Weekly Vulnerabilities Reports > February 20 to 26, 2012
Overview
74 new vulnerabilities were reported during this period, including 18 critical vulnerabilities and 11 high severity vulnerabilities. This weekly summary reports vulnerabilities in 55 products from 34 vendors including Advantech, SAP, IBM, Microsoft, and Cisco. The vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "SQL Injection", "Cross-Site Request Forgery (CSRF)", and "Path Traversal".
- 74 reported vulnerabilities are remotely exploitable.
- 2 reported vulnerabilities have a public exploit available.
- 36 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
- 64 reported vulnerabilities are exploitable by an anonymous user.
- Advantech has the most reported vulnerabilities, with 21 reported vulnerabilities.
- Advantech has the most reported critical vulnerabilities, with 8 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
18 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-02-23 | CVE-2012-1288 | UTC | Credentials Management vulnerability in UTC Fire & Security Ge-Mc100-Ntp/Gps-Zb Master Clock Device The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock device uses hardcoded credentials for an administrative account, which makes it easier for remote attackers to obtain access via an HTTP session. | 10.0 |
2012-02-21 | CVE-2012-0243 | Advantech | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Advantech Webaccess 5.0/6.0 Buffer overflow in an ActiveX control in bwocxrun.ocx in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to execute arbitrary code by leveraging the ability to write arbitrary content to any pathname. | 10.0 |
2012-02-21 | CVE-2012-0242 | Advantech | Use of Externally-Controlled Format String vulnerability in Advantech Webaccess 5.0/6.0 Format string vulnerability in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to execute arbitrary code via format string specifiers in a message string. | 10.0 |
2012-02-21 | CVE-2012-0240 | Advantech | Improper Authentication vulnerability in Advantech Webaccess 5.0/6.0 GbScriptAddUp.asp in Advantech/BroadWin WebAccess before 7.0 does not properly perform authentication, which allows remote attackers to execute arbitrary code via unspecified vectors. | 10.0 |
2012-02-21 | CVE-2012-0238 | Advantech | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Advantech Webaccess 5.0/6.0 Stack-based buffer overflow in opcImg.asp in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to execute arbitrary code via unspecified vectors. | 10.0 |
2012-02-21 | CVE-2011-4526 | Advantech | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Advantech Webaccess 5.0/6.0 Buffer overflow in an ActiveX control in Advantech/BroadWin WebAccess before 7.0 might allow remote attackers to execute arbitrary code via a long string value in unspecified parameters. | 10.0 |
2012-02-21 | CVE-2011-4525 | Advantech | Permissions, Privileges, and Access Controls vulnerability in Advantech Webaccess 5.0/6.0 Advantech/BroadWin WebAccess before 7.0 allows remote attackers to trigger the extraction of arbitrary web content into a batch file on a client system, and execute this batch file, via unspecified vectors. | 10.0 |
2012-02-21 | CVE-2011-4524 | Advantech | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Advantech Webaccess 5.0/6.0 Buffer overflow in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to execute arbitrary code via a long string value in unspecified parameters. | 10.0 |
2012-02-21 | CVE-2011-4187 | Novell Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Iprint Buffer overflow in the GetDriverSettings function in nipplib.dll in Novell iPrint Client before 5.78 on Windows allows remote attackers to execute arbitrary code via a long realm field, a different vulnerability than CVE-2011-3173. | 10.0 |
2012-02-21 | CVE-2011-4185 | Novell Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Iprint The GetPrinterURLList2 method in the ActiveX control in Novell iPrint Client before 5.78 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2008-2431 and CVE-2008-2436. | 10.0 |
