Weekly Vulnerabilities Reports > October 22 to 28, 2012
Overview
68 new vulnerabilities were reported during this period, including 16 critical vulnerabilities and 17 high severity vulnerabilities. This weekly summary reports vulnerabilities in 54 products from 41 vendors including Cisco, Adobe, Intelliants, Atutor, and Redhat. Vulnerabilities are notably categorized as "Cross-site Scripting", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "SQL Injection", "Permissions, Privileges, and Access Controls", and "Cross-Site Request Forgery (CSRF)".
- 66 reported vulnerabilities are remotely exploitable.
- 12 reported vulnerabilities have a public exploit available.
- 36 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 62 reported vulnerabilities are exploitable by an anonymous user.
- Cisco has the most reported vulnerabilities, with 6 reported vulnerabilities.
- Cisco has the most reported critical vulnerabilities, with 6 reported vulnerabilities.
Vulnerability Details
The following tables list the vulnerabilities reported during the period covered by this report:
16 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-10-26 | CVE-2012-4501 | Apache Citrix | Permissions, Privileges, and Access Controls vulnerability in multiple products Citrix Cloud.com CloudStack, and Apache CloudStack pre-release, allows remote attackers to make arbitrary API calls by leveraging the system user account, as demonstrated by API calls to delete VMs. | 10.0 |
2012-10-25 | CVE-2011-5227 | Enterasys | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Enterasys Netsight Stack-based buffer overflow in the Syslog service (nssyslogd.exe) in Enterasys Network Management Suite (NMS) before 4.1.0.80 allows remote attackers to execute arbitrary code via a long PRIO field in a message to UDP port 514. | 10.0 |
2012-10-25 | CVE-2012-3506 | Apache | Security vulnerability in Apache Ofbiz 10.04.01/10.04.02 Unspecified vulnerability in the Apache Open For Business Project (aka OFBiz) 10.04.x before 10.04.03 has unknown impact and attack vectors. | 10.0 |
2012-10-23 | CVE-2012-5273 | Adobe | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Shockwave Player Buffer overflow in Adobe Shockwave Player before 11.6.8.638 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2012-4172, CVE-2012-4173, CVE-2012-4174, and CVE-2012-4175. | 10.0 |
2012-10-23 | CVE-2012-4176 | Adobe | Improper Input Validation vulnerability in Adobe Shockwave Player Array index error in Adobe Shockwave Player before 11.6.8.638 allows attackers to execute arbitrary code via unspecified vectors. | 10.0 |
2012-10-23 | CVE-2012-4175 | Adobe | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Shockwave Player Buffer overflow in Adobe Shockwave Player before 11.6.8.638 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2012-4172, CVE-2012-4173, CVE-2012-4174, and CVE-2012-5273. | 10.0 |
2012-10-23 | CVE-2012-4174 | Adobe | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Shockwave Player Buffer overflow in Adobe Shockwave Player before 11.6.8.638 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2012-4172, CVE-2012-4173, CVE-2012-4175, and CVE-2012-5273. | 10.0 |
2012-10-23 | CVE-2012-4173 | Adobe | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Shockwave Player Buffer overflow in Adobe Shockwave Player before 11.6.8.638 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2012-4172, CVE-2012-4174, CVE-2012-4175, and CVE-2012-5273. | 10.0 |
2012-10-23 | CVE-2012-4172 | Adobe | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Shockwave Player Buffer overflow in Adobe Shockwave Player before 11.6.8.638 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2012-4173, CVE-2012-4174, CVE-2012-4175, and CVE-2012-5273. | 10.0 |
