| # |
CVE ID
|
CWE ID
|
# of Exploits
|
Vulnerability Type(s)
|
Publish Date
|
Update Date
|
Score
|
Gained Access Level
|
Access
|
Complexity
|
Authentication
|
Conf.
|
Integ.
|
Avail.
|
|
151 |
CVE-2012-5140 |
416 |
|
DoS |
2012-12-12 |
2018-10-30 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Use-after-free vulnerability in Google Chrome before 23.0.1271.97 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the URL loader. |
|
152 |
CVE-2012-5139 |
416 |
|
DoS |
2012-12-12 |
2018-10-30 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Use-after-free vulnerability in Google Chrome before 23.0.1271.97 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to visibility events. |
|
153 |
CVE-2012-5138 |
|
|
|
2012-12-04 |
2018-10-30 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Google Chrome before 23.0.1271.95 does not properly handle file paths, which has unspecified impact and attack vectors. |
|
154 |
CVE-2012-5137 |
416 |
|
DoS |
2012-12-04 |
2018-10-30 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
Use-after-free vulnerability in Google Chrome before 23.0.1271.95 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the Media Source API. |
|
155 |
CVE-2012-5129 |
119 |
|
DoS Overflow |
2012-12-04 |
2018-10-30 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Heap-based buffer overflow in the WebGL subsystem in Google Chrome OS before 23.0.1271.94 allows remote attackers to cause a denial of service (GPU process crash) or possibly have unspecified other impact via unknown vectors. |
|
156 |
CVE-2012-5055 |
200 |
|
+Info |
2012-12-05 |
2012-12-28 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
DaoAuthenticationProvider in VMware SpringSource Spring Security before 2.0.8, 3.0.x before 3.0.8, and 3.1.x before 3.1.3 does not check the password if the user is not found, which makes the response delay shorter and might allow remote attackers to enumerate valid usernames via a series of login requests. |
|
157 |
CVE-2012-4991 |
22 |
1
|
Dir. Trav. |
2012-12-13 |
2012-12-13 |
8.5 |
None |
Remote |
Low |
??? |
Complete |
Complete |
None |
|
Multiple directory traversal vulnerabilities in Axway SecureTransport 5.1 SP2 and earlier allow remote authenticated users to (1) read, (2) delete, or (3) create files, or (4) list directories, via a ..%5C (encoded dot dot backslash) in a URI. |
|
158 |
CVE-2012-4985 |
264 |
|
|
2012-12-05 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
The Forescout CounterACT NAC device 6.3.4.1 does not block ARP and ICMP traffic from unrecognized clients, which allows remote attackers to conduct ARP poisoning attacks via crafted packets. |
|
159 |
CVE-2012-4983 |
79 |
|
XSS |
2012-12-05 |
2013-02-26 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities on the Forescout CounterACT NAC device before 7.0 allow remote attackers to inject arbitrary web script or HTML via (1) the a parameter to assets/login or (2) the query parameter to assets/rangesearch. |
|
160 |
CVE-2012-4982 |
20 |
|
|
2012-12-05 |
2013-02-26 |
5.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
None |
|
Open redirect vulnerability in assets/login on the Forescout CounterACT NAC device before 7.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the a parameter. |
|
161 |
CVE-2012-4977 |
310 |
|
|
2012-12-12 |
2012-12-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Layton Helpbox 4.4.0 allows remote attackers to discover cleartext credentials for the login page by sniffing the network. |
|
162 |
CVE-2012-4976 |
200 |
|
+Info |
2012-12-12 |
2012-12-12 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