2012-02-21 | CVE-2011-1914 | Advantech | Buffer Errors vulnerability in Advantech products Buffer overflow in the Advantech ADAM OLE for Process Control (OPC) Server ActiveX control in ADAM OPC Server before 3.01.012, Modbus RTU OPC Server before 3.01.010, and Modbus TCP OPC Server before 3.01.010 allows remote attackers to execute arbitrary code via unspecified vectors. | 10.0 |
2012-02-24 | CVE-2012-1206 | Hancom | Numeric Errors vulnerability in Hancom Office 2010 SE 8.5.5 Multiple integer overflows in Hancom Office 2010 SE 8.5.5 allow remote attackers to execute arbitrary code via large dimension values in a (1) JPG image to the ImportGR in the JPG image filter module (HncJpeg10.flt) or (2) PNG image to the PNG image filter module (HncPng10.flt), which triggers a heap-based buffer overflow. | 9.3 |
2012-02-22 | CVE-2012-0315 | Estsoft | Unspecified vulnerability in Estsoft Alftp 4.1/5.0/5.1 Untrusted search path vulnerability in ALFTP before 5.31 allows local users to gain privileges via a Trojan horse executable file in a directory that is accessed for reading an extensionless file, as demonstrated by executing the README.exe file when a user attempts to access the README file. | 9.3 |
2012-02-22 | CVE-2012-0223 | 7T | Unspecified vulnerability in 7T Termis 2.0/2.10 Untrusted search path vulnerability in 7-Technologies (7T) TERMIS 2.10 and earlier allows local users to gain privileges via a Trojan horse DLL in the current working directory, a different vulnerability than CVE-2012-0224. | 9.3 |
2012-02-21 | CVE-2012-0224 | 7T | Unspecified vulnerability in 7T Aquis 1.5 Untrusted search path vulnerability in 7-Technologies (7T) AQUIS 1.5 and earlier allows local users to gain privileges via a Trojan horse DLL in the current working directory, a different vulnerability than CVE-2012-0223. | 9.3 |
2012-02-21 | CVE-2011-4186 | Novell Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Iprint Heap-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.78 on Windows allows remote attackers to execute arbitrary code via a crafted client-file-name parameter in a printer-url, a different vulnerability than CVE-2011-1705. | 9.3 |
2012-02-25 | CVE-2012-0365 | Cisco | Path Traversal vulnerability in Cisco products Directory traversal vulnerability in the Local TFTP file-upload application on Cisco SRP 520 series devices with firmware before 1.1.26 and SRP 520W-U and 540 series devices with firmware before 1.2.4 allows remote authenticated users to upload software to arbitrary directories via unspecified vectors, aka Bug ID CSCtw56009. | 9.0 |
2012-02-25 | CVE-2012-0363 | Cisco | Code Injection vulnerability in Cisco products The web interface on Cisco SRP 520 series devices with firmware before 1.1.26 and SRP 520W-U and 540 series devices with firmware before 1.2.4 allows remote authenticated users to execute arbitrary commands via unspecified vectors, related to a "command injection vulnerability," aka Bug ID CSCtt46871. | 9.0 |
11 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-02-21 | CVE-2012-1222 | Rabidhamster | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Rabidhamster R2/Extreme 1.51/1.65 Stack-based buffer overflow in RabidHamster R2/Extreme 1.65 and earlier allows remote authenticated users to execute arbitrary code via a long string to TCP port 23. | 8.5 |
2012-02-25 | CVE-2012-0364 | Cisco | Permissions, Privileges, and Access Controls vulnerability in Cisco products Cisco SRP 520 series devices with firmware before 1.1.26 and SRP 520W-U and 540 series devices with firmware before 1.2.4 allow remote attackers to replace the configuration file via an upload request to an unspecified URL, aka Bug ID CSCtw55495. | 7.8 |
2012-02-24 | CVE-2012-1210 | Powie | SQL Injection vulnerability in Powie Pfile 1.02 SQL injection vulnerability in pfile/file.php in Powie pFile 1.02 allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2012-02-24 | CVE-2012-1205 | Alanft Wordpress | Code Injection vulnerability in Alanft Relocate-Upload 0.10/0.11 PHP remote file inclusion vulnerability in relocate-upload.php in Relocate Upload plugin before 0.20 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter. | 7.5 |
