Weekly Vulnerabilities Reports > April 30 to May 6, 2012

Overview

164 new vulnerabilities were reported during this period, including 14 critical vulnerabilities and 24 high-severity vulnerabilities. This weekly summary reports vulnerabilities in 117 products from 26 vendors, including Oracle, Cisco, IBM, SUN, and HP. Vulnerabilities are notably categorized as "Improper Input Validation", "Permissions, Privileges, and Access Controls", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-site Scripting", and "Improper Authentication".

  • 149 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability has a public exploit available.
  • 12 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 96 reported vulnerabilities are exploitable by an anonymous user.
  • Oracle has the most reported vulnerabilities, with 80 reported vulnerabilities.
  • Vmware has the most reported critical vulnerabilities, with 4 reported vulnerabilities.

Summary chart (counts not reproduced in this extract): total vulnerabilities; critical, high, medium and low risk vulnerabilities; remotely exploitable; locally exploitable; exploit available; exploitable anonymously; affecting web application.

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


14 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-05-04 CVE-2012-0202 IBM Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in IBM Cognos TM1

Multiple stack-based buffer overflows in tm1admsd.exe in the Admin Server in IBM Cognos TM1 9.4.x and 9.5.x before 9.5.2 FP2 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via crafted data.

10.0
2012-05-03 CVE-2012-1695 Oracle
SUN
Remote Security vulnerability in Oracle JRockit

Unspecified vulnerability in the Oracle JRockit component in Oracle Fusion Middleware 28.2.2 and earlier, and JDK/JRE 5 and 6 27.7.1 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

10.0
2012-05-01 CVE-2011-3079 Opensuse
Google
Mozilla
Resource Management Errors vulnerability in multiple products

The Inter-process Communication (IPC) implementation in Google Chrome before 18.0.1025.168, as used in Mozilla Firefox before 38.0 and other products, does not properly validate messages, which has unspecified impact and attack vectors.

10.0
2012-05-04 CVE-2012-0779 Adobe
Apple
Linux
Microsoft
Google
Object Type Confusion Remote Code Execution vulnerability in Adobe Flash Player

Adobe Flash Player before 10.3.183.19 and 11.x before 11.2.202.235 on Windows, Mac OS X, and Linux; before 11.1.111.9 on Android 2.x and 3.x; and before 11.1.115.8 on Android 4.x allows remote attackers to execute arbitrary code via a crafted file, related to an "object confusion vulnerability," as exploited in the wild in May 2012.

9.3
2012-05-03 CVE-2012-0736 IBM Improper Input Validation vulnerability in IBM Rational Appscan

IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not properly create scan jobs, which allows remote attackers to execute arbitrary code via a crafted web site.

9.3
2012-05-02 CVE-2012-1819 Wellintech DLL Loading Arbitrary Code Execution vulnerability in Wellintech Kingview 6.53

Untrusted search path vulnerability in WellinTech KingView 6.53 allows local users to gain privileges via a Trojan horse DLL in the current working directory.

9.3
2012-05-02 CVE-2011-4012 Cisco Remote Security vulnerability in IOS 12.0/15.0/15.1

Cisco IOS 12.0, 15.0, and 15.1, when a Policy Feature Card 3C (PFC3C) is used, does not create a fragment entry during processing of an ICMPv6 ACL, which has unspecified impact and remote attack vectors, aka Bug ID CSCtj90091.

9.3
2012-05-01 CVE-2011-3081 Google
Apple
Use After Free vulnerability in Google Chrome

Use-after-free vulnerability in Google Chrome before 18.0.1025.168 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the floating of elements, a different vulnerability than CVE-2011-3078.

9.3
2012-05-04 CVE-2012-2450 Vmware Products Multiple Memory Corruption Privilege Escalation vulnerability in VMware

VMware Workstation 8.x before 8.0.3, VMware Player 4.x before 4.0.3, VMware Fusion 4.x before 4.1.2, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 do not properly register SCSI devices, which allows guest OS users to cause a denial of service (invalid write operation and VMX process crash) or possibly execute arbitrary code on the host OS by leveraging administrative privileges on the guest OS.

9.0
2012-05-04 CVE-2012-2449 Vmware Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in VMWare products

VMware Workstation 8.x before 8.0.3, VMware Player 4.x before 4.0.3, VMware Fusion 4.x through 4.1.2, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 do not properly configure the virtual floppy device, which allows guest OS users to cause a denial of service (out-of-bounds write operation and VMX process crash) or possibly execute arbitrary code on the host OS by leveraging administrative privileges on the guest OS.

9.0
2012-05-04 CVE-2012-1517 Vmware Buffer Errors vulnerability in VMWare ESX and Esxi

The VMX process in VMware ESXi 4.1 and ESX 4.1 does not properly handle RPC commands, which allows guest OS users to cause a denial of service (memory overwrite and process crash) or possibly execute arbitrary code on the host OS via vectors involving function pointers.

9.0
2012-05-04 CVE-2012-1516 Vmware Buffer Errors vulnerability in VMWare ESX and Esxi

The VMX process in VMware ESXi 3.5 through 4.1 and ESX 3.5 through 4.1 does not properly handle RPC commands, which allows guest OS users to cause a denial of service (memory overwrite and process crash) or possibly execute arbitrary code on the host OS via vectors involving data pointers.

9.0
2012-05-03 CVE-2012-0552 Oracle Remote Oracle Spatial vulnerability in Oracle Database Server

Unspecified vulnerability in the Oracle Spatial component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.

9.0
2012-05-03 CVE-2012-0208 Oracle Unspecified vulnerability in Oracle SUN products Suite 6.1/6.2

Unspecified vulnerability in the Oracle Grid Engine component in Oracle Sun Products Suite 6.1 and 6.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to qrsh.

9.0

24 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-05-02 CVE-2012-2004 HP
Microsoft
Improper Input Validation vulnerability in HP Insight Management Agents

Open redirect vulnerability in HP Insight Management Agents before 9.0.0.0 on Windows Server 2003 and 2008 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

8.3
2012-05-02 CVE-2012-2002 HP Improper Input Validation vulnerability in HP Snmp Agents FOR Linux

Open redirect vulnerability in HP SNMP Agents for Linux before 9.0.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

8.3
2012-05-03 CVE-2012-0378 Cisco Numeric Errors vulnerability in Cisco products

Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.0 through 8.4 allow remote attackers to cause a denial of service (connection limit exceeded) by triggering a large number of stale connections that result in an incorrect value for an MPF connection count, aka Bug ID CSCtv19854.

