| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1901 | CVE-2012-3009 | 264 | | | 2012-08-16 | 2012-08-16 | 8.5 | None | Remote | Medium | ??? | Complete | Complete | Complete | Siemens COMOS before 9.1 Patch 413, 9.2 before Update 03 Patch 023, and 10.0 before Patch 005 allows remote authenticated users to obtain database administrative access via unspecified method calls. |
| 1902 | CVE-2012-3008 | 119 | | Exec Code Overflow | 2012-07-20 | 2017-12-22 | 8.5 | None | Remote | Medium | ??? | Complete | Complete | Complete | Stack-based buffer overflow in OSIsoft PI OPC DA Interface before 2.3.20.9 allows remote authenticated users to execute arbitrary code by sending packet data during the processing of messages associated with OPC items. |
| 1903 | CVE-2012-3007 | 119 | | DoS Overflow | 2012-07-05 | 2012-08-14 | 5.0 | None | Remote | Low | Not required | None | None | Partial | Stack-based buffer overflow in slssvc.exe before 58.x in Invensys Wonderware SuiteLink in the Invensys System Platform software suite, as used in InTouch/Wonderware Application Server IT before 10.5 and WAS before 3.5, DASABCIP before 4.1 SP2, DASSiDirect before 3.0, DAServer Runtime Components before 3.0 SP2, and other products, allows remote attackers to cause a denial of service (daemon crash or hang) via a long Unicode string. |
| 1904 | CVE-2012-3006 | 310 | | | 2012-06-19 | 2019-08-29 | 7.1 | None | Remote | High | ??? | Complete | Complete | Complete | The Innominate mGuard Smart HW before HW-101130 and BD before BD-101030, mGuard industrial RS, mGuard delta HW before HW-103060 and BD before BD-211010, mGuard PCI, mGuard blade, and EAGLE mGuard appliances with software before 7.5.0 do not use a sufficient source of entropy for private keys, which makes it easier for man-in-the-middle attackers to spoof (1) HTTPS or (2) SSH servers by predicting a key value. |
| 1905 | CVE-2012-3005 | | | +Priv | 2012-07-26 | 2012-07-30 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | Untrusted search path vulnerability in Invensys Wonderware InTouch 2012 and earlier, as used in Wonderware Application Server, Wonderware Information Server, Foxboro Control Software, InFusion CE/FE/SCADA, InBatch, and Wonderware Historian, allows local users to gain privileges via a Trojan horse DLL in an unspecified directory. |
| 1906 | CVE-2012-3004 | | | +Priv | 2012-09-08 | 2012-09-10 | 6.9 | None | Local | Medium | Not required | Complete | Complete | Complete | Multiple untrusted search path vulnerabilities in RealFlex RealWin before 2.1.13, FlexView before 3.1.86, and RealWinDemo before 2.1.13 allow local users to gain privileges via a Trojan horse (1) realwin.dll or (2) keyhook.dll file in the current working directory. |
| 1907 | CVE-2012-3003 | 20 | | | 2012-06-08 | 2012-06-12 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Open redirect vulnerability in an unspecified web application in Siemens WinCC 7.0 SP3 before Update 2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in a GET request. |
| 1908 | CVE-2012-3002 | 287 | | Bypass | 2012-12-21 | 2013-03-02 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The web interface on (1) Foscam and (2) Wansview IP cameras allows remote attackers to bypass authentication, and perform administrative functions or read the admin password, via a direct request to an unspecified URL. |
| 1909 | CVE-2012-3001 | 78 | | Exec Code | 2012-10-22 | 2013-03-02 | 8.5 | None | Remote | Medium | ??? | Complete | Complete | Complete | Mutiny Standard before 4.5-1.12 allows remote attackers to execute arbitrary commands via the network-interface menu, related to a "command injection vulnerability." |
| 1910 | CVE-2012-2999 | 352 | | CSRF | 2012-10-04 | 2013-02-07 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Multiple cross-site request forgery (CSRF) vulnerabilities in the web interface in Cerberus FTP Server before 5.0.5.0 allow remote attackers to hijack the authentication of administrators for requests that (1) add a user account or (2) reconfigure the state of the FTP service, as demonstrated by a request to usermanager/users/modify. |
