CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
2701 CVE-2012-1247 79 XSS 2012-05-15 2017-12-04
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in KENT-WEB WEB MART 1.7 and earlier, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML by leveraging support for Cascading Style Sheets (CSS) expressions.
2702 CVE-2012-1164 119 DoS Overflow 2012-06-29 2017-01-06
2.6
None Remote High Not required None None Partial
slapd in OpenLDAP before 2.4.30 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an LDAP search query with attrsOnly set to true, which causes empty attributes to be returned.
2703 CVE-2012-1060 79 XSS 2012-02-13 2012-02-14
2.1
None Remote High Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in revisioning_theme.inc in the Taxonomy module in the Revisioning module 6.x-3.13 and other versions before 6.x-3.14 for Drupal allow remote authenticated users with certain privileges to inject arbitrary web script or HTML via the (1) tags or (2) term parameters.
2704 CVE-2012-1004 79 XSS 2012-02-07 2012-02-08
2.1
None Remote High Single system None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in UI/Register.pm in Foswiki before 1.1.5 allow remote authenticated users with CHANGE privileges to inject arbitrary web script or HTML via the (1) text, (2) FirstName, (3) LastName, (4) OrganisationName, (5) OrganisationUrl, (6) Profession, (7) Country, (8) State, (9) Address, (10) Location, (11) Telephone, (12) VoIP, (13) InstantMessagingIM, (14) Email, (15) HomePage, or (16) Comment parameter. NOTE: some of these details are obtained from third party information.
2705 CVE-2012-0976 79 1 XSS 2012-02-02 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in admin/EditForm in SilverStripe 2.4.6 allows remote authenticated users with Content Authors privileges to inject arbitrary web script or HTML via the Title parameter. NOTE: some of these details are obtained from third party information.
2706 CVE-2012-0961 200 +Info 2012-12-26 2012-12-31
2.1
None Local Low Not required Partial None None
Apt 0.8.16~exp5ubuntu13.x before 0.8.16~exp5ubuntu13.6, 0.8.16~exp12ubuntu10.x before 0.8.16~exp12ubuntu10.7, and 0.9.7.5ubuntu5.x before 0.9.7.5ubuntu5.2, as used in Ubuntu, uses world-readable permissions for /var/log/apt/term.log, which allows local users to obtain sensitive shell information by reading the log file.
2707 CVE-2012-0959 200 +Info 2012-11-24 2017-08-28
2.1
None Local Low Not required Partial None None
Remote Login Service (RLS) 1.0.0 does not properly clear account information when switching users, which might allow physically proximate users to obtain login credentials.
2708 CVE-2012-0954 20 2012-06-19 2012-06-26
2.6
None Remote High Not required None Partial None
APT 0.7.x before 0.7.25 and 0.8.x before 0.8.16, when using the apt-key net-update to import keyrings, relies on GnuPG argument order and does not check GPG subkeys, which might allow remote attackers to install altered packages via a man-in-the-middle (MITM) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3587.
2709 CVE-2012-0948 264 2012-06-07 2017-08-28
2.1
None Local Low Not required Partial None None
DistUpgrade/DistUpgradeMain.py in Update Manager, as used by Ubuntu 12.04 LTS, 11.10, and 11.04, uses weak permissions for (1) apt-clone_system_state.tar.gz and (2) system_state.tar.gz, which allows local users to obtain repository credentials.
2710 CVE-2012-0943 264 2014-05-22 2014-05-29
2.1
None Local Low Not required None None Partial
debian/guest-account in Light Display Manager (lightdm) 1.0.x before 1.0.6 and 1.1.x before 1.1.7, as used in Ubuntu Linux 11.10, allows local users to delete arbitrary files via a space in the name of a file in /tmp. NOTE: this identifier was SPLIT per ADT1/ADT2 due to different codebases and affected versions. CVE-2012-6648 has been assigned for the gdm-guest-session issue.
2711 CVE-2012-0933 79 1 XSS 2012-01-28 2017-08-28
2.6
None Remote High Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Acidcat CMS 3.5.1, 3.5.2, 3.5.6, and possibly earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) admin_colors.asp, (2) admin_config.asp, and (3) admin_cat_add.asp in admin/.
2712 CVE-2012-0863 310 2012-04-30 2017-12-18
2.1
None Local Low Not required Partial None None
Mumble 1.2.3 and earlier uses world-readable permissions for .local/share/data/Mumble/.mumble.sqlite files in home directories, which might allow local users to obtain a cleartext password and configuration data by reading a file.
2713 CVE-2012-0856 119 DoS Overflow 2012-08-20 2018-10-30
2.6
None Remote High Not required None None Partial
Heap-based buffer overflow in the MPV_frame_start function in libavcodec/mpegvideo.c in FFmpeg before 0.9.1, when the lowres option is enabled, allows remote attackers to cause a denial of service (application crash) via a crafted H263 media file. NOTE: this vulnerability exists because of a regression error.
