Weekly Vulnerabilities Reports > December 5 to 11, 2011
Overview
67 new vulnerabilities were reported during this period, including 11 critical vulnerabilities and 7 high severity vulnerabilities. This weekly summary reports vulnerabilities in 64 products from 44 vendors including Opera, Microsoft, Oneclickorgs, Google, and Apple. The vulnerabilities fall mainly into the categories "Permissions, Privileges, and Access Controls", "Path Traversal", "Cross-site Scripting", "Information Exposure", and "Improper Input Validation".
- 63 reported vulnerabilities are remotely exploitable.
- 6 reported vulnerabilities have a public exploit available.
- 24 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 62 reported vulnerabilities are exploitable by an anonymous user.
- Opera has the most reported vulnerabilities, with 10 reported vulnerabilities.
- Adobe has the most reported critical vulnerabilities, with 3 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
11 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2011-12-09 | CVE-2011-4719 | Google Acer Samsung | Multiple unspecified vulnerabilities in Google Chrome before 16.0.912.63 on the Acer AC700, Samsung Series 5, and Cr-48 Chromebook platforms have unknown impact and attack vectors. | 10.0 |
2011-12-08 | CVE-2011-2653 | Novell | Path Traversal vulnerability in Novell Zenworks Asset Management 7.5: Directory traversal vulnerability in the rtrlet component in Novell ZENworks Asset Management (ZAM) 7.5 allows remote attackers to execute arbitrary code by uploading an executable file. | 10.0 |
2011-12-07 | CVE-2011-4684 | Opera | Cryptographic Issues vulnerability in Opera Browser: Opera before 11.60 does not properly handle certificate revocation, which has unspecified impact and remote attack vectors related to "corner cases." | 10.0 |
2011-12-07 | CVE-2011-4683 | Opera | Remote Security vulnerability in Opera Web Browser: Unspecified vulnerability in Opera before 11.60 has unknown impact and attack vectors, related to a "moderately severe issue." | 10.0 |
2011-12-05 | CVE-2011-4051 | Indusoft | Improper Authentication vulnerability in Indusoft web Studio 6.1/7.0: CEServer.exe in the CEServer component in the Remote Agent module in InduSoft Web Studio 6.1 and 7.0 does not require authentication, which allows remote attackers to execute arbitrary code via vectors related to creation of a file, loading a DLL, and process control. | 10.0 |
2011-12-05 | CVE-2011-2397 | Ironmountain | Improper Input Validation vulnerability in Ironmountain Connected Backup 8.4: The Agent service in Iron Mountain Connected Backup 8.4 allows remote attackers to execute arbitrary code via a crafted opcode 13 request that triggers use of the LaunchCompoundFileAnalyzer class to send request data to the System.getRunTime.exec method. | 10.0 |
2011-12-07 | CVE-2011-2462 | Adobe | Out-of-bounds Write vulnerability in Adobe Acrobat: Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011. | 9.8 |
2011-12-07 | CVE-2011-4694 | Adobe Apple Microsoft | Remote Security vulnerability in Adobe Flash Player 11.1.102.55: Unspecified vulnerability in Adobe Flash Player 11.1.102.55 on Windows and Mac OS X allows remote attackers to execute arbitrary code via a crafted SWF file, as demonstrated by the second of two vulnerabilities exploited by the Intevydis vd_adobe_fp module in VulnDisco Step Ahead (SA). | 9.3 |
2011-12-07 | CVE-2011-4693 | Adobe Apple Microsoft | Remote Security vulnerability in Adobe Flash Player 11.1.102.55: Unspecified vulnerability in Adobe Flash Player 11.1.102.55 on Windows and Mac OS X allows remote attackers to execute arbitrary code via a crafted SWF file, as demonstrated by the first of two vulnerabilities exploited by the Intevydis vd_adobe_fp module in VulnDisco Step Ahead (SA). | 9.3 |
