CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
  Take a third party risk management course for FREE
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2012

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
251 CVE-2012-5550 89 Exec Code Sql 2012-12-03 2012-12-04
7.5
None Remote Low Not required Partial Partial Partial
SQL injection vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors.
252 CVE-2012-5549 352 CSRF 2012-12-03 2012-12-04
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.
253 CVE-2012-5548 79 XSS 2012-12-03 2012-12-04
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Time Spent module 6.x and 7.x for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
254 CVE-2012-5547 352 CSRF 2012-12-03 2012-12-04
6.8
None Remote Medium Not required Partial Partial Partial
Multiple cross-site request forgery (CSRF) vulnerabilities in the Search API module 7.x-1.x before 7.x-1.3 for Drupal allow remote attackers to hijack the authentication of administrators for requests that (1) enable a server via a server action or (2) enable a search index via an enable index action.
255 CVE-2012-5545 79 XSS 2012-12-03 2013-02-26
2.1
None Remote High ??? None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the ShareThis module 7.x-2.x before 7.x-2.5 for Drupal allow remote authenticated users with the "administer sharethis" permission to inject arbitrary web script or HTML via unspecified vectors related to "JavaScript settings."
256 CVE-2012-5544 200 +Info 2012-12-03 2012-12-17
4.0
None Remote Low ??? Partial None None
The Mandrill module 7.x-1.x before 7.x-1.2 for Drupal allows remote authenticated users to obtain password reset links by reading the logs in the Mandrill dashboard.
257 CVE-2012-5543 264 2012-12-03 2012-12-04
4.3
None Remote Medium Not required None Partial None
The Feeds module 7.x-2.x before 7.x-2.0-alpha6 for Drupal, when a field is mapped to the node's author, does not properly check permissions, which allows remote attackers to create arbitrary nodes via a crafted source feed.
258 CVE-2012-5542 352 CSRF 2012-12-03 2017-08-29
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in the Commerce Extra Panes module 7.x-1.x before 7.x-1.1 in Drupal allows remote attackers to hijack the authentication of administrators for requests that enable or disable a Commerce extra panes pane via unspecified vectors related to "the link to reorder items."
259 CVE-2012-5541 79 XSS 2012-12-03 2012-12-04
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Twitter Pull module 6.x-1.x before 6.x-1.3 and 7.x-1.x before 7.x-1.0-rc3 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to "data coming from Twitter."
260 CVE-2012-5540 79 XSS 2012-12-03 2012-12-04
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the Hostip module 6.x-2.x before 6.x-2.2 and 7.x-2.x before 7.x-2.2 for Drupal allow remote attackers with control of hostip.info to inject arbitrary web script or HTML via unspecified vectors.
261 CVE-2012-5539 264 2012-12-03 2020-05-06
3.5
None Remote Medium ??? None Partial None
The Organic Groups (OG) module 7.x-1.x before 7.x-1.5 for Drupal does not properly maintain pending group memberships, which allows remote authenticated users to post to arbitrary groups by modifying their own account while a pending membership is waiting to be approved.
262 CVE-2012-5538 79 XSS 2012-12-03 2012-12-04
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the FileField Sources module 6.x-1.x before 6.x-1.6 and 7.x-1.x before 7.x-1.6 for Drupal, when the field has "Reference existing" source enabled, allows remote authenticated users to inject arbitrary web script or HTML via the filename of an uploaded file.
263 CVE-2012-5537 94 Exec Code 2012-12-03 2012-12-04
6.0
None Remote Medium ??? Partial Partial Partial
The Simplenews Scheduler module 6.x-2.x before 6.x-2.4 for Drupal allows remote authenticated users with the "send scheduled newsletters" permission to inject arbitrary PHP code into the scheduling form, which is later executed by cron.
264 CVE-2012-5534 20 Exec Code 2012-12-03 2014-02-07
7.5
None Remote Low Not required Partial Partial Partial
The hook_process function in the plugin API for WeeChat 0.3.0 through 0.3.9.1 allows remote attackers to execute arbitrary commands via shell metacharacters in a command from a plugin, related to "shell expansion."
265 CVE-2012-5533 399 2 DoS 2012-11-24 2017-08-29
5.0
None Remote Low Not required None None Partial
The http_request_split_value function in request.c in lighttpd before 1.4.32 allows remote attackers to cause a denial of service (infinite loop) via a request with a header containing an empty token, as demonstrated using the "Connection: TE,,Keep-Alive" header.
266 CVE-2012-5532 DoS 2012-12-27 2017-08-29
4.9
None Local Low Not required None None Complete
The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.8-rc1, allows local users to cause a denial of service (daemon exit) via a crafted application that sends a Netlink message. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2669.
267 CVE-2012-5530 264 2012-11-29 2013-02-26
2.1
None Local Low Not required None Partial None
The (1) pcmd and (2) pmlogger init scripts in Performance Co-Pilot (PCP) before 3.6.10 allow local users to overwrite arbitrary files via a symlink attack on a /var/tmp/##### temporary file.
