Weekly Vulnerabilities Reports > March 12 to 18, 2012
Overview
78 new vulnerabilities reported during this period, including 25 critical vulnerabilities and 12 high severity vulnerabilities. This weekly summary report vulnerabilities in 67 products from 34 vendors including Google, Mozilla, IBM, Vmware, and Microsoft. Vulnerabilities are notably categorized as "Cross-site Scripting", "Resource Management Errors", "Information Exposure", "Permissions, Privileges, and Access Controls", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".
- 74 reported vulnerabilities are remotely exploitables.
- 1 reported vulnerabilities have public exploit available.
- 15 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 75 reported vulnerabilities are exploitable by an anonymous user.
- Google has the most reported vulnerabilities, with 15 reported vulnerabilities.
- Google has the most reported critical vulnerabilities, with 14 reported vulnerabilities.
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
VULNERABILITIES
EXPLOITABLE
EXPLOITABLE
AVAILABLE
ANONYMOUSLY
WEB APPLICATION
Vulnerability Details
The following table list reported vulnerabilities for the period covered by this report:
25 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-03-18 | CVE-2012-1774 | Gomlab | Remote Security vulnerability in Gom Media Player Unspecified vulnerability in the Open URL feature in Gretech GOM Media Player before 2.1.39.5101 has unknown impact and attack vectors, a different vulnerability than CVE-2007-5779 and CVE-2012-1264. | 10.0 |
2012-03-15 | CVE-2012-0231 | GE | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in GE Intelligent Platforms Proficy Plant Applications PRLicenseMgr.exe in the Proficy Server License Manager in GE Intelligent Platforms Proficy Plant Applications 5.0 and earlier allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TCP session on port 12401. | 10.0 |
2012-03-15 | CVE-2012-0230 | GE | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in GE Intelligent Platforms Proficy Plant Applications PRRDS.exe in the Proficy Remote Data Service in GE Intelligent Platforms Proficy Plant Applications 5.0 and earlier allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TCP session on port 12299. | 10.0 |
2012-03-15 | CVE-2012-0229 | GE | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in GE Intelligent Platforms Proficy Historian The Data Archiver service in GE Intelligent Platforms Proficy Historian 4.5 and earlier allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted session on TCP port 14000 to (1) ihDataArchiver.exe or (2) ihDataArchiver_x64.exe. | 10.0 |
2012-03-15 | CVE-2012-1485 | Netfrontlife | Security vulnerability in NetFront Life Browser for Android Unspecified vulnerability in the NetFront Life Browser (com.access_company.android.nflifebrowser.lite) application 2.2.0 and 2.3.0 for Android has unknown impact and attack vectors. | 10.0 |
2012-03-15 | CVE-2012-1484 | Wali | Security vulnerability in WaliSMS CN for Android Unspecified vulnerability in the WaliSMS CN (cn.com.wali.walisms) application 2.9.2 and 3.7.0 for Android has unknown impact and attack vectors. | 10.0 |
2012-03-15 | CVE-2012-1483 | Zhou BO | Security vulnerability in Zhou BO Message Forwarder 1.12.20110409.1 Unspecified vulnerability in the Message Forwarder (com.gmail.zbnetium) application 1.12.20110409.1 for Android has unknown impact and attack vectors. | 10.0 |
2012-03-15 | CVE-2012-1482 | Touchpal | Security vulnerability in TouchPal Contacts for Android Unspecified vulnerability in the TouchPal Contacts (com.cootek.smartdialer) application 3.3.1 and 4.0.1 for Android has unknown impact and attack vectors. | 10.0 |
2012-03-15 | CVE-2012-1481 | Kashif Masud | Security vulnerability in Kashif Masud Textdroid 2.5.2 Unspecified vulnerability in the Textdroid (com.app.android.textdroid) application 2.5.2 for Android has unknown impact and attack vectors. | 10.0 |
