| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
49851 |
CVE-2012-2250 |
|
|
DoS |
2014-02-02 |
2014-02-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Tor before 0.2.3.24-rc allows remote attackers to cause a denial of service (assertion failure and daemon exit) by performing link protocol negotiation incorrectly. |
|
49852 |
CVE-2012-2249 |
|
|
DoS |
2014-02-02 |
2014-02-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Tor before 0.2.3.23-rc allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a renegotiation attempt that occurs after the initiation of the V3 link protocol. |
|
49853 |
CVE-2012-2247 |
79 |
|
XSS |
2012-11-24 |
2013-02-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to inject arbitrary web script or HTML via vectors related to artefact/file/ and a crafted SVG file. |
|
49854 |
CVE-2012-2246 |
20 |
|
Bypass CSRF |
2012-11-24 |
2017-08-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to conduct clickjacking attacks to delete arbitrary users and bypass CSRF protection via account/delete.php. |
|
49855 |
CVE-2012-2244 |
264 |
|
|
2012-11-24 |
2013-02-07 |
6.0 |
None |
Remote |
Medium |
Single system |
Partial |
Partial |
Partial |
|
Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote authenticated administrators to execute arbitrary programs by modifying the path to clamav. NOTE: this can be exploited without authentication by leveraging CVE-2012-2243. |
|
49856 |
CVE-2012-2243 |
79 |
|
Exec Code XSS |
2012-11-24 |
2013-02-07 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4 allows remote attackers to inject arbitrary web script or HTML by uploading an XML file with the xhtml extension, which is rendered inline as script. NOTE: this can be leveraged with CVE-2012-2244 to execute arbitrary code without authentication, as demonstrated by modifying the clamav path. |
|
49857 |
CVE-2012-2242 |
20 |
|
Exec Code |
2012-09-30 |
2013-04-18 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
scripts/dget.pl in devscripts before 2.10.73 allows remote attackers to execute arbitrary commands via a crafted (1) .dsc or (2) .changes file, related to "arguments to external commands" that are not properly escaped, a different vulnerability than CVE-2012-2240. |
|
49858 |
CVE-2012-2241 |
20 |
|
|
2012-09-30 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
scripts/dget.pl in devscripts before 2.12.3 allows remote attackers to delete arbitrary files via a crafted (1) .dsc or (2) .changes file, probably related to a NULL byte in a filename. |
|
49859 |
CVE-2012-2239 |
94 |
|
|
2012-11-24 |
2013-02-07 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
Mahara 1.4.x before 1.4.4 and 1.5.x before 1.5.3 allows remote attackers to read arbitrary files or create TCP connections via an XML external entity (XXE) injection attack, as demonstrated by reading config.php. |
|
49860 |
CVE-2012-2236 |
89 |
|
Exec Code Sql |
2012-04-20 |
2012-04-20 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in users.php in PHP Gift Registry 1.5.5 allows remote authenticated users to execute arbitrary SQL commands via the userid parameter in an edit action. |
|
49861 |
CVE-2012-2235 |
79 |
|
XSS |
2012-05-27 |
2012-05-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Support Incident Tracker (SiT!) 3.65 and earlier allows remote attackers to inject arbitrary web script or HTML via the id parameter to index.php, which is not properly handled in an error message. |
|
49862 |
CVE-2012-2234 |
79 |
1
|
XSS |
2012-04-21 |
2017-12-12 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in sources/users.queries.php in TeamPass before 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the login parameter in an add_new_user action. |
|
49863 |
CVE-2012-2230 |
310 |
|
|
2012-04-12 |
2017-12-19 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
Cloudera Manager 3.7.x before 3.7.5 and Service and Configuration Manager 3.5, when Kerberos is not enabled, does not properly install taskcontroller.cfg, which allows remote authenticated users to impersonate arbitrary user accounts via unspecified vectors, a different vulnerability than CVE-2012-1574. |
|
49864 |
CVE-2012-2223 |
200 |
|
+Info |
2012-04-11 |
2017-12-19 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The xplat agent in Novell ZENworks Configuration Management (ZCM) 10.3.x before 10.3.4 and 11.x before 11.2 enables the HTTP TRACE method, which might make it easier for remote attackers to conduct cross-site tracing (XST) attacks via unspecified vectors. |
|
49865 |
CVE-2012-2217 |
264 |
