CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In November 2010 (CVSS score >= 6)

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2010-4312 16 2010-11-26 2018-10-10
6.4
None Remote Low Not required None Partial Partial
The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie.
2 CVE-2010-4304 310 2010-11-22 2010-11-30
6.4
None Remote Low Not required Partial Partial None
The web interface in Cisco Unified Videoconferencing (UVC) System 3545, 5110, 5115, and 5230; Unified Videoconferencing 3527 Primary Rate Interface (PRI) Gateway; Unified Videoconferencing 3522 Basic Rate Interfaces (BRI) Gateway; and Unified Videoconferencing 3515 Multipoint Control Unit (MCU) uses predictable session IDs based on time values, which makes it easier for remote attackers to hijack sessions via a brute-force attack, aka Bug ID CSCti54048.
3 CVE-2010-4300 119 1 DoS Exec Code Overflow Mem. Corr. 2010-11-26 2017-09-19
7.5
None Remote Low Not required Partial Partial Partial
Heap-based buffer overflow in the dissect_ldss_transfer function (epan/dissectors/packet-ldss.c) in the LDSS dissector in Wireshark 1.2.0 through 1.2.12 and 1.4.0 through 1.4.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an LDSS packet with a long digest line that triggers memory corruption.
4 CVE-2010-4299 119 Exec Code Overflow 2010-11-22 2017-01-26
9.3
None Remote Medium Not required Complete Complete Complete
Heap-based buffer overflow in ZfHIPCND.exe in Novell Zenworks 7 Handheld Management (ZHM) allows remote attackers to execute arbitrary code via a crafted request to TCP port 2400.
5 CVE-2010-4298 89 Exec Code Sql 2010-11-26 2018-10-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the download module in Free Simple Software 1.0 allows remote attackers to execute arbitrary SQL commands via the downloads_id parameter in a download_now action to index.php.
6 CVE-2010-4273 89 2 Exec Code Sql 2010-11-17 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in imoveis.php in DescargarVista ACC IMoveis 1.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.
7 CVE-2010-4272 89 2 Exec Code Sql 2010-11-17 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Pulse Infotech Sponsor Wall (com_sponsorwall) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php.
8 CVE-2010-4271 89 Exec Code Sql 2010-11-17 2010-11-18
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in ImpressCMS before 1.2.3 RC2 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
9 CVE-2010-4269 89 2 Exec Code Sql 2010-11-17 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in managechat.php in Collabtive 0.65 allows remote attackers to execute arbitrary SQL commands via the chatstart[USERTOID] cookie in a pull action.
10 CVE-2010-4268 89 2 Exec Code Sql 2010-11-17 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Pulse Infotech Flip Wall (com_flipwall) component 1.1 for Joomla! allows remote attackers to execute arbitrary SQL commands via the catid parameter to index.php.
11 CVE-2010-4236 1 +Priv 2010-11-12 2018-10-10
6.9
None Local Medium Not required Complete Complete Complete
Untrusted search path vulnerability in estaskwrapper in IBM OmniFind Enterprise Edition before 9.1 allows local users to gain privileges via an ES_LIBRARY_PATH environment variable and a modified PATH environment variable, which is used during execution of the estasklight program, a different vulnerability than CVE-2010-3895.
12 CVE-2010-4234 399 1 DoS 2010-11-17 2018-10-10
7.8
None Remote Low Not required None None Complete
The web server on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to cause a denial of service (device reboot) via a large number of requests in a short time interval.
13 CVE-2010-4233 255 1 2010-11-17 2018-10-10
10.0
None Remote Low Not required Complete Complete Complete
The Linux installation on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 has a default password of m for the root account, and a default password of merlin for the mg3500 account, which makes it easier for remote attackers to obtain access via the TELNET interface.