7.8
2012-05-03 CVE-2011-4023 Cisco Resource Management Errors vulnerability in Cisco products

Memory leak in libcmd in Cisco NX-OS 5.0 on Nexus switches allows remote authenticated users to cause a denial of service (memory consumption) via SNMP requests, aka Bug ID CSCtr65682.

7.8
2012-05-02 CVE-2011-4006 Cisco Improper Input Validation vulnerability in Cisco products

The ESMTP inspection feature on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.2 through 8.5 allows remote attackers to cause a denial of service (CPU consumption) via an unspecified closing sequence, aka Bug ID CSCtt32565.

7.8
2012-05-02 CVE-2011-3295 Cisco Improper Input Validation vulnerability in Cisco IOS XR

The NETIO and IPV4_IO processes in Cisco IOS XR 3.8 through 4.1, as used in Cisco Carrier Routing System and other products, allow remote attackers to cause a denial of service (CPU consumption) via crafted network traffic, aka Bug ID CSCti59888.

7.8
2012-05-02 CVE-2011-2578 Cisco Resource Management Errors vulnerability in Cisco IOS 15.1/15.2

Memory leak in Cisco IOS 15.1 and 15.2 allows remote attackers to cause a denial of service (memory consumption) via malformed SIP packets on a NAT interface, aka Bug ID CSCts12366.

7.8
2012-05-03 CVE-2012-0735 IBM Improper Input Validation vulnerability in IBM Rational Appscan

IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not properly scan file: URLs, which allows man-in-the-middle attackers to obtain sensitive information or possibly have unspecified other impact via a crafted URI.

7.6
2012-05-03 CVE-2012-0734 IBM Multiple Security vulnerability in IBM Rational Products

IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not properly import jobs, which allows man-in-the-middle attackers to obtain sensitive information or possibly have unspecified other impact via a crafted job.

7.6
2012-05-01 CVE-2011-3080 Google Race Condition vulnerability in Google Chrome

Race condition in the Inter-process Communication (IPC) implementation in Google Chrome before 18.0.1025.168 allows attackers to bypass intended sandbox restrictions via unspecified vectors.

7.6
2012-05-04 CVE-2012-2448 Vmware Buffer Errors vulnerability in VMWare ESX and Esxi

VMware ESXi 3.5 through 5.0 and ESX 3.5 through 4.1 allow remote attackers to execute arbitrary code or cause a denial of service (memory overwrite) via NFS traffic.

7.5
2012-05-03 CVE-2011-3620 Apache Improper Authentication vulnerability in Apache Qpid 0.12

Apache Qpid 0.12 does not properly verify credentials during the joining of a cluster, which allows remote attackers to obtain access to the messaging functionality and job functionality of a cluster by leveraging knowledge of a cluster-username.

7.5
2012-05-03 CVE-2012-1710 Oracle Unspecified vulnerability in Oracle Fusion Middleware 10.1.3.5

Unspecified vulnerability in the Oracle WebCenter Forms Recognition component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Designer, a different vulnerability than CVE-2012-1709.

7.5
2012-05-03 CVE-2012-1709 Oracle Unspecified vulnerability in Oracle Fusion Middleware 10.1.3.5

Unspecified vulnerability in the Oracle WebCenter Forms Recognition component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Designer, a different vulnerability than CVE-2012-1710.

7.5
2012-05-03 CVE-2012-0557 Oracle Remote vulnerability in Oracle Fusion Middleware 8.3.5.0/8.3.7.0

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows remote attackers to affect confidentiality, integrity, and availability, related to Outside In Image Export SDK, a different vulnerability than CVE-2012-0554, CVE-2012-0555, and CVE-2012-0556.

7.5
2012-05-03 CVE-2012-0556 Oracle Remote vulnerability in Oracle Fusion Middleware 8.3.5.0/8.3.7.0

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows remote attackers to affect confidentiality, integrity, and availability, related to Outside In Image Export SDK, a different vulnerability than CVE-2012-0554, CVE-2012-0555, and CVE-2012-0557.

7.5
2012-05-03 CVE-2012-0555 Oracle Remote vulnerability in Oracle Fusion Middleware 8.3.5.0/8.3.7.0

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows remote attackers to affect confidentiality, integrity, and availability, related to Outside In Image Export SDK, a different vulnerability than CVE-2012-0554, CVE-2012-0556, and CVE-2012-0557.

7.5
2012-05-03 CVE-2012-0554 Oracle Remote vulnerability in Oracle Fusion Middleware 8.3.5.0/8.3.7.0

Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows remote attackers to affect confidentiality, integrity, and availability, related to Outside In Image Export SDK, a different vulnerability than CVE-2012-0555, CVE-2012-0556, and CVE-2012-0557.

7.5
2012-05-03 CVE-2012-0549 Oracle Unspecified vulnerability in Oracle Supply Chain products Suite 20.1.1

Unspecified vulnerability in the Oracle AutoVue Office component in Oracle Supply Chain Products Suite 20.1.1 allows remote attackers to affect confidentiality, integrity, and availability, related to Desktop API.

7.5
2012-05-02 CVE-2012-2000 HP Remote Code Execution vulnerability in HP System Health Application and Command Line Utilities

Multiple unspecified vulnerabilities in HP System Health Application and Command Line Utilities before 9.0.0 allow remote attackers to execute arbitrary code via unknown vectors.

7.5
2012-05-04 CVE-2012-0745 IBM Permissions, Privileges, and Access Controls vulnerability in IBM AIX and Vios

The getpwnam function in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.1.0.10 through 2.2.1.3 does not properly interact with customer-extended LDAP user filtering, which allows local users to gain privileges via unspecified vectors.

7.2
2012-05-03 CVE-2012-0523 Oracle Unspecified vulnerability in Oracle SUN products Suite 6.1/6.2

Unspecified vulnerability in the Oracle Grid Engine component in Oracle Sun Products Suite 6.1 and 6.2 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to sgepasswd.

