| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
1 |
CVE-2012-6453 |
79 |
|
XSS |
2012-12-31 |
2012-12-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the RSS Reader extension before 0.2.6 for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a crafted feed. |
|
2 |
CVE-2012-6432 |
264 |
|
|
2012-12-27 |
2012-12-27 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Symfony 2.0.x before 2.0.20, 2.1.x before 2.1.5, and 2.2-dev, when the internal routes configuration is enabled, allows remote attackers to access arbitrary services via vectors involving a URI beginning with a /_internal substring. |
|
3 |
CVE-2012-6431 |
264 |
|
Bypass |
2012-12-27 |
2013-01-07 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
None |
|
Symfony 2.0.x before 2.0.20 does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string. |
|
4 |
CVE-2012-6428 |
255 |
|
|
2012-12-23 |
2013-01-08 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Carlo Gavazzi EOS-Box with firmware before 1.0.0.1080_2.1.10 establishes multiple hardcoded accounts, which makes it easier for remote attackers to obtain administrative access by reading a password in a PHP script, a similar issue to CVE-2012-5862. |
|
5 |
CVE-2012-6427 |
89 |
|
Exec Code Sql |
2012-12-23 |
2012-12-24 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in Carlo Gavazzi EOS-Box with firmware before 1.0.0.1080_2.1.10 allow remote attackers to execute arbitrary SQL commands via unspecified vectors, a similar issue to CVE-2012-5861. |
|
6 |
CVE-2012-6422 |
264 |
|
+Priv |
2012-12-18 |
2012-12-21 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The kernel in Samsung Galaxy S2, Galaxy Note 2, MEIZU MX, and possibly other Android devices, when running an Exynos 4210 or 4412 processor, uses weak permissions (0666) for /dev/exynos-mem, which allows attackers to read or write arbitrary physical memory and gain privileges via a crafted application, as demonstrated by ExynosAbuse. |
|
7 |
CVE-2012-6371 |
310 |
|
|
2012-12-31 |
2013-01-02 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
The WPA2 implementation on the Belkin N900 F9K1104v1 router establishes a WPS PIN based on 6 digits of the LAN/WLAN MAC address, which makes it easier for remote attackers to obtain access to a Wi-Fi network by reading broadcast packets, a different vulnerability than CVE-2012-4366. |
|
8 |
CVE-2012-6369 |
79 |
1
|
XSS |
2012-12-28 |
2020-01-22 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Troubleshooting Reporting System feature in AgileBits 1Password 3.9.9 might allow remote attackers to inject arbitrary web script or HTML via a crafted User-Agent HTTP header that is not properly handled in a View Troubleshooting Report action. |
|
9 |
CVE-2012-6339 |
79 |
|
XSS |
2012-12-31 |
2012-12-31 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in the administrative web interface in Cerberus FTP Server before 5.0.6.0 allow (1) remote attackers to inject arbitrary web script or HTML via a log entry that is not properly handled within the Log Manager component, and might allow (2) remote authenticated administrators to inject arbitrary web script or HTML via a Messages field to the servermanager program. |
|
10 |
CVE-2012-6337 |
200 |
|
+Info |
2012-12-31 |
2012-12-31 |
3.3 |
None |
Local Network |
Low |
Not required |
Partial |
None |
None |
|
The Track My Mobile feature in the SamsungDive subsystem for Android on Samsung Galaxy devices shows the activation of remote tracking, which might allow physically proximate attackers to defeat a product-recovery effort by tampering with this feature or its location data. |
|
11 |
CVE-2012-6336 |
|
|
|
2012-12-31 |
2013-01-08 |
3.3 |
None |
Local Network |
Low |
Not required |
None |
Partial |
None |
|
The Missing Device feature in Lookout allows physically proximate attackers to provide arbitrary location data via a "commonly available simple GPS location spoofer." |
|
12 |
CVE-2012-6335 |
|
|
|
2012-12-31 |
2012-12-31 |
3.3 |
None |
Local Network |
Low |
Not required |
None |
Partial |
None |
|
The Anti-theft service in AVG AntiVirus for Android allows physically proximate attackers to provide arbitrary location data via a "commonly available simple GPS location spoofer." |
|
13 |
CVE-2012-6333 |
399 |
|
DoS |
2012-12-13 |
2017-08-29 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
Multiple HVM control operations in Xen 3.4 through 4.2 allow local HVM guest OS administrators to cause a denial of service (physical CPU consumption) via a large input. |
|
14 |
CVE-2012-6325 |
200 |
|
+Info |
2012-12-21 |
2013-01-08 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
VMware vCenter Server Appliance (vCSA) 5.0 before Update 2 does not properly parse XML documents, which allows remote authenticated users to read arbitrary files via unspecified vectors. |
|
15 |
CVE-2012-6324 |
22 |
|
Dir. Trav. |
2012-12-21 |
2018-12-06 |
4.0 |
None |
Remote |
Low |
??? |
Partial |
None |
None |
|
Directory traversal vulnerability in VMware vCenter Server Appliance (vCSA) 5.0 before Update 2 and 5.1 before Patch 1 allows remote authenticated users to read arbitrary files via unspecified vectors. |
|
16 |
CVE-2012-6314 |
|
|
|
2012-12-26 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