2012-02-24 | CVE-2012-0999 | Lepton CMS | SQL Injection vulnerability in Lepton-Cms Lepton SQL injection vulnerability in modules/news/rss.php in LEPTON before 1.1.4 allows remote attackers to execute arbitrary SQL commands via the group_id parameter. | 7.5 |
2012-02-24 | CVE-2012-0998 | Lepton CMS | Path Traversal vulnerability in Lepton-Cms Lepton Directory traversal vulnerability in account/preferences.php in LEPTON before 1.1.4 allows remote attackers to include and execute arbitrary files via a .. | 7.5 |
2012-02-23 | CVE-2012-1294 | Contimex | SQL Injection vulnerability in Contimex Impulsio CMS SQL injection vulnerability in CONTIMEX Impulsio CMS allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. | 7.5 |
2012-02-21 | CVE-2012-1218 | Freelancerkit | SQL Injection vulnerability in Freelancerkit 2.35 Multiple SQL injection vulnerabilities in freelancerKit 2.35 allow remote attackers to execute arbitrary SQL commands via unspecified vectors to the (1) notes and (2) tickets components. | 7.5 |
2012-02-21 | CVE-2012-0244 | Advantech | SQL Injection vulnerability in Advantech Webaccess 5.0/6.0 Multiple SQL injection vulnerabilities in Advantech/BroadWin WebAccess before 7.0 allow remote attackers to execute arbitrary SQL commands via crafted string input. | 7.5 |
2012-02-21 | CVE-2012-0234 | Advantech | SQL Injection vulnerability in Advantech Webaccess 5.0/6.0 SQL injection vulnerability in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to execute arbitrary SQL commands via a malformed URL. | 7.5 |
2012-02-21 | CVE-2011-4521 | Advantech | SQL Injection vulnerability in Advantech Webaccess 5.0/6.0 SQL injection vulnerability in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to execute arbitrary SQL commands via crafted string input. | 7.5 |
45 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-02-24 | CVE-2012-0997 | 11In1 | Cross-Site Request Forgery (CSRF) vulnerability in 11In1 1.2.1 Cross-site request forgery (CSRF) vulnerability in admin/index.php in 11in1 1.2.1 stable 12-31-2011 allows remote attackers to hijack the authentication of administrators for requests that add new topics via an addTopic action. | 6.8 |
2012-02-21 | CVE-2012-1227 | Pluck CMS | Cross-Site Request Forgery (CSRF) vulnerability in Pluck-Cms Pluck 4.7 Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in pluck 4.7 allow remote attackers to hijack the authentication of admins for requests that (1) modify the admin email address or (2) modify the blog title via a settings action; (3) add a page via an editpage action, or (4) add a category via the blog module. | 6.8 |
2012-02-21 | CVE-2012-1220 | Devincentiis | Cross-Site Request Forgery (CSRF) vulnerability in Devincentiis Gazie Cross-site request forgery (CSRF) vulnerability in modules/config/admin_utente.php in GAzie 5.20 and earlier allows remote attackers to hijack the authentication of administrators for requests that change account information via an update action, as demonstrated by changing the password. | 6.8 |
2012-02-21 | CVE-2012-1216 | Pbboard | Cross-Site Request Forgery (CSRF) vulnerability in Pbboard 2.1.4 Multiple cross-site request forgery (CSRF) vulnerabilities in admin.php in PBBoard 2.1.4 allow remote attackers to hijack the authentication of administrators for requests that (1) upload a file via an add action or (2) change the contents of a file via a dit action. | 6.8 |
2012-02-21 | CVE-2012-0993 | Zenphoto | Code Injection vulnerability in Zenphoto 1.4.2 Eval injection vulnerability in zp-core/zp-extensions/viewer_size_image.php in ZENphoto 1.4.2, when the viewer_size_image plugin is enabled, allows remote attackers to execute arbitrary PHP code via the viewer_size_image_saved cookie. | 6.8 |
2012-02-21 | CVE-2012-1234 | Advantech | SQL Injection vulnerability in Advantech Webaccess 5.0/6.0 SQL injection vulnerability in Advantech/BroadWin WebAccess 7.0 allows remote authenticated users to execute arbitrary SQL commands via a malformed URL. | 6.5 |
2012-02-21 | CVE-2012-0237 | Advantech | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Advantech Webaccess 5.0/6.0 Advantech/BroadWin WebAccess before 7.0 allows remote attackers to (1) enable date and time syncing or (2) disable date and time syncing via a crafted URL. | 6.4 |
