Weekly Vulnerabilities Reports > September 10 to 16, 2012
Overview
140 new vulnerabilities were reported during this period, including 16 critical vulnerabilities and 15 high severity vulnerabilities. This weekly summary reports vulnerabilities in 100 products from 45 vendors including Apple, Cisco, IBM, Google, and Realnetworks. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-site Scripting", "Permissions, Privileges, and Access Controls", "SQL Injection", and "Resource Management Errors".
- 137 reported vulnerabilities are remotely exploitable.
- 25 reported vulnerabilities have a public exploit available.
- 25 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 123 reported vulnerabilities are exploitable by an anonymous user.
- Apple has the most reported vulnerabilities, with 51 reported vulnerabilities.
- Apple has the most reported critical vulnerabilities, with 6 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported for the period covered by this report:
16 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-09-16 | CVE-2012-3088 | Cisco | Remote Security vulnerability in Cisco Anyconnect Secure Mobility Client 3.1.0/3.2.0 Cisco AnyConnect Secure Mobility Client 3.1.x before 3.1.00495, and 3.2.x, does not check whether an HTTP request originally contains ScanSafe headers, which allows remote attackers to have an unspecified impact via a crafted request, aka Bug ID CSCua13166. | 9.3 |
2012-09-15 | CVE-2012-4924 | Asus | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Asus Ipswcom Activex Component and Net4Switch Buffer overflow in the CxDbgPrint function in the ipswcom.dll ActiveX component 1.0.0.1 for ASUS Net4Switch 1.0.0020 allows remote attackers to execute arbitrary code via a long parameter to the Alert method. | 9.3 |
2012-09-15 | CVE-2011-5172 | Powerproduction | Buffer Errors vulnerability in Powerproduction Storyboard Quick 6.0 Stack-based buffer overflow in StoryBoard Quick 6 Build 3786, and possibly StoryBoard Artist and StoryBoard Studio, allows remote attackers to execute arbitrary code via a long string in the string element field in a frame xml file. | 9.3 |
2012-09-15 | CVE-2011-5171 | Cyberlink | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cyberlink Power2Go 7.0/8.0 Multiple stack-based buffer overflows in CyberLink Power2Go 7 (build 196) and 8 (build 1031) allow remote attackers to execute arbitrary code via the (1) src and (2) name parameters in a p2g project file. | 9.3 |
2012-09-15 | CVE-2011-5170 | Castillobueno | Buffer Errors vulnerability in Castillobueno Ccmplayer 1.5 Stack-based buffer overflow in Castillo Bueno Systems CCMPlayer 1.5 allows remote attackers to execute arbitrary code via a long track name in an m3u playlist. | 9.3 |
2012-09-15 | CVE-2011-5167 | Oracle Tidestone | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products Heap-based buffer overflow in the SetDevNames method of the Tidestone Formula One ActiveX control (TTF16.ocx) 6.3.5 Build 1 in Oracle Hyperion Strategic Finance 12.x and possibly earlier allows remote attackers to execute arbitrary code via a long string to the DriverName parameter. | 9.3 |
2012-09-15 | CVE-2011-5165 | Cleanersoft | Buffer Errors vulnerability in Cleanersoft Free MP3 CD Ripper 1.1/2.5 Stack-based buffer overflow in Free MP3 CD Ripper 1.1, 2.6 and earlier, when converting a file, allows user-assisted remote attackers to execute arbitrary code via a crafted .wav file. | 9.3 |
2012-09-15 | CVE-2011-5164 | Vandyke | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Vandyke Absoluteftp Stack-based buffer overflow in VanDyke Software AbsoluteFTP 1.9.6 through 2.2.10 allows remote FTP servers to execute arbitrary code via a crafted file name in a LIST command response. | 9.3 |
2012-09-15 | CVE-2011-5162 | Gomlab | Buffer Errors vulnerability in Gomlab GOM Player 2.1.33.5071 Stack-based buffer overflow in GOM Player 2.1.33.5071 allows user-assisted remote attackers to execute arbitrary code via a .ASX file with a long URI in the "ref href" tag. | 9.3 |
2012-09-13 | CVE-2012-4907 | | Permissions, Privileges, and Access Controls vulnerability in Google Chrome Google Chrome before 18.0.1025308 on Android does not properly restrict access from JavaScript code to Android APIs, which allows remote attackers to have an unspecified impact via a crafted web page. | 9.3 |
