CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2012

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
851 CVE-2012-4495 264 2012-10-31 2013-03-02
4.0
None Remote Low ??? None Partial None
The Mime Mail module 6.x-1.x before 6.x-1.1 for Drupal does not properly restrict access to files outside Drupal's publish files directory, which allows remote authenticated users to send arbitrary files as attachments.
852 CVE-2012-4494 264 Bypass 2012-10-31 2012-11-02
4.3
None Remote Medium Not required None Partial None
The Shibboleth authentication module 7.x-4.0 for Drupal does not properly check the active status of users, which allows remote blocked users to access bypass intended access restrictions and possibly have other impacts by logging in.
853 CVE-2012-4493 79 XSS 2012-11-02 2012-11-06
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the administrative interface in the Better Revisions module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with the "administer better revisions" permission to inject arbitrary web script or HTML via unspecified vectors.
854 CVE-2012-4492 79 XSS 2012-10-31 2013-03-02
2.1
None Remote High ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Shorten URLs module 6.x-1.x before 6.x-1.13 and 7.x-1.x before 7.x-1.2 for Drupal allow remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors to the (1) report or (2) Custom Services List page.
855 CVE-2012-4491 264 2012-10-31 2013-03-02
5.8
None Remote Medium Not required Partial Partial None
The Monthly Archive by Node Type module 6.x for Drupal does not properly check permissions defined by node_access modules, which allows remote attackers to access restricted nodes via unspecified vectors.
856 CVE-2012-4490 79 XSS 2012-10-31 2013-03-02
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Excluded Users module 6.x-1.x before 6.x-1.1 for Drupal allow remote attackers to inject arbitrary web script or HTML via a (1) user name or (2) email address.
857 CVE-2012-4489 20 2012-10-31 2013-03-02
5.8
None Remote Medium Not required Partial Partial None
Open redirect vulnerability in the securelogin_secure_redirect function in the Secure Login module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter.
858 CVE-2012-4488 264 2012-10-31 2012-11-02
5.0
None Remote Low Not required Partial None None
The Location module 6.x before 6.x-3.2 and 7.x before 7.x-3.0-alpha1 for Drupal does not properly check user or node access permissions, which allows remote attackers to read node or user results via the location search page.
859 CVE-2012-4487 264 2012-11-02 2012-11-05
4.0
None Remote Low ??? None Partial None
The Subuser module before 6.x-1.8 for Drupal does not properly check "switch subuser" permissions, which allows remote authenticated parent users to change their role by switching to a subuser they created.
860 CVE-2012-4486 352 CSRF 2012-11-02 2012-11-06
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Subuser module before 6.x-1.8 for Drupal allows remote attackers to hijack the authentication of arbitrary users for requests that switch the user to a subuser via unspecified vectors.
861 CVE-2012-4485 79 XSS 2012-10-31 2013-07-20
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the galleryformatter_field_formatter_view functiuon in galleryformatter.tpl.php the Gallery formatter module before 7.x-1.2 for Drupal allow remote authenticated users with permissions to create a node or entity to inject arbitrary web script or HTML via the (1) title or (2) alt parameter.
862 CVE-2012-4484 79 XSS 2012-10-31 2018-06-27
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the administrative interface in the Campaign Monitor module before 6.x-2.5 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site).
863 CVE-2012-4483 264 +Info 2012-10-31 2012-11-13
5.0
None Remote Low Not required Partial None None
The commons_discussion_views_default_views function in modules/features/commons_discussion/commons_discussion.views_default.inc in the Drupal Commons module 6.x-2.x before 6.x-2.8 for Drupal does not properly enforce intended node access restrictions, which might allow remote attackers to obtain sensitive information via the recent comments listing.
864 CVE-2012-4482 20 2012-10-31 2012-11-02
5.0
None Remote Low Not required None Partial None
The Ubercart SecureTrading Payment Method module 6.x for Drupal does not properly verify payment notification information, which allows remote attackers to purchase an item without paying via unspecified vectors.
865 CVE-2012-4479 89 Exec Code Sql 2012-11-30 2012-12-03
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
866 CVE-2012-4478 352 CSRF 2012-11-30 2012-12-03
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to hijack the authentication of administrators.
867 CVE-2012-4477 264 Bypass 2012-11-30 2012-12-03
5.0
None Remote Low Not required None Partial None
Unspecified vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to bypass access restrictions via unknown attack vectors.
868 CVE-2012-4476 79 XSS 2012-11-30 2012-12-03
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Drag & Drop Gallery module 6.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
869 CVE-2012-4475 264 2012-11-30 2012-12-03
5.0
None Remote Low Not required None Partial None
The Security Questions module for Drupal 6.x-1.x before 6.x-1.1 and 7.x-1.x before 7.x-1.1 does not properly restrict access, which allows remote attackers to edit an arbitrary user's questions and answers via unspecified vectors.
