| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2006-1318 |
94 |
|
Exec Code |
2014-09-19 |
2018-10-12 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka "Microsoft Office Control Vulnerability." |
|
2 |
CVE-2011-4887 |
79 |
|
XSS |
2014-09-11 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Violations Table in the management GUI in the MX Management Server in Imperva SecureSphere Web Application Firewall (WAF) 9.0 allows remote attackers to inject arbitrary web script or HTML via the username field. |
|
3 |
CVE-2012-0984 |
79 |
2
|
XSS |
2014-09-11 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php. |
|
4 |
CVE-2012-1032 |
79 |
|
XSS |
2014-09-17 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
|
5 |
CVE-2012-1417 |
79 |
2
|
XSS |
2014-09-17 |
2017-08-29 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com. |
|
6 |
CVE-2012-1506 |
89 |
|
Exec Code Sql |
2014-09-17 |
2017-08-29 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from third party information. |
|
7 |
CVE-2012-1507 |
79 |
|
XSS |
2014-09-17 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index.php. |
|
8 |
CVE-2012-1556 |
79 |
|
XSS |
2014-09-12 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php. |
|
9 |
CVE-2012-2583 |
79 |
1
|
XSS |
2014-09-17 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email. |
|
10 |
CVE-2012-2588 |
79 |
1
|
XSS |
2014-09-19 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4) body in an SMTP e-mail message. |
|
11 |
CVE-2012-2956 |
89 |
1
|
Exec Code Sql XSS |
2014-09-17 |
2017-08-29 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in SpiceWorks 5.3.75941 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to api_v2.json. NOTE: this entry was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6658 is for the XSS. |
|
12 |
CVE-2012-4226 |
79 |
|
XSS |
2014-09-03 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Quick Post Widget plugin 1.9.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) Title, (2) Content, or (3) New category field to wordpress/ or (4) query string to wordpress/. |
|
13 |
CVE-2012-4234 |
79 |
1
|
XSS |
2014-09-04 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the group moderation screen in the control center (control.php) in Phorum before 5.2.19 allows remote attackers to inject arbitrary web script or HTML via the group parameter. |
|
14 |
CVE-2012-4240 |
89 |
1
|
Exec Code Sql |
2014-09-11 |
2017-08-29 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
SQL injection vulnerability in modules/calendar/json.php in Group-Office community before 4.0.90 allows remote authenticated users to execute arbitrary SQL commands via the sort parameter. |
|
15 |
CVE-2012-4768 |
79 |
1
|
XSS |
2014-09-04 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Download Monitor plugin before 3.3.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dlsearch parameter to the default URI. |
|
16 |
CVE-2012-5485 |
94 |
|
Exec Code |
2014-09-30 |
2014-10-10 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
registerConfiglet.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via unspecified vectors, related to the admin interface. |
|
17 |
CVE-2012-5486 |
|
|
|
2014-09-30 |
2014-10-10 |
6.4 |
None |
Remote |
Low |
Not required |
None |
Partial |
Partial |
|
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character. |
|
18 |
CVE-2012-5487 |
264 |
|
Exec Code Bypass |
2014-09-30 |
2014-10-01 |
8.5 |
None |
Remote |
Medium |
??? |
Complete |
Complete |
Complete |
|
The sandbox whitelisting function (allowmodule.py) in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain privileges to bypass the Python sandbox restriction and execute arbitrary Python code via vectors related to importing. |
|
19 |
CVE-2012-5488 |
94 |
|
Exec Code |
2014-09-30 |
2014-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject. |
|
20 |
CVE-2012-5489 |
264 |
|
|
2014-09-30 |
2014-10-02 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
The App.Undo.UndoSupport.get_request_var_or_attr function in Zope before 2.12.21 and 3.13.x before 2.13.11, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote authenticated users to gain access to restricted attributes via unspecified vectors. |
|
21 |
CVE-2012-5490 |
79 |
|
XSS |
2014-09-30 |
2014-10-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in kssdevel.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
22 |
CVE-2012-5491 |
200 |
|
+Info |
2014-09-30 |
2014-10-01 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
z3c.form, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain the default form field values by leveraging knowledge of the form location and the element id. |
|
23 |
CVE-2012-5492 |
200 |
|
+Info |
2014-09-30 |
2014-10-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
uid_catalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to obtain metadata about hidden objects via a crafted URL. |
|
24 |
CVE-2012-5493 |
94 |
|
Exec Code Bypass |
2014-09-30 |
2014-10-01 |
8.5 |
None |
Remote |
Medium |
??? |
Complete |
Complete |
Complete |
|
gtbn.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with certain permissions to bypass the Python sandbox and execute arbitrary Python code via unspecified vectors. |
|
25 |
CVE-2012-5494 |
79 |
|
XSS |
2014-09-30 |
2014-10-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to "{u,}translate." |
|
26 |
CVE-2012-5495 |
94 |
|
Exec Code |
2014-09-30 |
2014-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to "go_back." |
|
27 |
CVE-2012-5496 |
399 |
|
DoS |
2014-09-30 |
2014-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
kupu_spellcheck.py in Kupu in Plone before 4.0 allows remote attackers to cause a denial of service (ZServer thread lock) via a crafted URL. |
|
28 |
CVE-2012-5497 |
200 |
|
+Info |
2014-09-30 |
2014-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
membership_tool.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to enumerate user account names via a crafted URL. |
|
29 |
CVE-2012-5498 |
264 |
|
DoS Bypass |
2014-09-30 |
2015-11-17 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