2011-12-05 | CVE-2011-4052 | Indusoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Indusoft web Studio 6.1/7.0: Stack-based buffer overflow in CEServer.exe in the CEServer component in the Remote Agent module in InduSoft Web Studio 6.1 and 7.0 allows remote attackers to execute arbitrary code via a crafted 0x15 (aka Remove File) operation for a file with a long name. | 9.3 |
2011-12-06 | CVE-2011-4130 | Proftpd | Resource Management Errors vulnerability in Proftpd: Use-after-free vulnerability in the Response API in ProFTPD before 1.3.3g allows remote authenticated users to execute arbitrary code via vectors involving an error that occurs after an FTP data transfer. | 9.0 |
7 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2011-12-10 | CVE-2011-4357 | Brandon Long | Use of Externally-Controlled Format String vulnerability in Brandon Long Clearsilver: Format string vulnerability in the p_cgi_error function in python/neo_cgi.c in the Python CGI Kit (neo_cgi) module for Clearsilver 0.10.5 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are not properly handled when creating CGI error messages using the cgi_error API function. | 7.5 |
2011-12-08 | CVE-2011-4710 | Getpixie Lucidcrew | SQL Injection vulnerability in multiple products: Multiple SQL injection vulnerabilities in Pixie CMS 1.01 through 1.04 allow remote attackers to execute arbitrary SQL commands via the (1) pixie_user parameter and (2) Referer HTTP header in a request to the default URI. | 7.5 |
2011-12-08 | CVE-2011-2917 | Mambo Foundation | SQL Injection vulnerability in Mambo-Foundation Mambo: SQL injection vulnerability in administrator/index2.php in Mambo CMS 4.6.5 and earlier allows remote attackers to execute arbitrary SQL commands via the zorder parameter. | 7.5 |
2011-12-06 | CVE-2011-4677 | Oneclickorgs | Improper Authentication vulnerability in Oneclickorgs ONE Click Orgs: One Click Orgs before 1.2.3 does not have an off autocomplete attribute for authentication fields, which makes it easier for remote attackers to obtain access by leveraging an unattended workstation. | 7.5 |
2011-12-05 | CVE-2011-4543 | Oscommerce | Path Traversal vulnerability in Oscommerce 3.0.2: Multiple directory traversal vulnerabilities in osCommerce 3.0.2 allow remote attackers to include and execute arbitrary local files via a .. | 7.5 |
2011-12-05 | CVE-2011-4162 | HP | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in HP Protecttools Device Access Manager 6.0.0.10/6.0.0.9: The (1) AddUser, (2) AddUserEx, (3) RemoveUser, (4) RemoveUserByGuide, (5) RemoveUserEx, and (6) RemoveUserRegardless methods in HP Protect Tools Device Access Manager (PTDAM) before 6.1.0.1 allow remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via a long SidString argument. | 7.5 |
2011-12-08 | CVE-2011-0291 | Blackberry | Information Exposure vulnerability in Blackberry Tablet OS 1.0.8.4985: The BlackBerry PlayBook service on the Research In Motion (RIM) BlackBerry PlayBook tablet with software before 1.0.8.6067 allows local users to gain privileges via a crafted configuration file in a backup archive. | 7.2 |
49 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2011-12-07 | CVE-2011-4695 | Microsoft | Local Security vulnerability in Windows 7 Home Premium: Unspecified vulnerability in Microsoft Windows 7 SP1, when Java is installed, allows local users to bypass Internet Explorer sandbox restrictions and gain privileges via unknown vectors, as demonstrated by the White Phosphorus wp_ie_sandbox_escape module for Immunity CANVAS. | 6.9 |
2011-12-05 | CVE-2011-4356 | Celeryproject | Permissions, Privileges, and Access Controls vulnerability in Celeryproject Celery: Celery 2.1 and 2.2 before 2.2.8, 2.3 before 2.3.4, and 2.4 before 2.4.4 changes the effective id but not the real id during processing of the --uid and --gid arguments to celerybeat, celeryd_detach, celeryd-multi, and celeryev, which allows local users to gain privileges via vectors involving crafted code that is executed by the worker process. | 6.9 |
