| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2012-6063 |
399 |
|
DoS Exec Code |
2012-11-30 |
2012-12-19 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Double free vulnerability in the sftp_mkdir function in sftp.c in libssh before 0.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors, a different vector than CVE-2012-4559. |
|
2 |
CVE-2012-6051 |
310 |
|
DoS |
2012-11-28 |
2012-11-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Google CityHash computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack. |
|
3 |
CVE-2012-6050 |
16 |
1
|
DoS |
2012-11-27 |
2017-08-29 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
The winbox service in MikroTik RouterOS 5.15 and earlier allows remote attackers to cause a denial of service (CPU consumption), read the router version, and possibly have other impacts via a request to download the router's DLLs or plugins, as demonstrated by roteros.dll. |
|
4 |
CVE-2012-6049 |
200 |
1
|
+Info |
2012-11-27 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Open Solution Quick.Cart 5.0 allows remote attackers to obtain sensitive information via (1) a long string or (2) invalid characters in a cookie, which reveals the installation path in an error message. |
|
5 |
CVE-2012-6048 |
119 |
1
|
DoS Overflow |
2012-11-27 |
2012-11-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Guitar Pro 6.1.1 r10791 allows remote attackers to cause a denial of service (crash) via a long string in a gpx file. |
|
6 |
CVE-2012-6047 |
352 |
1
|
CSRF |
2012-11-27 |
2012-11-27 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in X7 Chat 2.0.5.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that add a user to an arbitrary group via the users page in an adminpanel action to index.php. |
|
7 |
CVE-2012-6046 |
94 |
1
|
|
2012-11-27 |
2017-08-29 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Static code injection vulnerability in admin/banners.php in PHP Enter allows remote attackers to inject arbitrary PHP code into horad.php via the code parameter. |
|
8 |
CVE-2012-6045 |
79 |
1
|
XSS |
2012-11-27 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in gb/user/index.php in Ramui Forum, possibly 1.0 Beta, allows remote attackers to inject arbitrary web script or HTML via the query parameter. |
|
9 |
CVE-2012-6044 |
20 |
1
|
DoS |
2012-11-26 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
M-Player 0.4 allows remote attackers to cause a denial of service (crash) via a crafted MP3 file. |
|
10 |
CVE-2012-6043 |
79 |
1
|
XSS |
2012-11-26 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter. |
|
11 |
CVE-2012-6042 |
119 |
1
|
DoS Overflow |
2012-11-26 |
2012-11-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
GPSMapEdit 1.1.73.2 allows user-assisted remote attackers to cause a denial of service (crash) via a long string in a lst file. |
|
12 |
CVE-2012-6041 |
399 |
|
Exec Code |
2012-11-26 |
2017-08-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Double free vulnerability in GreenBrowser before 6.0.1002, when the keyword search bar (F6) is activated, allows remote attackers to execute arbitrary code via a crafted iframe. |
|
13 |
CVE-2012-6040 |
79 |
1
|
XSS |
2012-11-26 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in users.php in File King Advanced File Management 1.4 allows remote attackers to inject arbitrary web script or HTML via the page parameter. |
|
14 |
CVE-2012-6039 |
89 |
1
|
Exec Code Sql |
2012-11-26 |
2012-11-27 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in view_comments.php in YABSoft Advanced Image Hosting (AIH) Script, possibly 2.3, allows remote attackers to execute arbitrary SQL commands via the gal parameter. |
|
15 |
CVE-2012-6038 |
22 |
1
|
Dir. Trav. |
2012-11-26 |
2017-08-29 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
admin/core/admin_func.php in razorCMS before 1.2.1 does not properly restrict access to certain administrator directories and files, which allows remote authenticated users to read, edit, rename, move, copy and delete files via the (1) dir parameter in a fileman or (2) filemanview action. NOTE: this issue has been referred to as a "path traversal." |
|
16 |
CVE-2012-6037 |
79 |
|
XSS |
2012-11-24 |
2013-02-08 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Mahara 1.4.x before 1.4.5 and 1.5.x before 1.5.4, and other versions including 1.2, allow remote attackers to inject arbitrary web script or HTML via a CSV header with "unknown fields," which are not properly handled in error messages in the (1) bulk user, (2) group, and (3) group member upload capabilities. NOTE: this issue was originally part of CVE-2012-2243, but that ID was SPLIT due to different issues by different researchers. |
|
17 |
CVE-2012-6036 |
264 |
|
DoS Exec Code Mem. Corr. |
2012-11-23 |
2017-08-29 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The (1) memc_save_get_next_page, (2) tmemc_restore_put_page and (3) tmemc_restore_flush_page functions in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 do not check for negative id pools, which allows local guest OS users to cause a denial of service (memory corruption and host crash) or possibly execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. |
|
18 |
CVE-2012-6035 |
20 |
|
DoS Exec Code Mem. Corr. |
2012-11-23 |
2017-08-29 |
6.9 |
None |