2012-10-22 | CVE-2012-4406 | Openstack Fedoraproject Redhat | Deserialization of Untrusted Data vulnerability in multiple products OpenStack Object Storage (swift) before 1.7.0 uses the loads function in the pickle Python module unsafely when storing and loading metadata in memcached, which allows remote attackers to execute arbitrary code via a crafted pickle object. | 9.8 |
2012-10-25 | CVE-2012-3941 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Webex Recording Format Player Heap-based buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 before LD SP32 EP10 and T28 before T28.4 allows remote attackers to execute arbitrary code via a crafted WRF file, aka Bug ID CSCtz72850. | 9.3 |
2012-10-25 | CVE-2012-3940 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Webex Recording Format Player Buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 before LD SP32 EP10 and T28 before T28.4 allows remote attackers to execute arbitrary code via a crafted WRF file, aka Bug ID CSCtz72958. | 9.3 |
2012-10-25 | CVE-2012-3939 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Webex Recording Format Player Buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 before LD SP32 EP10 and T28 before T28.4 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted WRF file, aka Bug ID CSCua61331. | 9.3 |
2012-10-25 | CVE-2012-3938 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Webex Recording Format Player Buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 before LD SP32 EP10 and T28 before T28.4 allows remote attackers to execute arbitrary code via a crafted WRF file, aka Bug ID CSCtz73583. | 9.3 |
2012-10-25 | CVE-2012-3937 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Webex Recording Format Player Buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 before LD SP32 EP10 and T28 before T28.4 allows remote attackers to execute arbitrary code via a crafted WRF file, aka Bug ID CSCtz72967. | 9.3 |
2012-10-25 | CVE-2012-3936 | Cisco | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Cisco Webex Recording Format Player Buffer overflow in the Cisco WebEx Recording Format (WRF) player T27 before LD SP32 EP10 and T28 before T28.4 allows remote attackers to execute arbitrary code via a crafted WRF file, aka Bug ID CSCua40962. | 9.3 |
17 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-10-22 | CVE-2012-3001 | Mutiny | OS Command Injection vulnerability in Mutiny Standard Mutiny Standard before 4.5-1.12 allows remote attackers to execute arbitrary commands via the network-interface menu, related to a "command injection vulnerability." Per: http://www.kb.cert.org/vuls/id/841851 "Impact An authenticated attacker can run arbitrary commands on the appliance." Per: http://www.mutiny.com/products.php "Mutiny is a virtual appliance that uses industry standard SNMP to gather information from IT Infrastructure, process and display the results in a multi-user web front-end that allows administrators and managers alike to quickly assess the health of their estate." | 8.5 |
2012-10-25 | CVE-2011-5235 | Mnogosearch | SQL Injection vulnerability in Mnogosearch SQL injection vulnerability in mnoGoSearch before 3.3.12 allows remote attackers to execute arbitrary SQL commands via the hostname in a hypertext link. | 7.5 |
2012-10-25 | CVE-2011-5234 | Scripte24Shop | SQL Injection vulnerability in Scripte24Shop Social Network Community 2 SQL injection vulnerability in user.php in Social Network Community 2 allows remote attackers to execute arbitrary SQL commands via the userId parameter. | 7.5 |
2012-10-25 | CVE-2011-5230 | Seotoaster | SQL Injection vulnerability in Seotoaster 1.8.2/1.8.3/1.9 Multiple SQL injection vulnerabilities in the selectUserIdByLoginPass function in seotoaster_core/application/models/LoginModel.php in Seotoaster 1.9 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) login parameter to sys/login/index or (2) memberLoginName parameter to sys/login/member. | 7.5 |