2012-02-21 | CVE-2012-1235 | Advantech | Cross-Site Request Forgery (CSRF) vulnerability in Advantech Webaccess 5.0/6.0 Cross-site request forgery (CSRF) vulnerability in Advantech/BroadWin WebAccess 7.0 allows remote authenticated users to hijack the authentication of unspecified victims via unknown vectors. | 6.0 |
2012-02-21 | CVE-2012-0994 | Zenphoto | SQL Injection vulnerability in Zenphoto 1.4.2 SQL injection vulnerability in the Manage Albums feature in zp-core/admin-albumsort.php in ZENphoto 1.4.2 allows remote authenticated users to execute arbitrary SQL commands via the sortableList parameter. | 6.0 |
2012-02-21 | CVE-2012-0235 | Advantech | Cross-Site Request Forgery (CSRF) vulnerability in Advantech Webaccess 5.0/6.0 Cross-site request forgery (CSRF) vulnerability in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 6.0 |
2012-02-21 | CVE-2012-0865 | Cubecart | Improper Input Validation vulnerability in Cubecart Multiple open redirect vulnerabilities in CubeCart 3.0.20 and earlier allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) r parameter to switch.php or (2) goto parameter to admin/login.php. | 5.8 |
2012-02-25 | CVE-2012-0453 | Mozilla | Cross-Site Request Forgery (CSRF) vulnerability in Mozilla Bugzilla Cross-site request forgery (CSRF) vulnerability in xmlrpc.cgi in Bugzilla 4.0.2 through 4.0.4 and 4.1.1 through 4.2rc2, when mod_perl is used, allows remote attackers to hijack the authentication of arbitrary users for requests that modify the product's installation via the XML-RPC API. | 5.1 |
2012-02-24 | CVE-2012-1207 | Fork CMS | Path Traversal vulnerability in Fork-Cms Fork CMS 3.2.4 Directory traversal vulnerability in frontend/core/engine/javascript.php in Fork CMS 3.2.4 and possibly other versions before 3.2.5 allows remote attackers to read arbitrary files via a .. | 5.0 |
2012-02-24 | CVE-2012-0996 | 11In1 | Path Traversal vulnerability in 11In1 1.2.1 Multiple directory traversal vulnerabilities in 11in1 1.2.1 stable 12-31-2011 allow remote attackers to read arbitrary files via a .. | 5.0 |
2012-02-23 | CVE-2012-1292 | SAP | Input Validation vulnerability in SAP Netweaver 7.0 Unspecified vulnerability in the MessagingSystem servlet in SAP NetWeaver 7.0 allows remote attackers to obtain sensitive information about the MessagingSystem Performance Data via unspecified vectors. | 5.0 |
2012-02-23 | CVE-2012-1291 | SAP | Input Validation vulnerability in SAP Netweaver 7.0 Unspecified vulnerability in the com.sap.aii.mdt.amt.web.AMTPageProcessor servlet in SAP NetWeaver 7.0 allows remote attackers to obtain sensitive information about the Adapter Monitor via unspecified vectors, possibly related to the EnableInvokerServletGlobally property in the servlet_jsp service. | 5.0 |
2012-02-23 | CVE-2012-0823 | Webmproject | Improper Input Validation vulnerability in Webmproject Libvpx VP8 Codec SDK (libvpx) before 1.0.0 "Duclair" allows remote attackers to cause a denial of service (application crash) via (1) unspecified "corrupt input" or (2) by "starting decoding from a P-frame," which triggers an out-of-bounds read, related to "the clamping of motion vectors in SPLITMV blocks". | 5.0 |
2012-02-22 | CVE-2012-1256 | Easyvista | Improper Authentication vulnerability in Easyvista The single sign-on (SSO) implementation in EasyVista before 2010.1.1.89 allows remote attackers to bypass authentication via a modified url_account parameter, in conjunction with a valid login name in the SSPI_HEADER parameter, to index.php. | 5.0 |
2012-02-22 | CVE-2012-0291 | Symantec | Improper Input Validation vulnerability in Symantec products Symantec pcAnywhere through 12.5.3, Altiris IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), Altiris Client Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), and Altiris Deployment Solution Remote pcAnywhere Solution 7.1 (aka 12.5.x and 12.6.x) allow remote attackers to cause a denial of service (application crash or hang) via (1) malformed data from a client, (2) malformed data from a server, or (3) an invalid response. | 5.0 |
