| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
151 |
CVE-2012-5819 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
FilesAnywhere does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
152 |
CVE-2012-5818 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
ElephantDrive does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
153 |
CVE-2012-5817 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Codehaus XFire 1.2.6 and earlier, as used in the Amazon EC2 API Tools Java library and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
154 |
CVE-2012-5816 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
AOL Instant Messenger (AIM) 1.0.1.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
155 |
CVE-2012-5815 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Rackspace app 2.1.5 for iOS does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
156 |
CVE-2012-5814 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Weberknecht, as used in GitHub Gaug.es and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
157 |
CVE-2012-5813 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Android_Pusher library for Android does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
158 |
CVE-2012-5812 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The ACRA library for Android does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
159 |
CVE-2012-5811 |
310 |
|
|
2012-11-04 |
2015-11-04 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Breezy application for Android does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
160 |
CVE-2012-5810 |
310 |
|
|
2012-11-04 |
2016-03-23 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Chase mobile banking application for Android does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to overriding the default X509TrustManager. NOTE: this vulnerability was fixed in the summer of 2012, but the version number was not changed or is not known. |
|
161 |
CVE-2012-5809 |
310 |
|
|
2012-11-04 |
2015-11-04 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Groupon Redemptions application for Android does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
162 |
CVE-2012-5808 |
20 |
|
|
2012-11-04 |
2012-11-05 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The LinkPoint module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
163 |
CVE-2012-5807 |
20 |
|
|
2012-11-04 |
2012-11-06 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Authorize.Net eCheck module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
164 |
CVE-2012-5806 |
20 |
|
|
2012-11-04 |
2012-11-06 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The PayPal Payments Pro module in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function, a different vulnerability than CVE-2012-5805. |
|
165 |
CVE-2012-5805 |
20 |
|
|
2012-11-04 |
2012-11-06 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The PayPal IPN functionality in Zen Cart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, a different vulnerability than CVE-2012-5806. |
|
166 |
CVE-2012-5804 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The CyberSource module in Ubercart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
167 |
CVE-2012-5803 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Authorize.Net module in Ubercart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
168 |
CVE-2012-5802 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The PayPal module in Ubercart does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
169 |
CVE-2012-5801 |
20 |
|
|
2012-11-04 |
2012-11-05 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The PayPal module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function. |
|
170 |
CVE-2012-5800 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The eBay module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
171 |
CVE-2012-5799 |
20 |
|
|
2012-11-04 |
2012-11-06 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Canada Post (aka CanadaPost) module in PrestaShop does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function. |
|
172 |
CVE-2012-5798 |
20 |
|
|
2012-11-04 |
2012-11-05 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The PayPal Pro PayFlow EC module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
173 |
CVE-2012-5797 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The PayPal Pro PayFlow module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
174 |
CVE-2012-5796 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The PayPal Pro module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
175 |
CVE-2012-5795 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The PayPal Express module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
176 |
CVE-2012-5794 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The MoneyBookers module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
177 |
CVE-2012-5793 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Authorize.Net module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
178 |
CVE-2012-5792 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Sage Pay Direct module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
179 |
CVE-2012-5791 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
PayPal Invoicing does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
180 |
CVE-2012-5790 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
PayPal Payments Standard PHP Library 20120427 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to misinterpretation of a certain TRUE value. |
|
181 |
CVE-2012-5789 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