2012-10-25 | CVE-2011-5229 | Apprain | SQL Injection vulnerability in Apprain 0.1.5 SQL injection vulnerability in quickstart/profile/index.php in the Forum module in appRain CMF 0.1.5 allows remote attackers to execute arbitrary SQL commands via the PATH_INFO. | 7.5 |
2012-10-25 | CVE-2011-5222 | Scripte24Shop | SQL Injection vulnerability in Scripte24Shop PHP Flirt-Projekt 4.8 SQL injection vulnerability in rub2_w.php in PHP Flirt-Projekt 4.8 and possibly earlier allows remote attackers to execute arbitrary SQL commands via the rub parameter. | 7.5 |
2012-10-25 | CVE-2011-5218 | Neubivljiv | SQL Injection vulnerability in Neubivljiv Dota Openstats SQL injection vulnerability in DotA OpenStats 1.3.9 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php. | 7.5 |
2012-10-25 | CVE-2011-5216 | Troyef Wordpress | SQL Injection vulnerability in multiple products SQL injection vulnerability in ajax.php in SCORM Cloud For WordPress plugin before 1.0.7 for WordPress allows remote attackers to execute arbitrary SQL commands via the active parameter. | 7.5 |
2012-10-25 | CVE-2011-5215 | 2Daybiz | SQL Injection vulnerability in 2Daybiz Video Community Portal Script SQL injection vulnerability in index.php in Video Community Portal allows remote attackers to execute arbitrary SQL commands via the id parameter. | 7.5 |
2012-10-25 | CVE-2011-5213 | Browsercrm | SQL Injection vulnerability in Browsercrm Multiple SQL injection vulnerabilities in BrowserCRM 5.100.01 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) login[username] parameter to index.php, (2) parent_id parameter to modules/Documents/version_list.php, or (3) contact_id parameter to modules/Documents/index.php. | 7.5 |
2012-10-24 | CVE-2012-5302 | Tibco | Permissions, Privileges, and Access Controls vulnerability in Tibco Formvine The server in TIBCO Formvine 3.1.x and 3.2.x before 3.2.1 does not properly implement access control, which allows remote attackers to obtain sensitive information or modify data via unspecified vectors. | 7.5 |
2012-10-22 | CVE-2012-5168 | Atutor | Permissions, Privileges, and Access Controls vulnerability in Atutor Acontent 1.0/1.1/1.2 ATutor AContent before 1.2-1 allows remote attackers to modify arbitrary user passwords or category names via a direct request to (1) user/index_inline_editor_submit.php or (2) course_category/index_inline_editor_submit.php. | 7.5 |
2012-10-22 | CVE-2012-5167 | Atutor | SQL Injection vulnerability in Atutor Acontent 1.0/1.1/1.2 Multiple SQL injection vulnerabilities in ATutor AContent before 1.2-1 allow remote attackers to execute arbitrary SQL commands via the (1) field parameter to course_category/index_inline_editor_submit.php or (2) user/index_inline_editor_submit.php; or (3) id parameter to user/user_password.php. | 7.5 |
2012-10-22 | CVE-2012-4990 | Openx | SQL Injection vulnerability in Openx 2.8.10 SQL injection vulnerability in admin/campaign-zone-link.php in OpenX 2.8.10 before revision 81823 allows remote attackers to execute arbitrary SQL commands via the ids[] parameter in a link action. | 7.5 |
2012-10-22 | CVE-2012-4772 | Intelliants | SQL Injection vulnerability in Intelliants Subrion CMS SQL injection vulnerability in register/ in Subrion CMS before 2.2.3 allows remote attackers to execute arbitrary SQL commands via the plan_id parameter. | 7.5 |
2012-10-22 | CVE-2012-4232 | Jcore | SQL Injection vulnerability in Jcore 1.0 SQL injection vulnerability in admin/index.php in jCore before 1.0pre2 allows remote attackers to execute arbitrary SQL commands via the memberloginid cookie. | 7.5 |
2012-10-22 | CVE-2011-5212 | Intelliants | SQL Injection vulnerability in Intelliants Subrion CMS 2.0.4 SQL injection vulnerability in admin/index.php in Subrion CMS 2.0.4 allows remote attackers to execute arbitrary SQL commands via the (1) user name or (2) password field. | 7.5 |