7.2
2012-05-03 CVE-2012-1324 Cisco Race Condition vulnerability in Cisco IOS 15.1/15.2

Race condition in the Zone-Based Firewall in Cisco IOS 15.1 and 15.2, when IPS policies are configured, allows remote attackers to cause a denial of service (device crash) by sending IPv6 packets, aka Bug ID CSCtk53534.

7.1
2012-05-03 CVE-2012-0519 Oracle
Microsoft
Remote Core RDBMS vulnerability in Oracle Database Server 11.2.0.2

Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.2.0.2, when running on Windows, allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.

7.1

104 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-05-01 CVE-2012-0279 Quest Permissions, Privileges, and Access Controls vulnerability in Quest Toad for Data Analysts 3.0.1

Quest Toad for Data Analysts 3.0.1 uses weak permissions (Everyone: Full Control) for the %COMMONPROGRAMFILES%\Quest Shared directory, which allows local users to gain privileges via a Trojan horse file.

6.9
2012-05-03 CVE-2012-1703 Oracle
Redhat
Mariadb

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer, a different vulnerability than CVE-2012-1690.

6.8
2012-05-03 CVE-2012-0575 Oracle Remote vulnerability in Oracle FLEXCUBE Universal Banking

Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.2.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Core.

6.8
2012-05-03 CVE-2012-1936 Wordpress Cross-Site Request Forgery (CSRF) vulnerability in Wordpress

** DISPUTED ** The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts.

6.8
2012-05-03 CVE-2012-0550 Oracle Unspecified vulnerability in Oracle Glassfish Server 3.1.1

Unspecified vulnerability in the GlassFish Enterprise Server component in Oracle Sun Products Suite GlassFish Enterprise Server 3.1.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Web Container.

6.8
2012-05-03 CVE-2012-0516 Oracle Remote Oracle iPlanet Web Server vulnerability in Oracle SUN products Suite 7.0

Unspecified vulnerability in the Oracle iPlanet Web Server component in Oracle Sun Products Suite 7.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Administration Console.

6.8
2012-05-03 CVE-2012-0731 IBM Information Exposure vulnerability in IBM Rational Appscan

IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not prevent service-account impersonation, which allows remote authenticated users to read arbitrary files via unspecified vectors.

6.8
2012-05-02 CVE-2012-2003 HP
Microsoft
Cross-Site Request Forgery (CSRF) vulnerability in HP Insight Management Agents

Cross-site request forgery (CSRF) vulnerability in HP Insight Management Agents before 9.0.0.0 on Windows Server 2003 and 2008 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

6.8
2012-05-02 CVE-2011-3293 Cisco Cross-Site Request Forgery (CSRF) vulnerability in Cisco Secure Access Control Server 5.2

Multiple cross-site request forgery (CSRF) vulnerabilities in the Solution Engine in Cisco Secure Access Control Server (ACS) 5.2 allow remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences, aka Bug ID CSCtr78143.

6.8
2012-05-01 CVE-2012-2162 IBM Cryptographic Issues vulnerability in IBM Websphere Application Server

The Web Server Plug-in in IBM WebSphere Application Server (WAS) 8.0 and earlier uses unencrypted HTTP communication after expiration of the plugin-key.kdb password, which allows remote attackers to obtain sensitive information by sniffing the network, or spoof arbitrary servers via a man-in-the-middle attack.

6.8
2012-05-01 CVE-2012-1521 Google
Apple
Use After Free vulnerability in Google Chrome

Use-after-free vulnerability in the XML parser in Google Chrome before 18.0.1025.168 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.

6.8
2012-05-01 CVE-2011-3078 Google
Apple
Use After Free vulnerability in Google Chrome

Use-after-free vulnerability in Google Chrome before 18.0.1025.168 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the floating of elements, a different vulnerability than CVE-2011-3081.

6.8
2012-05-03 CVE-2012-1691 SUN Local Solaris vulnerability in SUN Sunos 5.11

Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Kernel/Privileges.

6.6
2012-05-03 CVE-2012-0564 Oracle Remote vulnerability in Oracle PeopleSoft Enterprise PeopleTools

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50 and 8.51 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Query.

6.5
2012-05-02 CVE-2012-0337 Cisco SQL Injection vulnerability in Cisco Unified Meetingplace 7.1

SQL injection vulnerability in the web component in Cisco Unified MeetingPlace 7.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCtx08939.

6.5
2012-04-30 CVE-2012-2416 Asterisk Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Asterisk Open Source

chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.11.1 and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4, when the trustrpid option is enabled, allows remote authenticated users to cause a denial of service (daemon crash) by sending a SIP UPDATE message that triggers a connected-line update attempt without an associated channel.

6.5
2012-04-30 CVE-2012-2415 Asterisk Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Asterisk Open Source

Heap-based buffer overflow in chan_skinny.c in the Skinny channel driver in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 allows remote authenticated users to cause a denial of service or possibly have unspecified other impact via a series of KEYPAD_BUTTON_MESSAGE events.

6.5
2012-04-30 CVE-2012-2414 Asterisk Improper Authentication vulnerability in Asterisk Open Source

main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4 does not properly enforce System class authorization requirements, which allows remote authenticated users to execute arbitrary commands via (1) the originate action in the MixMonitor application, (2) the SHELL and EVAL functions in the GetVar manager action, or (3) the SHELL and EVAL functions in the Status manager action.

6.5
2012-04-30 CVE-2012-2111 Samba Permissions, Privileges, and Access Controls vulnerability in Samba

The (1) CreateAccount, (2) OpenAccount, (3) AddAccountRights, and (4) RemoveAccountRights LSA RPC procedures in smbd in Samba 3.4.x before 3.4.17, 3.5.x before 3.5.15, and 3.6.x before 3.6.5 do not properly restrict modifications to the privileges database, which allows remote authenticated users to obtain the "take ownership" privilege via an LSA connection.

6.5
2012-05-03 CVE-2012-1694 SUN Remote Solaris vulnerability in SUN Sunos 5.10

Unspecified vulnerability in Oracle Sun Solaris 10 allows remote attackers to affect confidentiality and integrity, related to libsasl.

