support Timer module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "track time spent" permission to inject arbitrary web script or HTML via unspecified vectors.
2739 CVE-2011-5187 79 XSS 2012-09-20 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Support Ticketing System module 6.x-1.x before 6.x-1.7 for Drupal allows remote authenticated users with the "administer support projects" permission to inject arbitrary web script or HTML via unspecified vectors.
2740 CVE-2011-5146 59 2012-08-31 2012-09-05
2.6
None Local High Not required None Partial Partial
Bokken before 1.6 and 1.5-x before 1.5-3 for Debian allows local users to overwrite arbitrary files via a symlink attack on /tmp/graph.dot.
2741 CVE-2011-5066 200 +Info 2012-01-14 2012-02-08
2.1
None Local Low Not required Partial None None
The SibRaRecoverableSiXaResource class in the Default Messaging Component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 does not properly handle a Service Integration Bus (SIB) dump operation involving the First Failure Data Capture (FFDC) introspection code, which allows local users to obtain sensitive information by reading the FFDC log file.
2742 CVE-2011-5056 20 DoS 2012-01-07 2017-12-05
2.1
None Local Low Not required None None Partial
The authoritative server in MaraDNS through 2.0.04 computes hash values for DNS data without restricting the ability to trigger hash collisions predictably, which might allow local users to cause a denial of service (CPU consumption) via crafted records in zone files, a different vulnerability than CVE-2012-0024.
2743 CVE-2011-4940 79 XSS 2012-06-27 2013-05-14
2.6
None Remote High Not required None Partial None
The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
2744 CVE-2011-4922 200 +Info 2012-08-08 2017-09-18
2.1
None Local Low Not required Partial None None
cipher.c in the Cipher API in libpurple in Pidgin before 2.7.10 retains encryption-key data in process memory, which might allow local users to obtain sensitive information by reading a core file or other representation of memory contents.
2745 CVE-2011-4872 200 +Info 2012-02-05 2012-02-16
2.6
None Remote High Not required Partial None None
Multiple HTC Android devices including Desire HD FRG83D and GRI40, Glacier FRG83, Droid Incredible FRF91, Thunderbolt 4G FRG83D, Sensation Z710e GRI40, Sensation 4G GRI40, Desire S GRI40, EVO 3D GRI40, and EVO 4G GRI40 allow remote attackers to obtain 802.1X Wi-Fi credentials and SSID via a crafted application that uses the android.permission.ACCESS_WIFI_STATE permission to call the toString method on the WifiConfiguration class.
2746 CVE-2011-4623 189 DoS Overflow 2012-09-25 2012-09-26
2.1
None Local Low Not required None None Partial
Integer overflow in the rsCStrExtendBuf function in runtime/stringbuf.c in the imfile module in rsyslog 4.x before 4.6.6, 5.x before 5.7.4, and 6.x before 6.1.4 allows local users to cause a denial of service (daemon hang) via a large file, which triggers a heap-based buffer overflow.
2747 CVE-2011-4607 119 Overflow 2013-08-23 2013-08-29
2.1
None Local Low Not required Partial None None
PuTTY 0.59 through 0.61 does not clear sensitive process memory when managing user replies that occur during keyboard-interactive authentication, which might allow local users to read login passwords by obtaining access to the process' memory.
2748 CVE-2011-4457 200 +Info 2011-11-17 2011-11-18
2.6
None Remote High Not required Partial None None
OWASP HTML Sanitizer (aka owasp-java-html-sanitizer) before 88, when JavaScript is disabled, allows user-assisted remote attackers to obtain potentially sensitive information via a crafted FORM element within a NOSCRIPT element.
2749 CVE-2011-4363 59 2012-10-07 2012-10-08
2.6
None Local High Not required None Partial Partial
ProcessTable.pm in the Proc::ProcessTable module 0.45 for Perl, when TTY information caching is enabled, allows local users to overwrite arbitrary files via a symlink attack on /tmp/TTYDEVS.
2750 CVE-2011-4345 79 XSS 2011-11-29 2017-02-16
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in Namazu before 2.0.21, when Internet Explorer 6 or 7 is used, allows remote attackers to inject arbitrary web script or HTML via a cookie.
Total number of vulnerabilities : 4868   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 (This Page)56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.