Medium

DATE	CVE	VULNERABILITY TITLE	RISK
2012-10-10	CVE-2012-3986	Improper Input Validation vulnerability in multiple products Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 do not properly restrict calls to DOMWindowUtils (aka nsDOMWindowUtils) methods, which allows remote attackers to bypass intended access restrictions via crafted JavaScript code. network mozilla canonical redhat debian suse CWE-20	4.3
2012-10-10	CVE-2012-3985	Cross-Site Scripting vulnerability in multiple products Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before 2.13 do not properly implement the HTML5 Same Origin Policy, which allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging initial-origin access after document.domain has been set. network mozilla canonical suse CWE-79	4.3
2012-10-10	CVE-2012-3984	Mozilla Firefox before 16.0, Thunderbird before 16.0, and SeaMonkey before 2.13 do not properly handle navigation away from a web page that has a SELECT element's menu active, which allows remote attackers to spoof page content via vectors involving absolute positioning and scrolling. network mozilla canonical suse	6.8
2012-10-03	CVE-2012-3489	XXE vulnerability in multiple products The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue. network low complexity postgresql opensuse apple canonical debian redhat CWE-611	6.5
2012-09-05	CVE-2012-3509	Numeric Errors vulnerability in multiple products Multiple integer overflows in the (1) _objalloc_alloc function in objalloc.c and (2) objalloc_alloc macro in include/objalloc.h in GNU libiberty, as used by binutils 2.22, allow remote attackers to cause a denial of service (crash) via vectors related to the "addition of CHUNK_HEADER_SIZE to the length," which triggers a heap-based buffer overflow. network low complexity gnu canonical debian CWE-189	5.0
2012-08-29	CVE-2012-3976	Information Exposure vulnerability in multiple products Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, and SeaMonkey before 2.12 do not properly handle onLocationChange events during navigation between different https sites, which allows remote attackers to spoof the X.509 certificate information in the address bar via a crafted web page. network mozilla opensuse suse redhat canonical CWE-200	4.3
2012-08-29	CVE-2012-3972	Information Exposure vulnerability in multiple products The format-number functionality in the XSLT implementation in Mozilla Firefox before 15.0, Firefox ESR 10.x before 10.0.7, Thunderbird before 15.0, Thunderbird ESR 10.x before 10.0.7, and SeaMonkey before 2.12 allows remote attackers to obtain sensitive information via unspecified vectors that trigger a heap-based buffer over-read. network low complexity mozilla opensuse suse redhat canonical debian CWE-200	5.0
2012-08-07	CVE-2012-2317	Cryptographic Issues vulnerability in multiple products The Debian php_crypt_revamped.patch patch for PHP 5.3.x, as used in the php5 package before 5.3.3-7+squeeze4 in Debian GNU/Linux squeeze, the php5 package before 5.3.2-1ubuntu4.17 in Ubuntu 10.04 LTS, and the php5 package before 5.3.5-1ubuntu7.10 in Ubuntu 11.04, does not properly handle an empty salt string, which might allow remote attackers to bypass authentication by leveraging an application that relies on the PHP crypt function to choose a salt for password hashing. network debian canonical CWE-310	4.3
2012-08-06	CVE-2012-3867	Permissions, Privileges, and Access Controls vulnerability in multiple products lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not properly restrict the characters in the Common Name field of a Certificate Signing Request (CSR), which makes it easier for user-assisted remote attackers to trick administrators into signing a crafted agent certificate via ANSI control sequences. network puppet puppetlabs debian canonical opensuse suse CWE-264	4.3
2012-07-25	CVE-2012-3571	Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products ISC DHCP 4.1.2 through 4.2.4 and 4.1-ESV before 4.1-ESV-R6 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a malformed client identifier. low complexity isc canonical debian CWE-119	6.1