CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities (CVSS score between 2 and 2.99)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
4551 CVE-2012-5635 264 2013-04-09 2013-04-10
2.1
None Local Low Not required None Partial None
The GlusterFS functionality in Red Hat Storage Management Console 2.0, Native Client, and Server 2.0 allows local users to overwrite arbitrary files via a symlink attack on multiple temporary files created by (1) tests/volume.rc, (2) extras/hook-scripts/S30samba-stop.sh, and possibly other vectors, different vulnerabilities than CVE-2012-4417.
4552 CVE-2012-5619 20 2014-09-29 2014-09-30
2.1
None Local Low Not required Partial None None
The Sleuth Kit (TSK) 4.0.1 does not properly handle "." (dotfile) file system entries in FAT file systems and other file systems for which . is not a reserved name, which allows local users to hide activities it more difficult to conduct forensics activities, as demonstrated by Flame.
4553 CVE-2012-5605 264 2013-01-04 2017-08-29
2.1
None Local Low Not required None Partial None
Grinder in Red Hat CloudForms before 1.1 uses world-writable permissions for /var/lib/pulp/cache/grinder/, which allows local users to modify grinder cache files.
4554 CVE-2012-5588 264 2012-12-26 2012-12-27
2.6
None Remote High Not required None Partial None
The Email Field module 6.x-1.x before 6.x-1.3 for Drupal, when using a field permission module and the field contact field formatter is set to the full or teaser display mode, does not properly check permissions, which allows remote attackers to email the stored address via unspecified vectors.
4555 CVE-2012-5586 264 2012-12-26 2013-02-26
2.1
None Remote High ??? Partial None None
The Services module 6.x-3.x before 6.x-3.3 and 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "access user profiles" permission to access arbitrary users' emails via vectors related to the "user index method" and "the path to the user resource."
4556 CVE-2012-5585 79 XSS 2012-12-26 2013-02-26
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Mixpanel module 6.x-1.x before 6.x-1.1 in Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via the Maxpanel token.
4557 CVE-2012-5578 276 2019-11-25 2019-12-04
2.1
None Local Low Not required Partial None None
Python keyring has insecure permissions on new databases allowing world-readable files to be created
4558 CVE-2012-5561 200 +Info 2013-03-01 2013-03-01
2.1
None Local Low Not required Partial None None
script/katello-generate-passphrase in Katello 1.1 uses world-readable permissions for /etc/katello/secure/passphrase, which allows local users to obtain the passphrase by reading the file.
4559 CVE-2012-5560 264 2014-05-30 2014-06-24
2.1
None Local Low Not required None Partial None
The default configuration in mate-settings-daemon 1.5.3 allows local users to change the timezone for the system via a crafted D-Bus call.
4560 CVE-2012-5559 79 XSS 2012-12-03 2015-06-19
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the page manager node view task in the Chaos tool suite (ctools) module 6.x-1.x before 6.x-1.10 for Drupal allows remote authenticated users with permissions to submit or edit nodes to inject arbitrary web script or HTML via the page title.
4561 CVE-2012-5553 79 XSS 2012-12-03 2012-12-04
2.1
None Remote High ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the OM Maximenu module 6.x-1.x before 6.x-1.44 and 7.x-1.x before 7.x-1.44 for Drupal allow remote authenticated users with the "administer OM Maximenu" permission to inject arbitrary web script or HTML via the (1) Menu Title (2) Link Title, (3) Path Query, (4) Anchor, or (5) vocabulary names.
4562 CVE-2012-5545 79 XSS 2012-12-03 2013-02-26
2.1
None Remote High ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the ShareThis module 7.x-2.x before 7.x-2.5 for Drupal allow remote authenticated users with the "administer sharethis" permission to inject arbitrary web script or HTML via unspecified vectors related to "JavaScript settings."
4563 CVE-2012-5538 79 XSS 2012-12-03 2012-12-04
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the FileField Sources module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.6 for Drupal, when the field has "Reference existing" source enabled, allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file.
4564 CVE-2012-5530 264 2012-11-29 2013-02-26
2.1
None Local Low Not required None Partial None
The (1) pcmd and (2) pmlogger init scripts in Performance Co-Pilot (PCP) before 3.6.10 allow local users to overwrite arbitrary files via a symlink attack on a /var/tmp/##### temporary file.
4565 CVE-2012-5527 522 2019-11-25 2019-12-11
2.1
None Local Low Not required Partial None None
Claws Mail vCalendar plugin: credentials exposed on interface
4566 CVE-2012-5516 200 +Info 2013-01-04 2017-08-29
2.1
None Local Low Not required Partial None None
Red Hat Enterprise Virtualization Manager (RHEV-M) before 3.1, when moving disks between storage domains, does not properly wipe-after-delete, which prevents disks from being securely deleted and might allow local users to obtain sensitive information via unspecified vectors.