| 1911 | CVE-2012-2998 | 89 | | Exec Code Sql | 2012-09-28 | 2013-02-14 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in the ad hoc query module in Trend Micro Control Manager (TMCM) before 5.5.0.1823 and 6.0 before 6.0.0.1449 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| 1912 | CVE-2012-2996 | 352 | | CSRF | 2012-09-17 | 2013-04-13 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in saveAccountSubTab.imss in Trend Micro InterScan Messaging Security Suite 7.1-Build_Win32_1394 allows remote attackers to hijack the authentication of administrators for requests that create admin accounts via a saveAuth action. |
| 1913 | CVE-2012-2995 | 79 | | XSS | 2012-09-17 | 2013-04-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in Trend Micro InterScan Messaging Security Suite 7.1-Build_Win32_1394 allow remote attackers to inject arbitrary web script or HTML via (1) the wrsApprovedURL parameter to addRuleAttrWrsApproveUrl.imss or (2) the src parameter to initUpdSchPage.imss. |
| 1914 | CVE-2012-2994 | 264 | | | 2012-09-18 | 2013-03-02 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The CoSoSys Endpoint Protector 4 appliance establishes an EPProot password based entirely on the appliance serial number, which makes it easier for remote attackers to obtain access via a brute-force attack. |
| 1915 | CVE-2012-2993 | 310 | | | 2012-09-18 | 2017-08-29 | 2.6 | None | Remote | High | Not required | Partial | None | None | Microsoft Windows Phone 7 does not verify the domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof an SSL server for the (1) POP3, (2) IMAP, or (3) SMTP protocol via an arbitrary valid certificate. |
| 1916 | CVE-2012-2991 | | | | 2012-09-19 | 2013-03-02 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The PayPal (aka MODULE_PAYMENT_PAYPAL_STANDARD) module before 1.1 in osCommerce Online Merchant before 2.3.4 allows remote attackers to set the payment recipient via a modified value of the merchant's e-mail address, as demonstrated by setting the recipient to one's self. |
| 1917 | CVE-2012-2990 | 94 | | | 2012-08-24 | 2012-08-29 | 9.3 | None | Remote | Medium | Not required | Complete | Complete | Complete | The MASetupCaller ActiveX control before 1.4.2012.508 in MASetupCaller.dll in MarkAny ContentSAFER, as distributed in Samsung KIES before 2.3.2.12074_13_13, does not properly implement unspecified methods, which allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via a crafted HTML document. |
| 1918 | CVE-2012-2986 | 78 | | Exec Code | 2012-08-20 | 2012-08-21 | 7.7 | None | Local Network | Low | ??? | Complete | Complete | Complete | lhn/public/network/ping in HP SAN/iQ 9.5 on the HP Virtual SAN Appliance allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) first, (2) third, or (3) fourth parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-4361. |
| 1919 | CVE-2012-2985 | 79 | | XSS | 2012-08-21 | 2012-08-21 | 3.5 | None | Remote | Medium | ??? | None | Partial | None | Cross-site scripting (XSS) vulnerability in InsertDocument.aspx in CuteSoft Cute Editor 6.4 allows remote authenticated users to inject arbitrary web script or HTML via the _UploadID parameter. |
| 1920 | CVE-2012-2984 | 79 | | XSS | 2012-08-24 | 2013-03-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in monitor/m_overview.ink in Websense Content Gateway before 7.7.3 allow remote attackers to inject arbitrary web script or HTML via the (1) menu or (2) item parameter. |
| 1921 | CVE-2012-2983 | 287 | | | 2012-09-11 | 2013-05-30 | 5.0 | None | Remote | Low | Not required | Partial | None | None | file/edit_html.cgi in Webmin 1.590 and earlier does not perform an authorization check before showing a file's unedited contents, which allows remote attackers to read arbitrary files via the file field. |
| 1922 | CVE-2012-2982 | | | Exec Code | 2012-09-11 | 2013-05-30 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | file/show.cgi in Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary commands via an invalid character in a pathname, as demonstrated by a \| (pipe) character. |
| 1923 | CVE-2012-2981 | 20 | | Exec Code | 2012-09-11 | 2013-05-30 | 6.0 | None | Remote | Medium | ??? | Partial | Partial | Partial | Webmin 1.590 and earlier allows remote authenticated users to execute arbitrary Perl code via a crafted file associated with the type (aka monitor type name) parameter. |