selectawasset.asp in Layton Helpbox 4.4.0 allows remote attackers to discover ODBC database credentials via an element=sys_asset_id request, which is not properly handled during construction of an error page. |
|
163 |
CVE-2012-4975 |
264 |
|
|
2012-12-12 |
2017-08-29 |
4.0 |
None |
Remote |
Low |
??? |
None |
Partial |
None |
|
editrequestuser.asp in Layton Helpbox 4.4.0 allows remote authenticated users to change arbitrary support-ticket data via a modified sys_request_id parameter. |
|
164 |
CVE-2012-4974 |
264 |
|
+Priv |
2012-12-12 |
2012-12-28 |
6.5 |
None |
Remote |
Low |
??? |
Partial |
Partial |
Partial |
|
Layton Helpbox 4.4.0 allows remote authenticated users to change the login context and gain privileges via a modified (1) loggedinenduser, (2) loggedinendusername, (3) loggedinuserusergroup, (4) loggedinuser, or (5) loggedinusername cookie. |
|
165 |
CVE-2012-4972 |
79 |
|
XSS |
2012-12-12 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in Layton Helpbox 4.4.0 allow remote attackers to inject arbitrary web script or HTML via the (1) sys_solution_id, (2) sys_requesttype_id, (3) sys_problem_desc, (4) sys_solution_desc, (5) sys_problemsummary, (6) usr_Action_testing, (7) usr_Escalation, or (8) usr_Additional_Resources parameter to writesolutionuser.asp or the (9) sys_solution_id parameter to deletesolution.asp. |
|
166 |
CVE-2012-4971 |
89 |
|
Exec Code Sql |
2012-12-12 |
2012-12-12 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
Multiple SQL injection vulnerabilities in Layton Helpbox 4.4.0 allow remote attackers to execute arbitrary SQL commands via the (1) reqclass parameter to editrequestenduser.asp; the (2) sys_request_id parameter to editrequestuser.asp; the (3) sys_request_id parameter to enduseractions.asp; the (4) sys_request_id or (5) confirm parameter to enduserreopenrequeststatus.asp; the (6) searchsql, (7) back, or (8) status parameter to enduserrequests.asp; the (9) sys_userpwd parameter to validateenduserlogin.asp; the (10) sys_userpwd parameter to validateuserlogin.asp; the (11) sql parameter to editenduseruser.asp; the (12) sql parameter to manageenduserrequestclasses.asp; the (13) sql parameter to resetpwdenduser.asp; the (14) sql parameter to disableloginenduser.asp; the (15) sql parameter to deleteenduseruser.asp; the (16) sql parameter to manageendusers.asp; or the (17) site parameter to statsrequestagereport.asp. |
|
167 |
CVE-2012-4932 |
79 |
|
XSS |
2012-12-28 |
2013-10-11 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in SimpleInvoices before stable-2012-1-CIS3000 allow remote attackers to inject arbitrary web script or HTML via (1) the having parameter in a manage action to index.php; (2) the Email field in an Add User action; (3) the Customer Name field in an Add Customer action; the (4) Street address, (5) Street address 2, (6) City, (7) Zip code, (8) State, (9) Country, (10) Mobile Phone, (11) Phone, (12) Fax, (13) Email, (14) PayPal business name, (15) PayPal notify url, (16) PayPal return url, (17) Eway customer ID, (18) Custom field 1, (19) Custom field 2, (20) Custom field 3, or (21) Custom field 4 field in an Add Biller action; (22) the Customer field in an Add Invoice action; the (23) Invoice or (24) Notes field in a Process Payment action; (25) the Payment type description field in a Payment Types action; (26) the Description field in an Invoice Preferences action; (27) the Description field in a Manage Products action; or (28) the Description field in a Tax Rates action. |
|
168 |
CVE-2012-4898 |
310 |
|
|
2012-12-18 |
2013-01-29 |
6.1 |
None |
Remote |
High |
Not required |
Complete |
Partial |
None |
|