2011-12-08 | CVE-2011-4315 | F5 Fedoraproject Suse | Out-of-bounds Write vulnerability in multiple products: Heap-based buffer overflow in compression-pointer processing in core/ngx_resolver.c in nginx before 1.0.10 allows remote resolvers to cause a denial of service (daemon crash) or possibly have unspecified other impact via a long response. | 6.8 |
2011-12-08 | CVE-2011-1530 | MIT | Resource Management Errors vulnerability in MIT Kerberos 5.1.9/5.1.9.1/5.1.9.2: The process_tgs_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.2 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS request that triggers an error other than the KRB5_KDB_NOENTRY error. | 6.8 |
2011-12-07 | CVE-2011-4682 | Opera | Permissions, Privileges, and Access Controls vulnerability in Opera Browser: The JavaScript engine in Opera before 11.60 does not properly implement the in operator, which allows remote attackers to bypass the Same Origin Policy via vectors related to variables on different web sites. | 6.4 |
2011-12-05 | CVE-2011-4675 | Widelands | Path Traversal vulnerability in Widelands: The pathname canonicalization functionality in io/filesystem/filesystem.cc in Widelands before 15.1 expands leading ~ (tilde) characters to home-directory pathnames but does not restrict use of these characters in strings received from the network, which might allow remote attackers to conduct absolute path traversal attacks and overwrite arbitrary files via a ~ in a pathname that is used for a file transfer in an Internet game, a different vulnerability than CVE-2011-1932. | 6.4 |
2011-12-05 | CVE-2011-1932 | Widelands | Path Traversal vulnerability in Widelands: Directory traversal vulnerability in io/filesystem/filesystem.cc in Widelands before 15.1 might allow remote attackers to overwrite arbitrary files via . | 6.4 |
2011-12-06 | CVE-2011-4553 | Oneclickorgs | Improper Input Validation vulnerability in Oneclickorgs ONE Click Orgs: Multiple open redirect vulnerabilities in One Click Orgs before 1.2.3 allow (1) remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the return_to parameter, and allow (2) remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via crafted characters in the domain name of a subdomain. | 5.8 |
2011-12-06 | CVE-2011-4554 | Oneclickorgs | Improper Input Validation vulnerability in Oneclickorgs ONE Click Orgs: One Click Orgs before 1.2.3 allows remote authenticated users to trigger crafted SMTP traffic via (1) " (double quote) and newline characters in an org name or (2) " (double quote) characters in an e-mail address, related to a "2nd Order SMTP Injection" issue. | 5.5 |
2011-12-08 | CVE-2011-4716 | Dream Multimedia TV | Path Traversal vulnerability in Dream-Multimedia-Tv products: Directory traversal vulnerability in file in DreamBox DM800 1.6rc3, 1.5rc1, and earlier allows remote attackers to read arbitrary files via the file parameter. | 5.0 |
2011-12-08 | CVE-2011-4715 | Koha | Path Traversal vulnerability in Koha and Liblime Koha: Directory traversal vulnerability in cgi-bin/koha/mainpage.pl in Koha 3.4 before 3.4.7 and 3.6 before 3.6.1, and LibLime Koha 4.2 and earlier allows remote attackers to read arbitrary files via a .. | 5.0 |
2011-12-08 | CVE-2011-4714 | Vvertex | Path Traversal vulnerability in Vvertex Muster: Directory traversal vulnerability in Virtual Vertex Muster before 6.20 allows remote attackers to read arbitrary files via a \.. | 5.0 |
2011-12-08 | CVE-2011-4713 | Oscss | Path Traversal vulnerability in Oscss: Directory traversal vulnerability in catalog/content.php in osCSS2 2.1.0 and earlier allows remote attackers to read arbitrary files via a .. | 5.0 |
2011-12-08 | CVE-2011-4712 | Monoxide0184 | Path Traversal vulnerability in Monoxide0184 Oxide Webserver: Directory traversal vulnerability in Oxide WebServer allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in an HTTP request. | 5.0 |