4567 CVE-2012-5509 264 2013-03-12 2013-03-18
2.1
None Local Low Not required Partial None None
aeolus-configserver-setup in the Aeolas Configuration Server, as used in Red Hat CloudForms Cloud Engine before 1.1.2, uses world-readable permissions for a temporary file in /tmp, which allows local users to read credentials by reading this file.
4568 CVE-2012-5483 264 2012-12-26 2017-08-29
2.1
None Local Low Not required Partial None None
tools/sample_data.sh in OpenStack Keystone 2012.1.3, when access to Amazon Elastic Compute Cloud (Amazon EC2) is configured, uses world-readable permissions for /etc/keystone/ec2rc, which allows local users to obtain access to EC2 services by reading administrative access and secret values from this file.
4569 CVE-2012-5476 200 +Info 2019-12-30 2020-01-09
2.1
None Local Low Not required Partial None None
Within the RHOS Essex Preview (2012.2) of the OpenStack dashboard package, the file /etc/quantum/quantum.conf is world readable which exposes the admin password and token value.
4570 CVE-2012-5474 311 2019-12-30 2021-03-09
2.1
None Local Low Not required Partial None None
The file /etc/openstack-dashboard/local_settings within Red Hat OpenStack Platform 2.0 and RHOS Essex Release (python-django-horizon package before 2012.1.1) is world readable and exposes the secret key value.
4571 CVE-2012-5349 79 1 XSS 2012-10-09 2017-08-29
2.6
None Remote High Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in pay.php in the Pay With Tweet plugin before 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) link, (2) title, or (3) dl parameter.
4572 CVE-2012-5325 79 1 XSS 2012-10-08 2017-08-29
2.1
None Remote High ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the scr_do_redirect function in scr.php in the Shortcode Redirect plugin 1.0.01 and earlier for WordPress allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via the (1) url or (2) sec attributes in a redirect tag.
4573 CVE-2012-5307 79 XSS 2012-10-08 2012-10-08
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in servlet/traveler in IBM Lotus Notes Traveler before 8.5.3.3 Interim Fix 1, when Firefox is used, allows remote attackers to inject arbitrary web script or HTML via the redirectURL parameter, a different vulnerability than CVE-2012-4824 and CVE-2012-4825.
4574 CVE-2012-5233 79 XSS 2012-10-01 2012-10-02
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the stickynote module before 7.x-1.1 for Drupal allows remote authenticated users with edit stickynotes privileges to inject arbitrary web script or HTML via unspecified vecotrs.
4575 CVE-2012-5183 200 +Info 2012-12-26 2013-01-08
2.6
None Remote High Not required Partial None None
The Loctouch application 3.4.6 and earlier for Android allows attackers to obtain sensitive information about logged locations via a crafted application that leverages read permission for system log files.
4576 CVE-2012-5179 264 +Info 2012-12-26 2020-02-19
2.1
None Local Low Not required Partial None None
The Boat Browser application before 4.2 and Boat Browser Mini application before 3.9 for Android do not properly implement the WebView class, which allows attackers to obtain sensitive information via a crafted application.
4577 CVE-2012-5077 2012-10-16 2017-09-19
2.6
None Remote High Not required Partial None None
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier, 6 Update 35 and earlier, 5.0 Update 36 and earlier, and 1.4.2_38 and earlier allows remote attackers to affect confidentiality via unknown vectors related to Security.
4578 CVE-2012-5065 2012-10-17 2013-10-11
2.1
None Local Low Not required None Partial None
Unspecified vulnerability in the Oracle WebCenter Sites component in Oracle Fusion Middleware 6.1, 6.2, 6.3.x, 7, 7.0.1, 7.0.2, 7.0.3, 7.5, 7.6.1, 7.6.2, and 11.1.1.6.0 allows local users to affect integrity via unknown vectors related to ImagePicker.
4579 CVE-2012-4930 310 2012-09-15 2013-01-30
2.6
None Remote High Not required Partial None None
The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
4580 CVE-2012-4929 310 2012-09-15 2018-04-22
2.6
None Remote High Not required Partial None None
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.
4581 CVE-2012-4899 310 2012-10-10 2013-01-30
2.1
None Local Low Not required Partial None None
WellinTech KingView 6.5.3 and earlier uses a weak password-hashing algorithm, which makes it easier for local users to discover credentials by reading an unspecified file.
4582 CVE-2012-4862 255 +Info 2012-12-05 2017-08-29
2.1
None Local Low Not required Partial None None
The Host Connect emulator in IBM Rational Developer for System z 7.1 through 8.5.1 does not properly store the SSL certificate password, which allows local users to obtain sensitive information via unspecified vectors.
4583 CVE-2012-4833 264 2012-10-01 2017-08-29
2.1
None Local Low Not required None None Partial
fuser in IBM AIX 6.1 and 7.1, and VIOS 2.2.1.4-FP-25 SP-02, does not properly restrict the -k option, which allows local users to kill arbitrary processes via a crafted command line.