2012-03-14 | CVE-2012-1480 | Pansi | Unspecified vulnerability in Pansi SMS 1.97/2.01/2.07 Unspecified vulnerability in the Pansi SMS (com.pansi.msg) application 1.97, 2.01, and 2.07 for Android has unknown impact and attack vectors. | 10.0 |
2012-03-14 | CVE-2012-1479 | Movesti | Unspecified vulnerability in Movesti Acontact 1.8.2 Unspecified vulnerability in the AContact (com.movester.quickcontact) application 1.8.2 for Android has unknown impact and attack vectors. | 10.0 |
2012-03-14 | CVE-2012-1478 | Ucweb | Unspecified vulnerability in Ucweb Ucmobile Blovestorm 2.2.0/3.2.1 Unspecified vulnerability in the UCMobile BloveStorm (com.blovestorm) application 2.2.0 and 3.2.1 for Android has unknown impact and attack vectors. | 10.0 |
2012-03-14 | CVE-2012-1477 | Cnectd | Unspecified vulnerability in Cnectd 3.1.0 Unspecified vulnerability in the Cnectd (mci.cnectd) application 3.1.0 for Android has unknown impact and attack vectors. | 10.0 |
2012-03-14 | CVE-2012-1476 | Kktalk | Unspecified vulnerability in Kktalk 4.0.0/4.1.5 Unspecified vulnerability in the KKtalk (com.kkliaotian.android) application 4.0.0 and 4.1.5 for Android has unknown impact and attack vectors. | 10.0 |
2012-03-14 | CVE-2012-1475 | Qualcomm | Unspecified vulnerability in Qualcomm Yagattatalk Messenger 1.00.01.08 Unspecified vulnerability in the YagattaTalk Messenger (com.iskoot.yagatta.yagattatalk) application 1.00.01.08 for Android has unknown impact and attack vectors. | 10.0 |
2012-03-14 | CVE-2012-1474 | SDO | Unspecified vulnerability in SDO Youni SMS 2.1.0 Unspecified vulnerability in the Youni SMS (com.snda.youni) application 2.1.0c and 2.1.0d for Android has unknown impact and attack vectors. | 10.0 |
2012-03-14 | CVE-2012-1409 | Tinycouch | Unspecified vulnerability in Tinycouch Tiny Password 1.64 Unspecified vulnerability in the Tiny Password (com.tinycouch.android.freepassword) application 1.64 for Android has unknown impact and attack vectors. | 10.0 |
2012-03-14 | CVE-2012-1408 | Creative Core | Unspecified vulnerability in Creative Core APP Lock 1.7.5/1.7.6 Unspecified vulnerability in the App Lock (com.cc.applock) application 1.7.5 and 1.7.6 for Android has unknown impact and attack vectors. | 10.0 |
2012-03-14 | CVE-2012-0124 | HP | Unspecified vulnerability in HP Data Protector Express 5.0/6.0 Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.00 before build 59287 and 6.0.00 before build 11974 allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors. | 10.0 |
2012-03-14 | CVE-2012-0123 | HP | Unspecified vulnerability in HP Data Protector Express 5.0/6.0 Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.00 before build 59287 and 6.0.00 before build 11974 allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1498. | 10.0 |
2012-03-14 | CVE-2012-0122 | HP | Unspecified vulnerability in HP Data Protector Express 5.0/6.0 Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.00 before build 59287 and 6.0.00 before build 11974 allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1393. | 10.0 |
2012-03-14 | CVE-2012-0121 | HP | Unspecified vulnerability in HP Data Protector Express 5.0/6.0 Unspecified vulnerability in HP Data Protector Express (aka DPX) 5.0.00 before build 59287 and 6.0.00 before build 11974 allows remote attackers to execute arbitrary code or cause a denial of service via unknown vectors, aka ZDI-CAN-1392. | 10.0 |
2012-03-18 | CVE-2012-1264 | Gomlab | Remote Security vulnerability in Gom Media Player Unspecified vulnerability in Gretech GOM Media Player before 2.1.37.5091 allows remote attackers to execute arbitrary code via a crafted AVI file. | 9.3 |
2012-03-14 | CVE-2012-0457 | Mozilla | Resource Management Errors vulnerability in Mozilla products Use-after-free vulnerability in the nsSMILTimeValueSpec::ConvertBetweenTimeContainer function in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 might allow remote attackers to execute arbitrary code via an SVG animation. | 9.3 |
