| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2011-4897 |
200 |
|
+Info |
2011-12-23 |
2011-12-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Tor before 0.2.2.25-alpha, when configured as a relay without the Nickname configuration option, uses the local hostname as the Nickname value, which allows remote attackers to obtain potentially sensitive information by reading this value. |
|
2 |
CVE-2011-4896 |
200 |
|
+Info |
2011-12-23 |
2011-12-30 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Tor before 0.2.2.24-alpha continues to use a reachable bridge that was previously configured but is not currently configured, which might allow remote attackers to obtain sensitive information about clients in opportunistic circumstances by monitoring network traffic to the bridge port. |
|
3 |
CVE-2011-4895 |
200 |
|
+Info |
2011-12-23 |
2011-12-23 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Tor before 0.2.2.34, when configured as a bridge, sets up circuits through a process different from the process used by a client, which makes it easier for remote attackers to enumerate bridges by observing circuit building. |
|
4 |
CVE-2011-4894 |
200 |
|
+Info |
2011-12-23 |
2011-12-23 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Tor before 0.2.2.34, when configured as a bridge, uses direct DirPort access instead of a Tor TLS connection for a directory fetch, which makes it easier for remote attackers to enumerate bridges by observing DirPort connections. |
|
5 |
CVE-2011-4853 |
200 |
|
+Info |
2011-12-16 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 includes an RFC 1918 IP address within a web page, which allows remote attackers to obtain potentially sensitive information by reading this page, as demonstrated by smb/user/list-data/items-per-page/ and certain other files. |
|
6 |
CVE-2011-4852 |
200 |
|
+Info |
2011-12-16 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 generates web pages containing external links in response to GET requests with query strings for enterprise/mobile-monitor/ and certain other files, which makes it easier for remote attackers to obtain sensitive information by reading (1) web-server access logs or (2) web-server Referer logs, related to a "cross-domain Referer leakage" issue. |
|
7 |
CVE-2011-4850 |
200 |
|
+Info |
2011-12-16 |
2011-12-16 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by help.php and certain other files. |
|
8 |
CVE-2011-4849 |
200 |
|
+Info |
2011-12-16 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session, as demonstrated by cookies used by help.php and certain other files. |
|
9 |
CVE-2011-4848 |
200 |
|
Bypass +Info |
2011-12-16 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.4.4_build20111103.18 includes a submitted password within an HTTP response body, which allows remote attackers to obtain sensitive information by sniffing the network, as demonstrated by password handling in certain files under [email protected]/[email protected]/backup/local-repository/. |
|
10 |
CVE-2011-4767 |
200 |
|
+Info |
2011-12-16 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Business Panel 10.2.0 has web pages containing e-mail addresses that are not intended for correspondence about the local application deployment, which allows remote attackers to obtain potentially sensitive information by reading a page, as demonstrated by js/Wizard/Status.js and certain other files. |
|
11 |
CVE-2011-4766 |
200 |
|
+Info |
2011-12-16 |
2011-12-16 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
** DISPUTED ** The Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Business Panel 10.2.0 allows remote attackers to obtain ASP source code via a direct request to wysiwyg/fckconfig.js. NOTE: CVE disputes this issue because ASP is only used in a JavaScript comment. |
|
12 |
CVE-2011-4765 |
200 |
|
+Info |
2011-12-16 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Site Editor (aka SiteBuilder) feature in Parallels Plesk Small Business Panel 10.2.0 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by Wizard/Edit/Modules/ImageGallery/MultiImagesUpload and certain other files. |
|
13 |
CVE-2011-4760 |
200 |
|
+Info |
2011-12-16 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Parallels Plesk Small Business Panel 10.2.0 has web pages containing e-mail addresses that are not intended for correspondence about the local application deployment, which allows remote attackers to obtain potentially sensitive information by reading a page, as demonstrated by smb/email-address/list and certain other files. |
|
14 |
CVE-2011-4759 |
200 |
|
+Info |
2011-12-16 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Parallels Plesk Small Business Panel 10.2.0 generates web pages containing external links in response to GET requests with query strings for [email protected]/[email protected]/hosting/file-manager/ and certain other files, which makes it easier for remote attackers to obtain sensitive information by reading (1) web-server access logs or (2) web-server Referer logs, related to a "cross-domain Referer leakage" issue. |
|
15 |
CVE-2011-4758 |
310 |
|
+Info |
2011-12-16 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Parallels Plesk Small Business Panel 10.2.0 receives cleartext password input over HTTP, which allows remote attackers to obtain sensitive information by sniffing the network, as demonstrated by forms in smb/auth and certain other files. |
|
16 |
CVE-2011-4756 |
200 |
|
+Info |
2011-12-16 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Parallels Plesk Small Business Panel 10.2.0 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by domains/sitebuilder_edit.php and certain other files. |
|
17 |
CVE-2011-4751 |
200 |
|