Mesh OS before 7.9.1.1 on Tropos wireless mesh routers does not use a sufficient source of entropy for SSH keys, which makes it easier for man-in-the-middle attackers to spoof a device or modify a client-server data stream by leveraging knowledge of a key from a product installation elsewhere. |
|
169 |
CVE-2012-4862 |
255 |
|
+Info |
2012-12-05 |
2017-08-29 |
2.1 |
None |
Local |
Low |
Not required |
Partial |
None |
None |
|
The Host Connect emulator in IBM Rational Developer for System z 7.1 through 8.5.1 does not properly store the SSL certificate password, which allows local users to obtain sensitive information via unspecified vectors. |
|
170 |
CVE-2012-4859 |
|
|
|
2012-12-21 |
2017-08-29 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Unspecified vulnerability in IBM Tivoli Storage Manager for Space Management (aka TSM HSM) before 6.2.5.0 and 6.3.x before 6.3.1.0 allows local users to read or modify file system objects via unknown vectors. |
|
171 |
CVE-2012-4857 |
119 |
|
Exec Code Overflow |
2012-12-08 |
2017-08-29 |
9.0 |
None |
Remote |
Low |
??? |
Complete |
Complete |
Complete |
|
Buffer overflow in IBM Informix 11.50 through 11.50.xC9W2 and 11.70 before 11.70.xC7 allows remote authenticated users to execute arbitrary code via a crafted SQL statement. |
|
172 |
CVE-2012-4856 |
255 |
|
Exec Code |
2012-12-20 |
2017-08-29 |
7.9 |
None |
Local Network |
Medium |
Not required |
Complete |
Complete |
Complete |
|
The Service Processor in the IBM Power 5 91##-### and 940#-### before SF240_418_382 does not ensure that firewall code is executed, which allows remote attackers to execute arbitrary code via unspecified vectors. |
|
173 |
CVE-2012-4848 |
79 |
|
XSS |
2012-12-19 |
2017-08-29 |
3.5 |
None |
Remote |
Medium |
??? |
None |
Partial |
None |
|
Multiple cross-site scripting (XSS) vulnerabilities in IBM Lotus Foundations Start before 1.2.2c allow remote authenticated users to inject arbitrary web script or HTML via a Webconfig Users user-attribute field, as demonstrated by the (1) First Name or (2) Last Name field. |
|
174 |
CVE-2012-4846 |
200 |
|
+Info |
2012-12-19 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
IBM Lotus Notes 8.5.x before 8.5.3 FP3 does not include the HTTPOnly flag in a Set-Cookie header for a web-application cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, aka SPRs JMAS7TRNLN and SRAO8U3Q68. |
|
175 |
CVE-2012-4839 |
|
|
|
2012-12-20 |
2017-08-29 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The OSLC interface in the Web Client (aka CQ Web) in IBM Rational ClearQuest 7.1.2.x before 7.1.2.9 and 8.0.0.x before 8.0.0.5 allows remote attackers to conduct phishing attacks via a FRAME element. |
|
176 |
CVE-2012-4838 |
|
|
+Info |
2012-12-08 |
2021-11-08 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
IBM Flex System Chassis Management Module (CMM) and Integrated Management Module 2 (IMM2) allow local users to obtain sensitive information about (1) local accounts, (2) SSH private keys, (3) SSL/TLS private keys, (4) SNMPv3 communities, and (5) LDAP credentials by leveraging unspecified side effects of service or maintenance activity. |
|
177 |
CVE-2012-4816 |
264 |
|
Bypass |
2012-12-26 |
2017-08-29 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
IBM Rational Automation Framework (RAF) 3.x through 3.0.0.5 allows remote attackers to bypass intended Env Gen Wizard (aka Environment Generation Wizard) access restrictions by visiting context roots in HTTP sessions on port 8080. |
|
178 |
CVE-2012-4792 |
399 |
|
Exec Code |
2012-12-30 |
2020-09-28 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012. |
|