2012-09-13 | CVE-2012-3701 | Apple | Buffer Errors vulnerability in Apple Iphone OS and Itunes WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 9.3 |
2012-09-13 | CVE-2012-3687 | Apple | Buffer Errors vulnerability in Apple Iphone OS and Itunes WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 9.3 |
2012-09-13 | CVE-2012-3632 | Apple | Buffer Errors vulnerability in Apple Iphone OS and Itunes WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 9.3 |
2012-09-13 | CVE-2012-3621 | Apple | Buffer Errors vulnerability in Apple Iphone OS and Itunes WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 9.3 |
2012-09-13 | CVE-2012-3607 | Apple | Buffer Errors vulnerability in Apple Iphone OS and Itunes WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 9.3 |
2012-09-13 | CVE-2012-3606 | Apple | Buffer Errors vulnerability in Apple Iphone OS and Itunes WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 9.3 |
15 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-09-13 | CVE-2012-3703 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 8.3 |
2012-09-16 | CVE-2012-3079 | Cisco | Resource Management Errors vulnerability in Cisco IOS 12.2 Cisco IOS 12.2 allows remote attackers to cause a denial of service (CPU consumption) by establishing many IPv6 neighbors, aka Bug ID CSCtn78957. | 7.8 |
2012-09-16 | CVE-2012-3060 | Cisco | Resource Management Errors vulnerability in Cisco Unity Connection 8.6/9.0/9.5 Cisco Unity Connection (UC) 8.6, 9.0, and 9.5 allows remote attackers to cause a denial of service (CPU consumption) via malformed UDP packets, aka Bug ID CSCtz76269. | 7.8 |
2012-09-12 | CVE-2012-4629 | Cisco | Resource Management Errors vulnerability in Cisco products The Cisco ASA-CX Context-Aware Security module before 9.0.2-103 for Adaptive Security Appliances (ASA) devices, and Prime Security Manager (aka PRSM) before 9.0.2-103, allows remote attackers to cause a denial of service (disk consumption and application hang) via unspecified IPv4 packets that trigger log entries, aka Bug ID CSCub70603. | 7.8 |
2012-09-12 | CVE-2012-3935 | Cisco | Buffer Errors vulnerability in Cisco products Cisco Unified Presence (CUP) before 8.6(3) and Jabber Extensible Communications Platform (aka Jabber XCP) before 5.3 allow remote attackers to cause a denial of service (process crash) via a crafted XMPP stream header, aka Bug ID CSCtu32832. | 7.8 |
2012-09-15 | CVE-2012-4927 | Limesurvey | SQL Injection vulnerability in Limesurvey SQL injection vulnerability in Limesurvey (a.k.a PHPSurveyor) before 1.91+ Build 120224 and earlier allows remote attackers to execute arbitrary SQL commands via the fieldnames parameter to index.php. | 7.5 |
2012-09-15 | CVE-2012-4925 | Imgpals | SQL Injection vulnerability in Imgpals IMG Pals Photo Host 1.0 Multiple SQL injection vulnerabilities in approve.php in Img Pals Photo Host 1.0 allow remote attackers to execute arbitrary SQL commands via the u parameter in a (1) app0 or (2) app1 action. | 7.5 |
2012-09-15 | CVE-2011-5169 | Dell | SQL Injection vulnerability in Dell Sonicwall Viewpoint 6.0 SQL injection vulnerability in sgms/reports/scheduledreports/configure/scheduleProps.jsp in SonicWall ViewPoint 6.0 SP2 allows remote attackers to execute arbitrary SQL commands via the scheduleID parameter. | 7.5 |
2012-09-15 | CVE-2011-5166 | Elif Keir | Buffer Errors vulnerability in Elif Keir Knftp 1.0.0 Multiple stack-based buffer overflows in KnFTP 1.0.0 allow remote attackers to execute arbitrary code via a long string to the (1) USER, (2) PASS, (3) REIN, (4) QUIT, (5) PORT, (6) PASV, (7) TYPE, (8) STRU, (9) MODE, (10) RETR, (11) STOR, (12) APPE, (13) ALLO, (14) REST, (15) RNFR, (16) RNTO, (17) ABOR, (18) DELE, (19) CWD, (20) LIST, (21) NLST, (22) SITE, (23) STST, (24) HELP, (25) NOOP, (26) MKD, (27) RMD, (28) PWD, (29) CDUP, (30) STOU, (31) SNMT, (32) SYST, and (33) XPWD commands. | 7.5 |
2012-09-13 | CVE-2012-4908 | | Permissions, Privileges, and Access Controls vulnerability in Google Chrome Google Chrome before 18.0.1025308 on Android allows remote attackers to bypass the Same Origin Policy and obtain access to local files via vectors involving a symlink. | 7.5 |
2012-09-12 | CVE-2012-3234 | Realnetworks | Numeric Errors vulnerability in Realnetworks Realplayer and Realplayer SP RealNetworks RealPlayer before 15.0.6.14, RealPlayer SP 1.0 through 1.1.5, and Mac RealPlayer before 12.0.1.1750 do not properly handle codec frame sizes in RealAudio files, which allows remote attackers to cause a denial of service (divide-by-zero error and application crash) or possibly have unspecified other impact via a crafted file. | 7.5 |