2012-02-21 | CVE-2012-1223 | Rabidhamster | Information Exposure vulnerability in Rabidhamster R2/Extreme 1.51/1.65 RabidHamster R2/Extreme 1.65 and earlier uses a small search space of values for the PIN number, which allows remote attackers to obtain the PIN number via a brute force attack. | 5.0 |
2012-02-21 | CVE-2012-1221 | Rabidhamster | Path Traversal vulnerability in Rabidhamster R2/ and R2/Extreme Directory traversal vulnerability in the telnet server in RabidHamster R2/Extreme 1.65 and earlier allows remote attackers to read arbitrary files via a .. | 5.0 |
2012-02-21 | CVE-2012-0241 | Advantech | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Advantech Webaccess 5.0/6.0 Advantech/BroadWin WebAccess before 7.0 allows remote attackers to cause a denial of service (memory corruption) via a modified stream identifier to a function. | 5.0 |
2012-02-21 | CVE-2012-0239 | Advantech | Improper Authentication vulnerability in Advantech Webaccess 5.0/6.0 uaddUpAdmin.asp in Advantech/BroadWin WebAccess before 7.0 does not properly perform authentication, which allows remote attackers to modify an administrative password via a password-change request. | 5.0 |
2012-02-21 | CVE-2012-0236 | Advantech | Information Exposure vulnerability in Advantech Webaccess 5.0/6.0 Advantech/BroadWin WebAccess 7.0 and earlier allows remote attackers to obtain sensitive information via a direct request to a URL. | 5.0 |
2012-02-24 | CVE-2012-1213 | Zimbra | Cross-Site Scripting vulnerability in Zimbra Cross-site scripting (XSS) vulnerability in zimbra/h/calendar in Zimbra Web Client in Zimbra Collaboration Suite (ZCS) 6.x before 6.0.15 and 7.x before 7.1.3 allows remote attackers to inject arbitrary web script or HTML via the view parameter. | 4.3 |
2012-02-24 | CVE-2012-1212 | Smwplus | Cross-Site Scripting vulnerability in Smwplus Smw+ Cross-site scripting (XSS) vulnerability in the smwfOnSfSetTargetName function in extensions/SMWHalo/includes/SMW_Initialize.php in Semantic Enterprise Wiki (SMW+) 1.5.6, 1.6.0_2 and earlier allows remote attackers to inject arbitrary web script or HTML via the target parameter to index.php/Special:FormEdit. | 4.3 |
2012-02-24 | CVE-2012-1211 | Powie | Cross-Site Scripting vulnerability in Powie Pfile 1.02 Cross-site scripting (XSS) vulnerability in pfile/kommentar.php in Powie pFile 1.02 allows remote attackers to inject arbitrary web script or HTML via the filecat parameter. | 4.3 |
2012-02-24 | CVE-2012-1209 | Fork CMS | Cross-Site Scripting vulnerability in Fork-Cms Fork CMS 3.2.4 Cross-site scripting (XSS) vulnerability in backend/core/engine/base.php in Fork CMS 3.2.4 and possibly other versions before 3.2.5 allows remote attackers to inject arbitrary web script or HTML via the highlight parameter. | 4.3 |
2012-02-24 | CVE-2012-1208 | Fork CMS | Cross-Site Scripting vulnerability in Fork-Cms Fork CMS 3.2.4 Multiple cross-site scripting (XSS) vulnerabilities in backend/core/engine/base.php in Fork CMS 3.2.4 and possibly other versions before 3.2.5 allow remote attackers to inject arbitrary web script or HTML via the (1) report parameter to blog/settings or (2) error parameter to users/index. | 4.3 |
2012-02-24 | CVE-2012-1000 | Lepton CMS | Cross-Site Scripting vulnerability in Lepton-Cms Lepton Multiple cross-site scripting (XSS) vulnerabilities in LEPTON 1.1.3 and other versions before 1.1.4 allow remote attackers to inject arbitrary web script or HTML via the (1) message parameter to admins/login/forgot/index.php, or the (2) display_name or (3) email parameter to account/preferences.php. | 4.3 |
2012-02-23 | CVE-2012-1290 | SAP | Cross-Site Scripting vulnerability in SAP Netweaver 7.0 Cross-site scripting (XSS) vulnerability in b2b/auction/container.jsp in the Internet Sales (crm.b2b) module in SAP NetWeaver 7.0 allows remote attackers to inject arbitrary web script or HTML via the _loadPage parameter. | 4.3 |
2012-02-23 | CVE-2012-0873 | Boonex | Cross-Site Scripting vulnerability in Boonex Dolphin Multiple cross-site scripting (XSS) vulnerabilities in Boonex Dolphin before 7.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) explain parameter to explanation.php or the (2) photos_only, (3) online_only, or (4) mode parameters to viewFriends.php. | 4.3 |