4584 CVE-2012-4615 310 1 +Info 2012-11-27 2013-08-17
2.1
None Local Low Not required Partial None None
EMC Smarts Network Configuration Manager (NCM) before 9.1 uses a hardcoded encryption key for the storage of credentials, which allows local users to obtain sensitive information via unspecified vectors.
4585 CVE-2012-4600 79 XSS 2012-08-31 2018-08-13
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in Open Ticket Request System (OTRS) Help Desk 2.4.x before 2.4.14, 3.0.x before 3.0.16, and 3.1.x before 3.1.10, when Firefox or Opera is used, allows remote attackers to inject arbitrary web script or HTML via an e-mail message body with nested HTML tags.
4586 CVE-2012-4589 2012-08-22 2017-08-29
2.1
None Local Low Not required None Partial None
Login.aspx in the Portal in McAfee Enterprise Mobility Manager (EMM) before 10.0 does not have an off autocomplete attribute for unspecified form fields, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation.
4587 CVE-2012-4578 310 2012-08-21 2017-08-29
2.1
None Local Low Not required None Partial None
The geli encryption provider 7 before r239184 on FreeBSD 10 uses a weak Master Key, which makes it easier for local users to defeat a cryptographic protection mechanism via a brute-force attack.
4588 CVE-2012-4574 255 2013-01-04 2017-08-29
2.1
None Local Low Not required Partial None None
Pulp in Red Hat CloudForms before 1.1 uses world-readable permissions for pulp.conf, which allows local users to read the administrative password by reading this file.
4589 CVE-2012-4571 310 2012-11-30 2012-12-03
2.1
None Local Low Not required Partial None None
Python Keyring 0.9.1 does not securely initialize the cipher when encrypting passwords for CryptedFileKeyring files, which makes it easier for local users to obtain passwords via a brute-force attack.
4590 CVE-2012-4544 20 DoS 2012-10-31 2017-08-29
2.1
None Local Low Not required None None Partial
The PV domain builder in Xen 4.2 and earlier does not validate the size of the kernel or ramdisk (1) before or (2) after decompression, which allows local guest administrators to cause a denial of service (domain 0 memory consumption) via a crafted (a) kernel or (b) ramdisk.
4591 CVE-2012-4539 399 DoS 2012-11-21 2017-08-29
2.1
None Local Low Not required None None Partial
Xen 4.0 through 4.2, when running 32-bit x86 PV guests on 64-bit hypervisors, allows local guest OS administrators to cause a denial of service (infinite loop and hang or crash) via invalid arguments to GNTTABOP_get_status_frames, aka "Grant table hypercall infinite loop DoS vulnerability."
4592 CVE-2012-4537 16 DoS 2012-11-21 2017-08-29
2.1
None Local Low Not required None None Partial
Xen 3.4 through 4.2, and possibly earlier versions, does not properly synchronize the p2m and m2p tables when the set_p2m_entry function fails, which allows local HVM guest OS administrators to cause a denial of service (memory consumption and assertion failure), aka "Memory mapping failure DoS vulnerability."
4593 CVE-2012-4536 DoS 2012-11-21 2017-08-29
2.1
None Local Low Not required None None Partial
The (1) domain_pirq_to_emuirq and (2) physdev_unmap_pirq functions in Xen 2.2 allows local guest OS administrators to cause a denial of service (Xen crash) via a crafted pirq value that triggers an out-of-bounds read.
4594 CVE-2012-4534 399 DoS 2012-12-19 2017-09-19
2.6
None Remote High Not required None None Partial
org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to cause a denial of service (infinite loop) by terminating the connection during the reading of a response.
4595 CVE-2012-4530 200 +Info 2013-02-18 2013-06-05
2.1
None Local Low Not required Partial None None
The load_script function in fs/binfmt_script.c in the Linux kernel before 3.7.2 does not properly handle recursion, which allows local users to obtain sensitive information from kernel stack memory via a crafted application.
4596 CVE-2012-4497 79 XSS 2012-11-02 2017-11-29
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the "3 slide gallery" in the Elegant Theme module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer themes" permission to inject arbitrary web script or HTML via a slide URL.
4597 CVE-2012-4496 79 XSS 2012-10-31 2017-11-30
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Custom Publishing Options module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "administer nodes" permission to inject arbitrary web script or HTML via the status labels parameter.
4598 CVE-2012-4493 79 XSS 2012-11-02 2012-11-06
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the administrative interface in the Better Revisions module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer better revisions" permission to inject arbitrary web script or HTML via unspecified vectors.
4599 CVE-2012-4492 79 XSS 2012-10-31 2013-03-02
2.1
None Remote High ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Shorten URLs module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors to the (1) report or (2) Custom Services List page.
4600 CVE-2012-4469 79 XSS 2012-11-30 2012-12-03
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Hashcash module 6.x-2.x before 6.x-2.6 and 7.x-2.x before 7.x-2.2 for Drupal, when "Log failed hashcash" is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid token, which is not properly handled when administrators use the Database logging module.
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.