| 1924 | CVE-2012-2980 | 255 | | +Info | 2012-08-21 | 2012-08-21 | 7.1 | None | Remote | Medium | Not required | Complete | None | None | The Samsung and HTC onTouchEvent method implementation for Android on the T-Mobile myTouch 3G Slide, HTC Merge, Sprint EVO Shift 4G, HTC ChaCha, AT&T Status, HTC Desire Z, T-Mobile G2, T-Mobile myTouch 4G Slide, and Samsung Galaxy S stores touch coordinates in the dmesg buffer, which allows remote attackers to obtain sensitive information via a crafted application, as demonstrated by PIN numbers, telephone numbers, and text messages. |
| 1925 | CVE-2012-2978 | 119 | | DoS Overflow | 2012-07-27 | 2017-12-22 | 5.0 | None | Remote | Low | Not required | None | None | Partial | query.c in NSD 3.0.x through 3.0.8, 3.1.x through 3.1.1, and 3.2.x before 3.2.12 allows remote attackers to cause a denial of service (NULL pointer dereference and child process crash) via a crafted DNS packet. |
| 1926 | CVE-2012-2977 | 264 | | | 2012-07-23 | 2017-12-22 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to change arbitrary passwords via crafted input to an application script. |
| 1927 | CVE-2012-2976 | 78 | | Exec Code | 2012-07-23 | 2017-12-22 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to execute arbitrary shell commands via crafted input to application scripts, related to an "injection" issue. |
| 1928 | CVE-2012-2975 | 79 | | XSS | 2012-09-11 | 2012-09-12 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the traffic overview page on the F5 ASM appliance 10.0.0 through 11.2.0 HF2 allows remote attackers to inject arbitrary web script or HTML via crafted requests that are later listed on a summary page. |
| 1929 | CVE-2012-2974 | 287 | | Bypass | 2012-07-19 | 2017-12-22 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The web interface on the SMC SMC8024L2 switch allows remote attackers to bypass authentication and obtain administrative access via a direct request to a .html file under (1) status/, (2) system/, (3) ports/, (4) trunks/, (5) vlans/, (6) qos/, (7) rstp/, (8) dot1x/, (9) security/, (10) igmps/, or (11) snmp/. |
| 1930 | CVE-2012-2972 | 20 | | DoS | 2012-10-20 | 2021-04-07 | 5.0 | None | Remote | Low | Not required | None | None | Partial | The (1) server and (2) agent components in CA ARCserve Backup r12.5, r15, and r16 on Windows do not properly validate RPC requests, which allows remote attackers to cause a denial of service (service crash) via a crafted request. |
| 1931 | CVE-2012-2971 | 94 | | DoS Exec Code | 2012-10-20 | 2021-04-07 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The server in CA ARCserve Backup r12.5, r15, and r16 on Windows does not properly process RPC requests, which allows remote attackers to execute arbitrary code or cause a denial of service via a crafted request. |
| 1932 | CVE-2012-2970 | 399 | | DoS | 2012-07-09 | 2012-07-10 | 7.8 | None | Remote | Low | Not required | None | None | Complete | The Synel SY-780/A Time & Attendance terminal allows remote attackers to cause a denial of service (device hang) via network traffic to port (1) 1641, (2) 3734, or (3) 3735. |
| 1933 | CVE-2012-2969 | 264 | | Bypass | 2012-08-12 | 2012-09-04 | 6.4 | None | Remote | Low | Not required | None | Partial | Partial | Caucho Quercus, as distributed in Resin before 4.0.29, allows remote attackers to bypass intended restrictions on filename extensions for created files via a %00 sequence in a pathname within an HTTP request. |
| 1934 | CVE-2012-2968 | 22 | | Dir. Trav. | 2012-08-12 | 2012-09-04 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Directory traversal vulnerability in Caucho Quercus, as distributed in Resin before 4.0.29, allows remote attackers to create files in arbitrary directories via a .. (dot dot) in a pathname within an HTTP request. |
| 1935 | CVE-2012-2967 | | | | 2012-08-12 | 2012-09-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Caucho Quercus, as distributed in Resin before 4.0.29, does not properly implement the == (equals sign equals sign) operator for comparisons, which has unspecified impact and context-dependent attack vectors. |
| 1936 | CVE-2012-2966 | | | | 2012-08-12 | 2012-09-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Caucho Quercus, as distributed in Resin before 4.0.29, overwrites entries in the SERVER superglobal array on the basis of POST parameters, which has unspecified impact and remote attack vectors. |