6.4
2012-05-03 CVE-2012-0537 Oracle Remote Oracle Application Object Library vulnerability in Oracle E-Business Suite 12.1.3

Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3 allows remote attackers to affect confidentiality and integrity, related to HTML pages.

6.4
2012-05-03 CVE-2012-0511 Oracle Unspecified vulnerability in Oracle Database Server 10.2.0.4/11.1.0.7

Unspecified vulnerability in the OCI component in Oracle Database Server 10.2.0.3, 10.2.0.4, and 11.1.0.7 allows remote attackers to affect confidentiality and integrity via unknown vectors.

6.4
2012-05-03 CVE-2012-0510 Oracle Security Bypass vulnerability in Oracle Database Server OCIPasswordChange API

Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, and 11.1.0.7 allows remote attackers to affect integrity and availability via unknown vectors.

6.4
2012-05-01 CVE-2012-2217 HTC Permissions, Privileges, and Access Controls vulnerability in HTC products

The HTC IQRD service for Android on the HTC EVO 4G before 4.67.651.3, EVO Design 4G before 2.12.651.5, Shift 4G before 2.77.651.3, EVO 3D before 2.17.651.5, EVO View 4G before 2.23.651.1, Vivid before 3.26.502.56, and Hero does not restrict localhost access to TCP port 2479, which allows remote attackers to (1) send SMS messages, (2) obtain the Network Access Identifier (NAI) and its password, or trigger (3) popup messages or (4) tones via a crafted application that leverages the android.permission.INTERNET permission.

6.4
2012-05-03 CVE-2011-4231 Cisco Improper Input Validation vulnerability in Cisco IOS and IOS XE

Cisco IOS 15.1 and 15.2 and IOS XE 3.x, when configured as an IPsec hub with X.509 certificates in use, allows remote authenticated users to cause a denial of service (segmentation fault and device crash) via unspecified vectors, aka Bug ID CSCtq61128.

6.3
2012-05-03 CVE-2012-0539 SUN Local Solaris vulnerability in SUN Sunos 5.10/5.8/5.9

Unspecified vulnerability in Oracle Sun Solaris 8, 9, and 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to (1) bsmconv and (2) bsmunconv.

6.2
2012-05-03 CVE-2012-1327 Cisco Improper Access Control vulnerability in Cisco IOS

dot11t/t_if_dot11_hal_ath.c in Cisco IOS 12.3, 12.4, 15.0, and 15.1 allows remote attackers to cause a denial of service (assertion failure and reboot) via 802.11 wireless traffic, as demonstrated by a video call from Apple iOS 5.0 on an iPhone 4S, aka Bug ID CSCtt94391.

6.1
2012-05-03 CVE-2012-0733 IBM Permissions, Privileges, and Access Controls vulnerability in IBM Rational Appscan

IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1, when Integrated Windows authentication is used, allows remote authenticated users to obtain administrative privileges by hijacking a session associated with the service account.

6.0
2012-05-03 CVE-2012-0730 IBM Cross-Site Request Forgery (CSRF) vulnerability in IBM Rational Appscan

Multiple cross-site request forgery (CSRF) vulnerabilities in IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 allow remote attackers to hijack the authentication of administrators for requests that create administrative accounts.

6.0
2012-05-03 CVE-2012-0729 IBM Multiple Security vulnerability in IBM Rational Products

Unrestricted file upload vulnerability in IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 allows remote authenticated users to execute arbitrary ASP.NET code by uploading a .aspx file, and then accessing it via unspecified vectors.

6.0
2012-05-03 CVE-2012-1683 SUN Local Solaris vulnerability in Oracle Sun Products Suite

Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to gssd.

5.9
2012-05-03 CVE-2012-0551 Oracle
SUN

Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE 7 update 4 and earlier and 6 update 32 and earlier, and the GlassFish Enterprise Server component in Oracle Sun Products Suite GlassFish Enterprise Server 3.1.1, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Container or Deployment.

5.8
2012-05-03 CVE-2012-0528 Oracle Remote Session Fixation vulnerability in Oracle Database Server

Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, and 11.1.0.7, and Oracle Enterprise Manager Grid Control, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security Framework.

5.8
2012-05-03 CVE-2012-0732 IBM Cryptographic Issues vulnerability in IBM Rational Appscan

The Enterprise Console client in IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

5.8
2012-05-03 CVE-2012-0567 Oracle Remote vulnerability in Oracle FLEXCUBE Universal Banking

Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.2.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Core, a different vulnerability than CVE-2012-0545 and CVE-2012-0546.

5.5
2012-05-03 CVE-2012-0565 Oracle Remote Oracle Agile vulnerability in Oracle Supply Chain products Suite 5.2.2/6.0.0/6.1.1

Unspecified vulnerability in the Oracle Agile component in Oracle Supply Chain Products Suite 5.2.2, 6.0.0, and 6.1.1 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Install.

5.5
2012-05-03 CVE-2012-0538 Oracle Remote vulnerability in Oracle PeopleSoft Enterprise PeopleTools

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50, 8.51, and 8.52 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Search.

5.5
2012-05-03 CVE-2012-0532 Oracle Remote vulnerability in Oracle Identity Manager

Unspecified vulnerability in the Identity Manager component in Oracle Fusion Middleware 11.1.1.3 and 11.1.1.5 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to User Config Management.

5.5
2012-05-03 CVE-2012-0517 Oracle Remote vulnerability in Oracle Peoplesoft products 9.0

Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to eCompensation Manager Desktop.

5.5
2012-05-03 CVE-2012-0512 Oracle SQL Injection vulnerability in Oracle Database Server 11.1.0.7/11.2.0.2

Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Database Server 11.1.0.7 and 11.2.0.2 and Oracle Enterprise Manager Grid Control allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Enterprise Config Management.

5.5
2012-05-03 CVE-2011-4019 Cisco Resource Management Errors vulnerability in Cisco IOS and Unified Communications Manager

Memory leak in Cisco IOS 12.4 and 15.0 through 15.2, and Cisco Unified Communications Manager (CUCM) 7.x, allows remote attackers to cause a denial of service (memory consumption) via a crafted response to a SIP SUBSCRIBE message, aka Bug IDs CSCto93837 and CSCtj61883.