PayPal Payments Standard PHP Library before 20120427 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to intentional disabling of certificate-validation checks through a "FALSE" value. |
|
182 |
CVE-2012-5788 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The PayPal IPN utility does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to use of the PHP fsockopen function. |
|
183 |
CVE-2012-5787 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The PayPal merchant SDK does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
184 |
CVE-2012-5786 |
20 |
|
Bypass |
2012-11-04 |
2019-06-11 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
** DISPUTED ** The wsdl_first_https sample code in distribution/src/main/release/samples/wsdl_first_https/src/main/ in Apache CXF before 2.7.0 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. NOTE: The vendor states that the sample had specifically used a flag to bypass the DN check. |
|
185 |
CVE-2012-5785 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Apache Axis2/Java 1.6.2 and earlier does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
186 |
CVE-2012-5784 |
20 |
|
|
2012-11-04 |
2019-06-07 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Apache Axis 1.4 and earlier, as used in PayPal Payments Pro, PayPal Mass Pay, PayPal Transactional Information SOAP, the Java Message Service implementation in Apache ActiveMQ, and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
187 |
CVE-2012-5783 |
295 |
|
|
2012-11-04 |
2021-04-23 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
188 |
CVE-2012-5782 |
20 |
|
|
2012-11-04 |
2017-08-29 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Amazon Flexible Payments Service (FPS) PHP Library does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to misinterpretation of a certain "true" value. |
|
189 |
CVE-2012-5781 |
20 |
|
|
2012-11-04 |
2021-05-10 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Amazon Elastic Load Balancing API Tools does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, related to overriding the default JDK X509TrustManager. |
|
190 |
CVE-2012-5780 |
20 |
|
|
2012-11-04 |
2012-11-20 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
The Amazon merchant SDK does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
|
191 |
CVE-2012-5777 |
94 |
1
|
Exec Code |
2012-11-16 |
2017-08-29 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Eval injection vulnerability in the ReplaceListVars function in the template parser in e/class/connect.php in EmpireCMS 6.6 allows user-assisted remote attackers to execute arbitrary PHP code via a crafted template. |
|
192 |
CVE-2012-5765 |
200 |
|
+Info |
2012-12-20 |
2017-08-29 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
The Web Client (aka CQ Web) in IBM Rational ClearQuest 7.1.2.x before 7.1.2.9 and 8.0.0.x before 8.0.0.5 allows remote attackers to obtain sensitive information via unspecified vectors that trigger a SQL error message. |
|
193 |
CVE-2012-5759 |
264 |
|
Bypass |
2012-11-23 |
2017-08-29 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and 2.1.0.0 through 2.1.0.2 allows remote authenticated users to bypass intended administrative-role requirements and perform arbitrary JMX operations via unspecified vectors. |
|
194 |
CVE-2012-5758 |
287 |
|
DoS |
2012-11-23 |
2017-08-29 |
7.8 |
None |
Remote |
Low |
Not required |
None |
None |
Complete |
|
The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and 2.1.0.0 through 2.1.0.2 does not require authentication for an unspecified interface, which allows remote attackers to cause a denial of service (process exit) via unknown vectors. |
|
195 |
CVE-2012-5756 |
310 |
|
|
2012-11-23 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and 2.1.0.0 through 2.1.0.2, when a collective configuration is enabled, has a single secret key that is shared across different customers' installations, which allows remote attackers to spoof a container server by (1) sniffing the network to locate a cleartext transmission of this key or (2) leveraging knowledge of this key from another installation. |
|
196 |
CVE-2012-5705 |
79 |
|
XSS |
2012-11-01 |
2012-11-02 |
2.1 |
None |
Remote |
High |
??? |
None |
Partial |
None |
|
Cross-site scripting (XSS) vulnerability in the settings page (admin/settings/hotblocks) in the Hotblocks module 6.x-1.x before 6.x-1.8 for Drupal allows remote authenticated users with the "administer hotblocks" permission to inject arbitrary web script or HTML via the "block names." |
|
197 |
CVE-2012-5704 |
399 |
|
DoS |
2012-11-01 |
2012-11-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
None |
Partial |
|
The Hotblocks module 6.x-1.x before 6.x-1.8 for Drupal allows remote authenticated users with the "administer hotblocks" permission to cause a denial of service (infinite loop and time out) via a block that references itself. |
|
198 |
CVE-2012-5703 |
20 |
|
DoS |
2012-11-20 |
2013-03-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
None |
Partial |
|
The vSphere API in VMware ESXi 4.1 and ESX 4.1 allows remote attackers to cause a denial of service (host daemon crash) via an invalid value in a (1) RetrieveProp or (2) RetrievePropEx SOAP request. |
|
199 |
CVE-2012-5692 |
|
|
|
2012-10-31 |
2020-06-03 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in admin/sources/base/core.php in Invision Power Board (aka IPB or IP.Board) 3.1.x through 3.3.x has unknown impact and remote attack vectors. |
|
200 |
CVE-2012-5691 |
119 |
|
Exec Code Overflow |
2012-12-19 |
2012-12-19 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Buffer overflow in RealNetworks RealPlayer before 16.0.0.282 and RealPlayer SP 1.0 through 1.1.5 allows remote attackers to execute arbitrary code via a crafted RealMedia file. |