| 1937 | CVE-2012-2965 | 20 | | | 2012-08-12 | 2012-09-04 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Caucho Quercus, as distributed in Resin before 4.0.29, does not properly handle unspecified characters in the names of variables, which has unknown impact and remote attack vectors, related to an "HTTP Parameter Contamination" issue. |
| 1938 | CVE-2012-2964 | 20 | | +Info | 2012-08-12 | 2012-08-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The BreakingPoint Storm appliance before 3.0 requires cleartext credentials for establishing a session from a GUI administrative client, which allows remote attackers to obtain sensitive information by sniffing the network for XML documents. |
| 1939 | CVE-2012-2963 | 287 | | +Info | 2012-08-12 | 2012-08-13 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The administrative interface in the embedded web server on the BreakingPoint Storm appliance before 3.0 does not require authentication for the gwt/BugReport script, which allows remote attackers to obtain sensitive information by downloading a .tgz file. |
| 1940 | CVE-2012-2962 | 89 | 1 | Exec Code Sql | 2012-07-30 | 2018-03-12 | 6.5 | None | Remote | Low | ??? | Partial | Partial | Partial | SQL injection vulnerability in d4d/statusFilter.php in Plixer Scrutinizer (aka Dell SonicWALL Scrutinizer) before 9.5.2 allows remote authenticated users to execute arbitrary SQL commands via the q parameter. |
| 1941 | CVE-2012-2961 | 89 | | Exec Code Sql | 2012-07-23 | 2017-12-22 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in the management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. |
| 1942 | CVE-2012-2960 | 79 | | XSS | 2012-08-08 | 2013-02-20 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Cross-site scripting (XSS) vulnerability in the import functionality in HP ArcSight Connector appliance 6.2.0.6244.0 and ArcSight Logger appliance 5.2.0.6288.0 allows remote attackers to inject arbitrary web script or HTML via a crafted file. |
| 1943 | CVE-2012-2959 | 352 | | CSRF | 2012-06-11 | 2012-06-12 | 5.1 | None | Remote | High | Not required | Partial | Partial | Partial | Cross-site request forgery (CSRF) vulnerability in password-manager/changePasswords.do in BMC Identity Management Suite 7.5.00.103 allows remote attackers to hijack the authentication of administrators for requests that change passwords. |
| 1944 | CVE-2012-2957 | 264 | | +Priv File Inclusion | 2012-07-23 | 2017-12-22 | 7.2 | None | Local | Low | Not required | Complete | Complete | Complete | The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows local users to gain privileges by modifying files, related to a "file inclusion" issue. |
| 1945 | CVE-2012-2955 | 79 | | XSS | 2012-07-20 | 2017-12-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Multiple cross-site scripting (XSS) vulnerabilities in the administrative user interface in IBM Lotus Protector for Mail Security 2.1, 2.5, 2.5.1, and 2.8 and IBM ISS Proventia Network Mail Security System allow remote attackers to inject arbitrary web script or HTML via the query string. |
| 1946 | CVE-2012-2953 | 78 | | Exec Code | 2012-07-23 | 2017-12-22 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The management console in Symantec Web Gateway 5.0.x before 5.0.3.18 allows remote attackers to execute arbitrary commands via crafted input to application scripts. |
| 1947 | CVE-2012-2952 | 89 | 1 | Exec Code Sql | 2012-05-29 | 2017-08-29 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in add_ons.php in Jaow 2.4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the add_ons parameter. |
| 1948 | CVE-2012-2951 | 89 | | Exec Code Sql | 2012-05-29 | 2012-05-30 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | SQL injection vulnerability in plog-rss.php in Plogger allows remote attackers to execute arbitrary SQL commands via the id parameter. |
| 1949 | CVE-2012-2949 | 264 | | +Priv | 2012-05-29 | 2012-05-30 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | The ZTE sync_agent program for Android 2.3.4 on the Score M device uses a hardcoded ztex1609523 password to control access to commands, which allows remote attackers to gain privileges via a crafted application. |
| 1950 | CVE-2012-2948 | 399 | | DoS | 2012-06-02 | 2017-08-29 | 4.0 | None | Remote | Low | ??? | None | None | Partial | chan_skinny.c in the Skinny (aka SCCP) channel driver in Certified Asterisk 1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x before 10.4.1 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode. |