870 CVE-2012-4474 79 XSS 2012-11-30 2013-01-30
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Colorbox Node module 7.x-2.x before 7.x-2.2 for Drupal allow remote attackers to inject arbitrary web script or HTML via unspecified parameters.
871 CVE-2012-4473 264 2012-11-30 2013-01-30
3.5
None Remote Medium ??? Partial None None
The Restrict node page view module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users with the "view any node page" or "view any node {type} page" permission to access unpublished nodes via a direct request.
872 CVE-2012-4472 Exec Code 2012-11-30 2013-01-30
5.1
None Remote High Not required Partial Partial Partial
Unrestricted file upload vulnerability in upload.php in the Drag & Drop Gallery module 6.x-1.5 and earlier for Drupal allows remote attackers to execute arbitrary PHP code by uploading a file with an executable extension followed by a safe extension, then accessing it via a direct request to the directory specified by the filedir parameter.
873 CVE-2012-4471 264 2012-11-30 2013-01-30
5.0
None Remote Low Not required None Partial None
The Search Autocomplete module 7.x-2.x before 7.x-2.4 for Drupal does not properly restrict access to the module admin page, which allows remote attackers to disable an autocompletion or change the priority order via unspecified vectors.
874 CVE-2012-4470 264 Bypass 2012-11-30 2013-01-30
7.5
None Remote Low Not required Partial Partial Partial
The Listhandler module 6.x-1.x before 6.x-1.1 for Drupal does not properly check permissions when importing emails, which allows remote comment authors to bypass access restrictions and possibly have other unspecified impact.
875 CVE-2012-4469 79 XSS 2012-11-30 2012-12-03
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Hashcash module 6.x-2.x before 6.x-2.6 and 7.x-2.x before 7.x-2.2 for Drupal, when "Log failed hashcash" is enabled, allows remote attackers to inject arbitrary web script or HTML via an invalid token, which is not properly handled when administrators use the Database logging module.
876 CVE-2012-4468 79 XSS 2012-11-30 2013-01-30
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Privatemsg module 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via a user name in a private message.
877 CVE-2012-4467 399 DoS +Info 2012-10-10 2013-01-30
6.6
None Local Low Not required Complete None Complete
The (1) do_siocgstamp and (2) do_siocgstampns functions in net/socket.c in the Linux kernel before 3.5.4 use an incorrect argument order, which allows local users to obtain sensitive information from kernel memory or cause a denial of service (system crash) via a crafted ioctl call.
878 CVE-2012-4465 119 DoS Exec Code Overflow 2012-10-10 2013-01-30
6.5
None Remote Low ??? Partial Partial Partial
Heap-based buffer overflow in the substr function in parsing.c in cgit 0.9.0.3 and earlier allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via an empty username in the "Author" field in a commit.
879 CVE-2012-4463 20 Exec Code 2012-10-10 2017-08-29
5.1
None Remote High Not required Partial Partial Partial
Midnight Commander (mc) 4.8.5 does not properly handle the (1) MC_EXT_SELECTED or (2) MC_EXT_ONLYTAGGED environment variables when multiple files are selected, which allows user-assisted remote attackers to execute arbitrary commands via a crafted file name.
880 CVE-2012-4457 287 2012-10-09 2018-11-16
4.0
None Remote Low ??? Partial None None
OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-3 does not properly handle authorization tokens for disabled tenants, which allows remote authenticated users to access the tenant's resources by requesting a token for the tenant.
881 CVE-2012-4456 287 2012-10-09 2018-11-16
7.5
None Remote Low Not required Partial Partial Partial
The (1) OS-KSADM/services and (2) tenant APIs in OpenStack Keystone Essex before 2012.1.2 and Folsom before folsom-2 do not properly validate X-Auth-Token, which allow remote attackers to read the roles for an arbitrary user or get, create, or delete arbitrary services.
882 CVE-2012-4455 59 2012-10-10 2017-08-29
6.2
None Local High Not required Complete Complete Complete
openCryptoki 2.4.1 allows local users to create or set world-writable permissions on arbitrary files via a symlink attack on the (1) LCK..opencryptoki or (2) LCK..opencryptoki_stdll file in /var/lock/.
883 CVE-2012-4454 264 2012-10-10 2017-08-29
2.9
None Local Network Medium Not required None Partial None
openCryptoki before 2.4.1, when using spinlocks, allows local users to create or set world-writable permissions on arbitrary files via a symlink attack on the (1) .pkapi_xpk or (2) .pkcs11spinloc file in /tmp.
884 CVE-2012-4453 276 +Info 2012-10-09 2020-10-09
2.1
None Local Low Not required Partial None None
dracut.sh in dracut, as used in Red Hat Enterprise Linux 6, Fedora 16 and 17, and possibly other products, creates initramfs images with world-readable permissions, which might allow local users to obtain sensitive information.