2011-12-08 | CVE-2011-4711 | Namazu | Path Traversal vulnerability in Namazu: Multiple directory traversal vulnerabilities in namazu.cgi in Namazu before 2.0.16 allow remote attackers to read arbitrary files via a .. | 5.0 |
2011-12-08 | CVE-2011-4539 | ISC Canonical Debian | Improper Input Validation vulnerability in multiple products: dhcpd in ISC DHCP 4.x before 4.2.3-P1 and 4.1-ESV before 4.1-ESV-R4 does not properly handle regular expressions in dhcpd.conf, which allows remote attackers to cause a denial of service (daemon crash) via a crafted request packet. | 5.0 |
2011-12-08 | CVE-2011-3179 | Novell | Information Exposure vulnerability in Novell Groupwise Messenger and Messenger: The server process in Novell Messenger 2.1 and 2.2.x before 2.2.1, and Novell GroupWise Messenger 2.04 and earlier, allows remote attackers to read from arbitrary memory locations via a crafted command. | 5.0 |
2011-12-07 | CVE-2011-4692 | Apple | Permissions, Privileges, and Access Controls vulnerability in multiple products: WebKit, as used in Apple Safari 5.1.1 and earlier and Google Chrome 15 and earlier, does not prevent capture of data about the time required for image loading, which makes it easier for remote attackers to determine whether an image exists in the browser cache via crafted JavaScript code, as demonstrated by visipisi. | 5.0 |
2011-12-07 | CVE-2011-4691 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Chrome: Google Chrome 15.0.874.121 and earlier does not prevent capture of data about the times of Same Origin Policy violations during IFRAME loading attempts, which makes it easier for remote attackers to determine whether a document exists in the browser cache via crafted JavaScript code. | 5.0 |
2011-12-07 | CVE-2011-4690 | Opera | Permissions, Privileges, and Access Controls vulnerability in Opera Browser: Opera 11.60 and earlier does not prevent capture of data about the times of Same Origin Policy violations during IFRAME loading attempts, which makes it easier for remote attackers to determine whether a document exists in the browser cache via crafted JavaScript code. | 5.0 |
2011-12-07 | CVE-2011-4689 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft Internet Explorer: Microsoft Internet Explorer 6 through 9 does not prevent capture of data about the times of Same Origin Policy violations during IFRAME loading attempts, which makes it easier for remote attackers to determine whether a document exists in the browser cache via crafted JavaScript code. | 5.0 |
2011-12-07 | CVE-2011-4688 | Mozilla | Permissions, Privileges, and Access Controls vulnerability in Mozilla Firefox: Mozilla Firefox 8.0.1 and earlier does not prevent capture of data about the times of Same Origin Policy violations during IFRAME loading attempts, which makes it easier for remote attackers to determine whether a document exists in the browser cache via crafted JavaScript code. | 5.0 |
2011-12-07 | CVE-2011-4687 | Opera | Resource Management Errors vulnerability in Opera Browser: Opera before 11.60 allows remote attackers to cause a denial of service (CPU and memory consumption) via unspecified content on a web page, as demonstrated by a page under the cisco.com home page. | 5.0 |
2011-12-07 | CVE-2011-4686 | Opera | Unspecified vulnerability in Opera Browser: Unspecified vulnerability in the Web Workers implementation in Opera before 11.60 allows remote attackers to cause a denial of service (application crash) via unknown vectors. | 5.0 |
2011-12-07 | CVE-2011-4685 | Opera | Improper Input Validation vulnerability in Opera Browser: Dragonfly in Opera before 11.60 allows remote attackers to cause a denial of service (application crash) via unspecified content on a web page, as demonstrated by forbes.com. | 5.0 |
2011-12-07 | CVE-2011-4681 | Opera | Permissions, Privileges, and Access Controls vulnerability in Opera Browser: Opera before 11.60 does not properly consider the number of . | 5.0 |