5.4
2012-05-02 CVE-2011-4016 Cisco Improper Input Validation vulnerability in Cisco IOS

The PPP implementation in Cisco IOS 12.2 and 15.0 through 15.2, when Point-to-Point Termination and Aggregation (PTA) and L2TP are used, allows remote attackers to cause a denial of service (device crash) via crafted network traffic, aka Bug ID CSCtf71673.

5.4
2012-05-02 CVE-2011-4007 Cisco Improper Input Validation vulnerability in Cisco IOS and IOS XE

Cisco IOS 15.0 and 15.1 and IOS XE 3.x do not properly handle the "set mpls experimental imposition" command, which allows remote attackers to cause a denial of service (device crash) via network traffic that triggers (1) fragmentation or (2) reassembly, aka Bug ID CSCtr56576.

5.4
2012-05-02 CVE-2011-2586 Cisco Improper Input Validation vulnerability in Cisco IOS 12.4/15.0

The HTTP client in Cisco IOS 12.4 and 15.0 allows user-assisted remote attackers to cause a denial of service (device crash) via a malformed HTTP response to a request for service installation, aka Bug ID CSCts12249.

5.4
2012-05-01 CVE-2012-0878 Pythonpaste Permissions, Privileges, and Access Controls vulnerability in Pythonpaste Paste

Paste Script 1.7.5 and earlier does not properly set group memberships during execution with root privileges, which might allow remote attackers to bypass intended file-access restrictions by leveraging a web application that uses the local filesystem.

5.1
2012-05-03 CVE-2012-0580 Oracle Remote Oracle Agile PLM for Process vulnerability in Oracle Supply Chain products Suite 5.2.2/6.0.0/6.1.1

Unspecified vulnerability in the Oracle Agile PLM for Process component in Oracle Supply Chain Products Suite 5.2.2, 6.0.0, and 6.1.1 allows remote attackers to affect integrity via unknown vectors related to Supplier Portal.

5.0
2012-05-03 CVE-2012-0376 Cisco Denial-Of-Service vulnerability in Cisco Unified Communications Manager 8.5

The voice-sipstack component in Cisco Unified Communications Manager (CUCM) 8.5 allows remote attackers to cause a denial of service (core dump) via vectors involving SIP messages that arrive after an upgrade, aka Bug ID CSCtj87367.

5.0
2012-05-03 CVE-2012-0535 Oracle Remote Oracle Application Object Library vulnerability in Oracle E-Business Suite 12.0.6/12.1.3

Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6 and 12.1.3 allows remote attackers to affect confidentiality via unknown vectors related to Change Password Page.

5.0
2012-05-03 CVE-2011-4232 Cisco Information Exposure vulnerability in Cisco Unified Meetingplace 6.1/8.5

The web server in Cisco Unified MeetingPlace 6.1 and 8.5 produces different responses for directory queries depending on whether the directory exists, which allows remote attackers to enumerate directory names via a series of queries, aka Bug ID CSCtt94070.

5.0
2012-05-03 CVE-2011-4022 Cisco Improper Authentication vulnerability in Cisco Intrusion Prevention System 7.0/7.1

The sensor in Cisco Intrusion Prevention System (IPS) 7.0 and 7.1 allows remote attackers to cause a denial of service (file-handle exhaustion and mainApp hang) by making authentication attempts that exceed the configured limit, aka Bug ID CSCto51204.

5.0
2012-05-02 CVE-2012-0361 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco IP Communicator

The sccp-protocol component in Cisco IP Communicator (CIPC) 7.0 through 8.6 does not limit the rate of SCCP messages to Cisco Unified Communications Manager (CUCM), which allows remote attackers to cause a denial of service via vectors that trigger (1) on hook and (2) off hook messages, as demonstrated by a Plantronics headset, aka Bug ID CSCti40315.

5.0
2012-05-02 CVE-2012-0339 Cisco Improper Input Validation vulnerability in Cisco IOS

Cisco IOS 12.2 through 12.4 and 15.0 does not recognize the vrf-also keyword during enforcement of access-class commands, which allows remote attackers to establish TELNET connections from arbitrary source IP addresses via a standard TELNET client, aka Bug ID CSCsi77774.

5.0
2012-05-02 CVE-2012-0338 Cisco Improper Input Validation vulnerability in Cisco IOS

Cisco IOS 12.2 through 12.4 and 15.0 does not recognize the vrf-also keyword during enforcement of access-class commands, which allows remote attackers to establish SSH connections from arbitrary source IP addresses via a standard SSH client, aka Bug ID CSCsv86113.

5.0
2012-05-02 CVE-2012-0335 Cisco Improper Authentication vulnerability in Cisco products

Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.2 through 8.4 do not properly perform proxy authentication during attempts to cut through a firewall, which allows remote attackers to obtain sensitive information via a connection attempt, aka Bug ID CSCtx42746.

5.0
2012-05-02 CVE-2012-0333 Cisco Improper Authentication vulnerability in Cisco products

Cisco Small Business IP phones with SPA 500 series firmware 7.4.9 and earlier do not require authentication for Push XML requests, which allows remote attackers to make telephone calls via an XML document, aka Bug ID CSCts08768.

5.0
2012-05-02 CVE-2011-4015 Cisco Improper Input Validation vulnerability in Cisco IOS 15.2S

Cisco IOS 15.2S allows remote attackers to cause a denial of service (interface queue wedge) via malformed UDP traffic on port 465, aka Bug ID CSCts48300.

5.0
2012-05-02 CVE-2011-3285 Cisco Improper Input Validation vulnerability in Cisco products

CRLF injection vulnerability in /+CSCOE+/logon.html on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.0 through 8.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors, aka Bug ID CSCth63101.

5.0
2012-05-02 CVE-2011-3283 Cisco Improper Input Validation vulnerability in Cisco Carrier Routing System 3.9.1

Cisco Carrier Routing System 3.9.1 allows remote attackers to cause a denial of service (Metro subsystem crash) via a fragmented GRE packet, aka Bug ID CSCts14887.