Citrix XenDesktop Virtual Desktop Agent (VDA) 5.6.x before 5.6.200, when making changes to the server-side policy that control USB redirection, does not propagate changes to the VDA, which allows authenticated users to retain access to the USB device. |
|
17 |
CVE-2012-6313 |
200 |
|
+Info |
2012-12-11 |
2012-12-11 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
simple-gmail-login.php in the Simple Gmail Login plugin before 1.1.4 for WordPress allows remote attackers to obtain sensitive information via a request that lacks a timezone, leading to disclosure of the installation path in a stack trace. |
|
18 |
CVE-2012-6312 |
79 |
|
XSS |
2012-12-11 |
2012-12-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the Video Lead Form plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the errMsg parameter in a video-lead-form action to wp-admin/admin.php. |
|
19 |
CVE-2012-6301 |
20 |
1
|
DoS |
2012-12-10 |
2012-12-11 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The Browser application in Android 4.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted market: URI in the SRC attribute of an IFRAME element. |
|
20 |
CVE-2012-6299 |
|
|
Bypass |
2012-12-26 |
2018-08-13 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in CA IdentityMinder r12.0 through CR16, r12.5 before SP15, and r12.6 GA allows remote attackers to bypass intended access restrictions via unknown vectors. |
|
21 |
CVE-2012-6298 |
|
|
Exec Code |
2012-12-26 |
2018-08-13 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in CA IdentityMinder r12.0 through CR16, r12.5 before SP15, and r12.6 GA allows remote attackers to execute arbitrary commands or modify data via unknown vectors. |
|
22 |
CVE-2012-6271 |
|
|
|
2012-12-20 |
2017-11-17 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Adobe Shockwave Player through 11.6.8.638 allows remote attackers to trigger installation of arbitrary signed Xtras via a Shockwave movie that contains an Xtra URL, as demonstrated by a URL for an outdated Xtra. |
|
23 |
CVE-2012-6270 |
|
|
|
2012-12-20 |
2017-11-17 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Adobe Shockwave Player through 11.6.8.638 allows remote attackers to trigger installation of a Shockwave Player 10.4.0.025 compatibility feature via a crafted HTML document that references Shockwave content with a certain compatibility parameter, related to a "downgrading" attack. |
|
24 |
CVE-2012-6067 |
287 |
|
Bypass |
2012-12-04 |
2012-12-05 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
freeFTPd.exe in freeFTPd through 1.0.11 allows remote attackers to bypass authentication via a crafted SFTP session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c. |
|
25 |
CVE-2012-6066 |
287 |
|
Bypass |
2012-12-04 |
2012-12-05 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c. |
|
26 |
CVE-2012-6065 |
|
|
Exec Code |
2012-12-03 |
2012-12-04 |
4.6 |
None |
Remote |
High |
??? |
Partial |
Partial |
Partial |
|
The OM Maximenu module 6.x-1.43 and earlier for Drupal, when the "Title has PHP" option is enabled, allows remote authenticated users with the "Administer OM Maximenu" permission to execute arbitrary PHP code via a "Link Title," a different vulnerability than CVE-2012-5553. |
|
27 |
CVE-2012-6064 |
22 |
1
|
Dir. Trav. CSRF |
2012-12-03 |
2017-08-29 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Directory traversal vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) before 1.11.2.1 allows remote authenticated administrators to delete arbitrary files via a .. (dot dot) in the deld parameter. NOTE: this can be leveraged using CSRF (CVE-2012-5450) to allow remote attackers to delete arbitrary files. |
|
28 |
CVE-2012-6063 |
399 |
|
DoS Exec Code |
2012-11-30 |
2012-12-19 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Double free vulnerability in the sftp_mkdir function in sftp.c in libssh before 0.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors, a different vector than CVE-2012-4559. |
|
29 |
CVE-2012-6062 |
20 |
|
DoS |
2012-12-05 |
2017-09-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The dissect_rtcp_app function in epan/dissectors/packet-rtcp.c in the RTCP dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. |
|
30 |
CVE-2012-6061 |
189 |
|
DoS Overflow |
2012-12-05 |
2017-09-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The dissect_wtp_common function in epan/dissectors/packet-wtp.c in the WTP dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 uses an incorrect data type for a certain length field, which allows remote attackers to cause a denial of service (integer overflow and infinite loop) via a crafted value in a packet. |
|
31 |
CVE-2012-6060 |
189 |
|
DoS Overflow |
2012-12-05 |
2017-09-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Integer overflow in the dissect_iscsi_pdu function in epan/dissectors/packet-iscsi.c in the iSCSI dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet. |
|
32 |
CVE-2012-6059 |
20 |
|
DoS |
2012-12-05 |
2017-09-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The dissect_isakmp function in epan/dissectors/packet-isakmp.c in the ISAKMP dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 uses an incorrect data structure to determine IKEv2 decryption parameters, which allows remote attackers to cause a denial of service (application crash) via a malformed packet. |