+Info |
2011-12-16 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
SmarterTools SmarterStats 6.2.4100 generates web pages containing external links in response to GET requests with query strings for frmGettingStarted.aspx, which makes it easier for remote attackers to obtain sensitive information by reading (1) web-server access logs or (2) web-server Referer logs, related to a "cross-domain Referer leakage" issue. |
|
18 |
CVE-2011-4748 |
200 |
|
+Info |
2011-12-16 |
2019-04-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The billing system for Parallels Plesk Panel 10.3.1_build1013110726.09 has web pages containing e-mail addresses that are not intended for correspondence about the local application deployment, which allows remote attackers to obtain potentially sensitive information by reading a page, as demonstrated by js/ajax/core/ajax.inc.js and certain other files. |
|
19 |
CVE-2011-4742 |
200 |
|
+Info |
2011-12-16 |
2019-04-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 has web pages containing e-mail addresses that are not intended for correspondence about the local application deployment, which allows remote attackers to obtain potentially sensitive information by reading a page, as demonstrated by smb/user/list and certain other files. |
|
20 |
CVE-2011-4741 |
200 |
|
+Info |
2011-12-16 |
2019-04-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 includes a database connection string within a web page, which allows remote attackers to obtain potentially sensitive information by reading this page, as demonstrated by [email protected]/[email protected]/hosting/aspdotnet/. |
|
21 |
CVE-2011-4740 |
200 |
|
+Info |
2011-12-16 |
2019-04-22 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 generates web pages containing external links in response to GET requests with query strings for smb/app/search-data/catalogId/marketplace and certain other files, which makes it easier for remote attackers to obtain sensitive information by reading (1) web-server access logs or (2) web-server Referer logs, related to a "cross-domain Referer leakage" issue. |
|
22 |
CVE-2011-4738 |
200 |
|
+Info |
2011-12-16 |
2019-04-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by get_password.php and certain other files. |
|
23 |
CVE-2011-4737 |
200 |
|
Bypass +Info |
2011-12-16 |
2019-04-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 includes a submitted password within an HTTP response body, which allows remote attackers to obtain sensitive information by sniffing the network, as demonstrated by password handling in [email protected]/[email protected]/odbc/[email protected]/properties/. |
|
24 |
CVE-2011-4736 |
310 |
|
+Info |
2011-12-16 |
2019-04-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Control Panel in Parallels Plesk Panel 10.2.0 build 20110407.20 receives cleartext password input over HTTP, which allows remote attackers to obtain sensitive information by sniffing the network, as demonstrated by forms in login_up.php3 and certain other files. |
|
25 |
CVE-2011-4731 |
200 |
|
+Info |
2011-12-16 |
2019-04-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 includes an RFC 1918 IP address within a web page, which allows remote attackers to obtain potentially sensitive information by reading this page, as demonstrated by admin/home/admin and certain other files. |
|
26 |
CVE-2011-4729 |
|
|
+Info |
2011-12-16 |
2019-04-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 does not include the HTTPOnly flag in a Set-Cookie header for a cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, as demonstrated by cookies used by login_up.php3 and certain other files. |
|
27 |
CVE-2011-4728 |
200 |
|
+Info |
2011-12-16 |
2019-04-22 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Server Administration Panel in Parallels Plesk Panel 10.2.0_build1011110331.18 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session, as demonstrated by cookies used by login_up.php3 and certain other files. |
|
28 |
CVE-2011-4723 |
310 |
|
+Info |
2011-12-20 |
2023-04-26 |
6.8 |
None |
Remote |
Low |
??? |
Complete |
None |
None |
|
The D-Link DIR-300 router stores cleartext passwords, which allows context-dependent attackers to obtain sensitive information via unspecified vectors. |
|
29 |
CVE-2011-4598 |
200 |
|
DoS +Info |
2011-12-15 |
2012-09-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
The handle_request_info function in channels/chan_sip.c in Asterisk Open Source 1.6.2.x before 1.6.2.21 and 1.8.x before 1.8.7.2, when automon is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted sequence of SIP requests. |
|
30 |
CVE-2011-4597 |
200 |
|
+Info |
2011-12-15 |
2012-11-06 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The SIP over UDP implementation in Asterisk Open Source 1.4.x before 1.4.43, 1.6.x before 1.6.2.21, and 1.8.x before 1.8.7.2 uses different port numbers for responses to invalid requests depending on whether a SIP username exists, which allows remote attackers to enumerate usernames via a series of requests. |
|
31 |
CVE-2011-4507 |
310 |
|
Bypass +Info |
2011-11-22 |
2011-11-22 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The D-Link DIR-685 router, when certain WPA and WPA2 configurations are used, does not maintain an encrypted wireless network during transfer of a large amount of network traffic, which allows remote attackers to obtain sensitive information or bypass authentication via a Wi-Fi device. |
|
32 |
CVE-2011-4497 |
200 |
|
+Info |
2011-11-21 |
2011-11-21 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
QIS_wizard.htm on the ASUS RT-N56U router with firmware before 1.0.1.4o allows remote attackers to obtain the administrator password via a flag=detect request. |
