Vulnerabilities > Configuration

DATE CVE VULNERABILITY TITLE RISK
2012-12-08 CVE-2012-4690 Configuration vulnerability in Rockwellautomation products
Rockwell Automation Allen-Bradley MicroLogix controller 1100, 1200, 1400, and 1500; SLC 500 controller platform; and PLC-5 controller platform, when Static status is not enabled, allow remote attackers to cause a denial of service via messages that trigger modification of status bits.
7.1
2012-12-05 CVE-2011-2730 Configuration vulnerability in Springsource Spring Framework
VMware SpringSource Spring Framework before 2.5.6.SEC03, 2.5.7.SR023, and 3.x before 3.0.6, when a container supports Expression Language (EL), evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a (1) name attribute in a (a) spring:hasBindErrors tag; (2) path attribute in a (b) spring:bind or (c) spring:nestedpath tag; (3) arguments, (4) code, (5) text, (6) var, (7) scope, or (8) message attribute in a (d) spring:message or (e) spring:theme tag; or (9) var, (10) scope, or (11) value attribute in a (f) spring:transform tag, aka "Expression Language Injection." Per update to Hyperlink Record 1199655 (http://support.springsource.com/security/cve-2011-2730), the score has been adjusted based on remote code execution Per update to http://support.springsource.com/security/cve-2011-2730
network
low complexity
springsource CWE-16
7.5
2012-11-27 CVE-2012-6050 Configuration vulnerability in Mikrotik Routeros 5.15
The winbox service in MikroTik RouterOS 5.15 and earlier allows remote attackers to cause a denial of service (CPU consumption), read the router version, and possibly have other impacts via a request to download the router's DLLs or plugins, as demonstrated by roteros.dll.
network
low complexity
mikrotik CWE-16
6.4
2012-11-23 CVE-2012-3496 Configuration vulnerability in multiple products
XENMEM_populate_physmap in Xen 4.0, 4.1, and 4.2, and Citrix XenServer 6.0.2 and earlier, when translating paging mode is not used, allows local PV OS guest kernels to cause a denial of service (BUG triggered and host crash) via invalid flags such as MEMF_populate_on_demand.
local
citrix xen CWE-16
4.7
2012-11-21 CVE-2012-5526 Configuration vulnerability in Andy Armstrong Cgi.Pm
CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm.
network
low complexity
andy-armstrong CWE-16
5.0
2012-11-21 CVE-2012-4537 Configuration vulnerability in XEN
Xen 3.4 through 4.2, and possibly earlier versions, does not properly synchronize the p2m and m2p tables when the set_p2m_entry function fails, which allows local HVM guest OS administrators to cause a denial of service (memory consumption and assertion failure), aka "Memory mapping failure DoS vulnerability."
local
low complexity
xen CWE-16
2.1
2012-08-23 CVE-2009-5120 Configuration vulnerability in Websense web Filter and Websense web Security
The default configuration of Apache Tomcat in Websense Manager in Websense Web Security 7.0 and Web Filter 7.0 allows connections to TCP port 1812 from arbitrary source IP addresses, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via UTF-7 text to the 404 error page of a Project Woodstock service on this port.
network
websense CWE-16
4.3
2012-08-23 CVE-2009-5119 Configuration vulnerability in Websense web Filter and Websense web Security
The default configuration of Apache Tomcat in Websense Manager in Websense Web Security 7.0 and Web Filter 7.0 enables weak SSL ciphers in conf/server.xml, which makes it easier for remote attackers to obtain sensitive information by sniffing the network and then conducting a brute-force attack against encrypted session data.
network
websense CWE-16
4.3
2012-08-07 CVE-2012-3413 Configuration vulnerability in KDE PIM 4.6/4.8
The HTMLQuoteColorer::process function in messageviewer/htmlquotecolorer.cpp in KDE PIM 4.6 through 4.8 does not disable JavaScript, Java, and Plugins, which allows remote attackers to inject arbitrary web script or HTML via a crafted email.
network
kde CWE-16
4.3
2012-08-06 CVE-2012-1909 Configuration vulnerability in Bitcoin Core and Wxbitcoin
The Bitcoin protocol, as used in bitcoind before 0.4.4, wxBitcoin, Bitcoin-Qt, and other programs, does not properly handle multiple transactions with the same identifier, which allows remote attackers to cause a denial of service (unspendable transaction) by leveraging the ability to create a duplicate coinbase transaction.
network
low complexity
bitcoin CWE-16
5.0