2714 CVE-2012-0833 264 DoS 2012-07-03 2012-07-17
2.3
None Local Network Medium Single system None None Partial
The acllas__handle_group_entry function in servers/plugins/acl/acllas.c in 389 Directory Server before 1.2.10 does not properly handled access control instructions (ACIs) that use certificate groups, which allows remote authenticated LDAP users with a certificate group to cause a denial of service (infinite loop and CPU consumption) by binding to the server.
2715 CVE-2012-0813 255 +Info 2012-06-29 2012-08-01
2.1
None Local Low Not required Partial None None
Wicd before 1.7.1 saves sensitive information in log files in /var/log/wicd, which allows context-dependent attackers to obtain passwords and other sensitive information.
2716 CVE-2012-0800 200 +Info 2012-07-17 2012-07-17
2.1
None Local Low Not required Partial None None
The form-autocompletion functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 makes it easier for physically proximate attackers to discover passwords by reading the contents of a non-password field, as demonstrated by accessing a create-groups page with Safari on an iPad device.
2717 CVE-2012-0717 287 Bypass 2012-06-20 2012-06-21
2.6
None Remote High Not required None Partial None
IBM WebSphere Application Server 7.0 before 7.0.0.23, when a certain SSLv2 configuration with client authentication is used, allows remote attackers to bypass X.509 client-certificate authentication via unspecified vectors.
2718 CVE-2012-0657 264 Bypass 2012-05-10 2012-05-29
2.1
None Local Low Not required None Partial None
Quartz Composer in Apple Mac OS X before 10.7.4, when the RSS Visualizer screensaver is enabled, allows physically proximate attackers to bypass screen locking and launch a Safari process via unspecified vectors.
2719 CVE-2012-0570 2013-04-17 2017-09-18
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allows local users to affect availability via unknown vectors related to Libraries/Libc.
2720 CVE-2012-0568 2013-04-17 2017-09-18
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in Oracle Sun Solaris 8, 9, and 10 allows local users to affect confidentiality via unknown vectors related to Utility/fdformat.
2721 CVE-2012-0563 2012-07-17 2017-08-28
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in Oracle Solaris 9, 10, and 11 allows local users to affect availability via unknown vectors related to Kerberos/klist.
2722 CVE-2012-0548 2012-05-03 2017-12-06
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in Oracle SPARC Enterprise M Series Servers XCP 1110 and earlier allows local users to affect confidentiality, related to XSCF Control Package (XCP).
2723 CVE-2012-0542 2012-05-03 2017-12-06
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in the Oracle iStore component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Runtime Catalog.
2724 CVE-2012-0513 2012-05-03 2017-12-06
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6 and 12.1.3 allows remote attackers to affect integrity, related to REST Services.
2725 CVE-2012-0493 2012-01-18 2018-01-04
2.1
None Remote High Single system None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, and CVE-2012-0495.
2726 CVE-2012-0492 2012-01-18 2018-07-20
2.1
None Remote High Single system None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and CVE-2012-0485.
2727 CVE-2012-0475 264 Bypass 2012-04-25 2017-12-18
2.6
None Remote High Not required None Partial None
Mozilla Firefox 4.x through 11.0, Thunderbird 5.0 through 11.0, and SeaMonkey before 2.9 do not properly construct the Origin and Sec-WebSocket-Origin HTTP headers, which might allow remote attackers to bypass an IPv6 literal ACL via a cross-site (1) XMLHttpRequest or (2) WebSocket operation involving a nonstandard port number and an IPv6 address that contains certain zero fields.
2728 CVE-2012-0450 264 2012-02-01 2017-09-18
2.1
None Local Low Not required Partial None None
Mozilla Firefox 4.x through 9.0 and SeaMonkey before 2.7 on Linux and Mac OS X set weak permissions for Firefox Recovery Key.html, which might allow local users to read a Firefox Sync key via standard filesystem operations.
2729 CVE-2012-0433 200 +Info 2018-06-08 2019-10-09
2.1
None Local Low Not required Partial None None
The install-chef-suse.sh script shipped with crowbar before 2012-10-02 is creating files containing confidential data with insecure permissions, allowing local users to read confidential data.
2730 CVE-2012-0421 200 +Info 2012-08-08 2012-08-08
2.1
None Local Low Not required Partial None None
The SUSE Audit Log Keeper daemon before 0.2.1-0.4.6.1 for SUSE Manager and Spacewalk uses world-readable permissions for /etc/auditlog-keeper.conf, which allows local users to obtain passwords by reading this file.
2731 CVE-2012-0321 DoS 2012-03-02 2012-03-05
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in the device driver in Kingsoft Internet Security 2011 allows local users to cause a denial of service via a crafted application.
2732 CVE-2012-0287 79 XSS 2012-01-05 2012-10-11
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via the query string in a POST operation that is not properly handled by the "Duplicate comment detected" feature.