2012-03-13 | CVE-2012-0016 | Microsoft | Unspecified vulnerability in Microsoft Expression Design 2/3/4 Untrusted search path vulnerability in Microsoft Expression Design; Expression Design SP1; and Expression Design 2, 3, and 4 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .xpr or .DESIGN file, aka "Expression Design Insecure Library Loading Vulnerability." Per: http://technet.microsoft.com/en-us/security/bulletin/ms12-022 'This is a remote code execution vulnerability.' Per: http://cwe.mitre.org/data/definitions/426.html 'CWE-426: Untrusted Search Path' | 9.3 |
12 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-03-15 | CVE-2012-0398 | EMC | Permissions, Privileges, and Access Controls vulnerability in EMC Documentum Eroom EMC Documentum eRoom before 7.4.4 does not properly validate session cookies, which allows remote attackers to hijack or replay sessions via unspecified vectors. | 7.5 |
2012-03-14 | CVE-2012-0464 | Mozilla | Resource Management Errors vulnerability in Mozilla products Use-after-free vulnerability in the browser engine in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allows remote attackers to execute arbitrary code via vectors involving an empty argument to the array.join function in conjunction with the triggering of garbage collection. | 7.5 |
2012-03-14 | CVE-2012-0463 | Mozilla | Improper Input Validation vulnerability in Mozilla products The nsWindow implementation in the browser engine in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 does not check the validity of an instance after event dispatching, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors, as demonstrated by Mobile Firefox on Android. | 7.5 |
2012-03-14 | CVE-2012-0462 | Mozilla | Memory Corruption vulnerability in Mozilla Firefox/Thunderbird/SeaMonkey Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 7.5 |
2012-03-14 | CVE-2012-0461 | Mozilla | Memory Corruption vulnerability in Mozilla Firefox/Thunderbird/Seamonkey Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. | 7.5 |
2012-03-14 | CVE-2012-0459 | Mozilla | Permissions, Privileges, and Access Controls vulnerability in Mozilla products The Cascading Style Sheets (CSS) implementation in Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via dynamic modification of a keyframe followed by access to the cssText of the keyframe. | 7.5 |
2012-03-14 | CVE-2012-0454 | Mozilla Microsoft | Resource Management Errors vulnerability in Mozilla products Use-after-free vulnerability in Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 on 32-bit Windows 7 platforms allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors involving use of the file-open dialog in a child window, related to the IUnknown_QueryService function in the Windows shlwapi.dll library. | 7.5 |
2012-03-13 | CVE-2012-1663 | GNU | Resource Management Errors vulnerability in GNU Gnutls Double free vulnerability in libgnutls in GnuTLS before 3.0.14 allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted certificate list. | 7.5 |
2012-03-12 | CVE-2012-1557 | Parallels | SQL Injection vulnerability in Parallels Plesk Panel SQL injection vulnerability in admin/plib/api-rpc/Agent.php in Parallels Plesk Panel 7.x and 8.x before 8.6 MU#2, 9.x before 9.5 MU#11, 10.0.x before MU#13, 10.1.x before MU#22, 10.2.x before MU#16, and 10.3.x before MU#5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors, as exploited in the wild in March 2012. | 7.5 |
2012-03-16 | CVE-2012-1510 | Vmware | Buffer Errors vulnerability in VMWare Esx, Esxi and View Buffer overflow in the WDDM display driver in VMware ESXi 4.0, 4.1, and 5.0; VMware ESX 4.0 and 4.1; and VMware View before 4.6.1 allows guest OS users to gain guest OS privileges via unspecified vectors. | 7.2 |