32 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-10-26 | CVE-2012-4729 | Wftpserver | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Wftpserver Wing FTP Server Wing FTP Server before 4.1.1 allows remote authenticated users to cause a denial of service (daemon crash) via two zip commands. | 6.8 |
2012-10-24 | CVE-2012-5387 | Videousermanuals Wordpress | Cross-Site Request Forgery (CSRF) vulnerability in Videousermanuals White-Label-Cms Cross-site request forgery (CSRF) vulnerability in wlcms-plugin.php in the White Label CMS plugin before 1.5.1 for WordPress allows remote attackers to hijack the authentication of administrators for requests that modify the developer name via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, as demonstrated by a developer name containing XSS sequences. | 6.8 |
2012-10-22 | CVE-2012-4773 | Intelliants | Cross-Site Request Forgery (CSRF) vulnerability in Intelliants Subrion CMS Multiple cross-site request forgery (CSRF) vulnerabilities in Subrion CMS before 2.2.3 allow remote attackers to hijack the authentication of administrators for requests that add, delete, or modify sensitive information, as demonstrated by adding an administrator account via an add action to admin/accounts/add/. | 6.8 |
2012-10-22 | CVE-2012-1900 | Razorcms | Cross-Site Request Forgery (CSRF) vulnerability in Razorcms Cross-site request forgery (CSRF) vulnerability in admin/index.php in RazorCMS 1.2.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary web pages via a showcats action. | 6.8 |
2012-10-22 | CVE-2012-5454 | Atutor | Permissions, Privileges, and Access Controls vulnerability in Atutor Acontent 1.2 user/index_inline_editor_submit.php in ATutor AContent 1.2-1 does not properly restrict access, which allows remote authenticated users to modify arbitrary user passwords via a crafted request. | 6.5 |
2012-10-22 | CVE-2012-5453 | Atutor | SQL Injection vulnerability in Atutor Acontent 1.2 SQL injection vulnerability in user/index_inline_editor_submit.php in ATutor AContent 1.2-1 allows remote authenticated users to execute arbitrary SQL commands via the field parameter. | 6.5 |
2012-10-22 | CVE-2012-4511 | Gnome | Information Exposure vulnerability in Gnome Libsocialweb services/flickr/flickr.c in libsocialweb before 0.25.21 automatically connects to Flickr when no Flickr account is set, which might allow remote attackers to obtain sensitive information via a man-in-the-middle (MITM) attack. | 5.8 |
2012-10-22 | CVE-2011-4129 | Gnome | Information Exposure vulnerability in Gnome Libsocialweb (1) services/twitter/twitter-contact-view.c and (2) services/twitter/twitter-item-view.c in libsocialweb before 0.25.20 automatically connect to Twitter when no Twitter account is set, which might allow remote attackers to obtain sensitive information via a man-in-the-middle (MITM) attack. | 5.8 |
2012-10-25 | CVE-2011-5219 | Mpdf1 | Path Traversal vulnerability in Mpdf1 Mpdf 5.2 Directory traversal vulnerability in examples/show_code.php in mPDF 5.3 and earlier allows remote attackers to read arbitrary files via a .. | 5.0 |
2012-10-25 | CVE-2011-5217 | Hitachi | Path Traversal vulnerability in Hitachi products Directory traversal vulnerability in the PXE Mtftp service in Hitachi JP1/ServerConductor/DeploymentManager before 08-55 Japanese and before 08-51 English allows remote attackers to read arbitrary files via unknown vectors. | 5.0 |
2012-10-22 | CVE-2012-4507 | Claws Mail | Denial of Service vulnerability in Claws-Mail 3.8.1 The strchr function in procmime.c in Claws Mail (aka claws-mail) 3.8.1 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) via a crafted email. | 5.0 |
2012-10-22 | CVE-2012-3466 | Gnome | Permissions, Privileges, and Access Controls vulnerability in Gnome Gnome-Keyring 3.4.0/3.4.1 GNOME gnome-keyring 3.4.0 through 3.4.1, when gpg-cache-method is set to "idle" or "timeout," does not properly limit the amount of time a passphrase is cached, which allows attackers to have an unspecified impact via unknown attack vectors. | 4.4 |