|
33 |
CVE-2012-6058 |
189 |
|
DoS Overflow |
2012-12-05 |
2017-09-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Integer overflow in the dissect_icmpv6 function in epan/dissectors/packet-icmpv6.c in the ICMPv6 dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted Number of Sources value. |
|
34 |
CVE-2012-6057 |
189 |
|
DoS Overflow |
2012-12-05 |
2017-09-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The dissect_eigrp_metric_comm function in epan/dissectors/packet-eigrp.c in the EIGRP dissector in Wireshark 1.8.x before 1.8.4 uses the wrong data type for a certain offset value, which allows remote attackers to cause a denial of service (integer overflow and infinite loop) via a malformed packet. |
|
35 |
CVE-2012-6056 |
189 |
|
DoS Overflow |
2012-12-05 |
2017-09-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Integer overflow in the dissect_sack_chunk function in epan/dissectors/packet-sctp.c in the SCTP dissector in Wireshark 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted Duplicate TSN count. |
|
36 |
CVE-2012-6055 |
189 |
|
DoS |
2012-12-05 |
2017-09-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
epan/dissectors/packet-3g-a11.c in the 3GPP2 A11 dissector in Wireshark 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a zero value in a sub-type length field. |
|
37 |
CVE-2012-6054 |
189 |
|
DoS |
2012-12-05 |
2017-09-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The dissect_sflow_245_address_type function in epan/dissectors/packet-sflow.c in the sFlow dissector in Wireshark 1.8.x before 1.8.4 does not properly handle length calculations for an invalid IP address type, which allows remote attackers to cause a denial of service (infinite loop) via a packet that is neither IPv4 nor IPv6. |
|
38 |
CVE-2012-6053 |
189 |
|
DoS |
2012-12-05 |
2017-09-19 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
epan/dissectors/packet-usb.c in the USB dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 relies on a length field to calculate an offset value, which allows remote attackers to cause a denial of service (infinite loop) via a zero value for this field. |
|
39 |
CVE-2012-6052 |
200 |
|
+Info |
2012-12-05 |
2017-09-19 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Wireshark 1.8.x before 1.8.4 allows remote attackers to obtain sensitive hostname information by reading pcap-ng files. |
|
40 |
CVE-2012-6051 |
310 |
|
DoS |
2012-11-28 |
2012-11-29 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Google CityHash computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack. |
|
41 |
CVE-2012-6050 |
16 |
1
|
DoS |
2012-11-27 |
2017-08-29 |
6.4 |
None |
Remote |
Low |
Not required |
Partial |
None |
Partial |
|
The winbox service in MikroTik RouterOS 5.15 and earlier allows remote attackers to cause a denial of service (CPU consumption), read the router version, and possibly have other impacts via a request to download the router's DLLs or plugins, as demonstrated by roteros.dll. |
|
42 |
CVE-2012-6049 |
200 |
1
|
+Info |
2012-11-27 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Open Solution Quick.Cart 5.0 allows remote attackers to obtain sensitive information via (1) a long string or (2) invalid characters in a cookie, which reveals the installation path in an error message. |
|
43 |
CVE-2012-6048 |
119 |
1
|
DoS Overflow |
2012-11-27 |
2012-11-27 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
Guitar Pro 6.1.1 r10791 allows remote attackers to cause a denial of service (crash) via a long string in a gpx file. |
|
44 |
CVE-2012-6047 |
352 |
1
|
CSRF |
2012-11-27 |
2012-11-27 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in X7 Chat 2.0.5.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that add a user to an arbitrary group via the users page in an adminpanel action to index.php. |
|
45 |
CVE-2012-6046 |
94 |
1
|
|
2012-11-27 |
2017-08-29 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Static code injection vulnerability in admin/banners.php in PHP Enter allows remote attackers to inject arbitrary PHP code into horad.php via the code parameter. |
|
46 |
CVE-2012-6045 |
79 |
1
|
XSS |
2012-11-27 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in gb/user/index.php in Ramui Forum, possibly 1.0 Beta, allows remote attackers to inject arbitrary web script or HTML via the query parameter. |
|
47 |
CVE-2012-6044 |
20 |
1
|
DoS |
2012-11-26 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
M-Player 0.4 allows remote attackers to cause a denial of service (crash) via a crafted MP3 file. |
|
48 |
CVE-2012-6043 |
79 |
1
|
XSS |
2012-11-26 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter. |
|
49 |
CVE-2012-6042 |
119 |
1
|
DoS Overflow |
2012-11-26 |
2012-11-28 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
None |
Partial |
|
GPSMapEdit 1.1.73.2 allows user-assisted remote attackers to cause a denial of service (crash) via a long string in a lst file. |
|
50 |
CVE-2012-6041 |
399 |
|
Exec Code |
2012-11-26 |
2017-08-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Double free vulnerability in GreenBrowser before 6.0.1002, when the keyword search bar (F6) is activated, allows remote attackers to execute arbitrary code via a crafted iframe. |
