| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 101 | CVE-2012-5557 | 264 | | +Priv | 2012-12-03 | 2012-12-04 | 3.6 | None | Remote | High | ??? | Partial | Partial | None | The User Read-Only module 6.x-1.x before 6.x-1.4 and 7.x-1.x before 7.x-1.4 for Drupal does not properly assign roles when there are more than three roles on the site and certain unspecified configurations, which might allow remote authenticated users to gain privileges by performing certain operations, as demonstrated by changing a password. |
| 102 | CVE-2012-5556 | 352 | | CSRF | 2012-12-03 | 2020-02-26 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in the RESTful Web Services (RESTWS) module 7.x-1.x before 7.x-1.1 and 7.x-2.x before 7.x-2.0-alpha3 for Drupal allow remote attackers to hijack the authentication of arbitrary users via unknown vectors. |
| 103 | CVE-2012-5554 | 200 | | +Info | 2012-12-03 | 2012-12-04 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The default configuration for the Webform CiviCRM Integration module 7.x-3.x before 7.x-3.2 has "Enforce Permissions" disabled, which allows remote attackers to obtain contact information by reading webforms. |
| 104 | CVE-2012-5553 | 79 | | XSS | 2012-12-03 | 2012-12-04 | 2.1 | None | Remote | High | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the OM Maximenu module 6.x-1.x before 6.x-1.44 and 7.x-1.x before 7.x-1.44 for Drupal allow remote authenticated users with the "administer OM Maximenu" permission to inject arbitrary web script or HTML via the (1) Menu Title, (2) Link Title, (3) Path Query, (4) Anchor, or (5) vocabulary names. |
| 105 | CVE-2012-5552 | 200 | | +Info | 2012-12-03 | 2013-07-20 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The Password policy module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.3 for Drupal allows remote attackers to obtain password hashes by sniffing the network, related to "client-side password history checks." |
| 106 | CVE-2012-5551 | 79 | | XSS | 2012-12-03 | 2013-02-26 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the MailChimp module 7.x-2.x before 7.x-2.7 for Drupal allow remote attackers to inject arbitrary web script or HTML via vectors related to (1) a predictable "webhook URL key" and (2) improper sanitization of "Webhook variables from POST requests." |
| 107 | CVE-2012-5550 | 89 | | Exec Code Sql | 2012-12-03 | 2012-12-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| 108 | CVE-2012-5549 | 352 | | CSRF | 2012-12-03 | 2012-12-04 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. |
| 109 | CVE-2012-5548 | 79 | | XSS | 2012-12-03 | 2012-12-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 110 | CVE-2012-5547 | 352 | | CSRF | 2012-12-03 | 2012-12-04 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in the Search API module 7.x-1.x before 7.x-1.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable a server via a server action or (2) enable a search index via an enable index action. |
| 111 | CVE-2012-5545 | 79 | | XSS | 2012-12-03 | 2013-02-26 | 2.1 | None | Remote | High | ??? | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the ShareThis module 7.x-2.x before 7.x-2.5 for Drupal allow remote authenticated users with the "administer sharethis" permission to inject arbitrary web script or HTML via unspecified vectors related to "JavaScript settings." |
| 112 | CVE-2012-5544 | 200 | | +Info | 2012-12-03 | 2012-12-17 | 4.0 | None | Remote | Low | ??? | Partial | None | None | The Mandrill module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users to obtain password reset links by reading the logs in the Mandrill dashboard. |
| 113 | CVE-2012-5543 | 264 | | | 2012-12-03 | 2012-12-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The Feeds module 7.x-2.x before 7.x-2.0-alpha6 for Drupal, when a field is mapped to the node's author, does not properly check permissions, which allows remote attackers to create arbitrary nodes via a crafted source feed. |
| 114 | CVE-2012-5542 | 352 | | CSRF | 2012-12-03 | 2017-08-29 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the Commerce Extra Panes module 7.x-1.x before 7.x-1.1 in Drupal allows remote attackers to hijack the authentication of administrators for requests that enable or disable a Commerce extra panes pane via unspecified vectors related to "the link to reorder items." |
| 115 | CVE-2012-5541 | 79 | | XSS | 2012-12-03 | 2012-12-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Twitter Pull module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.0-rc3 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "data coming from Twitter." |
| 116 | CVE-2012-5540 | 79 | | XSS | 2012-12-03 | 2012-12-04 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the Hostip module 6.x-2.x before 6.x-2.2 and 7.x-2.x before 7.x-2.2 for Drupal allow remote attackers with control of hostip.info to inject arbitrary web script or HTML via unspecified vectors. |
| 117 | CVE-2012-5539 | 264 | | | 2012-12-03 | 2020-05-06 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | The Organic Groups (OG) module 7.x-1.x before 7.x-1.5 for Drupal does not properly maintain pending group memberships, which allows remote authenticated users to post to arbitrary groups by modifying their own account while a pending membership is waiting to be approved. |