2012-03-16 | CVE-2012-1509 | Vmware | Buffer Errors vulnerability in VMWare View 4.0.0/4.5/4.6.0 Buffer overflow in the XPDM display driver in VMware View before 4.6.1 allows guest OS users to gain guest OS privileges via unspecified vectors. | 7.2 |
2012-03-16 | CVE-2012-1508 | Vmware | Permissions, Privileges, and Access Controls vulnerability in VMWare Esx, Esxi and View The XPDM display driver in VMware ESXi 4.0, 4.1, and 5.0; VMware ESX 4.0 and 4.1; and VMware View before 4.6.1 allows guest OS users to gain guest OS privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors. | 7.2 |
41 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-03-13 | CVE-2012-0008 | Microsoft | Local Privilege Escalation vulnerability in Microsoft Visual Studio 2008/2010 Untrusted search path vulnerability in Microsoft Visual Studio 2008 SP1, 2010, and 2010 SP1 allows local users to gain privileges via a Trojan horse add-in in an unspecified directory, aka "Visual Studio Add-In Vulnerability." Per: http://technet.microsoft.com/en-us/security/bulletin/ms12-021 'An attacker could then place a specially crafted add-in in the path used by Visual Studio. | 6.9 |
2012-03-17 | CVE-2012-0293 | Symantec | SQL Injection vulnerability in Symantec Altiris Wise Package Studio 7/7.0 Multiple SQL injection vulnerabilities in Symantec Altiris WISE Package Studio before 8.0MR1 allow remote attackers to execute arbitrary SQL commands via unspecified vectors. | 6.8 |
2012-03-16 | CVE-2012-1514 | Vmware | Cross-Site Request Forgery (CSRF) vulnerability in VMWare Vshield Manager Cross-site request forgery (CSRF) vulnerability in VMware vShield Manager (vSM) 1.0.1 before Update 2 and 4.1.0 before Update 2 allows remote attackers to hijack the authentication of arbitrary users. | 6.8 |
2012-03-14 | CVE-2012-0458 | Mozilla | Permissions, Privileges, and Access Controls vulnerability in Mozilla products Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict setting the home page through the dragging of a URL to the home button, which allows user-assisted remote attackers to execute arbitrary JavaScript code with chrome privileges via a javascript: URL that is later interpreted in the about:sessionrestore context. | 6.8 |
2012-03-13 | CVE-2011-1397 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM products Cross-site request forgery (CSRF) vulnerability in the Labor Reporting page in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5; IBM Tivoli Asset Management for IT 6.2, 7.1, and 7.2; IBM Tivoli Service Request Manager 7.1 and 7.2; IBM Maximo Service Desk 6.2; and IBM Tivoli Change and Configuration Management Database (CCMDB) 6.2, 7.1, and 7.2 allows remote attackers to hijack the authentication of arbitrary users. | 6.8 |
2012-03-13 | CVE-2011-4816 | IBM | SQL Injection vulnerability in IBM products SQL injection vulnerability in the KPI component in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5; IBM Tivoli Asset Management for IT 6.2, 7.1, and 7.2; IBM Tivoli Service Request Manager 7.1 and 7.2; IBM Maximo Service Desk 6.2; and IBM Tivoli Change and Configuration Management Database (CCMDB) 6.2, 7.1, and 7.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | 6.5 |
2012-03-15 | CVE-2012-0232 | GE | Path Traversal vulnerability in GE Intelligent Platforms Proficy Real-Time Information Portal 2.6/3.0/3.5 Directory traversal vulnerability in rifsrvd.exe in the Remote Interface Service in GE Intelligent Platforms Proficy Real-Time Information Portal 2.6, 3.0, 3.0 SP1, and 3.5 allows remote attackers to modify the configuration via crafted strings. | 6.4 |
2012-03-15 | CVE-2011-4939 | Pidgin | Permissions, Privileges, and Access Controls vulnerability in Pidgin The pidgin_conv_chat_rename_user function in gtkconv.c in Pidgin before 2.10.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by changing a nickname while in an XMPP chat room. | 6.4 |