268 CVE-2012-5529 399 DoS 2012-11-20 2017-08-29
3.5
None Remote Medium ??? None None Partial
TraceManager in Firebird 2.5.0 and 2.5.1, when trace is enabled, allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) by preparing an empty dynamic SQL query.
269 CVE-2012-5526 16 2012-11-21 2017-08-29
5.0
None Remote Low Not required None Partial None
CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm.
270 CVE-2012-5525 DoS 2012-12-13 2017-08-29
4.7
None Local Medium Not required None None Complete
The get_page_from_gfn hypercall function in Xen 4.2 allows local PV guest OS administrators to cause a denial of service (crash) via a crafted GFN that triggers a buffer over-read.
271 CVE-2012-5523 264 +Info 2012-11-16 2021-01-12
5.5
None Remote Low ??? Partial Partial None
core/email_api.php in MantisBT before 1.2.12 does not properly manage the sending of e-mail notifications about restricted bugs, which might allow remote authenticated users to obtain sensitive information by adding a note to a bug before losing permission to view that bug.
272 CVE-2012-5522 264 Bypass 2012-11-16 2021-01-12
5.5
None Remote Low ??? Partial Partial None
MantisBT before 1.2.12 does not use an expected default value during decisions about whether a user may modify the status of a bug, which allows remote authenticated users to bypass intended access restrictions and make status changes by leveraging a blank value for a per-status setting.
273 CVE-2012-5520 20 Exec Code 2012-11-26 2013-11-25
7.5
None Remote Low Not required Partial Partial Partial
The send_to_sourcefire function in manage_sql.c in OpenVAS Manager 3.x before 3.0.4 allows remote attackers to execute arbitrary commands via the (1) IP address or (2) port number field in an OMP request.
274 CVE-2012-5519 264 2012-11-20 2017-08-29
7.2
None Local Low Not required Complete Complete Complete
CUPS 1.4.4, when running in certain Linux distributions such as Debian GNU/Linux, stores the web interface administrator key in /var/run/cups/certs/0 using certain permissions, which allows local users in the lpadmin group to read or write arbitrary files as root by leveraging the web interface.
275 CVE-2012-5517 DoS 2012-12-21 2013-06-21
4.0
None Local High Not required None None Complete
The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact in opportunistic circumstances by using memory that was hot-added by an administrator.
276 CVE-2012-5515 DoS 2012-12-13 2017-08-29
4.7
None Local Medium Not required None None Complete
The (1) XENMEM_decrease_reservation, (2) XENMEM_populate_physmap, and (3) XENMEM_exchange hypercalls in Xen 4.2 and earlier allow local guest administrators to cause a denial of service (long loop and hang) via a crafted extent_order value.
277 CVE-2012-5514 DoS 2012-12-13 2017-08-29
4.7
None Local Medium Not required None None Complete
The guest_physmap_mark_populate_on_demand function in Xen 4.2 and earlier does not properly unlock the subject GFNs when checking if they are in use, which allows local guest HVM administrators to cause a denial of service (hang) via unspecified vectors.
278 CVE-2012-5513 20 DoS +Priv 2012-12-13 2017-08-29
6.9
None Local Medium Not required Complete Complete Complete
The XENMEM_exchange handler in Xen 4.2 and earlier does not properly check the memory address, which allows local PV guest OS administrators to cause a denial of service (crash) or possibly gain privileges via unspecified vectors that overwrite memory in the hypervisor reserved range.
279 CVE-2012-5512 16 DoS +Info 2012-12-13 2017-08-29
3.2
None Local Low ??? Partial None Partial
Array index error in the HVMOP_set_mem_access handler in Xen 4.1 allows local HVM guest OS administrators to cause a denial of service (crash) or obtain sensitive information via unspecified vectors.
280 CVE-2012-5511 119 DoS Overflow 2012-12-13 2017-08-29
4.7
None Local Medium Not required None None Complete
Stack-based buffer overflow in the dirty video RAM tracking functionality in Xen 3.4 through 4.1 allows local HVM guest OS administrators to cause a denial of service (crash) via a large bitmap image.
281 CVE-2012-5510 DoS 2012-12-13 2017-08-29
4.7
None Local Medium Not required None None Complete
Xen 4.x, when downgrading the grant table version, does not properly remove the status page from the tracking list when freeing the page, which allows local guest OS administrators to cause a denial of service (hypervisor crash) via unspecified vectors.
282 CVE-2012-5483 264 2012-12-26 2017-08-29
2.1
None Local Low Not required Partial None None
tools/sample_data.sh in OpenStack Keystone 2012.1.3, when access to Amazon Elastic Compute Cloud (Amazon EC2) is configured, uses world-readable permissions for /etc/keystone/ec2rc, which allows local users to obtain access to EC2 services by reading administrative access and secret values from this file.
283 CVE-2012-5482 264 2012-11-11 2017-08-29
5.5
None Remote Low ??? None Partial Partial
The v2 API in OpenStack Glance Grizzly, Folsom (2012.2), and Essex (2012.1) allows remote authenticated users to delete arbitrary non-protected images via an image deletion request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-4573.