2012-09-12 | CVE-2012-2409 | Realnetworks | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks Realplayer and Realplayer SP Buffer overflow in RealNetworks RealPlayer before 15.0.6.14, RealPlayer SP 1.0 through 1.1.5, and Mac RealPlayer before 12.0.1.1750 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted RealMedia file, a different vulnerability than CVE-2012-2410. | 7.5 |
2012-09-12 | CVE-2012-2407 | Realnetworks | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks Realplayer and Realplayer SP Buffer overflow in RealNetworks RealPlayer before 15.0.6.14, RealPlayer SP 1.0 through 1.1.5, and Mac RealPlayer before 12.0.1.1750 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted AAC file that is not properly handled during stream-data unpacking. | 7.5 |
2012-09-15 | CVE-2011-5174 | Intel | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Intel products Buffer overflow in Intel Trusted Execution Technology (TXT) SINIT Authenticated Code Modules (ACM) in Intel Q67 Express, C202, C204, C206 Chipsets, and Mobile Intel QM67, and QS67 Chipset before 2nd_gen_i5_i7_SINIT_51.BIN Express; Intel Q57, 3450 Chipsets and Mobile Intel QM57 and QS57 Express Chipset before i5_i7_DUAL_SINIT_51.BIN and i7_QUAD_SINIT_51.BIN; Mobile Intel GM45, GS45, and PM45 Express Chipset before GM45_GS45_PM45_SINIT_51.BIN; Intel Q35 Express Chipsets before Q35_SINIT_51.BIN; and Intel 5520, 5500, X58, and 7500 Chipsets before SINIT ACM 1.1 allows local users to bypass the Trusted Execution Technology protection mechanism and perform other unspecified SINIT ACM functions via unspecified vectors. | 7.2 |
2012-09-14 | CVE-2012-3955 | ISC Debian Canonical | Denial of Service vulnerability in ISC DHCP IPv6 Lease Expiration Handling ISC DHCP 4.1.x before 4.1-ESV-R7 and 4.2.x before 4.2.4-P2 allows remote attackers to cause a denial of service (daemon crash) in opportunistic circumstances by establishing an IPv6 lease in an environment where the lease expiration time is later reduced. | 7.1 |
103 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-09-16 | CVE-2012-3052 | Cisco | Unspecified vulnerability in Cisco VPN Client Untrusted search path vulnerability in Cisco VPN Client 5.0 allows local users to gain privileges via a Trojan horse DLL in the current working directory, aka Bug ID CSCua28747. | 6.9 |
2012-09-16 | CVE-2012-3908 | Cisco | Cross-Site Request Forgery (CSRF) vulnerability in Cisco products Multiple cross-site request forgery (CSRF) vulnerabilities in the ISE Administrator user interface (aka the Apache Tomcat interface) on Cisco Identity Services Engine (ISE) 3300 series appliances before 1.1.0.665 Cumulative Patch 1 allow remote attackers to hijack the authentication of administrators, aka Bug ID CSCty46684. | 6.8 |
2012-09-15 | CVE-2012-2275 | Teamst | Cross-Site Request Forgery (CSRF) vulnerability in Teamst Testlink Multiple cross-site request forgery (CSRF) vulnerabilities in TestLink 1.9.3 and earlier allow remote attackers to hijack the authentication of users for requests that add, delete, or modify sensitive information, as demonstrated by changing the administrator's email via an editUser action to lib/usermanagement/userInfo.php. | 6.8 |
2012-09-15 | CVE-2011-5173 | Bugbear | Buffer Errors vulnerability in Bugbear Flatout 2005 Buffer overflow in Bugbear Entertainment FlatOut 2005 allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the title field in a bed file. | 6.8 |
2012-09-13 | CVE-2012-3712 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3711 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3710 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3709 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3708 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3707 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3706 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3705 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3704 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3702 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3700 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3699 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3692 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3688 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3685 