2012-03-14 | CVE-2012-0460 | Mozilla | Permissions, Privileges, and Access Controls vulnerability in Mozilla products Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict write access to the window.fullScreen object, which allows remote attackers to spoof the user interface via a crafted web page. | 6.4 |
2012-03-13 | CVE-2012-1472 | Vmware | Improper Input Validation vulnerability in VMWare Vcenter Chargeback Manager VMware vCenter Chargeback Manager (aka CBM) before 2.0.1 does not properly handle XML API requests, which allows remote attackers to read arbitrary files or cause a denial of service via unspecified vectors. | 6.4 |
2012-03-12 | CVE-2012-0584 | Apple Microsoft | Improper Input Validation vulnerability in Apple Safari The Internationalized Domain Name (IDN) feature in Apple Safari before 5.1.4 on Windows does not properly restrict the characters in URLs, which allows remote attackers to spoof a domain name via unspecified homoglyphs. | 6.4 |
2012-03-17 | CVE-2012-0326 | Tetsuya Aoyama | Permissions, Privileges, and Access Controls vulnerability in Tetsuya Aoyama Twicca The twicca application 0.7.0 through 0.9.30 for Android does not properly restrict the use of network privileges, which allows remote attackers to read media files on an SD card via a crafted application. | 5.0 |
2012-03-15 | CVE-2012-1165 | Openssl | Resource Management Errors vulnerability in Openssl The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted S/MIME message, a different vulnerability than CVE-2006-7250. | 5.0 |
2012-03-15 | CVE-2012-1178 | Pidgin | Resource Management Errors vulnerability in Pidgin The msn_oim_report_to_user function in oim.c in the MSN protocol plugin in libpurple in Pidgin before 2.10.2 allows remote servers to cause a denial of service (application crash) via an OIM message that lacks UTF-8 encoding. | 5.0 |
2012-03-14 | CVE-2012-0456 | Mozilla | Information Exposure vulnerability in Mozilla products The SVG Filters implementation in Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 might allow remote attackers to obtain sensitive information from process memory via vectors that trigger an out-of-bounds read. | 5.0 |
2012-03-13 | CVE-2012-0770 | Adobe | Unspecified vulnerability in Adobe Coldfusion Adobe ColdFusion 8.0, 8.0.1, 9.0, and 9.0.1 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. | 5.0 |
2012-03-13 | CVE-2012-0006 | Microsoft | Resource Management Errors vulnerability in Microsoft Windows Server 2003 and Windows Server 2008 The DNS server in Microsoft Windows Server 2003 SP2 and Server 2008 SP2, R2, and R2 SP1 does not properly handle objects in memory during record lookup, which allows remote attackers to cause a denial of service (daemon restart) via a crafted query, aka "DNS Denial of Service Vulnerability." | 5.0 |
2012-03-13 | CVE-2012-0690 | Tibco | Information Exposure vulnerability in Tibco products TIBCO Spotfire Web Application, Web Player Application, Automation Services Application, and Analytics Client Application in Spotfire Analytics Server before 10.1.2; Server before 3.3.3; and Web Player, Automation Services, and Professional before 4.0.2 allow remote attackers to obtain sensitive information via a crafted URL. | 5.0 |
2012-03-13 | CVE-2012-0689 | Tibco | Information Exposure vulnerability in Tibco products The server in TIBCO ActiveMatrix Platform in TIBCO Silver Fabric ActiveMatrix Service Grid Distribution 3.1.3, Service Grid and Service Bus 3.x before 3.1.5, BusinessWorks Service Engine 5.9.x before 5.9.3, and BPM before 1.3.0 allows remote attackers to discover credentials via unspecified vectors. | 5.0 |