2011-12-07 | CVE-2010-5073 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Chrome: The JavaScript implementation in Google Chrome 4 does not properly restrict the set of values contained in the object returned by the getComputedStyle method, which allows remote attackers to obtain sensitive information about visited web pages by calling this method. | 5.0 |
2011-12-07 | CVE-2010-5072 | Opera | Permissions, Privileges, and Access Controls vulnerability in Opera Browser 10.50: The JavaScript implementation in Opera 10.5 does not properly restrict the set of values contained in the object returned by the getComputedStyle method, which allows remote attackers to obtain sensitive information about visited web pages by calling this method. | 5.0 |
2011-12-07 | CVE-2010-5071 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft IE and Internet Explorer: The JavaScript implementation in Microsoft Internet Explorer 8.0 and earlier does not properly restrict the set of values contained in the object returned by the getComputedStyle method, which allows remote attackers to obtain sensitive information about visited web pages by calling this method. | 5.0 |
2011-12-07 | CVE-2010-5070 | Apple | Permissions, Privileges, and Access Controls vulnerability in Apple Safari: The JavaScript implementation in Apple Safari 4 does not properly restrict the set of values contained in the object returned by the getComputedStyle method, which allows remote attackers to obtain sensitive information about visited web pages by calling this method, a different vulnerability than CVE-2010-2264. | 5.0 |
2011-12-07 | CVE-2002-2437 | Mozilla | Permissions, Privileges, and Access Controls vulnerability in Mozilla Firefox, Seamonkey and Thunderbird: The JavaScript implementation in Mozilla Firefox before 4.0, Thunderbird before 3.3, and SeaMonkey before 2.1 does not properly restrict the set of values contained in the object returned by the getComputedStyle method, which allows remote attackers to obtain sensitive information about visited web pages by calling this method. | 5.0 |
2011-12-06 | CVE-2011-4678 | Oneclickorgs | Credentials Management vulnerability in Oneclickorgs ONE Click Orgs: The password reset feature in One Click Orgs before 1.2.3 generates different error messages for failed reset attempts depending on whether the e-mail address is registered, which allows remote attackers to enumerate user accounts via a series of requests. | 5.0 |
2011-12-10 | CVE-2011-4349 | Freedesktop | SQL Injection vulnerability in Freedesktop Colord: Multiple SQL injection vulnerabilities in (1) cd-mapping-db.c and (2) cd-device-db.c in colord before 0.1.15 allow local users to execute arbitrary SQL commands via vectors related to color devices and (a) device id, (b) property, or (c) profile id. | 4.6 |
2011-12-08 | CVE-2011-4709 | Hotaru | Cross-Site Scripting vulnerability in Hotaru CMS and Search Plugin: Multiple cross-site scripting (XSS) vulnerabilities in Hotaru.php in the Search plugin 1.3 for Hotaru CMS allow remote attackers to inject arbitrary web script or HTML via the (1) SITE_NAME parameter to admin_index.php, or the (2) return and (3) search parameters to index.php. | 4.3 |
2011-12-08 | CVE-2011-4708 | IBM | Cross-Site Scripting vulnerability in IBM Rational Asset Manager: Cross-site scripting (XSS) vulnerability in IBM Rational Asset Manager before 7.5.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2011-12-08 | CVE-2011-4707 | SAP | Cross-Site Scripting vulnerability in SAP Netweaver: Multiple cross-site scripting (XSS) vulnerabilities in the Virus Scan Interface in SAP Netweaver allow remote attackers to inject arbitrary web script or HTML via the (1) instname parameter to the VsiTestScan servlet and (2) name parameter to the VsiTestServlet servlet. | 4.3 |