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3684 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3677 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3676 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3675 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3673 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3672 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3671 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3660 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3659 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3658 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3657 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3654 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3652 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3651 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3649 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3648 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3647 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3643 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3624 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3623 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3622 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3617 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3616 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3614 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3613 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3612 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3602 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3601 | Apple | Memory Corruption vulnerability in WebKit WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-13 | CVE-2012-3598 | Apple | Unspecified vulnerability in Apple Itunes WebKit, as used in Apple iTunes before 10.7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2012-09-12-1. | 6.8 |
2012-09-12 | CVE-2012-2410 | Realnetworks | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks Realplayer and Realplayer SP Buffer overflow in RealNetworks RealPlayer before 15.0.6.14, RealPlayer SP 1.0 through 1.1.5, and Mac RealPlayer before 12.0.1.1750 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted RealMedia file, a different vulnerability than CVE-2012-2409. | 6.8 |
2012-09-12 | CVE-2012-2408 | Realnetworks | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Realnetworks Realplayer and Realplayer SP The AAC SDK in RealNetworks RealPlayer before 15.0.6.14, RealPlayer SP 1.0 through 1.1.5, and Mac RealPlayer before 12.0.1.1750 allows remote attackers to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted AAC file that is not properly handled during decoding. | 6.8 |
2012-09-11 | CVE-2012-4893 | Gentoo | Cross-Site Request Forgery (CSRF) vulnerability in Gentoo Webmin Multiple cross-site request forgery (CSRF) vulnerabilities in file/show.cgi in Webmin 1.590 and earlier allow remote attackers to hijack the authentication of privileged users for requests that (1) read files or execute (2) tar, (3) zip, or (4) gzip commands, a different issue than CVE-2012-2982. | 6.8 |
2012-09-10 | CVE-2012-2184 | IBM | Unspecified vulnerability in IBM products Session fixation vulnerability in IBM Maximo Asset Management 7.1 through 7.5, as used in SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB), allows remote attackers to hijack web sessions via unspecified vectors. | 6.8 |
2012-09-10 | CVE-2012-2183 | IBM | Unspecified vulnerability in IBM products Session fixation vulnerability in IBM Maximo Asset Management 6.2 through 7.5, as used in SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB), allows remote attackers to hijack web sessions via unspecified vectors. | 6.8 |
2012-09-10 | CVE-2012-0714 | IBM | Cross-Site Request Forgery (CSRF) vulnerability in IBM products Cross-site request forgery (CSRF) vulnerability in IBM Maximo Asset Management 6.2 through 7.5, as used in SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB), allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 6.8 |
2012-09-14 | CVE-2010-5106 | Wordpress | Permissions, Privileges, and Access Controls vulnerability in Wordpress The XML-RPC remote publishing interface in xmlrpc.php in WordPress before 3.0.3 does not properly check capabilities, which allows remote authenticated users to bypass intended access restrictions, and publish, edit, or delete posts, by leveraging the Author or Contributor role. | 6.5 |