14 CVE-2010-4232 287 1 Bypass 2010-11-17 2018-10-10
10.0
None Remote Low Not required Complete Complete Complete
The web-based administration interface on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to bypass authentication via a // (slash slash) at the beginning of a URI, as demonstrated by the //system.html URI.
15 CVE-2010-4231 22 1 Dir. Trav. 2010-11-17 2018-10-10
7.8
None Remote Low Not required Complete None None
Directory traversal vulnerability in the web-based administration interface on the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI.
16 CVE-2010-4230 119 1 Exec Code Overflow 2010-11-17 2018-10-10
9.3
None Remote Medium Not required Complete Complete Complete
Stack-based buffer overflow in a certain ActiveX control for the Camtron CMNC-200 Full HD IP Camera and TecVoz CMNC-200 Megapixel IP Camera with firmware 1.102A-008 allows remote attackers to execute arbitrary code via a long string in the first argument to the connect method.
17 CVE-2010-4221 119 Exec Code Overflow 2010-11-09 2011-09-15
10.0
None Remote Low Not required Complete Complete Complete
Multiple stack-based buffer overflows in the pr_netio_telnet_gets function in netio.c in ProFTPD before 1.3.3c allow remote attackers to execute arbitrary code via vectors involving a TELNET IAC escape character to a (1) FTP or (2) FTPS server.
18 CVE-2010-4218 2010-11-09 2017-08-17
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in Web Services in IBM ENOVIA 6 has unknown impact and attack vectors, related to a system that becomes "exposed to the internet."
19 CVE-2010-4215 264 +Priv 2010-11-17 2017-08-17
6.5
None Remote Low ??? Partial Partial Partial
UI/Manage.pm in Foswiki 1.1.0 and 1.1.1 allows remote authenticated users to gain privileges by modifying the GROUP and ALLOWTOPICCHANGE preferences in the topic preferences for Main.AdminGroup.
20 CVE-2010-4210 264 DoS Exec Code 2010-11-22 2017-10-05
7.2
None Local Low Not required Complete Complete Complete
The pfs_getextattr function in FreeBSD 7.x before 7.3-RELEASE and 8.x before 8.0-RC1 unlocks a mutex that was not previously locked, which allows local users to cause a denial of service (kernel panic), overwrite arbitrary memory locations, and possibly execute arbitrary code via vectors related to opening a file on a file system that uses pseudofs.
21 CVE-2010-4206 787 DoS Exec Code 2010-11-06 2020-07-31
6.8
None Remote Medium Not required Partial Partial Partial
Array index error in the FEBlend::apply function in WebCore/platform/graphics/filters/FEBlend.cpp in WebKit, as used in Google Chrome before 7.0.517.44, webkitgtk before 1.2.6, and other products, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted SVG document, related to effects in the application of filters.
22 CVE-2010-4205 DoS 2010-11-06 2020-07-31
7.5
None Remote Low Not required Partial Partial Partial
Google Chrome before 7.0.517.44 does not properly handle the data types of event objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
23 CVE-2010-4204 DoS 2010-11-06 2020-07-31
7.5
None Remote Low Not required Partial Partial Partial
WebKit, as used in Google Chrome before 7.0.517.44, webkitgtk before 1.2.6, and other products, accesses a frame object after this object has been destroyed, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
24 CVE-2010-4203 190 DoS Exec Code Mem. Corr. 2010-11-06 2020-07-31
10.0
None Remote Low Not required Complete Complete Complete
WebM libvpx (aka the VP8 Codec SDK) before 0.9.5, as used in Google Chrome before 7.0.517.44, allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via invalid frames.
25 CVE-2010-4202 190 DoS Overflow 2010-11-06 2020-07-31
7.5
None Remote Low Not required Partial Partial Partial
Multiple integer overflows in Google Chrome before 7.0.517.44 on Linux allow remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted font.
26 CVE-2010-4201 416 DoS 2010-11-06 2020-07-31
7.5
None Remote Low Not required Partial Partial Partial
Use-after-free vulnerability in Google Chrome before 7.0.517.44 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving text control selections.