| 118 | CVE-2012-5538 | 79 | | XSS | 2012-12-03 | 2012-12-04 | 2.1 | None | Remote | High | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in the FileField Sources module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.6 for Drupal, when the field has "Reference existing" source enabled, allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file. |
| 119 | CVE-2012-5537 | 94 | | Exec Code | 2012-12-03 | 2012-12-04 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial | The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron. |
| 120 | CVE-2012-5534 | 20 | | Exec Code | 2012-12-03 | 2014-02-07 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The hook_process function in the plugin API for WeeChat 0.3.0 through 0.3.9.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a command from a plugin, related to "shell expansion." |
| 121 | CVE-2012-5532 | | | DoS | 2012-12-27 | 2017-08-29 | 4.9 | None | Local | Low | Not required | None | None | Complete | The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.8-rc1, allows local users to cause a denial of service (daemon exit) via a crafted application that sends a Netlink message. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2669. |
| 122 | CVE-2012-5525 | | | DoS | 2012-12-13 | 2017-08-29 | 4.7 | None | Local | Medium | Not required | None | None | Complete | The get_page_from_gfn hypercall function in Xen 4.2 allows local PV guest OS administrators to cause a denial of service (crash) via a crafted GFN that triggers a buffer over-read. |
| 123 | CVE-2012-5517 | | | DoS | 2012-12-21 | 2013-06-21 | 4.0 | None | Local | High | Not required | None | None | Complete | The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact in opportunistic circumstances by using memory that was hot-added by an administrator. |
| 124 | CVE-2012-5515 | | | DoS | 2012-12-13 | 2017-08-29 | 4.7 | None | Local | Medium | Not required | None | None | Complete | The (1) XENMEM_decrease_reservation, (2) XENMEM_populate_physmap, and (3) XENMEM_exchange hypercalls in Xen 4.2 and earlier allow local guest administrators to cause a denial of service (long loop and hang) via a crafted extent_order value. |
| 125 | CVE-2012-5514 | | | DoS | 2012-12-13 | 2017-08-29 | 4.7 | None | Local | Medium | Not required | None | None | Complete | The guest_physmap_mark_populate_on_demand function in Xen 4.2 and earlier does not properly unlock the subject GFNs when checking if they are in use, which allows local guest HVM administrators to cause a denial of service (hang) via unspecified vectors. |
| 126 | CVE-2012-5513 | 20 | | DoS +Priv | 2012-12-13 | 2017-08-29 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which allows local PV guest OS administrators to cause a denial of service (crash) or possibly gain privileges via unspecified vectors that overwrite memory in the hypervisor reserved range. |
| 127 | CVE-2012-5512 | 16 | | DoS +Info | 2012-12-13 | 2017-08-29 | 3.2 | None | Local | Low | ??? | Partial | None | Partial | Array index error in the HVMOP_set_mem_access handler in Xen 4.1 allows local HVM guest OS administrators to cause a denial of service (crash) or obtain sensitive information via unspecified vectors. |
| 128 | CVE-2012-5511 | 119 | | DoS Overflow | 2012-12-13 | 2017-08-29 | 4.7 | None | Local | Medium | Not required | None | None | Complete | Stack-based buffer overflow in the dirty video RAM tracking functionality in Xen 3.4 through 4.1 allows local HVM guest OS administrators to cause a denial of service (crash) via a large bitmap image. |
| 129 | CVE-2012-5510 | | | DoS | 2012-12-13 | 2017-08-29 | 4.7 | None | Local | Medium | Not required | None | None | Complete | Xen 4.x, when downgrading the grant table version, does not properly remove the status page from the tracking list when freeing the page, which allows local guest OS administrators to cause a denial of service (hypervisor crash) via unspecified vectors. |
| 130 | CVE-2012-5483 | 264 | | | 2012-12-26 | 2017-08-29 | 2.1 | None | Local | Low | Not required | Partial | None | None | tools/sample_data.sh in OpenStack Keystone 2012.1.3, when access to Amazon Elastic Compute Cloud (Amazon EC2) is configured, uses world-readable permissions for /etc/keystone/ec2rc, which allows local users to obtain access to EC2 services by reading administrative access and secret values from this file. |
| 131 | CVE-2012-5469 | 264 | | Bypass | 2012-12-20 | 2012-12-28 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod. |
| 132 | CVE-2012-5468 | 119 | | DoS Exec Code Overflow | 2012-12-18 | 2017-08-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Heap-based buffer overflow in iconvert.c in the bogolexer component in Bogofilter before 1.2.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an email containing a base64 string that is decoded to incomplete multibyte characters. |
| 133 | CVE-2012-5450 | 352 | 1 | CSRF | 2012-12-03 | 2017-08-29 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) 1.11.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deld parameter. |