queryCatalog.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to bypass caching and cause a denial of service via a crafted request to a collection. |
|
30 |
CVE-2012-5499 |
399 |
|
DoS |
2014-09-30 |
2014-10-10 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (memory consumption) via a large value, related to formatColumns. |
|
31 |
CVE-2012-5501 |
264 |
|
|
2014-09-30 |
2014-10-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
at_download.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read arbitrary BLOBs (Files and Images) stored on custom content types via a crafted URL. |
|
32 |
CVE-2012-5502 |
79 |
|
XSS |
2014-09-30 |
2014-10-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in safe_html.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote authenticated users with permissions to edit content to inject arbitrary web script or HTML via unspecified vectors. |
|
33 |
CVE-2012-5503 |
|
|
|
2014-09-30 |
2014-10-01 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
ftp.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read hidden folder contents via unspecified vectors. |
|
34 |
CVE-2012-5504 |
79 |
|
XSS |
2014-09-30 |
2014-10-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in widget_traversal.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
|
35 |
CVE-2012-5505 |
200 |
|
+Info |
2014-09-30 |
2014-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
atat.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to read private data structures via a request for a view without a name. |
|
36 |
CVE-2012-5506 |
399 |
|
DoS |
2014-09-30 |
2014-10-02 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to cause a denial of service (infinite loop) via an RSS feed request for a folder the user does not have permission to access. |
|
37 |
CVE-2012-5507 |
362 |
|
|
2014-09-30 |
2014-10-02 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
AccessControl/AuthEncoding.py in Zope before 2.13.19, as used in Plone before 4.2.3 and 4.3 before beta 1, allows remote attackers to obtain passwords via vectors involving timing discrepancies in password validation. |
|
38 |
CVE-2012-5619 |
20 |
|
|
2014-09-29 |
2014-09-30 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The Sleuth Kit (TSK) 4.0.1 does not properly handle "." (dotfile) file system entries in FAT file systems and other file systems for which . is not a reserved name, which allows local users to hide activities it more difficult to conduct forensics activities, as demonstrated by Flame. |
|
39 |
CVE-2012-5621 |
20 |
|
DoS |
2014-09-29 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
lib/engine/components/opal/opal-call.cpp in ekiga before 4.0.0 allows remote attackers to cause a denial of service (crash) via an OPAL connection with a party name that contains invalid UTF-8 strings. |
|
40 |
CVE-2012-5700 |
79 |
1
|
XSS |
2014-09-22 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Baby Gekko before 1.2.2f allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to admin/index.php or the (2) username or (3) password parameter in blocks/loginbox/loginbox.template.php to index.php. NOTE: some of these details are obtained from third party information. |
|
41 |
CVE-2012-6107 |
310 |
|
|
2014-09-29 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Apache Axis2/C does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
42 |
CVE-2012-6110 |
264 |
|
|
2014-09-29 |
2017-08-29 |
2.1 |
None |
Local |
Low |
Not required |
None |
Partial |
None |
|
bcron-exec in bcron before 0.10 does not close file descriptors associated with temporary files when running a cron job, which allows local users to modify job files and send spam messages by accessing an open file descriptor. |
|
43 |
CVE-2012-6153 |
20 |
|
|
2014-09-04 |
2018-01-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783. |
|
44 |
CVE-2012-6316 |
79 |
|
XSS |
2014-09-30 |
2014-10-01 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the TP-LINK TL-WR841N router with firmware 3.13.9 Build 120201 Rel.54965n and earlier allow remote administrators to inject arbitrary web script or HTML via the (1) username or (2) pwd parameter to userRpm/NoipDdnsRpm.htm. |
|
45 |
CVE-2012-6657 |
264 |
|
DoS |
2014-09-28 |
2016-08-23 |
4.9 |
None |
Local |
Low |
Not required |
None |
None |
Complete |
|
The sock_setsockopt function in net/core/sock.c in the Linux kernel before 3.5.7 does not ensure that a keepalive action is associated with a stream socket, which allows local users to cause a denial of service (system crash) by leveraging the ability to create a raw socket. |
|
46 |
CVE-2012-6658 |
79 |
1
|
XSS |
2014-09-17 |
2014-09-18 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks 5.3.75941 allow remote attackers to inject arbitrary web script or HTML via the (1) syslocation, (2) syscontact, or (3) sysName configuration in snmpd.conf. NOTE: this entry was SPLIT from CVE-2012-2956 per ADT2 due to different vulnerability types. |
|
47 |
CVE-2012-6659 |
79 |
|
XSS |
2014-09-19 |
2014-09-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the admin interface in Phorum before 5.2.19 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. |
|
48 |
CVE-2013-1874 |
|
|
Exec Code |
2014-09-29 |
2017-08-29 |
4.4 |
None |
Local |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Untrusted search path vulnerability in csi in Chicken before 4.8.2 allows local users to execute arbitrary code via a Trojan horse .csirc in the current working directory. |
|
49 |
CVE-2013-2100 |
310 |
|
|
2014-09-29 |
2017-08-29 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The urlopen function in pym/portage/util/_urlopen.py in Gentoo Portage 2.1.12, when using HTTPS, does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and modify binary package lists via a crafted certificate. |
|
50 |
CVE-2013-2586 |
79 |
1
|
XSS |
2014-09-29 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
XAMPP 1.8.1 does not properly restrict access to xampp/lang.php, which allows remote attackers to modify xampp/lang.tmp and execute cross-site scripting (XSS) attacks via the WriteIntoLocalDisk method. |