Local |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The do_tmem_destroy_pool function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly validate pool ids, which allows local guest OS users to cause a denial of service (memory corruption and host crash) or execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. |
|
19 |
CVE-2012-6034 |
20 |
|
DoS Exec Code Mem. Corr. |
2012-11-23 |
2017-08-29 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The (1) tmemc_save_get_next_page and (2) tmemc_save_get_next_inv functions and the (3) TMEMC_SAVE_GET_POOL_UUID sub-operation in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 "do not check incoming guest output buffer pointers," which allows local guest OS users to cause a denial of service (memory corruption and host crash) or execute arbitrary code via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. |
|
20 |
CVE-2012-6033 |
264 |
|
|
2012-11-23 |
2017-08-29 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
The do_tmem_control function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 does not properly check privileges, which allows local guest OS users to access control stack operations via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. |
|
21 |
CVE-2012-6032 |
189 |
|
DoS Overflow Mem. Corr. |
2012-11-23 |
2017-08-29 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
Multiple integer overflows in the (1) tmh_copy_from_client and (2) tmh_copy_to_client functions in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (memory corruption and host crash) via unspecified vectors. NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. |
|
22 |
CVE-2012-6031 |
20 |
|
DoS |
2012-11-23 |
2017-08-29 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The do_tmem_get function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (CPU hang and host crash) via unspecified vectors related to a spinlock being held in the "bad_copy error path." NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. |
|
23 |
CVE-2012-6030 |
20 |
|
DoS |
2012-11-23 |
2017-08-29 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
The do_tmem_op function in the Transcendent Memory (TMEM) in Xen 4.0, 4.1, and 4.2 allow local guest OS users to cause a denial of service (host crash) and possibly have other unspecified impacts via unspecified vectors related to "broken locking checks" in an "error path." NOTE: this issue was originally published as part of CVE-2012-3497, which was too general; CVE-2012-3497 has been SPLIT into this ID and others. |
|
24 |
CVE-2012-5920 |
79 |
|
XSS |
2012-11-20 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Google Web Toolkit (GWT) 2.4 through 2.5 Final, as used in JBoss Operations Network (ON) 3.1.1 and possibly other products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2012-4563. |
|
25 |
CVE-2012-5919 |
79 |
1
|
XSS |
2012-11-19 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Havalite 1.0.4 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) find or (2) replace fields to havalite/findReplace.php; (3) username parameter to havalite/hava_login.php, (4) the Edit Article module, or (5) hava_post.php in the postAuthor module; (6) postId parameter to hava_post.php; (7) userId parameter to hava_user.php; or (8) linkId parameter to hava_link.php. |
|
26 |
CVE-2012-5918 |
264 |
1
|
|
2012-11-19 |
2012-11-19 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
razorCMS 1.2 allows remote authenticated users to access administrator directories and files by creating and deleting a directory. |
|
27 |
CVE-2012-5917 |
119 |
1
|
DoS Overflow |
2012-11-17 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
SnackAmp 3.1.3 allows remote attackers to cause a denial of service (application crash) via a long string in an aiff file. |
|
28 |
CVE-2012-5916 |
200 |
1
|
+Info |
2012-11-17 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Neocrome Seditio build 161 allows remote attackers to obtain sensitive information via a direct request to (1) docs/new/seditio-createnew-160.sql, (2) docs/upgrade/sedito_convert_to_utf8.optional.sql, or (3) system/install/install.parser.sql. |
|
29 |
CVE-2012-5915 |
200 |
1
|
+Info |
2012-11-17 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Neocrome Seditio build 161 and earlier allows remote attackers to obtain sensitive information via direct request to (1) view.php, (2) plugins/contact/lang/contact.en.lang.php, (3) system/lang/en/main.lang.php, (4) system/lang/en/message.lang.php, or (5) system/core/view/view.inc.php, which reveals the installation path in an error message. |
|
30 |
CVE-2012-5914 |
79 |
1
|
XSS |
2012-11-17 |
2017-08-29 |
2.6 |
None |
Remote |
High |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the sed_import function in system/functions.php in Neocrome Seditio build 160 and 161 allow remote attackers to inject arbitrary web script or HTML via the (1) newmsg or (2) rtext parameter. NOTE: some of these details are obtained from third party information. |
|
31 |
CVE-2012-5913 |
79 |
1
|
XSS |
2012-11-17 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in wp-integrator.php in the WordPress Integrator module 1.32 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirect_to parameter to wp-login.php. |
|
32 |
CVE-2012-5912 |
89 |
2
|
Exec Code Sql |
2012-11-17 |
2017-08-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in PicoPublisher 2.0 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) page.php or (2) single.php. |