|
33 |
CVE-2011-4457 |
200 |
|
+Info |
2011-11-17 |
2011-11-18 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
OWASP HTML Sanitizer (aka owasp-java-html-sanitizer) before 88, when JavaScript is disabled, allows user-assisted remote attackers to obtain potentially sensitive information via a crafted FORM element within a NOSCRIPT element. |
|
34 |
CVE-2011-4435 |
264 |
|
+Info |
2011-11-11 |
2011-12-13 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The web-server component in the Consolidation and Analysis Engine (CAE) Server in DB2 Query Monitor in IBM DB2 Tools 2.3.0 for z/OS does not prevent directory browsing, which allows remote attackers to obtain sensitive information via HTTP requests. |
|
35 |
CVE-2011-4214 |
287 |
|
Bypass +Info |
2011-11-01 |
2012-01-27 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
OneOrZero Action & Information Management System (AIMS) 2.7.0 allows remote attackers to bypass authentication and obtain administrator privileges via a crafted oozimsrememberme cookie. |
|
36 |
CVE-2011-4169 |
|
|
DoS +Info |
2011-12-27 |
2019-10-09 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Unspecified vulnerability in HP Managed Printing Administration before 2.6.4 allows remote attackers to obtain sensitive information, modify data, or cause a denial of service via unknown vectors. |
|
37 |
CVE-2011-4158 |
|
|
+Info |
2011-11-16 |
2018-10-09 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Unspecified vulnerability in HP Directories Support for ProLiant Management Processors 3.10 and 3.20 for Integrated Lights-Out iLO2 and iLO3 allows remote authenticated users to obtain sensitive information via unknown vectors. |
|
38 |
CVE-2011-4107 |
200 |
1
|
+Info |
2011-11-17 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The simplexml_load_string function in the XML import plug-in (libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and 3.3.x before 3.3.10.5 allows remote authenticated users to read arbitrary files via XML data containing external entity references, aka an XML external entity (XXE) injection attack. |
|
39 |
CVE-2011-4048 |
255 |
|
+Info |
2011-11-12 |
2015-10-03 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Dell KACE K2000 System Deployment Appliance has a default username and password for the read-only reporting account, which makes it easier for remote attackers to obtain sensitive information from the database by leveraging the default credentials. |
|
40 |
CVE-2011-4046 |
310 |
|
+Info |
2011-11-12 |
2011-11-15 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Dell KACE K2000 System Deployment Appliance stores the recovery account password in cleartext within a PHP script, which allows context-dependent attackers to obtain sensitive information by examining script source code. |
|
41 |
CVE-2011-3975 |
200 |
|
+Info |
2011-10-03 |
2017-08-29 |
2.6 |
None |
Remote |
High |
Not required |
Partial |
None |
None |
|
A certain HTC update for Android 2.3.4 build GRJ22, when the Sense interface is used on the HTC EVO 3D, EVO 4G, ThunderBolt, and unspecified other devices, provides the HtcLoggers.apk application, which allows user-assisted remote attackers to obtain a list of telephone numbers from a log, and other sensitive information, by leveraging the android.permission.INTERNET application permission and establishing TCP sessions to 127.0.0.1 on port 65511 and a second port. |
|
42 |
CVE-2011-3826 |
200 |
|
+Info |
2011-09-24 |
2012-05-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Zikula 1.2.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/voodoodolly/version.php and certain other files. |
|
43 |
CVE-2011-3825 |
200 |
|
+Info |
2011-09-24 |
2012-05-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Zend Framework 1.11.3 in Zend Server CE 5.1.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by Validate.php and certain other files. |
|
44 |
CVE-2011-3824 |
200 |
|
+Info |
2011-09-24 |
2012-05-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Your Own URL Shortener (YOURLS) 1.5 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by includes/auth.php and certain other files. |
|
45 |
CVE-2011-3823 |
200 |
|
+Info |
2011-09-24 |
2012-05-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Yamamah 1.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by themes/default/index.php and certain other files. |
|
46 |
CVE-2011-3822 |
200 |
|
+Info |
2011-09-24 |
2012-05-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
XOOPS 2.5.0 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by modules/system/xoops_version.php and certain other files. |
|
47 |
CVE-2011-3821 |
200 |
|
+Info |
2011-09-24 |
2012-05-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
xajax 0.6 beta1 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by xajax_core/plugin_layer/xajaxScriptPlugin.inc.php and certain other files. |
|
48 |
CVE-2011-3820 |
200 |
|
+Info |
2011-09-24 |
2012-05-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WSN Software 6.0.6 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by includes/prestart.php and certain other files. |
|
49 |
CVE-2011-3819 |
200 |
|
+Info |
2011-09-24 |
2012-05-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WoW Server Status 4.1 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by status.php and certain other files. |
|
50 |
CVE-2011-3818 |
200 |
|
+Info |
2011-09-24 |
2012-05-21 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
WordPress 2.9.2 and 3.0.4 allows remote attackers to obtain sensitive information via a direct request to a .php file, which reveals the installation path in an error message, as demonstrated by wp-admin/includes/user.php and certain other files. |