|
|
2012-05-01 |
2017-12-13 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
The HTC IQRD service for Android on the HTC EVO 4G before 4.67.651.3, EVO Design 4G before 2.12.651.5, Shift 4G before 2.77.651.3, EVO 3D before 2.17.651.5, EVO View 4G before 2.23.651.1, Vivid before 3.26.502.56, and Hero does not restrict localhost access to TCP port 2479, which allows remote attackers to (1) send SMS messages, (2) obtain the Network Access Identifier (NAI) and its password, or trigger (3) popup messages or (4) tones via a crafted application that leverages the android.permission.INTERNET permission. |
|
49866 |
CVE-2012-2215 |
22 |
|
Dir. Trav. |
2012-04-09 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in the Preboot Service in Novell ZENworks Configuration Management (ZCM) 11.1 and 11.1a allows remote attackers to read arbitrary files via an opcode 0x21 request. |
|
49867 |
CVE-2012-2214 |
399 |
|
DoS |
2012-07-03 |
2017-12-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
None |
Partial |
|
proxy.c in libpurple in Pidgin before 2.10.4 does not properly handle canceled SOCKS5 connection attempts, which allows user-assisted remote authenticated users to cause a denial of service (application crash) via a sequence of XMPP file-transfer requests. |
|
49868 |
CVE-2012-2213 |
264 |
|
Bypass |
2012-04-28 |
2012-04-30 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
** DISPUTED ** Squid 3.1.9 allows remote attackers to bypass the access configuration for the CONNECT method by providing an arbitrary allowed hostname in the Host HTTP header. NOTE: this issue might not be reproducible, because the researcher is unable to provide a squid.conf file for a vulnerable system, and the observed behavior is consistent with a squid.conf file that was (perhaps inadvertently) designed to allow access based on a "req_header Host" acl regex that matches www.uol.com.br. |
|
49869 |
CVE-2012-2212 |
264 |
|
Bypass |
2012-04-28 |
2014-03-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
** DISPUTED ** McAfee Web Gateway 7.0 allows remote attackers to bypass the access configuration for the CONNECT method by providing an arbitrary allowed hostname in the Host HTTP header. NOTE: this issue might not be reproducible, because the researcher did not provide configuration details for the vulnerable system, and the observed behavior might be consistent with a configuration that was (perhaps inadvertently) designed to allow access based on Host HTTP headers. |
|
49870 |
CVE-2012-2211 |
79 |
1
|
XSS |
2012-11-22 |
2012-11-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in phpgwapi/inc/common_functions_inc.php in eGroupware before 1.8.004.20120405 allows remote attackers to inject arbitrary web script or HTML via the menuaction parameter to etemplate/process_exec.php. NOTE: some of these details are obtained from third party information. |
|
49871 |
CVE-2012-2209 |
79 |
1
|
XSS |
2012-08-14 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in admin.php in Piwigo before 2.3.4 allow remote attackers to inject arbitrary web script or HTML via the (1) section parameter in the configuration module, (2) installstatus parameter in the languages_new module, or (3) theme parameter in the theme module. |
|
49872 |
CVE-2012-2206 |
264 |
1
|
|
2012-08-17 |
2017-08-28 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
The Web Gateway component in IBM WebSphere MQ File Transfer Edition 7.0.4 and earlier allows remote authenticated users to read files of arbitrary users via vectors involving a username in a URI, as demonstrated by a modified metadata=fteSamplesUser field to the /transfer URI. |
|
49873 |
CVE-2012-2205 |
79 |
|
XSS |
2012-08-17 |
2017-08-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM Rational ClearQuest 7.1.x before 7.1.2.7 and 8.x before 8.0.0.3 allows remote authenticated users to inject arbitrary web script or HTML via a workspace query. |
|
49874 |
CVE-2012-2202 |
22 |
|
Dir. Trav. |
2012-07-27 |
2017-12-21 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
Directory traversal vulnerability in javatester_init.php in IBM Lotus Protector for Mail Security 2.1, 2.5, 2.5.1, and 2.8 and IBM ISS Proventia Network Mail Security System allows remote authenticated administrators to read arbitrary files via a .. (dot dot) in the template parameter. |
|
49875 |
CVE-2012-2199 |
399 |
|
DoS |