2012-03-13 | CVE-2012-0687 | Tibco | Information Exposure vulnerability in Tibco products TIBCO ActiveMatrix Runtime Platform in Service Grid and Service Bus 2.x before 2.3.2 and BusinessWorks Service Engine before 5.8.2; TIBCO ActiveMatrix Platform in TIBCO Silver Fabric ActiveMatrix Service Grid Distribution 3.1.3, Service Grid and Service Bus 3.x before 3.1.5, BusinessWorks Service Engine 5.9.x before 5.9.3, and BPM before 1.3.0; TIBCO BusinessEvents Runtime in Enterprise and Inference Editions 3.x before 3.0.3, Standard Edition 4.x before 4.0.2, and Standard Edition and Express 5.0.0; and TIBCO BusinessWorks Engine in TIBCO Silver Fabric ActiveMatrix BusinessWorks Distribution 5.9.2 and ActiveMatrix BusinessWorks before 5.9.3 allow remote attackers to obtain sensitive information via a crafted URL. | 5.0 |
2012-03-13 | CVE-2012-0884 | Openssl | Cryptographic Issues vulnerability in Openssl The implementation of Cryptographic Message Syntax (CMS) and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack (MMA) adaptive chosen ciphertext attack. | 5.0 |
2012-03-13 | CVE-2011-1394 | IBM | Resource Management Errors vulnerability in IBM products IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5; IBM Tivoli Asset Management for IT 6.2, 7.1, and 7.2; IBM Tivoli Service Request Manager 7.1 and 7.2; IBM Maximo Service Desk 6.2; and IBM Tivoli Change and Configuration Management Database (CCMDB) 6.2, 7.1, and 7.2 allow remote attackers to cause a denial of service (memory consumption) by establishing many UI sessions within one HTTP session. | 5.0 |
2012-03-12 | CVE-2012-0647 | Apple | Information Exposure vulnerability in Apple Safari WebKit in Apple Safari before 5.1.4 does not properly handle redirects in conjunction with HTTP authentication, which might allow remote web servers to capture credentials by logging the Authorization HTTP header. | 5.0 |
2012-03-12 | CVE-2012-0640 | Apple | Information Exposure vulnerability in Apple Safari WebKit in Apple Safari before 5.1.4 does not properly implement "From third parties and advertisers" cookie blocking, which makes it easier for remote web servers to track users via a cookie. | 5.0 |
2012-03-12 | CVE-2012-1558 | Yassl | Resource Management Errors vulnerability in Yassl Cyassl yaSSL CyaSSL before 2.0.8 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted X.509 certificate. | 5.0 |
2012-03-16 | CVE-2012-1512 | Vmware | Cross-Site Scripting vulnerability in VMWare Vsphere 5.0 Cross-site scripting (XSS) vulnerability in the internal browser in vSphere Client in VMware vSphere 4.1 before Update 2 and 5.0 before Update 1 allows remote attackers to inject arbitrary web script or HTML via a crafted log-file entry. | 4.3 |
2012-03-16 | CVE-2012-1511 | Vmware | Cross-Site Scripting vulnerability in VMWare View 4.0.0/4.5/4.6.0 Cross-site scripting (XSS) vulnerability in View Manager Portal in VMware View before 4.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | 4.3 |
2012-03-15 | CVE-2012-0404 | EMC | Cross-Site Scripting vulnerability in EMC Documentum Eroom Cross-site scripting (XSS) vulnerability in EMC Documentum eRoom before 7.4.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2012-03-14 | CVE-2012-0455 | Mozilla | Cross-Site Scripting vulnerability in Mozilla products Mozilla Firefox before 3.6.28 and 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird before 3.1.20 and 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 do not properly restrict drag-and-drop operations on javascript: URLs, which allows user-assisted remote attackers to conduct cross-site scripting (XSS) attacks via a crafted web page, related to a "DragAndDropJacking" issue. | 4.3 |
2012-03-14 | CVE-2012-0451 | Mozilla | Code Injection vulnerability in Mozilla products CRLF injection vulnerability in Mozilla Firefox 4.x through 10.0, Firefox ESR 10.x before 10.0.3, Thunderbird 5.0 through 10.0, Thunderbird ESR 10.x before 10.0.3, and SeaMonkey before 2.8 allows remote web servers to bypass intended Content Security Policy (CSP) restrictions and possibly conduct cross-site scripting (XSS) attacks via crafted HTTP headers. | 4.3 |