2012-09-11 | CVE-2012-2982 | Gentoo | Unspecified vulnerability in Gentoo Webmin file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as demonstrated by a \| (pipe) character. | 6.5 |
2012-09-10 | CVE-2012-0747 | IBM | SQL Injection vulnerability in IBM products SQL injection vulnerability in IBM Maximo Asset Management 6.2 through 7.5, as used in SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB), allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | 6.5 |
2012-09-10 | CVE-2012-0728 | IBM | SQL Injection vulnerability in IBM products SQL injection vulnerability in IBM Maximo Asset Management 7.1 through 7.5, as used in SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB), allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | 6.5 |
2012-09-10 | CVE-2012-0727 | IBM | SQL Injection vulnerability in IBM products SQL injection vulnerability in IBM Maximo Asset Management 7.5, as used in SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB), allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | 6.5 |
2012-09-15 | CVE-2012-4926 | Imgpals | Improper Authentication vulnerability in Imgpals IMG Pals Photo Host 1.0 approve.php in Img Pals Photo Host 1.0 does not authenticate requests, which allows remote attackers to change the activation of administrators via the u parameter in an (1) app0 (disable) or (2) app1 (enable) action. | 6.4 |
2012-09-16 | CVE-2012-3895 | Cisco | Denial-Of-Service vulnerability in IOS Cisco IOS 15.0 through 15.3 allows remote authenticated users to cause a denial of service (device crash) via an MVPNv6 update, aka Bug ID CSCty89224. | 6.3 |
2012-09-16 | CVE-2012-3893 | Cisco | Denial-Of-Service vulnerability in Cisco IOS 15.2/15.3 The FlexVPN implementation in Cisco IOS 15.2 and 15.3 allows remote authenticated users to cause a denial of service (spoke crash) via spoke-to-spoke traffic, aka Bug ID CSCtz02622. | 6.3 |
2012-09-16 | CVE-2012-3051 | Cisco | Remote Denial of Service vulnerability in Cisco Nexus 7000 Series Switches NX-OS Cisco NX-OS 5.2 and 6.1 on Nexus 7000 series switches allows remote attackers to cause a denial of service (process crash or packet loss) via a large number of ARP packets, aka Bug ID CSCtr44822. | 6.1 |
2012-09-11 | CVE-2012-3572 | Nurul Hidayah Hamazulan Oscc | Improper Input Validation vulnerability in multiple products Open Source Competency Center (OSCC) MyMeeting 3.0.1 and earlier, and MyMesyuarat 09b-1, does not properly verify uploaded documents, which allows remote authenticated users to execute arbitrary PHP code via a crafted document. | 6.0 |
2012-09-11 | CVE-2012-2981 | Gentoo | Improper Input Validation vulnerability in Gentoo Webmin Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary Perl code via a crafted file associated with the type (aka monitor type name) parameter. | 6.0 |
2012-09-10 | CVE-2012-4404 | Moinmo | Permissions, Privileges, and Access Controls vulnerability in Moinmo Moinmoin security/__init__.py in MoinMoin 1.9 through 1.9.4 does not properly handle group names that contain virtual group names such as "All," "Known," or "Trusted," which allows remote authenticated users with virtual group membership to be treated as a member of the group. | 6.0 |
2012-09-16 | CVE-2012-3919 | Cisco | Resource Management Errors vulnerability in Cisco Application Control Engine Module 3.0 The Cisco Application Control Engine (ACE) module 3.0 for Cisco Catalyst switches and Cisco routers does not properly monitor Load Balancer (LB) queues, which allows remote attackers to cause a denial of service (incorrect memory access and module reboot) via application traffic, aka Bug ID CSCtw70879. | 5.0 |
2012-09-16 | CVE-2012-3915 | Cisco | Buffer Errors vulnerability in Cisco IOS 15.2 The DMVPN tunnel implementation in Cisco IOS 15.2 allows remote attackers to cause a denial of service (persistent IKE state) via a large volume of hub-to-spoke traffic, aka Bug ID CSCtq39602. | 5.0 |
2012-09-16 | CVE-2012-3901 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco products The updateTime function in sensorApp on Cisco IPS 4200 series sensors 7.0 and 7.1 allows remote attackers to cause a denial of service (process crash and traffic-inspection outage) via network traffic, aka Bug ID CSCta96144. | 5.0 |