179 |
CVE-2012-4791 |
94 |
|
DoS |
2012-12-12 |
2019-06-01 |
3.5 |
None |
Remote |
Medium |
??? |
None |
None |
Partial |
|
Microsoft Exchange Server 2007 SP3 and 2010 SP1 and SP2 allows remote authenticated users to cause a denial of service (Information Store service hang) by subscribing to a crafted RSS feed, aka "RSS Feed May Cause Exchange DoS Vulnerability." |
|
180 |
CVE-2012-4787 |
399 |
|
Exec Code |
2012-12-12 |
2020-09-28 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly initialized or (2) is deleted, aka "Improper Ref Counting Use After Free Vulnerability." |
|
181 |
CVE-2012-4786 |
94 |
|
Exec Code |
2012-12-12 |
2018-10-12 |
10.0 |
None |
Remote |
Low |
Not required |
Complete |
Complete |
Complete |
|
The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT allow remote attackers to execute arbitrary code via a crafted TrueType Font (TTF) file, aka "TrueType Font Parsing Vulnerability." |
|
182 |
CVE-2012-4782 |
399 |
|
Exec Code |
2012-12-12 |
2020-09-28 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Use-after-free vulnerability in Microsoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "CMarkup Use After Free Vulnerability." |
|
183 |
CVE-2012-4781 |
94 |
|
Exec Code |
2012-12-12 |
2018-10-12 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Use-after-free vulnerability in Microsoft Internet Explorer 6 through 10 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "InjectHTMLStream Use After Free Vulnerability." |
|
184 |
CVE-2012-4774 |
94 |
|
Exec Code |
2012-12-12 |
2020-09-28 |
9.3 |
None |
Remote |
Medium |
Not required |
Complete |
Complete |
Complete |
|
Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allow remote attackers to execute arbitrary code via a crafted (1) file name or (2) subfolder name that triggers use of unallocated memory as the destination of a copy operation, aka "Windows Filename Parsing Vulnerability." |
|
185 |
CVE-2012-4698 |
200 |
|
+Info |
2012-12-23 |
2013-05-21 |
4.3 |
None |
Remote |
Medium |
Not required |
Partial |
None |
None |
|
Siemens RuggedCom Rugged Operating System (ROS) before 3.12, ROX I OS through 1.14.5, ROX II OS through 2.3.0, and RuggedMax OS through 4.2.1.4621.22 use hardcoded private keys for SSL and SSH communication, which makes it easier for man-in-the-middle attackers to spoof servers and decrypt network traffic by leveraging the availability of these keys within ROS files at all customer installations. |
|
186 |
CVE-2012-4693 |
310 |
|
|
2012-12-18 |
2012-12-19 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
Invensys Wonderware InTouch 2012 R2 and earlier and Siemens ProcessSuite use a weak encryption algorithm for data in Ps_security.ini, which makes it easier for local users to discover passwords by reading this file. |
|
187 |
CVE-2012-4691 |
399 |
|
DoS |
2012-12-18 |
2013-01-29 |
3.3 |
None |
Local Network |
Low |
Not required |
None |
None |
Partial |
|
Memory leak in Siemens Automation License Manager (ALM) 4.x and 5.x before 5.2 allows remote attackers to cause a denial of service (memory consumption) via crafted packets. |
|
188 |
CVE-2012-4690 |
16 |
|
DoS |
2012-12-08 |
2013-05-21 |
7.1 |
None |
Remote |
Medium |
Not required |
None |
None |
Complete |
|
Rockwell Automation Allen-Bradley MicroLogix controller 1100, 1200, 1400, and 1500; SLC 500 controller platform; and PLC-5 controller platform, when Static status is not enabled, allow remote attackers to cause a denial of service via messages that trigger modification of status bits. |
|
189 |
CVE-2012-4688 |
287 |
|
Bypass |
2012-12-31 |
2012-12-31 |
7.5 |
None |
Remote |
Low |
Not required |