2012-09-25 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The server message channel agent in the queue manager in the server in IBM WebSphere MQ 7.0.1 before 7.0.1.9, 7.1, and 7.5 on Solaris allows remote attackers to cause a denial of service (invalid address alignment exception and daemon crash) via vectors involving a multiplexed channel. |
|
49876 |
CVE-2012-2196 |
200 |
|
+Info |
2012-07-25 |
2017-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM DB2 9.1 before FP12, 9.5 through FP9, 9.7 through FP6, 9.8 through FP5, and 10.1 allows remote attackers to read arbitrary XML files via the (1) GET_WRAP_CFG_C or (2) GET_WRAP_CFG_C2 stored procedure. |
|
49877 |
CVE-2012-2194 |
22 |
|
Dir. Trav. |
2012-07-25 |
2017-12-21 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Directory traversal vulnerability in the SQLJ.DB2_INSTALL_JAR stored procedure in IBM DB2 9.1 before FP12, 9.5 through FP9, 9.7 through FP6, 9.8 through FP5, and 10.1 allows remote attackers to replace JAR files via unspecified vectors. |
|
49878 |
CVE-2012-2193 |
79 |
|
XSS |
2013-03-04 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Query Studio in IBM Cognos Business Intelligence (BI) 8.4.1 before IF1, 10.1 before IF2, 10.1.1 before IF2, and 10.2 before IF1 allows user-assisted remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
49879 |
CVE-2012-2192 |
399 |
|
DoS |
2012-06-20 |
2017-08-28 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The socketpair function in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.1.4-FP-25 SP-02 allows local users to cause a denial of service (system crash) via a crafted application that leverages the presence of a socket on the free list. |
|
49880 |
CVE-2012-2191 |
20 |
|
DoS |
2012-08-08 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
IBM Global Security Kit (aka GSKit) before 8.0.14.22, as used in IBM Rational Directory Server, IBM Tivoli Directory Server, and other products, does not properly validate data during execution of a protection mechanism against the Vaudenay SSL CBC timing attack, which allows remote attackers to cause a denial of service (application crash) via crafted values in the TLS Record Layer, a different vulnerability than CVE-2012-2333. |
|
49881 |
CVE-2012-2190 |
310 |
|
DoS |
2012-08-21 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
IBM Global Security Kit (aka GSKit), as used in IBM HTTP Server in IBM WebSphere Application Server (WAS) 6.1.x before 6.1.0.45, 7.0.x before 7.0.0.25, 8.0.x before 8.0.0.4, and 8.5.x before 8.5.0.1, allows remote attackers to cause a denial of service (daemon crash) via a crafted ClientHello message in the TLS Handshake Protocol. |
|
49882 |
CVE-2012-2187 |
310 |
|
|
2012-09-25 |
2013-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
IBM Remote Supervisor Adapter II firmware for System x3650, x3850 M2, and x3950 M2 1.13 and earlier generates weak RSA keys, which makes it easier for attackers to defeat cryptographic protection mechanisms via unspecified vectors. |
|
49883 |
CVE-2012-2185 |
200 |
|
+Info |
2012-09-10 |
2017-08-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Maximo Asset Management 6.2 through 7.5, as used in SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB), allows remote authenticated users to obtain sensitive information via unspecified vectors. |
|
49884 |
CVE-2012-2184 |
|
|
|
2012-09-10 |
2017-08-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Session fixation vulnerability in IBM Maximo Asset Management 7.1 through 7.5, as used in SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB), allows remote attackers to hijack web sessions via unspecified vectors. |
|
49885 |
CVE-2012-2183 |
|
|
|
2012-09-10 |
2017-08-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Session fixation vulnerability in IBM Maximo Asset Management 6.2 through 7.5, as used in SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB), allows remote attackers to hijack web sessions via unspecified vectors. |
|
49886 |
CVE-2012-2181 |
22 |
|
Dir. Trav. |
2012-07-03 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in the Dojo module in IBM WebSphere Portal 7.0.0.1 and 7.0.0.2 before CF14, and 8.0, allows remote attackers to read arbitrary files via a crafted URL. |
|
49887 |
CVE-2012-2180 |
|
|
DoS |
2012-06-20 |
2018-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The chaining functionality in the Distributed Relational Database Architecture (DRDA) module in IBM DB2 9.7 before FP6 and 9.8 before FP5 allows remote attackers to cause a denial of service (NULL pointer dereference, and resource consumption or daemon crash) via a crafted request. |
|
49888 |
CVE-2012-2179 |
264 |
|
|
2012-06-22 |