5.0
2012-05-02 CVE-2011-2583 Cisco Improper Input Validation vulnerability in Cisco Unified Contact Center Express 8.0/8.5

Cisco Unified Contact Center Express (aka CCX) 8.0 and 8.5 allows remote attackers to cause a denial of service via network traffic, as demonstrated by an SEC-BE-STABLE test case, aka Bug ID CSCth33834.

5.0
2012-05-03 CVE-2012-1692 SUN Local vulnerability in SUN Sunos 5.10

Unspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect availability, related to SCTP.

4.9
2012-05-03 CVE-2012-1681 SUN Unspecified vulnerability in SUN Sunos

Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allows local users to affect availability via unknown vectors related to Kernel/sockfs.

4.9
2012-05-03 CVE-2012-0573 Oracle Remote vulnerability in Oracle FLEXCUBE Universal Banking

Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.4.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Core.

4.9
2012-05-03 CVE-2012-0525 Oracle SQL Injection vulnerability in Oracle Enterprise Manager

Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Database Server 11.1.0.7, 11.2.0.2, and 11.2.0.3, and Oracle Enterprise Manager Grid Control 10.2.0.5 and 11.1.0.1, allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Enterprise Config Management.

4.9
2012-05-02 CVE-2012-2006 HP, Microsoft Remote Security vulnerability in HP Insight Management Agents (unspecified)

Unspecified vulnerability in HP Insight Management Agents before 9.0.0.0 on Windows Server 2003 and 2008 allows remote attackers to modify data or cause a denial of service via unknown vectors.

4.9
2012-05-03 CVE-2012-1706 Oracle Remote vulnerability in Oracle FLEXCUBE Direct Banking

Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 5.0.2, 5.3.0 through 5.3.4, 6.0.1, and 6.2.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Logging.

4.7
2012-05-03 CVE-2012-1328 Cisco Code Injection vulnerability in Cisco Unified IP Phone and Unified IP Phone Firmware

Cisco Unified IP Phones 9900 series devices with firmware 9.1 and 9.2 do not properly handle downloads of configuration information to an RT phone, which allows local users to gain privileges via unspecified injected data, aka Bug ID CSCts32237.

4.6
2012-05-03 CVE-2012-1708 Oracle Remote Application Express vulnerability in Oracle Database Server 4.0/4.1

Unspecified vulnerability in the Application Express component in Oracle Database Server 4.0 and 4.1 allows remote attackers to affect integrity via unknown vectors.

4.3
2012-05-03 CVE-2012-1684 SUN Unspecified vulnerability in SUN Sunos

Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Password Policy.

4.3
2012-05-03 CVE-2012-0581 Oracle Remote Oracle Agile vulnerability in Oracle Supply Chain products Suite 6.0.0

Unspecified vulnerability in the Oracle Agile component in Oracle Supply Chain Products Suite 5.2.2, 6.0.0, and 6.1.1 allows remote attackers to affect integrity, related to SCRM - Company Profiles.

4.3
2012-05-03 CVE-2012-0566 Oracle Remote Oracle Agile vulnerability in Oracle Supply Chain products Suite 5.2.2/6.0.0/6.1.1

Unspecified vulnerability in the Oracle Agile component in Oracle Supply Chain Products Suite 5.2.2, 6.0.0, and 6.1.1 allows remote attackers to affect integrity via unknown vectors related to Supplier Portal.

4.3
2012-05-03 CVE-2012-0560 Oracle Remote vulnerability in Oracle PeopleSoft Enterprise PeopleTools

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50, 8.51, and 8.52 allows remote attackers to affect integrity via unknown vectors related to Portal.

4.3
2012-05-03 CVE-2012-0558 Oracle Remote Primavera P6 Enterprise Project Portfolio Management vulnerability in Oracle Primavera

Unspecified vulnerability in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 6.2.1, 8.0, 8.1, and 8.2 allows remote attackers to affect integrity via unknown vectors related to Web application.

4.3
2012-05-03 CVE-2012-0543 Oracle Remote vulnerability in Oracle Fusion Middleware 10.1.3.4.1/10.1.3.4.2

Unspecified vulnerability in the BI Publisher (formerly XML Publisher) component in Oracle Fusion Middleware 10.1.3.4.1 and 10.1.3.4.2 allows remote attackers to affect integrity via unknown vectors related to Administration.

4.3
2012-05-03 CVE-2012-0527 Oracle Remote HTTP Response Splitting vulnerability in Oracle Database Server

Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3, and Oracle Enterprise Manager Grid Control 10.2.0.5, allows remote attackers to affect integrity via unknown vectors related to Schema Management, a different vulnerability than CVE-2012-0526.

4.3
2012-05-03 CVE-2012-0526 Oracle Remote HTTP Response Splitting vulnerability in Oracle Database Server

Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3, and Oracle Enterprise Manager Grid Control 10.2.0.5, allows remote attackers to affect integrity via unknown vectors related to Schema Management, a different vulnerability than CVE-2012-0527.

4.3
2012-05-03 CVE-2012-0522 Oracle Remote vulnerability in Oracle Fusion Middleware 10.1.3.5

Unspecified vulnerability in the Oracle JDeveloper component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect integrity via unknown vectors related to Java Business Objects.

4.3
2012-05-03 CVE-2012-0520 Oracle Remote Enterprise Manager Base Platform vulnerability in Oracle Database Server

Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, and 11.2.0.2, and in Oracle Enterprise Manager Grid Control 10.2.0.5 and 11.1.0.1, allows remote attackers to affect integrity via unknown vectors related to Security Framework.

4.3
2012-05-03 CVE-2011-4237 Cisco Code Injection vulnerability in Cisco Ciscoworks Common Services 4.0

CRLF injection vulnerability in autologin.jsp in Cisco CiscoWorks Common Services 4.0, as used in Cisco Prime LAN Management Solution and other products, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the URL parameter, aka Bug ID CSCtu18693.

4.3
2012-05-03 CVE-2012-1190 Phpmyadmin Cross-Site Scripting vulnerability in PHPmyadmin

Cross-site scripting (XSS) vulnerability in the replication-setup functionality in js/replication.js in phpMyAdmin 3.4.x before 3.4.10.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted database name.