2011-12-08 | CVE-2011-4265 | Phpwebsite | Cross-Site Scripting vulnerability in PHPwebsite: Cross-site scripting (XSS) vulnerability in phpWebSite before 1.0.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2011-12-08 | CVE-2011-4264 | Etomite | Cross-Site Scripting vulnerability in Etomite: Cross-site scripting (XSS) vulnerability in Etomite before 1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2011-12-08 | CVE-2011-4054 | CA | Cross-Site Scripting vulnerability in CA Siteminder: Cross-site scripting (XSS) vulnerability in login.fcc in CA SiteMinder R6 SP6 before CR7 and R12 SP3 before CR8 allows remote attackers to inject arbitrary web script or HTML via the postpreservationdata parameter. | 4.3 |
2011-12-07 | CVE-2011-4680 | Vtiger | Cross-Site Scripting vulnerability in Vtiger CRM: Multiple cross-site scripting (XSS) vulnerabilities in the customer portal in vtiger CRM before 5.2.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2011-12-07 | CVE-2011-4263 | APC | Cross-Site Scripting vulnerability in APC Powerchute 6.0/7.0.4/7.1: Cross-site scripting (XSS) vulnerability in Schneider Electric PowerChute Business Edition before 8.5 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2011-12-07 | CVE-2010-5074 | Mozilla | Race Condition vulnerability in Mozilla Firefox, Seamonkey and Thunderbird: The layout engine in Mozilla Firefox before 4.0, Thunderbird before 3.3, and SeaMonkey before 2.1 executes different code for visited and unvisited links during the processing of Cascading Style Sheets (CSS) token sequences, which makes it easier for remote attackers to obtain sensitive information about visited web pages via a timing attack. | 4.3 |
2011-12-07 | CVE-2010-5069 | Google | Information Exposure vulnerability in Google Chrome: The Cascading Style Sheets (CSS) implementation in Google Chrome 4 does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document. | 4.3 |
2011-12-07 | CVE-2010-5068 | Opera | Information Exposure vulnerability in Opera Browser 10.50: The Cascading Style Sheets (CSS) implementation in Opera 10.5 does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document, a related issue to CVE-2010-2264. | 4.3 |
2011-12-07 | CVE-2002-2436 | Mozilla | Information Exposure vulnerability in Mozilla Firefox, Seamonkey and Thunderbird: The Cascading Style Sheets (CSS) implementation in Mozilla Firefox before 4.0, Thunderbird before 3.3, and SeaMonkey before 2.1 does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document, a related issue to CVE-2010-2264. | 4.3 |
2011-12-07 | CVE-2002-2435 | Microsoft | Information Exposure vulnerability in Microsoft IE and Internet Explorer: The Cascading Style Sheets (CSS) implementation in Microsoft Internet Explorer 8.0 and earlier does not properly handle the :visited pseudo-class, which allows remote attackers to obtain sensitive information about visited web pages via a crafted HTML document, a related issue to CVE-2010-2264. | 4.3 |
2011-12-06 | CVE-2011-4552 | Oneclickorgs | Cross-Site Scripting vulnerability in Oneclickorgs ONE Click Orgs: Multiple cross-site scripting (XSS) vulnerabilities in One Click Orgs before 1.2.3 allow remote attackers to inject arbitrary web script or HTML via the description field of (1) a new vote or (2) the eject member proposal feature. | 4.3 |
2011-12-07 | CVE-2011-4679 | Vtiger | Permissions, Privileges, and Access Controls vulnerability in Vtiger CRM: vtiger CRM before 5.3.0 does not properly recognize the disabled status of a field in the Leads module, which allows remote authenticated users to bypass intended access restrictions by reading a previously created report. | 4.0 |
2011-12-06 | CVE-2011-4555 | Oneclickorgs | Credentials Management vulnerability in Oneclickorgs ONE Click Orgs: One Click Orgs before 1.2.3 does not require unique e-mail addresses for user accounts, which allows remote authenticated users to cause a denial of service (login disruption) or spoof votes or comments by selecting a conflicting e-mail address. | 4.0 |
0 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|