27 CVE-2010-4199 20 DoS 2010-11-06 2020-07-31
6.8
None Remote Medium Not required Partial Partial Partial
Google Chrome before 7.0.517.44 does not properly perform a cast of an unspecified variable during processing of an SVG use element, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted SVG document.
28 CVE-2010-4198 20 DoS Mem. Corr. 2010-11-06 2020-07-31
6.8
None Remote Medium Not required Partial Partial Partial
WebKit, as used in Google Chrome before 7.0.517.44, webkitgtk before 1.2.6, and other products, does not properly handle large text areas, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted HTML document.
29 CVE-2010-4197 416 DoS 2010-11-06 2020-07-31
7.5
None Remote Low Not required Partial Partial Partial
Use-after-free vulnerability in WebKit, as used in Google Chrome before 7.0.517.44, webkitgtk before 1.2.6, and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving text editing.
30 CVE-2010-4186 89 1 Exec Code Sql 2010-11-05 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in process.asp in OnlineTechTools Online Work Order System (OWOS) Professional Edition 2.10 allows remote attackers to execute arbitrary SQL commands via the password parameter. NOTE: some of these details are obtained from third party information.
31 CVE-2010-4185 89 1 Exec Code Sql 2010-11-05 2018-10-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in index.php in Energine, possibly 2.3.8 and earlier, allows remote attackers to execute arbitrary SQL commands via the NRGNSID cookie.
32 CVE-2010-4182 Exec Code 2010-11-04 2010-11-05
9.3
None Remote Medium Not required Complete Complete Complete
Untrusted search path vulnerability in the Data Access Objects (DAO) library (dao360.dll) in Microsoft Windows XP Professional SP3, Windows Server 2003 R2 Enterprise Edition SP3, Windows Vista Business SP1, and Windows 7 Professional allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse msjet49.dll that is located in the same folder as a file that is processed by dao360.dll. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
33 CVE-2010-4167 +Priv 2010-11-22 2018-01-06
6.9
None Local Medium Not required Complete Complete Complete
Untrusted search path vulnerability in configure.c in ImageMagick before 6.6.5-5, when MAGICKCORE_INSTALLED_SUPPORT is defined, allows local users to gain privileges via a Trojan horse configuration file in the current working directory.
34 CVE-2010-4159 +Priv 2010-11-17 2010-12-09
6.9
None Local Medium Not required Complete Complete Complete
Untrusted search path vulnerability in metadata/loader.c in Mono 2.8 and earlier allows local users to gain privileges via a Trojan horse shared library in the current working directory.
35 CVE-2010-4154 22 1 Dir. Trav. 2010-11-03 2017-08-17
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in Rhino Software, Inc. FTP Voyager 15.2.0.11, and possibly earlier, allows remote FTP servers to write arbitrary files via a "..\" (dot dot backslash) in a filename.
36 CVE-2010-4153 22 Dir. Trav. 2010-11-03 2017-08-17
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in CrossFTP Pro 1.65a, and probably earlier, allows remote FTP servers to write arbitrary files via a "..\" (dot dot backslash) in a filename.
37 CVE-2010-4152 89 Exec Code Sql 2010-11-03 2018-10-10
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in catalog/index.shtml in 4site CMS 2.6, and possibly earlier, allows remote attackers to execute arbitrary SQL commands via the cat parameter. NOTE: the i and th vectors are already covered by CVE-2009-0646.
38 CVE-2010-4151 89 1 Exec Code Sql 2010-11-03 2018-10-10
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in misc.php in DeluxeBB 1.3, and possibly earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the xthedateformat parameter in a register action, a different vector than CVE-2005-2989, CVE-2006-2503, and CVE-2009-1033.