2012-09-16 | CVE-2012-3899 | Cisco | Resource Management Errors vulnerability in Cisco products sensorApp on Cisco IPS 4200 series sensors 6.0, 6.2, and 7.0 does not properly allocate memory, which allows remote attackers to cause a denial of service (memory corruption and process crash, and traffic-inspection outage) via network traffic, aka Bug ID CSCtn23051. | 5.0 |
2012-09-16 | CVE-2012-3094 | Cisco Linux | Information Exposure vulnerability in Cisco Anyconnect Secure Mobility Client 3.1.0 The VPN downloader in the download_install component in Cisco AnyConnect Secure Mobility Client 3.1.x before 3.1.00495 on Linux accepts arbitrary X.509 server certificates without user interaction, which allows remote attackers to obtain sensitive information via vectors involving an invalid certificate, aka Bug ID CSCua11967. | 5.0 |
2012-09-15 | CVE-2012-4001 | Google Apache | Improper Input Validation vulnerability in Google MOD Pagespeed The mod_pagespeed module before 0.10.22.6 for the Apache HTTP Server does not properly verify its host name, which allows remote attackers to trigger HTTP requests to arbitrary hosts via unspecified vectors, as demonstrated by requests to intranet servers. | 5.0 |
2012-09-14 | CVE-2012-4817 | IBM | Unspecified vulnerability in IBM AIX and Vios The NFSv4 client implementation in IBM AIX 5.3, 6.1, and 7.1, and VIOS before 2.2.1.4-FP-25 SP-02, does not properly handle GID values, which allows remote attackers to cause a denial of service via unspecified vectors. | 5.0 |
2012-09-14 | CVE-2012-4683 | Bitcoin | Denial-Of-Service vulnerability in Bitcoin-Qt Unspecified vulnerability in bitcoind and Bitcoin-Qt allows attackers to cause a denial of service via unknown vectors, a different vulnerability than CVE-2012-4682. | 5.0 |
2012-09-14 | CVE-2012-4682 | Bitcoin | Denial-Of-Service vulnerability in Bitcoin-Qt Unspecified vulnerability in bitcoind and Bitcoin-Qt allows attackers to cause a denial of service via unknown vectors, a different vulnerability than CVE-2012-4683. | 5.0 |
2012-09-14 | CVE-2012-4922 | Torproject | Improper Input Validation vulnerability in Torproject TOR The tor_timegm function in common/util.c in Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.22-rc, does not properly validate time values, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a malformed directory object, a different vulnerability than CVE-2012-4419. | 5.0 |
2012-09-14 | CVE-2012-4419 | Torproject | Unspecified vulnerability in Torproject TOR The compare_tor_addr_to_addr_policy function in or/policies.c in Tor before 0.2.2.39, and 0.2.3.x before 0.2.3.21-rc, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a zero-valued port field that is not properly handled during policy comparison. | 5.0 |
2012-09-13 | CVE-2012-4906 | | Permissions, Privileges, and Access Controls vulnerability in Google Chrome Google Chrome before 18.0.1025308 on Android does not properly restrict access to file: URLs, which allows remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by obtaining credential data, a different vulnerability than CVE-2012-4903. | 5.0 |
2012-09-13 | CVE-2012-4903 | | Permissions, Privileges, and Access Controls vulnerability in Google Chrome Google Chrome before 18.0.1025308 on Android does not properly restrict access to file: URLs, which allows remote attackers to obtain sensitive information via unspecified vectors, as demonstrated by obtaining credential data, a different vulnerability than CVE-2012-4906. | 5.0 |
2012-09-12 | CVE-2012-2048 | Adobe | Local Denial of Service vulnerability in Adobe ColdFusion Unspecified vulnerability in Adobe ColdFusion 10 and earlier allows attackers to cause a denial of service via unknown vectors. | 5.0 |
2012-09-11 | CVE-2012-2983 | Gentoo | Improper Authentication vulnerability in Gentoo Webmin file/edit_html.cgi in Webmin 1.590 and earlier does not perform an authorization check before showing a file's unedited contents, which allows remote attackers to read arbitrary files via the file field. | 5.0 |
2012-09-15 | CVE-2012-4928 | Oxwall | Cross-Site Scripting vulnerability in Oxwall 1.1.1 Cross-site scripting (XSS) vulnerability in ow_updates/index.php in Oxwall 1.1.1 allows remote attackers to inject arbitrary web script or HTML via the plugin parameter. | 4.3 |
2012-09-15 | CVE-2012-4923 | Endian | Cross-Site Scripting vulnerability in Endian Firewall 2.4 Multiple cross-site scripting (XSS) vulnerabilities in Endian Firewall 2.4 allow remote attackers to inject arbitrary web script or HTML via the (1) createrule parameter to dnat.cgi, (2) addrule parameter to dansguardian.cgi, or (3) PATH_INFO to openvpn_users.cgi. | 4.3 |