2733 CVE-2012-0099 2012-01-18 2018-01-05
2.6
None Remote High Not required None None Partial
Unspecified vulnerability in Oracle Solaris 9, 10, and 11 Express allows remote attackers to affect availability via unknown vectors related to sshd.
2734 CVE-2012-0097 2012-01-18 2017-08-28
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in Oracle Solaris 11 Express allows local users to affect confidentiality via unknown vectors related to ksh93 Shell.
2735 CVE-2012-0095 2012-10-16 2016-11-22
2.1
None Remote High Single system Partial None None
Unspecified vulnerability in the Oracle Imaging and Process Management component in Oracle Fusion Middleware 10.1.3.6.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Web, a different vulnerability than CVE-2012-0086 and CVE-2012-0108.
2736 CVE-2012-0091 2012-01-18 2017-08-28
2.7
None Local Network High Multiple systems None Partial Partial
Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52.05 allows remote authenticated users to affect integrity and availability via unknown vectors related to Upgrade Change Assistance.
2737 CVE-2012-0042 DoS 2012-04-11 2017-09-18
2.9
None Local Network Medium Not required None None Partial
Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 does not properly perform certain string conversions, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet, related to epan/to_str.c.
2738 CVE-2012-0034 255 +Info 2013-02-05 2015-01-17
2.1
None Local Low Not required Partial None None
The NonManagedConnectionFactory in JBoss Enterprise Application Platform (EAP) 5.1.2 and 5.2.0, Web Platform (EWP) 5.1.2 and 5.2.0, and BRMS Platform before 5.3.1 logs the username and password in cleartext when an exception is thrown, which allows local users to obtain sensitive information by reading the log file.
2739 CVE-2012-0021 20 DoS 2012-01-27 2018-01-17
2.6
None Remote High Not required None None Partial
The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks both a name and a value.
2740 CVE-2011-5320 119 DoS Overflow 2017-10-18 2017-11-08
2.1
None Local Low Not required None None Partial
scanf and related functions in glibc before 2.15 allow local users to cause a denial of service (segmentation fault) via a large string of 0s.
2741 CVE-2011-5256 79 XSS 2013-02-12 2013-02-13
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the tooltips in LimeSurvey before 1.91+ Build 11379-20111116, when viewing survey results, allows remote attackers to inject arbitrary web script or HTML via unknown parameters.
2742 CVE-2011-5202 119 DoS Overflow 2012-10-01 2017-08-28
2.1
None Local Low Not required None None Partial
BazisVirtualCDBus.sys in WinCDEmu 3.6 allows local users to cause a denial of service (system crash) via the unmount command to batchmnt.exe.
2743 CVE-2011-5193 79 XSS 2012-09-23 2012-10-15
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin 1.4.2.3 for WordPress, when the WHOIS widget is enabled, allows remote attackers to inject arbitrary web script or HTML via the domain parameter to index.php, a different vulnerability than CVE-2011-5194.
2744 CVE-2011-5189 79 XSS 2012-09-20 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Webform Validation module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with permissions to "update Webform nodes" to inject arbitrary web script or HTML via unspecified vectors.
2745 CVE-2011-5188 79 XSS 2012-09-20 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Support Timer module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "track time spent" permission to inject arbitrary web script or HTML via unspecified vectors.
2746 CVE-2011-5187 79 XSS 2012-09-20 2017-08-28
2.1
None Remote High Single system None Partial None
Cross-site scripting (XSS) vulnerability in the Support Ticketing System module 6.x-1.x before 6.x-1.7 for Drupal allows remote authenticated users with the "administer support projects" permission to inject arbitrary web script or HTML via unspecified vectors.
2747 CVE-2011-5146 59 2012-08-31 2012-09-05
2.6
None Local High Not required None Partial Partial
Bokken before 1.6 and 1.5-x before 1.5-3 for Debian allows local users to overwrite arbitrary files via a symlink attack on /tmp/graph.dot.
2748 CVE-2011-5066 200 +Info 2012-01-14 2012-02-08
2.1
None Local Low Not required Partial None None
The SibRaRecoverableSiXaResource class in the Default Messaging Component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 does not properly handle a Service Integration Bus (SIB) dump operation involving the First Failure Data Capture (FFDC) introspection code, which allows local users to obtain sensitive information by reading the FFDC log file.
2749 CVE-2011-5056 20 DoS 2012-01-07 2017-12-05
2.1
None Local Low Not required None None Partial
The authoritative server in MaraDNS through 2.0.04 computes hash values for DNS data without restricting the ability to trigger hash collisions predictably, which might allow local users to cause a denial of service (CPU consumption) via crafted records in zone files, a different vulnerability than CVE-2012-0024.
2750 CVE-2011-4940 79 XSS 2012-06-27 2013-05-14
2.6
None Remote High Not required None Partial None
The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
Total number of vulnerabilities : 4880   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 (This Page)56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.