2012-10-26 | CVE-2012-5470 | Videolan | Buffer Errors vulnerability in Videolan VLC Media Player 2.0.3 libpng_plugin in VideoLAN VLC media player 2.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted PNG file. | 4.3 |
2012-10-26 | CVE-2012-4019 | C61 | Cross-Site Scripting vulnerability in C61 Tokyo BBS Cross-site scripting (XSS) vulnerability in tokyo_bbs.cgi in Come on Girls Interface (CGI) Tokyo BBS allows remote attackers to inject arbitrary web script or HTML via vectors related to the error page. | 4.3 |
2012-10-25 | CVE-2011-5233 | Irfanview | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Irfanview Heap-based buffer overflow in IrfanView before 4.32 allows remote attackers to execute arbitrary code via crafted "Rows Per Strip" and "Samples Per Pixel" values in a TIFF image file. | 4.3 |
2012-10-25 | CVE-2011-5228 | Apprain | Cross-Site Scripting vulnerability in Apprain 0.1.5 Cross-site scripting (XSS) vulnerability in the Search module (quickstart/search) in appRain CMF 0.1.5 allows remote attackers to inject arbitrary web script or HTML via the ss parameter. | 4.3 |
2012-10-25 | CVE-2011-5223 | Cacti | Cross-Site Scripting vulnerability in Cacti Cross-site request forgery (CSRF) vulnerability in logout.php in Cacti before 0.8.7i allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 4.3 |
2012-10-25 | CVE-2011-5221 | Websvn | Cross-Site Scripting vulnerability in Websvn Cross-site scripting (XSS) vulnerability in the getLog function in svnlook.php in WebSVN before 2.3.1 allows remote attackers to inject arbitrary web script or HTML via the path parameter to (1) comp.php, (2) diff.php, or (3) revision.php. | 4.3 |
2012-10-25 | CVE-2011-5220 | Cristopher SHI | Cross-Site Scripting vulnerability in Cristopher SHI PHP-Scms 1.6.7 Cross-site scripting (XSS) vulnerability in templates/default/Admin/Login.html in PHP-SCMS 1.6.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the lang parameter to index.php. | 4.3 |
2012-10-25 | CVE-2011-5214 | Browsercrm | Cross-Site Scripting vulnerability in Browsercrm Multiple cross-site scripting (XSS) vulnerabilities in BrowserCRM 5.100.01 and earlier allow remote attackers to inject arbitrary web script or HTML via the PATH_INFO to (1) index.php, (2) modules/admin/admin_module_index.php, or (3) modules/calendar/customise_calendar_times.php; login[] parameter to (4) index.php or (5) pub/clients.php; or framed parameter to (6) licence/index.php or (7) licence/view.php. | 4.3 |
2012-10-25 | CVE-2012-5672 | Microsoft | Denial of Service vulnerability in Microsoft Excel, Excel Viewer and Office Microsoft Excel Viewer (aka Xlview.exe) and Excel in Microsoft Office 2007 (aka Office 12) allow remote attackers to cause a denial of service (read access violation and application crash) via a crafted spreadsheet file, as demonstrated by a .xls file with battery voltage data. | 4.3 |
2012-10-25 | CVE-2012-5368 | Phpmyadmin | Cross-Site Scripting vulnerability in PHPmyadmin phpMyAdmin 3.5.x before 3.5.3 uses JavaScript code that is obtained through an HTTP session to phpmyadmin.net without SSL, which allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks by modifying this code. | 4.3 |
2012-10-24 | CVE-2012-5456 | Zoner | Cryptographic Issues vulnerability in Zoner Antivirus Free 1.7.0 The Zoner AntiVirus Free application for Android does not verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, as demonstrated by a server used for updating virus signature files. | 4.3 |
2012-10-22 | CVE-2012-5455 | Joomla | Cross-Site Scripting vulnerability in Joomla Joomla! 3.0.0 Cross-site scripting (XSS) vulnerability in the language search component in Joomla! before 3.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "typographical error." | 4.3 |