|
33 |
CVE-2012-5911 |
79 |
1
|
XSS |
2012-11-17 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in blogs/blog1.php in b2evolution 4.1.3 allows remote attackers to inject arbitrary web script or HTML via the message body. |
|
34 |
CVE-2012-5910 |
89 |
1
|
Exec Code Sql |
2012-11-17 |
2017-08-29 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in blogs/htsrv/viewfile.php in b2evolution 4.1.3 allows remote authenticated users to execute arbitrary SQL commands via the root parameter. |
|
35 |
CVE-2012-5909 |
89 |
1
|
Exec Code Sql |
2012-11-17 |
2017-08-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to execute arbitrary SQL commands via the conditions[usergroup][] parameter in a search action to admin/index.php. |
|
36 |
CVE-2012-5908 |
79 |
1
|
XSS |
2012-11-17 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in admin/modules/user/users.php in MyBB (aka MyBulletinBoard) 1.6.6 allows remote attackers to inject arbitrary web script or HTML via the conditions[usergroup][] parameter in a search action to admin/index.php. |
|
37 |
CVE-2012-5907 |
22 |
1
|
Dir. Trav. |
2012-11-17 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in json.php in TomatoCart 1.2.0 Alpha 2 and possibly earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the module parameter in a "3" action. |
|
38 |
CVE-2012-5906 |
79 |
1
|
XSS |
2012-11-17 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in GreenBrowser 6.1.0117 and 6.1.0216 allow remote attackers to inject arbitrary web script or HTML via (1) the URI in an about: page or (2) the last visited URL in the LastVisitWriteEn function in function.js. |
|
39 |
CVE-2012-5905 |
119 |
2
|
DoS Overflow |
2012-11-17 |
2017-08-29 |
4.0 |
None |
Remote |
Low |
??? |
None |
None |
Partial |
|
Buffer overflow in KnFTPd 1.0.0 allows remote authenticated users to cause a denial of service (crash) via a long string in a FEAT command. |
|
40 |
CVE-2012-5904 |
119 |
|
Exec Code Overflow |
2012-11-17 |
2017-08-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in IrfanView before 4.33 allows remote attackers to execute arbitrary code via a crafted RLE compressed bitmap file such as a DIB, RLE, or BMP image. |
|
41 |
CVE-2012-5903 |
79 |
1
|
XSS |
2012-11-17 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF) 2.0.2 allows remote attackers to inject arbitrary web script or HTML via the scheduled parameter to index.php. |
|
42 |
CVE-2012-5902 |
79 |
1
|
XSS |
2012-11-17 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in ptk/lib/modal_bookmark.php in DFLabs PTK 1.0.5 allows remote attackers to inject arbitrary web script or HTML via the arg4 parameter. |
|
43 |
CVE-2012-5901 |
264 |
1
|
|
2012-11-17 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
DFLabs PTK 1.0.5 stores data files with predictable names under the web document root with insufficient access control, which allows remote attackers to read logs, images, or reports via a direct request to the file in the (1) log, (2) images, or (3) report directory. |
|
44 |
CVE-2012-5900 |
89 |
2
|
Exec Code Sql |
2012-11-17 |
2013-01-15 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in SAMEDIA LandShop 0.9.2 allow remote attackers to execute arbitrary SQL commands via the (1) OB_ID parameter in a single action to admin/action/objects.php, (2) AREA_ID parameter in a single action to admin/action/areas.php, or (3) start parameter in a show action to admin/action/pdf.php. |
|
45 |
CVE-2012-5899 |
79 |
2
|
XSS |
2012-11-17 |
2013-01-15 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in admin/action/objects.php in SAMEDIA LandShop 0.9.2 allows remote attackers to inject arbitrary web script or HTML via the OTR_HEADS[] parameter in an edit action. NOTE: some of these details are obtained from third party information. |
|
46 |
CVE-2012-5898 |
352 |
2
|
CSRF |
2012-11-17 |
2012-11-19 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in SAMEDIA LandShop 0.9.2 allows remote attackers to hijack the authentication of administrators for requests that change account settings. |
|
47 |
CVE-2012-5897 |
264 |
1
|
|
2012-11-17 |
2017-09-02 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The (1) SimpleTree and (2) ReportTree classes in the ARDoc ActiveX control (ARDoc.dll) in Quest InTrust 10.4.0.853 and earlier do not properly implement the SaveToFile method, which allows remote attackers to write or overwrite arbitrary files via the bstrFileName argument. |
|
48 |
CVE-2012-5896 |
|
3
|
Exec Code |
2012-11-17 |
2017-08-29 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The Annotation Objects Extension ActiveX control in AnnotateX.dll in Quest InTrust 10.4.0.853 and earlier does not properly implement the Add method, which allows remote attackers to execute arbitrary code via a memory address in the first argument, related to an "uninitialized pointer." |
|
49 |
CVE-2012-5895 |
|
|
|
2012-11-17 |
2017-08-29 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Multiple unspecified vulnerabilities in iRODS before 3.1 have unknown impact and attack vectors. |
|
50 |
CVE-2012-5894 |
89 |
1
|
Exec Code Sql |
2012-11-17 |
2017-08-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in hava_post.php in Havalite CMS 1.1.0 and earlier allows remote attackers to execute arbitrary SQL commands via the postId parameter. |
