Vulnerabilities > Configuration
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2011-11-19 | CVE-2011-4404 | Configuration vulnerability in VMWare Vcenter Update Manager 4.0/4.1 The default configuration of the HTTP server in Jetty in vSphere Update Manager in VMware vCenter Update Manager 4.0 before Update 4 and 4.1 before Update 2 allows remote attackers to conduct directory traversal attacks and read arbitrary files via unspecified vectors, a related issue to CVE-2009-1523. | 5.0 |
| 2011-10-29 | CVE-2011-1370 | Configuration vulnerability in IBM Lotus Sametime The default configuration of the Sametime configuration servlet (SCS) in the server in IBM Lotus Sametime 7.0 through 8.5.2 does not enable an authentication requirement, which allows remote attackers to read the configuration settings by examining a response message. | 5.0 |
| 2011-10-05 | CVE-2000-1247 | Configuration vulnerability in Apache Jserv 1.1.2 The default configuration of the jserv-status handler in jserv.conf in Apache JServ 1.1.2 includes an "allow from 127.0.0.1" line, which allows local users to discover JDBC passwords or other sensitive information via a direct request to the jserv/ URI. | 2.1 |
| 2011-08-18 | CVE-2011-2981 | Configuration vulnerability in Mozilla Firefox, Seamonkey and Thunderbird The event-management implementation in Mozilla Firefox before 3.6.20, SeaMonkey 2.x, Thunderbird 3.x before 3.1.12, and possibly other products does not properly select the context for script to run in, which allows remote attackers to bypass the Same Origin Policy or execute arbitrary JavaScript code with chrome privileges via a crafted web site. | 9.3 |
| 2011-08-05 | CVE-2011-3008 | Configuration vulnerability in Avaya Secure Access Link Gateway 1.5/1.8/2.0 The default configuration of Avaya Secure Access Link (SAL) Gateway 1.5, 1.8, and 2.0 contains certain domain names in the Secondary Core Server URL and Secondary Remote Server URL fields, which allows remote attackers to obtain sensitive information by leveraging administrative access to these domain names, as demonstrated by alarm and log information. | 5.0 |
| 2011-07-06 | CVE-2011-2666 | Configuration vulnerability in Digium Asterisk The default configuration of the SIP channel driver in Asterisk Open Source 1.4.x through 1.4.41.2 and 1.6.2.x through 1.6.2.18.2 does not enable the alwaysauthreject option, which allows remote attackers to enumerate account names by making a series of invalid SIP requests and observing the differences in the responses for different usernames, a different vulnerability than CVE-2011-2536. | 5.0 |
| 2011-06-09 | CVE-2011-2395 | Configuration vulnerability in Cisco IOS The Neighbor Discovery (ND) protocol implementation in Cisco IOS on unspecified switches allows remote attackers to bypass the Router Advertisement Guarding functionality via a fragmented IPv6 packet in which the Router Advertisement (RA) message is contained in the second fragment, as demonstrated by (1) a packet in which the first fragment contains a long Destination Options extension header or (2) a packet in which the first fragment contains an ICMPv6 Echo Request message. | 5.0 |
| 2011-05-31 | CVE-2011-1645 | Configuration vulnerability in Cisco products The web management interface on the Cisco RVS4000 Gigabit Security Router with software 1.x before 1.3.3.4 and 2.x before 2.0.2.7, and the WRVS4400N Gigabit Security Router with software before 2.0.2.1, allows remote attackers to read the backup configuration file, and consequently execute arbitrary code, via unspecified vectors, aka Bug ID CSCtn23871. | 9.3 |
| 2011-05-24 | CVE-2011-2166 | Configuration vulnerability in Dovecot script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script. | 6.5 |
| 2011-05-24 | CVE-2011-1424 | Configuration vulnerability in EMC Sourceone Email Management 6.5.2.3668 The default configuration of ExShortcut\Web.config in EMC SourceOne Email Management before 6.6 SP1, when the Mobile Services component is used, does not properly set the localOnly attribute of the trace element, which allows remote authenticated users to obtain sensitive information via ASP.NET Application Tracing. | 3.5 |