2012-10-22 | CVE-2012-5452 | Intelliants | Cross-Site Scripting vulnerability in Intelliants Subrion CMS 2.2.1 Multiple cross-site scripting (XSS) vulnerabilities in Subrion CMS 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) multi_title parameter to blocks/add/; (2) cost, (3) days, or (4) title[en] parameter to plans/add/; (5) name or (6) title[en] parameter to fields/group/add/ in admin/manage/; or (7) f[accounts][fullname] or (8) f[accounts][username] parameter to advsearch/. | 4.3 |
2012-10-22 | CVE-2012-5169 | Atutor | Cross-Site Scripting vulnerability in Atutor Acontent 1.2 Multiple cross-site scripting (XSS) vulnerabilities in file_manager/preview_top.php in ATutor AContent before 1.2-2 allow remote attackers to inject arbitrary web script or HTML via the (1) pathext, (2) popup, (3) framed, or (4) file parameter. | 4.3 |
2012-10-22 | CVE-2012-4989 | Openx | Cross-Site Scripting vulnerability in Openx 2.8.10 Cross-site scripting (XSS) vulnerability in admin/plugin-index.php in OpenX 2.8.10 before revision 81823 allows remote attackers to inject arbitrary web script or HTML via the parent parameter in an info action. | 4.3 |
2012-10-22 | CVE-2012-4771 | Intelliants | Cross-Site Scripting vulnerability in Intelliants Subrion CMS Multiple cross-site scripting (XSS) vulnerabilities in Subrion CMS before 2.2.3 allow remote attackers to inject arbitrary web script or HTML via the id parameter to (1) admin/accounts/, (2) admin/manage/, or (3) admin/manage/blocks/edit/; or (4) group parameter to admin/configuration/. | 4.3 |
2012-10-22 | CVE-2012-4231 | Jcore | Cross-Site Scripting vulnerability in Jcore 1.0 Cross-site scripting (XSS) vulnerability in admin/index.php in jCore before 1.0pre2 allows remote attackers to inject arbitrary web script or HTML via the path parameter. | 4.3 |
2012-10-22 | CVE-2012-1154 | Redhat | Permissions, Privileges, and Access Controls vulnerability in Redhat Jboss Enterprise Application Platform and MOD Cluster mod_cluster 1.0.10 before 1.0.10 CP03 and 1.1.x before 1.1.4, as used in JBoss Enterprise Application Platform 5.1.2, when "ROOT" is set to excludedContexts, exposes the root context of the server, which allows remote attackers to bypass access restrictions and gain access to applications deployed on the root context via unspecified vectors. | 4.3 |
2012-10-22 | CVE-2011-5211 | Intelliants | Cross-Site Scripting vulnerability in Intelliants Subrion CMS 2.0.4 Cross-site scripting (XSS) vulnerability in the poll module in Subrion CMS 2.0.4 allows remote attackers to inject arbitrary web script or HTML via the title field. | 4.3 |
2012-10-22 | CVE-2010-4821 | Phpmyfaq | Cross-Site Scripting vulnerability in PHPmyfaq Cross-site scripting (XSS) vulnerability in phpMyFAQ before 2.6.9 allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to index.php. | 4.3 |
3 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2012-10-25 | CVE-2012-5339 | Phpmyadmin | Cross-Site Scripting vulnerability in PHPmyadmin Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.3 allow remote authenticated users to inject arbitrary web script or HTML via a crafted name of (1) an event, (2) a procedure, or (3) a trigger. | 3.5 |
2012-10-24 | CVE-2012-5388 | Videousermanuals Wordpress | Cross-Site Scripting vulnerability in Videousermanuals White-Label-Cms 1.5 Cross-site scripting (XSS) vulnerability in wlcms-plugin.php in the White Label CMS plugin 1.5 for WordPress allows remote authenticated administrators to inject arbitrary web script or HTML via the wlcms_o_developer_name parameter in a save action to wp-admin/admin.php, a related issue to CVE-2012-5387. | 3.5 |
2012-10-22 | CVE-2012-2679 | Redhat | Permissions, Privileges, and Access Controls vulnerability in Redhat Rhncfg 5.10.27 Red Hat Network (RHN) Configuration Client (rhncfg-client) in rhncfg before 5.10.27-8 uses weak permissions (world-readable) for /var/log/rhncfg-actions, which allows local users to obtain sensitive information about the rhncfg-client actions by reading the file. | 2.1 |