885 CVE-2012-4452 264 Bypass 2012-10-09 2013-01-15
2.1
None Local Low Not required None Partial None
MySQL 5.0.88, and possibly other versions and platforms, allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified (1) DATA DIRECTORY or (2) INDEX DIRECTORY arguments that are originally associated with pathnames without symlinks, and that can point to tables created at a future time at which a pathname is modified to contain a symlink to a subdirectory of the MySQL data home directory, related to incorrect calculation of the mysql_unpacked_real_data_home value. NOTE: this vulnerability exists because of a CVE-2009-4030 regression, which was not omitted in other packages and versions such as MySQL 5.0.95 in Red Hat Enterprise Linux 6.
886 CVE-2012-4450 264 Bypass 2012-10-01 2013-03-08
6.0
None Remote Medium ??? Partial Partial Partial
389 Directory Server 1.2.10 does not properly update the ACL when a DN entry is moved by a modrdn operation, which allows remote authenticated users with certain permissions to bypass ACL restrictions and access the DN entry.
887 CVE-2012-4448 352 1 CSRF 2012-09-28 2012-10-01
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in wp-admin/index.php in WordPress 3.4.2 allows remote attackers to hijack the authentication of administrators for requests that modify an RSS URL via a dashboard_incoming_links edit action.
888 CVE-2012-4447 119 DoS Exec Code Overflow 2012-10-28 2013-02-08
6.8
None Remote Medium Not required Partial Partial Partial
Heap-based buffer overflow in tif_pixarlog.c in LibTIFF before 4.0.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF image using the PixarLog Compression format.
889 CVE-2012-4445 119 DoS Overflow 2012-10-10 2017-08-29
4.3
None Remote Medium Not required None None Partial
Heap-based buffer overflow in the eap_server_tls_process_fragment function in eap_server_tls_common.c in the EAP authentication server in hostapd 0.6 through 1.0 allows remote attackers to cause a denial of service (crash or abort) via a small "TLS Message Length" value in an EAP-TLS message with the "More Fragments" flag set.
890 CVE-2012-4444 Bypass 2012-12-21 2013-06-15
5.0
None Remote Low Not required None Partial None
The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments.
891 CVE-2012-4443 264 +Priv 2012-10-05 2020-03-26
6.9
None Local Medium Not required Complete Complete Complete
Monkey HTTP Daemon 0.9.3 uses a real UID of root and a real GID of root during execution of CGI scripts, which might allow local users to gain privileges by leveraging cgi-bin write access.
892 CVE-2012-4442 264 Bypass 2012-10-05 2020-03-26
4.7
None Local Medium Not required Complete None None
Monkey HTTP Daemon 0.9.3 retains the supplementary group IDs of the root account during operations with a non-root effective UID, which might allow local users to bypass intended file-read restrictions by leveraging a race condition in a file-permission check.
893 CVE-2012-4437 79 XSS 2012-10-01 2015-11-16
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the SmartyException class in Smarty (aka smarty-php) before 3.1.12 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors that trigger a Smarty exception.
894 CVE-2012-4436 119 DoS Exec Code Overflow 2012-10-22 2012-11-08
4.4
None Local Medium Not required Partial Partial Partial
Buffer overflow in the run_last_args function in client/fwknop.c in fwknop before 2.0.3, when processing --last, might allow local users to cause a denial of service (client crash) and possibly execute arbitrary code via many .fwknop.run arguments.
895 CVE-2012-4435 20 DoS 2012-10-22 2017-08-29
4.0
None Remote Low ??? None None Partial
fwknop before 2.0.3 does not properly validate IP addresses, which allows remote authenticated users to cause a denial of service (server crash) via a long IP address.
896 CVE-2012-4433 189 DoS Exec Code Overflow 2012-11-18 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
Multiple integer overflows in operations/external/ppm-load.c in GEGL (Generic Graphics Library) 0.2.0 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a large (1) width or (2) height value in a Portable Pixel Map (ppm) image, which triggers a heap-based buffer overflow.
897 CVE-2012-4432 399 Exec Code 2012-10-01 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
Use-after-free vulnerability in opngreduc.c in OptiPNG Hg and 0.7.x before 0.7.3 might allow remote attackers to execute arbitrary code via unspecified vectors related to "palette reduction."
898 CVE-2012-4431 264 Bypass CSRF 2012-12-19 2017-09-19
4.3
None Remote Medium Not required None Partial None
org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier.
899 CVE-2012-4430 264 +Info 2012-10-10 2018-10-09
4.0
None Remote Low ??? Partial None None
The dump_resource function in dird/dird_conf.c in Bacula before 5.2.11 does not properly enforce ACL rules, which allows remote authenticated users to obtain resource dump information via unspecified vectors.
900 CVE-2012-4429 200 +Info 2012-10-01 2017-08-29
5.0
None Remote Low Not required Partial None None
Vino 2.28, 2.32, 3.4.2, and earlier allows remote attackers to read clipboard activity by listening on TCP port 5900.
Total number of vulnerabilities : 5297   Page : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 (This Page)19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.