4.3
2012-05-02 CVE-2012-2005 HP, Microsoft Cross-Site Scripting vulnerability in HP Insight Management Agents

Cross-site scripting (XSS) vulnerability in HP Insight Management Agents before 9.0.0.0 on Windows Server 2003 and 2008 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2012-05-02 CVE-2012-2001 HP Cross-Site Scripting vulnerability in HP Snmp Agents FOR Linux

Cross-site scripting (XSS) vulnerability in HP SNMP Agents for Linux before 9.0.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

4.3
2012-05-02 CVE-2012-0362 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco IOS 12.2(58)Ses/15.0(1)Se

The extended ACL functionality in Cisco IOS 12.2(58)SE2 and 15.0(1)SE discards all lines that end with a log or time keyword, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by sending network traffic, aka Bug ID CSCts01106.

4.3
2012-05-02 CVE-2011-3317 Cisco Cross-Site Scripting vulnerability in Cisco Secure Access Control Server 5.2

Multiple cross-site scripting (XSS) vulnerabilities in the Solution Engine in Cisco Secure Access Control Server (ACS) 5.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCtr78192.

4.3
2012-05-02 CVE-2011-3309 Cisco Information Exposure vulnerability in Cisco products

Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.2 through 8.4 process IKE requests despite a vpnclient mode configuration, which allows remote attackers to obtain potentially sensitive information by reading IKE responder traffic, aka Bug ID CSCtt07749.

4.3
2012-05-03 CVE-2012-1707 Oracle Remote vulnerability in Oracle FLEXCUBE Direct Banking

Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 5.0.2, 5.3.0 through 5.3.4, 6.0.1, and 6.2.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Core-Base, a different vulnerability than CVE-2012-1704.

4.0
2012-05-03 CVE-2012-1697 Mysql, Oracle Remote MySQL Server vulnerability in Oracle MySQL

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition.

4.0
2012-05-03 CVE-2012-1696 Mysql, Oracle Remote MySQL Server vulnerability in Oracle MySQL

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.19 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer.

4.0
2012-05-03 CVE-2012-1690 Mysql, Oracle Remote MySQL Server vulnerability in Oracle MySQL

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer, a different vulnerability than CVE-2012-1703.

4.0
2012-05-03 CVE-2012-1688 Mysql, Oracle Remote MySQL Server vulnerability in Oracle MySQL

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability, related to Server DML.

4.0
2012-05-03 CVE-2012-1674 Oracle Remote Siebel Clinical vulnerability in Oracle Industry Applications

Unspecified vulnerability in the Siebel Clinical component in Oracle Industry Applications 7.7, 7.8, 8.0.0.x, 8.1.1.x, and 8.2.2.x allows remote authenticated users to affect integrity via unknown vectors related to Web UI, a different vulnerability than CVE-2012-0582.

4.0
2012-05-03 CVE-2012-0583 Mysql, Oracle Remote MySQL Server vulnerability in Oracle MySQL

Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.60 and earlier, and 5.5.19 and earlier, allows remote authenticated users to affect availability, related to MyISAM.

4.0
2012-05-03 CVE-2012-0582 Oracle Remote Siebel Clinical vulnerability in Oracle Industry Applications

Unspecified vulnerability in the Siebel Clinical component in Oracle Industry Applications 7.7, 7.8, 8.0.0.x, 8.1.1.x, and 8.2.2.x allows remote authenticated users to affect integrity via unknown vectors related to Web UI, a different vulnerability than CVE-2012-1674.

4.0
2012-05-03 CVE-2012-0576 Oracle Remote vulnerability in Oracle FLEXCUBE Direct Banking

Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 6.0.1 and 6.2.0 allows remote authenticated users to affect integrity via unknown vectors related to Core-Help.

4.0
2012-05-03 CVE-2012-0571 Oracle Remote vulnerability in Oracle FLEXCUBE Universal Bank

Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.4.0 allows remote authenticated users to affect integrity via unknown vectors related to Core, a different vulnerability than CVE-2012-0544.

4.0
2012-05-03 CVE-2012-0562 Oracle Remote vulnerability in Oracle Peoplesoft products 9.1

Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Candidate Gateway, a different vulnerability than CVE-2012-1748.

4.0
2012-05-03 CVE-2012-0559 Oracle Remote vulnerability in Oracle PeopleSoft Enterprise SCM

Unspecified vulnerability in the PeopleSoft Enterprise SCM component in Oracle PeopleSoft Products 9.0 and 9.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Billing.

4.0
2012-05-03 CVE-2012-0536 Oracle Remote vulnerability in Oracle Peoplesoft products 8.9

Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 8.9 through Bundle #26 allows remote authenticated users to affect confidentiality via unknown vectors related to eCompensation.

4.0
2012-05-03 CVE-2012-0534 Oracle Remote RDBMS Core vulnerability in Oracle Database Server

Unspecified vulnerability in the RDBMS Core component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to affect integrity via unknown vectors related to Create Session.

4.0
2012-05-03 CVE-2012-0533 Oracle Remote vulnerability in Oracle PeopleSoft Enterprise FCSM

Unspecified vulnerability in the PeopleSoft Enterprise FCSM component in Oracle PeopleSoft Products 9.0 and 9.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Receivables.

4.0
2012-05-03 CVE-2012-0530 Oracle Remote vulnerability in Oracle PeopleSoft Enterprise SCM

Unspecified vulnerability in the PeopleSoft Enterprise SCM component in Oracle PeopleSoft Products 9.0 and 9.1 allows remote authenticated users to affect integrity via unknown vectors related to eProcurement.

4.0
2012-05-03 CVE-2012-0521 Oracle Remote vulnerability in Oracle Peoplesoft products 9.1

Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft Products 9.1 Bundle #9 allows remote authenticated users to affect confidentiality via unknown vectors related to Human Resources.

4.0
2012-05-03 CVE-2012-0515 Oracle Remote vulnerability in Oracle Fusion Middleware 9.1.0.4

Unspecified vulnerability in the Identity Manager Connector component in Oracle Fusion Middleware 9.1.0.4 allows remote authenticated users to affect integrity via unknown vectors.

4.0
2012-05-03 CVE-2012-0514 Oracle Remote vulnerability in Oracle Peoplesoft products 9.1

Unspecified vulnerability in the PeopleSoft Enterprise CRM component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect confidentiality, related to SEC.