2012-09-15 | CVE-2012-4336 | Mike Carr | Cross-Site Scripting vulnerability in Mike Carr Flogr Multiple cross-site scripting (XSS) vulnerabilities in index.php in Flogr 2.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PATH_INFO or (2) an arbitrary parameter. | 4.3 |
2012-09-15 | CVE-2012-3458 | Python | Cryptographic Issues vulnerability in Python Beaker Beaker before 1.6.4, when using PyCrypto to encrypt sessions, uses AES in ECB cipher mode, which might allow remote attackers to obtain portions of sensitive session data via unspecified vectors. | 4.3 |
2012-09-15 | CVE-2012-3233 | Kayako | Cross-Site Scripting vulnerability in Kayako Fusion 4.40.1148 Cross-site scripting (XSS) vulnerability in __swift/thirdparty/PHPExcel/PHPExcel/Shared/JAMA/docs/download.php in Kayako Fusion 4.40.1148, and possibly before 4.50.1581, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO. | 4.3 |
2012-09-15 | CVE-2012-4360 | Google Apache | Cross-Site Scripting vulnerability in Google MOD Pagespeed 0.10.19.1/0.10.22.4 Cross-site scripting (XSS) vulnerability in the mod_pagespeed module 0.10.19.1 through 0.10.22.4 for the Apache HTTP Server allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2012-09-14 | CVE-2012-4013 | Cybozu | Information Exposure vulnerability in Cybozu Kunai Browser FOR Remote Service The WebView class in the Cybozu KUNAI Browser for Remote Service application beta for Android allows remote attackers to execute arbitrary JavaScript code, and obtain sensitive information, via a crafted application that places this code into a local file associated with a file: URL. | 4.3 |
2012-09-13 | CVE-2012-4909 | | Information Exposure vulnerability in Google Chrome Google Chrome before 18.0.1025308 on Android allows remote attackers to obtain cookie information via a crafted application. | 4.3 |
2012-09-13 | CVE-2012-4905 | | Cross-Site Scripting vulnerability in Google Chrome Cross-site scripting (XSS) vulnerability in Google Chrome before 18.0.1025308 on Android allows remote attackers to inject arbitrary web script or HTML via an extra in an Intent object, aka "Universal XSS (UXSS)." | 4.3 |
2012-09-13 | CVE-2012-4904 | | Cross-Site Scripting vulnerability in Google Chrome Cross-application scripting vulnerability in Google Chrome before 18.0.1025308 on Android allows remote attackers to inject arbitrary web script via unspecified vectors, as demonstrated by "Universal XSS (UXSS)" attacks against the current tab. | 4.3 |
2012-09-11 | CVE-2012-2975 | F5 | Cross-Site Scripting vulnerability in F5 Application Security Manager Appliance 10.0.0/11.2.0 Cross-site scripting (XSS) vulnerability in the traffic overview page on the F5 ASM appliance 10.0.0 through 11.2.0 HF2 allows remote attackers to inject arbitrary web script or HTML via crafted requests that are later listed on a summary page. | 4.3 |
2012-09-11 | CVE-2012-2536 | Microsoft | Cross-Site Scripting vulnerability in Microsoft products Cross-site scripting (XSS) vulnerability in Microsoft Systems Management Server 2003 SP3 and System Center Configuration Manager 2007 SP2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka "Reflected XSS Vulnerability." | 4.3 |
2012-09-11 | CVE-2012-1892 | Microsoft | Cross-Site Scripting vulnerability in Microsoft Visual Studio Team Foundation Server 2010 Cross-site scripting (XSS) vulnerability in Microsoft Visual Studio Team Foundation Server 2010 SP1 allows remote attackers to inject arbitrary web script or HTML via an unspecified parameter, aka "XSS Vulnerability." | 4.3 |
2012-09-10 | CVE-2012-4892 | Flatnux | Cross-Site Scripting vulnerability in Flatnux Multiple cross-site scripting (XSS) vulnerabilities in FlatnuX CMS 2012-03.08 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) title_en, (2) summary_en, or (3) body_en parameter in a submitnews action to the news module, a different vulnerability than CVE-2012-4890. | 4.3 |
2012-09-10 | CVE-2012-4891 | Manageengine | Cross-Site Scripting vulnerability in Manageengine Firewall Analyzer 7.2 Cross-site scripting (XSS) vulnerability in fw/index2.do in ManageEngine Firewall Analyzer 7.2 allows remote attackers to inject arbitrary web script or HTML via the url parameter, a different vector than CVE-2012-4889. | 4.3 |