| 134 | CVE-2012-5445 | 20 | | DoS Exec Code | 2012-12-28 | 2013-03-04 | 6.8 | None | Local | Low | ??? | Complete | Complete | Complete | The kernel in Cisco Native Unix (CNU) on Cisco Unified IP Phone 7900 series devices (aka TNP phones) with software before 9.3.1-ES10 does not properly validate unspecified system calls, which allows attackers to execute arbitrary code or cause a denial of service (memory overwrite) via a crafted binary. |
| 135 | CVE-2012-5367 | 89 | 1 | Exec Code Sql CSRF | 2012-12-03 | 2017-08-29 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial | Multiple SQL injection vulnerabilities in OrangeHRM 2.7.1 RC 1 allow remote authenticated administrators to execute arbitrary SQL commands via the sortField parameter to (1) viewCustomers, (2) viewPayGrades, or (3) viewSystemUsers in symfony/web/index.php/admin/, as demonstrated using cross-site request forgery (CSRF) attacks. |
| 136 | CVE-2012-5195 | 119 | | DoS Exec Code Overflow | 2012-12-18 | 2016-12-08 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 15.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator. |
| 137 | CVE-2012-5183 | 200 | | +Info | 2012-12-26 | 2013-01-08 | 2.6 | None | Remote | High | Not required | Partial | None | None | The Loctouch application 3.4.6 and earlier for Android allows attackers to obtain sensitive information about logged locations via a crafted application that leverages read permission for system log files. |
| 138 | CVE-2012-5182 | 200 | | +Info | 2012-12-26 | 2013-01-08 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The Loctouch application 3.4.6 and earlier for Android does not properly handle implicit intents, which allows attackers to obtain sensitive information about logged locations via a crafted application. |
| 139 | CVE-2012-5181 | 79 | | XSS | 2012-12-21 | 2017-11-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in concrete5 Japanese 5.5.1 through 5.5.2.1 and concrete5 English 5.5.0 through 5.6.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 140 | CVE-2012-5180 | 200 | | +Info | 2012-12-26 | 2013-01-08 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The Opera Mobile application before 12.1 and Opera Mini application before 7.5 for Android do not properly implement the WebView class, which allows attackers to obtain sensitive information via a crafted application. |
| 141 | CVE-2012-5179 | 264 | | +Info | 2012-12-26 | 2020-02-19 | 2.1 | None | Local | Low | Not required | Partial | None | None | The Boat Browser application before 4.2 and Boat Browser Mini application before 3.9 for Android do not properly implement the WebView class, which allows attackers to obtain sensitive information via a crafted application. |
| 142 | CVE-2012-5178 | 352 | | CSRF | 2012-12-19 | 2013-01-29 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to hijack the authentication of arbitrary users for requests that complete a purchase. |
| 143 | CVE-2012-5177 | 79 | | XSS | 2012-12-19 | 2012-12-19 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the Welcart plugin before 1.2.2 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| 144 | CVE-2012-5176 | 79 | | XSS | 2012-12-06 | 2012-12-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in KENT-WEB ACCESS REPORT 5.02 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to tag embedding. |
| 145 | CVE-2012-5175 | 79 | | XSS | 2012-12-06 | 2012-12-06 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in KENT-WEB ACCESS REPORT 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via vectors related to access-log data. |
| 146 | CVE-2012-5161 | | | Exec Code | 2012-12-26 | 2017-08-29 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | The XML Service interface in Citrix XenApp 6.5 and 6.5 Feature Pack 1 allows remote attackers to execute arbitrary code via unspecified vectors. |
| 147 | CVE-2012-5144 | 119 | | DoS Overflow Mem. Corr. | 2012-12-12 | 2018-10-30 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Google Chrome before 23.0.1271.97, and Libav 0.7.x before 0.7.7 and 0.8.x before 0.8.5, do not properly perform AAC decoding, which allows remote attackers to cause a denial of service (stack memory corruption) or possibly have unspecified other impact via vectors related to "an off-by-one overwrite when switching to LTP profile from MAIN." |
| 148 | CVE-2012-5143 | 190 | | DoS Overflow | 2012-12-12 | 2018-10-30 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Integer overflow in Google Chrome before 23.0.1271.97 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to PPAPI image buffers. |
| 149 | CVE-2012-5142 | 94 | | DoS Exec Code | 2012-12-12 | 2018-10-30 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Google Chrome before 23.0.1271.97 does not properly handle history navigation, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via unspecified vectors. |
| 150 | CVE-2012-5141 | | | | 2012-12-12 | 2018-10-30 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | Google Chrome before 23.0.1271.97 does not properly restrict instantiation of the Chromoting client plug-in, which has unspecified impact and attack vectors. |