2017-08-28 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
libodm.a in IBM AIX 5.3, 6.1, and 7.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary file. |
|
49889 |
CVE-2012-2177 |
79 |
|
XSS |
2013-03-04 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in IBM Cognos Business Intelligence (BI) 8.4.1 before IF1, 10.1 before IF2, 10.1.1 before IF2, and 10.2 before IF1 allows user-assisted remote attackers to inject arbitrary web script or HTML via vectors related to the search feature. |
|
49890 |
CVE-2012-2173 |
255 |
|
+Info |
2012-06-20 |
2017-08-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The ODBC driver in IBM Security AppScan Source 7.x and 8.x before 8.6 sends an SHA-1 hash of the connection password during connections to a solidDB database, which allows remote attackers to obtain sensitive information by sniffing the network. |
|
49891 |
CVE-2012-2172 |
79 |
|
XSS |
2012-06-22 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in SoftwareRegistration.do in the Storage Manager Profiler in IBM System Storage DS Storage Manager before 10.83.xx.18 on DS Series devices allows remote attackers to inject arbitrary web script or HTML via the updateRegn parameter. |
|
49892 |
CVE-2012-2171 |
89 |
|
Exec Code Sql |
2012-06-22 |
2017-08-28 |
6.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in ModuleServlet.do in the Storage Manager Profiler in IBM System Storage DS Storage Manager before 10.83.xx.18 on DS Series devices allows remote authenticated users to execute arbitrary SQL commands via the selectedModuleOnly parameter in a state_viewmodulelog action to the ModuleServlet URI. |
|
49893 |
CVE-2012-2170 |
264 |
|
+Info |
2012-06-20 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Application Snoop Servlet in IBM WebSphere Application Server 7.0 before 7.0.0.23 does not properly restrict access, which allows remote attackers to obtain sensitive client and request information via a direct request. |
|
49894 |
CVE-2012-2169 |
79 |
|
XSS |
2012-08-17 |
2017-08-28 |
3.5 |
None |
Remote |
Medium |
Single system |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the file-upload functionality in the Web client in IBM Rational ClearQuest 7.1.x before 7.1.2.7 allows remote authenticated users to inject arbitrary web script or HTML via the File Description field. |
|
49895 |
CVE-2012-2168 |
200 |
|
+Info |
2012-08-17 |
2017-08-28 |
4.0 |
None |
Remote |
Low |
Single system |
Partial |
None |
None |
|
IBM Rational ClearQuest 7.1.x before 7.1.2.7 and 8.x before 8.0.0.3 allows remote authenticated users to obtain sensitive stack-trace information from CM server error messages via an invalid parameter. |
|
49896 |
CVE-2012-2165 |
200 |
|
+Info |
2012-08-17 |
2017-08-28 |
3.5 |
None |
Remote |
Medium |
Single system |
Partial |
None |
None |
|
IBM Rational ClearQuest 7.1.x before 7.1.2.7 and 8.x before 8.0.0.3, when ClearQuest Authentication is enabled, allows remote authenticated users to read password hashes via a user query. |
|
49897 |
CVE-2012-2164 |
264 |
|
Bypass |
2012-08-17 |
2017-08-28 |
5.5 |
None |
Remote |
Low |
Single system |
Partial |
Partial |
None |
|
The Web client in IBM Rational ClearQuest 7.1.x before 7.1.2.7 and 8.x before 8.0.0.3 allows remote authenticated users to bypass intended access restrictions, and use the Site Administration menu to modify system settings, via a parameter-tampering attack. |
|
49898 |
CVE-2012-2162 |
310 |
|
+Info |
2012-05-01 |
2017-08-28 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The Web Server Plug-in in IBM WebSphere Application Server (WAS) 8.0 and earlier uses unencrypted HTTP communication after expiration of the plugin-key.kdb password, which allows remote attackers to obtain sensitive information by sniffing the network, or spoof arbitrary servers via a man-in-the-middle attack. |
|
49899 |
CVE-2012-2161 |
79 |
|
XSS |
2012-06-20 |
2017-08-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in deferredView.jsp in IBM Eclipse Help System (IEHS), as used in IBM Security AppScan Source 7.x and 8.x before 8.6 and IBM SPSS Data Collection Developer Library 6.0 and 6.0.1, allows remote attackers to inject arbitrary web script or HTML via a crafted URL. |
|
49900 |
CVE-2012-2159 |
20 |
|
|
2012-06-20 |
2017-08-28 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in IBM Eclipse Help System (IEHS), as used in IBM Security AppScan Source 7.x and 8.x before 8.6 and IBM SPSS Data Collection Developer Library 6.0 and 6.0.1, allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. |