2012-09-10 | CVE-2012-4890 | Flatnux | Cross-Site Scripting vulnerability in Flatnux Multiple cross-site scripting (XSS) vulnerabilities in FlatnuX CMS 2011 08.09.2 and earlier allow remote attackers to inject arbitrary web script or HTML via a (1) comment to the news, (2) title to the news, or (3) the folder names in a gallery. | 4.3 |
2012-09-10 | CVE-2012-4889 | Manageengine | Cross-Site Scripting vulnerability in Manageengine Firewall Analyzer 7.2 Multiple cross-site scripting (XSS) vulnerabilities in ManageEngine Firewall Analyzer 7.2 allow remote attackers to inject arbitrary web script or HTML via the (1) subTab or (2) tab parameter to createAnomaly.do; (3) url, (4) subTab, or (5) tab parameter to mindex.do; (6) tab parameter to index2.do; or (7) port parameter to syslogViewer.do. | 4.3 |
2012-09-10 | CVE-2012-3326 | IBM | Cross-Site Scripting vulnerability in IBM products Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 7.5, as used in SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB), allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2012-09-10 | CVE-2012-3313 | IBM | Cross-Site Scripting vulnerability in IBM products Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 7.5, as used in SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB), allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2012-09-16 | CVE-2012-3096 | Cisco | Denial-Of-Service vulnerability in Cisco Unity Connection 7.1/8.0/8.5 Cisco Unity Connection (UC) 7.1, 8.0, and 8.5 allows remote authenticated users to cause a denial of service (resource consumption and administration outage) via extended use of the product, aka Bug ID CSCtd79132. | 4.0 |
2012-09-14 | CVE-2012-4421 | Wordpress | Permissions, Privileges, and Access Controls vulnerability in Wordpress The create_post function in wp-includes/class-wp-atom-server.php in WordPress before 3.4.2 does not perform a capability check, which allows remote authenticated users to bypass intended access restrictions and publish new posts by leveraging the Contributor role and using the Atom Publishing Protocol (aka AtomPub) feature. | 4.0 |
2012-09-10 | CVE-2012-2185 | IBM | Information Exposure vulnerability in IBM products IBM Maximo Asset Management 6.2 through 7.5, as used in SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB), allows remote authenticated users to obtain sensitive information via unspecified vectors. | 4.0 |
6 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-09-16 | CVE-2012-3924 | Cisco | Unspecified vulnerability in Cisco IOS 15.1/15.2 The SSLVPN implementation in Cisco IOS 15.1 and 15.2, when DTLS is enabled, does not properly handle certain outbound ACL configurations, which allows remote authenticated users to cause a denial of service (device crash) via a session involving a PPP over ATM (PPPoA) interface, aka Bug ID CSCty97961. | 3.5 |
2012-09-16 | CVE-2012-3923 | Cisco | Unspecified vulnerability in Cisco IOS The SSLVPN implementation in Cisco IOS 12.4, 15.0, 15.1, and 15.2, when DTLS is not enabled, does not properly handle certain outbound ACL configurations, which allows remote authenticated users to cause a denial of service (device crash) via a session involving a PPP over ATM (PPPoA) interface, aka Bug ID CSCte41827. | 3.5 |
2012-09-14 | CVE-2012-4422 | Wordpress | Permissions, Privileges, and Access Controls vulnerability in Wordpress wp-admin/plugins.php in WordPress before 3.4.2, when the multisite feature is enabled, does not check for network-administrator privileges before performing a network-wide activation of an installed plugin, which might allow remote authenticated users to make unintended plugin changes by leveraging the Administrator role. | 3.5 |
2012-09-10 | CVE-2012-0746 | IBM | Cross-Site Scripting vulnerability in IBM products Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 7.5, as used in SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Maximo Service Desk, and Change and Configuration Management Database (CCMDB), allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 3.5 |
2012-09-15 | CVE-2012-4930 | Google Mozilla | Cryptographic Issues vulnerability in multiple products The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack. | 2.6 |
2012-09-15 | CVE-2012-4929 | Debian Mozilla | Cryptographic Issues vulnerability in multiple products The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack. | 2.6 |