284 CVE-2012-5481 264 Bypass 2012-11-21 2020-12-01
4.0
None Remote Low ??? Partial None None
Moodle 2.3.x before 2.3.3 allows remote authenticated users to bypass the moodle/role:manage capability requirement and read all capability data by visiting the Check Permissions page.
285 CVE-2012-5480 264 Bypass 2012-11-21 2020-12-01
6.4
None Remote Low Not required Partial None Partial
The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote attackers to bypass intended restrictions on reading other participants' entries via an advanced search.
286 CVE-2012-5479 264 2012-11-21 2020-12-01
6.5
None Remote Low ??? Partial Partial Partial
The Portfolio plugin in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to upload and execute files via a modified Portfolio API callback.
287 CVE-2012-5473 200 +Info 2012-11-21 2020-12-01
4.0
None Remote Low ??? Partial None None
The Database activity module in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to read activity entries of a different group's users via an advanced search.
288 CVE-2012-5472 264 Bypass 2012-11-21 2013-06-21
4.0
None Remote Low ??? None Partial None
lib/formslib.php in Moodle 2.2.x before 2.2.6 and 2.3.x before 2.3.3 allows remote authenticated users to bypass intended access restrictions via a modified value of a frozen form field.
289 CVE-2012-5471 264 2012-11-21 2020-12-01
6.5
None Remote Low ??? Partial Partial Partial
The Dropbox Repository File Picker in Moodle 2.1.x before 2.1.9, 2.2.x before 2.2.6, and 2.3.x before 2.3.3 allows remote authenticated users to access the Dropbox of a different user by leveraging an unattended workstation after a logout.
290 CVE-2012-5470 119 1 DoS Overflow 2012-10-26 2017-09-19
4.3
None Remote Medium Not required None None Partial
libpng_plugin in VideoLAN VLC media player 2.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted PNG file.
291 CVE-2012-5469 264 Bypass 2012-12-20 2012-12-28
7.5
None Remote Low Not required Partial Partial Partial
The Portable phpMyAdmin plugin before 1.3.1 for WordPress allows remote attackers to bypass authentication and obtain phpMyAdmin console access via a direct request to wp-content/plugins/portable-phpmyadmin/wp-pma-mod.
292 CVE-2012-5468 119 DoS Exec Code Overflow 2012-12-18 2017-08-29
7.5
None Remote Low Not required Partial Partial Partial
Heap-based buffer overflow in iconvert.c in the bogolexer component in Bogofilter before 1.2.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an email containing a base64 string that is decoded to incomplete multibyte characters.
293 CVE-2012-5459 +Priv 2012-11-14 2017-08-29
7.9
None Local Network Medium Not required Complete Complete Complete
Untrusted search path vulnerability in VMware Workstation 8.x before 8.0.5 and VMware Player 4.x before 4.0.5 on Windows allows host OS users to gain host OS privileges via a Trojan horse DLL in a "system folder."
294 CVE-2012-5458 264 +Priv 2012-11-14 2017-08-29
8.3
None Local Network Low Not required Complete Complete Complete
VMware Workstation 8.x before 8.0.5 and VMware Player 4.x before 4.0.5 on Windows use weak permissions for unspecified process threads, which allows host OS users to gain host OS privileges via a crafted application.
295 CVE-2012-5456 310 2012-10-24 2021-11-22
4.3
None Remote Medium Not required None Partial None
The Zoner AntiVirus Free application for Android does not verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate, as demonstrated by a server used for updating virus signature files.
296 CVE-2012-5455 79 XSS 2012-10-22 2017-08-29
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the language search component in Joomla! before 3.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "typographical error."
297 CVE-2012-5454 264 2012-10-22 2013-04-11
6.5
None Remote Low ??? Partial Partial Partial
user/index_inline_editor_submit.php in ATutor AContent 1.2-1 does not properly restrict access, which allows remote authenticated users to modify arbitrary user passwords via a crafted request. NOTE: this might be due to an incomplete fix for CVE-2012-5168.
298 CVE-2012-5453 89 Exec Code Sql 2012-10-22 2013-04-11
6.5
None Remote Low ??? Partial Partial Partial
SQL injection vulnerability in user/index_inline_editor_submit.php in ATutor AContent 1.2-1 allows remote authenticated users to execute arbitrary SQL commands via the field parameter. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-5167.
299 CVE-2012-5452 79 2 XSS 2012-10-22 2017-08-29
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in Subrion CMS 2.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) multi_title parameter to blocks/add/; (2) cost, (3) days, or (4) title[en] parameter to plans/add/; (5) name or (6) title[en] parameter to fields/group/add/ in admin/manage/; or (7) f[accounts][fullname] or (8) f[accounts][username] parameter to advsearch/. NOTE: This might overlap CVE-2011-5211. NOTE: it was later reported that the f[accounts][fullname] and f[accounts][username] vectors might also affect 2.2.2.
300 CVE-2012-5450 352 1 CSRF 2012-12-03 2017-08-29
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) 1.11.2 and earlier allows remote attackers to hijack the authentication of administrators for requests that delete arbitrary files via the deld parameter.
Total number of vulnerabilities : 5297   Page : 1 2 3 4 5 6 (This Page)7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.