2012-03-13 | CVE-2012-0152 | Microsoft | Improper Input Validation vulnerability in Microsoft Windows 7 and Windows Server 2008 The Remote Desktop Protocol (RDP) service in Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows remote attackers to cause a denial of service (application hang) via a series of crafted packets, aka "Terminal Server Denial of Service Vulnerability." | 4.3 |
2012-03-13 | CVE-2012-1099 | Rubyonrails | Cross-Site Scripting vulnerability in Rubyonrails Rails and Ruby ON Rails Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements. | 4.3 |
2012-03-13 | CVE-2012-1098 | Rubyonrails | Cross-Site Scripting vulnerability in Rubyonrails Rails and Ruby ON Rails Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods. | 4.3 |
2012-03-13 | CVE-2012-0688 | Tibco | Cross-Site Scripting vulnerability in Tibco products Cross-site scripting (XSS) vulnerability in TIBCO ActiveMatrix Platform in TIBCO Silver Fabric ActiveMatrix Service Grid Distribution 3.1.3, Service Grid and Service Bus 3.x before 3.1.5, BusinessWorks Service Engine 5.9.x before 5.9.3, and BPM before 1.3.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2012-03-13 | CVE-2012-0195 | IBM | Cross-Site Scripting vulnerability in IBM products Cross-site scripting (XSS) vulnerability in the Start Center Layout and Configuration component in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5; IBM Tivoli Asset Management for IT 6.2, 7.1, and 7.2; IBM Tivoli Service Request Manager 7.1 and 7.2; IBM Maximo Service Desk 6.2; and IBM Tivoli Change and Configuration Management Database (CCMDB) 6.2, 7.1, and 7.2 allows remote attackers to inject arbitrary web script or HTML via the display name. | 4.3 |
2012-03-13 | CVE-2011-4819 | IBM | Cross-Site Scripting vulnerability in IBM products Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5 allow remote attackers to inject arbitrary web script or HTML via the uisesionid parameter to (1) maximo.jsp or (2) the default URI under ui/. | 4.3 |
2012-03-13 | CVE-2011-4818 | IBM | Improper Input Validation vulnerability in IBM products Open redirect vulnerability in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5 allows remote authenticated users to redirect users to arbitrary web sites and conduct phishing attacks via the uisessionid parameter to an unspecified component. | 4.3 |
2012-03-13 | CVE-2011-1396 | IBM | Cross-Site Scripting vulnerability in IBM products Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5 allows remote attackers to inject arbitrary web script or HTML via the reportType parameter to an unspecified component. | 4.3 |
2012-03-13 | CVE-2011-1395 | IBM | Cross-Site Scripting vulnerability in IBM products Cross-site scripting (XSS) vulnerability in imicon.jsp in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5 allows remote attackers to inject arbitrary web script or HTML via the controlid parameter. | 4.3 |
2012-03-16 | CVE-2012-1513 | Vmware | Information Exposure vulnerability in VMWare Vcenter Orchestrator 4.0/4.1 The Web Configuration tool in VMware vCenter Orchestrator (vCO) 4.0 before Update 4, 4.1 before Update 2, and 4.2 before Update 1 places the vCenter Server password in an HTML document, which allows remote authenticated administrators to obtain sensitive information by reading this document. | 4.0 |
2012-03-13 | CVE-2011-4817 | IBM | Information Exposure vulnerability in IBM products The About option on the Help menu in IBM Maximo Asset Management and Asset Management Essentials 6.2, 7.1, and 7.5; IBM Tivoli Asset Management for IT 6.2, 7.1, and 7.2; IBM Tivoli Service Request Manager 7.1 and 7.2; IBM Maximo Service Desk 6.2; and IBM Tivoli Change and Configuration Management Database (CCMDB) 6.2, 7.1, and 7.2 shows the username, which might allow remote authenticated users to have an unspecified impact via a targeted attack against the corresponding user account. | 4.0 |
0 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|