2012-02-23 | CVE-2012-0707 | IBM | Cross-Site Scripting vulnerability in IBM Websphere Application Server 7.2 Cross-site scripting (XSS) vulnerability in IBM WebSphere Lombardi Edition 7.2 allows remote attackers to inject arbitrary web script or HTML via crafted text input to a coach that is configured with a document attachment control section. | 4.3 |
2012-02-21 | CVE-2012-1224 | Contentlion | Cross-Site Scripting vulnerability in Contentlion Alpha 1.3 Cross-site scripting (XSS) vulnerability in system/classes/login.php in ContentLion Alpha 1.3 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. | 4.3 |
2012-02-21 | CVE-2012-1219 | Freelancerkit | Cross-Site Scripting vulnerability in Freelancerkit 2.35 Multiple cross-site scripting (XSS) vulnerabilities in freelancerKit 2.35 allow remote attackers to inject arbitrary web script or HTML via the (1) ticket parameter to tickets.php, (2) title parameter to notes.php, or (3) task parameter to todo.php. | 4.3 |
2012-02-21 | CVE-2012-1217 | Simhl | Cross-Site Scripting vulnerability in Simhl Sths V2 web Portal 2.2 Multiple cross-site scripting (XSS) vulnerabilities in STHS v2 Web Portal 2.2 allow remote attackers to inject arbitrary web script or HTML via the team parameter to (1) prospects.php, (2) prospect.php, or (3) team.php. | 4.3 |
2012-02-21 | CVE-2012-1215 | Yoono | Cross-Site Scripting vulnerability in Yoono FOR Firefox Cross-site scripting (XSS) vulnerability in the Add friends module in the Yoono extension before 7.7.8 for Firefox allows remote attackers to inject arbitrary web script or HTML via the create field in a "Create a group" action. | 4.3 |
2012-02-21 | CVE-2012-1214 | Yoono | Cross-Site Scripting vulnerability in Yoono Desktop Cross-site scripting (XSS) vulnerability in the Add friends module in Yoono Desktop Application before 1.8.21 allows remote attackers to inject arbitrary web script or HTML via the create field in a "Create a group" action. | 4.3 |
2012-02-21 | CVE-2012-0995 | Zenphoto | Cross-Site Scripting vulnerability in Zenphoto 1.4.2 Multiple cross-site scripting (XSS) vulnerabilities in ZENphoto 1.4.2 allow remote attackers to inject arbitrary web script or HTML via the (1) msg parameter in an external action to zp-core/admin.php, (2) PATH_INFO to an unspecified URL, as demonstrated using /1/, (3) PATH_INFO to zp-core/admin.php, or (4) album parameter to zp-core/admin-edit.php. | 4.3 |
2012-02-21 | CVE-2012-0233 | Advantech | Cross-Site Scripting vulnerability in Advantech Webaccess 5.0/6.0 Cross-site scripting (XSS) vulnerability in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to inject arbitrary web script or HTML via a malformed URL. | 4.3 |
2012-02-21 | CVE-2011-4523 | Advantech | Cross-Site Scripting vulnerability in Advantech Webaccess 5.0/6.0 Cross-site scripting (XSS) vulnerability in bwview.asp in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. | 4.3 |
2012-02-21 | CVE-2011-4522 | Advantech | Cross-Site Scripting vulnerability in Advantech Webaccess 5.0/6.0 Cross-site scripting (XSS) vulnerability in bwerrdn.asp in Advantech/BroadWin WebAccess before 7.0 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. | 4.3 |
2012-02-23 | CVE-2012-1289 | SAP | Path Traversal vulnerability in SAP Netweaver 7.0 Multiple directory traversal vulnerabilities in SAP NetWeaver 7.0 allow remote authenticated users to read arbitrary files via a .. | 4.0 |
2012-02-21 | CVE-2012-0200 | IBM | Unspecified vulnerability in IBM Soliddb The server in IBM solidDB 6.5 before Interim Fix 6 does not properly initialize data structures, which allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with a redundant WHERE condition. | 4.0 |
2012-02-21 | CVE-2011-4890 | IBM | Improper Input Validation vulnerability in IBM Soliddb The server in IBM solidDB 6.5 before FP9 and 7.0 before FP1 allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with a ROWNUM condition involving a subquery. | 4.0 |
0 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|