39 CVE-2010-4149 22 1 Dir. Trav. 2010-11-02 2018-10-10
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in FreshWebMaster Fresh FTP 5.36, 5.37, and possibly earlier, allows remote FTP servers to write arbitrary files via a "..\" (dot dot backslash) in a filename. NOTE: some of these details are obtained from third party information.
40 CVE-2010-4148 22 1 Dir. Trav. 2010-11-02 2017-08-17
9.3
None Remote Medium Not required Complete Complete Complete
Directory traversal vulnerability in AnyConnect 1.2.3.0, and possibly earlier, allows remote FTP servers to write arbitrary files via a "..\" (dot dot backslash) in a filename.
41 CVE-2010-4147 89 Exec Code Sql 2010-11-02 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Pentasoft Avactis Shopping Cart 1.9.1 build 8356 free edition and earlier allow remote attackers to execute arbitrary SQL commands via the User-Agent header to (1) index.php and (2) product-list.php.
42 CVE-2010-4144 89 2 Exec Code Sql 2010-11-02 2017-08-17
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in radyo.asp in Kisisel Radyo Script allows remote attackers to execute arbitrary SQL commands via the Id parameter.
43 CVE-2010-4143 89 1 Exec Code Sql 2010-11-02 2010-11-03
6.8
None Remote Medium Not required Partial Partial Partial
SQL injection vulnerability in chart.php in phpCheckZ 1.1.0, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the id parameter.
44 CVE-2010-4142 119 2 DoS Exec Code Overflow 2010-11-02 2010-11-04
10.0
None Remote Low Not required Complete Complete Complete
Multiple stack-based buffer overflows in DATAC RealWin 2.0 Build 6.1.8.10 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) SCPC_INITIALIZE, (2) SCPC_INITIALIZE_RF, or (3) SCPC_TXTEVENT packet. NOTE: it was later reported that 1.06 is also affected by one of these requests.
45 CVE-2010-4107 22 1 Dir. Trav. 2010-11-17 2017-08-17
7.8
None Remote Low Not required Complete None None
The default configuration of the PJL Access value in the File System External Access settings on HP LaserJet MFP printers, Color LaserJet MFP printers, and LaserJet 4100, 4200, 4300, 5100, 8150, and 9000 printers enables PJL commands that use the device's filesystem, which allows remote attackers to read arbitrary files via a command inside a print job, as demonstrated by a directory traversal attack.
46 CVE-2010-4106 352 CSRF 2010-11-02 2017-08-17
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in HP Insight Control for Linux before 6.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
47 CVE-2010-4105 Bypass +Info 2010-11-02 2019-10-09
6.4
None Remote Low Not required Partial Partial None
Unspecified vulnerability in HP Insight Orchestration before 6.2 allows remote attackers to bypass intended access restrictions, and obtain sensitive information or modify data, via unknown vectors.
48 CVE-2010-4092 399 Exec Code 2010-11-05 2017-09-19
9.3
None Remote Medium Not required Complete Complete Complete
Use-after-free vulnerability in an unspecified compatibility component in Adobe Shockwave Player before 11.5.9.620 allows user-assisted remote attackers to execute arbitrary code via a crafted web site, related to the Shockwave Settings window and an unloaded library. NOTE: some of these details are obtained from third party information.
49 CVE-2010-4091 119 1 DoS Exec Code Overflow Mem. Corr. 2010-11-07 2018-10-30
9.3
None Remote Medium Not required Complete Complete Complete
The EScript.api plugin in Adobe Reader and Acrobat 10.x before 10.0.1, 9.x before 9.4.1, and 8.x before 8.2.6 on Windows and Mac OS X allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document that triggers memory corruption, involving the printSeps function. NOTE: some of these details are obtained from third party information.
50 CVE-2010-4032 352 CSRF 2010-11-02 2017-08-17
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in HP Insight Control Performance Management before 6.2 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
Total number of vulnerabilities : 166   Page : 1 (This Page)2 3 4
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.