4.0
2012-05-02 CVE-2011-4014 Cisco Information Exposure vulnerability in Cisco Wireless Control System Software

The TAC Case Attachment tool in Cisco Wireless Control System (WCS) 7.0 allows remote authenticated users to read arbitrary files under webnms/Temp/ via unspecified vectors, aka Bug ID CSCtq86807.

4.0

22 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2012-05-03 CVE-2012-0546 Oracle Remote vulnerability in Oracle FLEXCUBE Universal Banking

Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.2.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Core, a different vulnerability than CVE-2012-0545 and CVE-2012-0567.

3.6
2012-05-03 CVE-2012-0545 Oracle Remote vulnerability in Oracle FLEXCUBE Universal Banking

Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.2.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Core, a different vulnerability than CVE-2012-0546 and CVE-2012-0567.

3.6
2012-05-02 CVE-2011-3289 Cisco Permissions, Privileges, and Access Controls vulnerability in Cisco IOS

Cisco IOS 12.4 and 15.0 through 15.2 allows physically proximate attackers to bypass the No Service Password-Recovery feature and read the start-up configuration via unspecified vectors, aka Bug ID CSCtr97640.

3.6
2012-05-03 CVE-2012-1704 Oracle Remote Oracle FLEXCUBE Direct Banking vulnerability in Oracle Financial Services

Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 5.0.2, 5.3.0 through 5.3.4, 6.0.1, and 6.2.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Core-Base, a different vulnerability than CVE-2012-1707.

3.5
2012-05-03 CVE-2012-1679 Oracle Remote Oracle FLEXCUBE Direct Banking vulnerability in Oracle Financial Services

Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 5.0.2, 5.3.0 through 5.3.4, 6.0.1, and 6.2.0 allows remote authenticated users to affect integrity via unknown vectors related to Core-Base.

3.5
2012-05-03 CVE-2012-1676 Oracle Remote Oracle FLEXCUBE Direct Banking vulnerability in Oracle Financial Services

Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 5.0.2, 5.3.0 through 5.3.4, 6.0.1, and 6.2.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Virtual Banking.

3.5
2012-05-03 CVE-2012-0579 Oracle Remote Oracle FLEXCUBE Universal Banking vulnerability in Oracle Financial Services

Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.4.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Core.

3.5
2012-05-03 CVE-2012-0577 Oracle Remote Oracle FLEXCUBE Universal Banking vulnerability in Oracle Financial Services

Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.4.0 allows remote authenticated users to affect availability via unknown vectors related to Core.

3.5
2012-05-03 CVE-2012-0561 Oracle Remote vulnerability in Oracle PeopleSoft Enterprise PeopleTools

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50, 8.51, and 8.52 allows remote authenticated users to affect integrity, related to PIA Core Technology.

3.5
2012-05-03 CVE-2012-0544 Oracle Remote Oracle FLEXCUBE Universal Banking vulnerability in Oracle Financial Services

Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.4.0 allows remote authenticated users to affect integrity via unknown vectors related to Core, a different vulnerability than CVE-2012-0571.

3.5
2012-05-03 CVE-2012-0541 Oracle Remote Oracle FLEXCUBE Direct Banking vulnerability in Oracle Financial Services

Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 5.0.2, 5.3.0 through 5.3.4, 6.0.1, and 6.2.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Core-My Services.

3.5
2012-05-03 CVE-2012-0531 Oracle Remote vulnerability in Oracle Peoplesoft products 9.1

Unspecified vulnerability in the PeopleSoft Enterprise Portal component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect integrity via unknown vectors related to Enterprise Portal.

3.5
2012-05-03 CVE-2012-0529 Oracle Remote vulnerability in Oracle Peoplesoft products 8.51

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51 allows remote authenticated users to affect integrity via unknown vectors related to core.

3.5
2012-05-03 CVE-2012-0509 Oracle Remote Oracle FLEXCUBE Direct Banking vulnerability in Oracle Financial Services Software 5.0.2/5.3.0/5.3.4

Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 5.0.2 and 5.3.0 through 5.3.4 allows remote authenticated users to affect integrity via unknown vectors related to Core-Base.

3.5
2012-05-03 CVE-2012-0737 IBM Cross-Site Scripting vulnerability in IBM Rational Appscan

Cross-site scripting (XSS) vulnerability in IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.

3.5
2012-05-03 CVE-2012-0524 Oracle Local vulnerability in Oracle PeopleSoft Enterprise PeopleTools

Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50, 8.51, and 8.52 allows local users to affect confidentiality and integrity via unknown vectors related to File Processing.

3.2
2012-05-03 CVE-2012-1693 Oracle Remote vulnerability in Oracle SPARC Enterprise M Series Servers

Unspecified vulnerability in Oracle SPARC Enterprise M Series Servers XCP 1110 allows remote attackers to affect availability, related to XSCF Control Package (XCP).

2.6
2012-05-03 CVE-2012-0542 Oracle Remote Oracle iStore vulnerability in Oracle E-Business Suite

Unspecified vulnerability in the Oracle iStore component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Runtime Catalog.

2.6
2012-05-03 CVE-2012-0513 Oracle Remote Oracle Application Object Library vulnerability in Oracle E-Business Suite 12.0.6/12.1.3

Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6 and 12.1.3 allows remote attackers to affect integrity, related to REST Services.

2.6
2012-05-03 CVE-2012-1698 SUN Remote vulnerability in SUN Sunos 5.11

Unspecified vulnerability in Oracle Sun Solaris 11 allows remote authenticated users to affect confidentiality, related to Kernel/GLD.

2.1
2012-05-03 CVE-2012-0548 Oracle Local vulnerability in Oracle SPARC Enterprise M Series Servers

Unspecified vulnerability in Oracle SPARC Enterprise M Series Servers XCP 1110 and earlier allows local users to affect confidentiality, related to XSCF Control Package (XCP).

2.1
2012-04-30 CVE-2012-0863 Mumble Cryptographic Issues vulnerability in Mumble

Mumble 1.2.3 and earlier uses world-readable permissions for .local/share/data/Mumble/.mumble.sqlite files in home directories, which might allow local users to obtain a cleartext password and configuration data by reading a file.

2.1