Partial |
Partial |
Partial |
|
The Central application in i-GEN opLYNX before 2.01.9 allows remote attackers to bypass authentication via vectors involving the disabling of browser JavaScript support. |
|
190 |
CVE-2012-4687 |
310 |
|
|
2012-12-08 |
2012-12-26 |
7.6 |
None |
Remote |
High |
Not required |
Complete |
Complete |
Complete |
|
Post Oak AWAM Bluetooth Reader Traffic System does not use a sufficient source of entropy for private keys, which makes it easier for man-in-the-middle attackers to spoof a device by predicting a key value. |
|
191 |
CVE-2012-4616 |
22 |
|
Dir. Trav. |
2012-12-26 |
2012-12-27 |
5.0 |
None |
Remote |
Low |
Not required |
Partial |
None |
None |
|
Directory traversal vulnerability in the Web UI in EMC Data Protection Advisor (DPA) 5.6 through SP1, 5.7 through SP1, and 5.8 through SP4 allows remote attackers to read arbitrary files via unspecified vectors. |
|
192 |
CVE-2012-4609 |
20 |
|
|
2012-12-05 |
2012-12-05 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
The web interface in EMC RSA NetWitness Informer before 2.0.5.6 allows remote attackers to conduct clickjacking attacks via unspecified vectors. |
|
193 |
CVE-2012-4608 |
352 |
|
CSRF |
2012-12-05 |
2012-12-05 |
6.8 |
None |
Remote |
Medium |
Not required |
Partial |
Partial |
Partial |
|
Cross-site request forgery (CSRF) vulnerability in the web interface in EMC RSA NetWitness Informer before 2.0.5.6 allows remote attackers to hijack the authentication of arbitrary users. |
|
194 |
CVE-2012-4565 |
189 |
|
DoS |
2012-12-21 |
2013-08-22 |
4.7 |
None |
Local |
Medium |
Not required |
None |
None |
Complete |
|
The tcp_illinois_info function in net/ipv4/tcp_illinois.c in the Linux kernel before 3.4.19, when the net.ipv4.tcp_congestion_control illinois setting is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) by reading TCP stats. |
|
195 |
CVE-2012-4534 |
399 |
|
DoS |
2012-12-19 |
2017-09-19 |
2.6 |
None |
Remote |
High |
Not required |
None |
None |
Partial |
|
org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to cause a denial of service (infinite loop) by terminating the connection during the reading of a response. |
|
196 |
CVE-2012-4528 |
|
|
Bypass |
2012-12-28 |
2021-02-12 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The mod_security2 module before 2.7.0 for the Apache HTTP Server allows remote attackers to bypass rules, and deliver arbitrary POST data to a PHP application, via a multipart request in which an invalid part precedes the crafted data. |
|
197 |
CVE-2012-4508 |
362 |
|
+Info |
2012-12-21 |
2014-01-08 |
1.9 |
None |
Local |
Medium |
Not required |
Partial |
None |
None |
|
Race condition in fs/ext4/extents.c in the Linux kernel before 3.4.16 allows local users to obtain sensitive information from a deleted file by reading an extent that was not properly marked as uninitialized. |
|
198 |
CVE-2012-4444 |
|
|
Bypass |
2012-12-21 |
2013-06-15 |
5.0 |
None |
Remote |
Low |
Not required |
None |
Partial |
None |
|
The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments. |
|
199 |
CVE-2012-4431 |
264 |
|
Bypass CSRF |
2012-12-19 |
2017-09-19 |
4.3 |
None |
Remote |
Medium |
Not required |
None |
Partial |
None |
|
org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. |
|
200 |
CVE-2012-4350 |
|
|
+Priv |
2012-12-18 |
2013-03-14 |
7.2 |
None |
Local |
Low |
Not required |
Complete |
Complete |
Complete |
|
Multiple unquoted Windows search path vulnerabilities in the (1) Manager and (2) Agent components in Symantec Enterprise Security Manager (ESM) before 11.0 allow local users to gain privileges via unspecified vectors. |
