CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register   Reset Password   Activate Account
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Published In 2012

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2012-6453 79 XSS 2012-12-31 2012-12-31
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the RSS Reader extension before 0.2.6 for MediaWiki allows remote attackers to inject arbitrary web script or HTML via a crafted feed.
2 CVE-2012-6432 264 2012-12-27 2012-12-27
6.8
None Remote Medium Not required Partial Partial Partial
Symfony 2.0.x before 2.0.20, 2.1.x before 2.1.5, and 2.2-dev, when the internal routes configuration is enabled, allows remote attackers to access arbitrary services via vectors involving a URI beginning with a /_internal substring.
3 CVE-2012-6431 264 Bypass 2012-12-27 2013-01-07
6.4
None Remote Low Not required Partial Partial None
Symfony 2.0.x before 2.0.20 does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string.
4 CVE-2012-6428 255 2012-12-23 2013-01-08
10.0
None Remote Low Not required Complete Complete Complete
Carlo Gavazzi EOS-Box with firmware before 1.0.0.1080_2.1.10 establishes multiple hardcoded accounts, which makes it easier for remote attackers to obtain administrative access by reading a password in a PHP script, a similar issue to CVE-2012-5862.
5 CVE-2012-6427 89 Exec Code Sql 2012-12-23 2012-12-24
7.5
None Remote Low Not required Partial Partial Partial
Multiple SQL injection vulnerabilities in Carlo Gavazzi EOS-Box with firmware before 1.0.0.1080_2.1.10 allow remote attackers to execute arbitrary SQL commands via unspecified vectors, a similar issue to CVE-2012-5861.
6 CVE-2012-6422 264 +Priv 2012-12-17 2012-12-21
9.3
None Remote Medium Not required Complete Complete Complete
The kernel in Samsung Galaxy S2, Galaxy Note 2, MEIZU MX, and possibly other Android devices, when running an Exynos 4210 or 4412 processor, uses weak permissions (0666) for /dev/exynos-mem, which allows attackers to read or write arbitrary physical memory and gain privileges via a crafted application, as demonstrated by ExynosAbuse.
7 CVE-2012-6371 310 2012-12-31 2013-01-02
3.3
None Local Network Low Not required Partial None None
The WPA2 implementation on the Belkin N900 F9K1104v1 router establishes a WPS PIN based on 6 digits of the LAN/WLAN MAC address, which makes it easier for remote attackers to obtain access to a Wi-Fi network by reading broadcast packets, a different vulnerability than CVE-2012-4366.
8 CVE-2012-6369 79 1 XSS 2012-12-28 2013-01-08
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Troubleshooting Reporting System feature in AgileBits 1Password 3.9.9 might allow remote attackers to inject arbitrary web script or HTML via a crafted User-Agent HTTP header that is not properly handled in a View Troubleshooting Report action.
9 CVE-2012-6339 79 XSS 2012-12-31 2012-12-31
4.3
None Remote Medium Not required None Partial None
Multiple cross-site scripting (XSS) vulnerabilities in the administrative web interface in Cerberus FTP Server before 5.0.6.0 allow (1) remote attackers to inject arbitrary web script or HTML via a log entry that is not properly handled within the Log Manager component, and might allow (2) remote authenticated administrators to inject arbitrary web script or HTML via a Messages field to the servermanager program.
10 CVE-2012-6337 200 +Info 2012-12-31 2012-12-31
3.3
None Local Network Low Not required Partial None None
The Track My Mobile feature in the SamsungDive subsystem for Android on Samsung Galaxy devices shows the activation of remote tracking, which might allow physically proximate attackers to defeat a product-recovery effort by tampering with this feature or its location data.
11 CVE-2012-6336 2012-12-31 2013-01-08
3.3
None Local Network Low Not required None Partial None
The Missing Device feature in Lookout allows physically proximate attackers to provide arbitrary location data via a "commonly available simple GPS location spoofer."
12 CVE-2012-6335 2012-12-31 2012-12-31
3.3
None Local Network Low Not required None Partial None
The Anti-theft service in AVG AntiVirus for Android allows physically proximate attackers to provide arbitrary location data via a "commonly available simple GPS location spoofer."
13 CVE-2012-6334 2012-12-31 2012-12-31
2.9
None Local Network Medium Not required None Partial None
The Track My Mobile feature in the SamsungDive subsystem for Android on Samsung Galaxy devices does not properly implement Location APIs, which allows physically proximate attackers to provide arbitrary location data via a "commonly available simple GPS location spoofer."
14 CVE-2012-6333 399 DoS 2012-12-13 2013-10-10
4.7
None Local Medium Not required None None Complete
Multiple HVM control operations in Xen 3.4 through 4.2 allow local HVM guest OS administrators to cause a denial of service (physical CPU consumption) via a large input.
15 CVE-2012-6325 200 +Info 2012-12-21 2013-01-08
4.0
None Remote Low Single system Partial None None
VMware vCenter Server Appliance (vCSA) 5.0 before Update 2 does not properly parse XML documents, which allows remote authenticated users to read arbitrary files via unspecified vectors.
16 CVE-2012-6324 22 Dir. Trav. 2012-12-21 2012-12-24
4.0
None Remote Low Single system Partial None None
Directory traversal vulnerability in VMware vCenter Server Appliance (vCSA) 5.0 before Update 2 and 5.1 before Patch 1 allows remote authenticated users to read arbitrary files via unspecified vectors.
17 CVE-2012-6314 2012-12-26 2012-12-27
5.0
None Remote Low Not required None Partial None
Citrix XenDesktop Virtual Desktop Agent (VDA) 5.6.x before 5.6.200, when making changes to the server-side policy that control USB redirection, does not propagate changes to the VDA, which allows authenticated users to retain access to the USB device.
18 CVE-2012-6313 200 +Info 2012-12-11 2012-12-11
5.0
None Remote Low Not required Partial None None
simple-gmail-login.php in the Simple Gmail Login plugin before 1.1.4 for WordPress allows remote attackers to obtain sensitive information via a request that lacks a timezone, leading to disclosure of the installation path in a stack trace.
19 CVE-2012-6312 79 XSS 2012-12-11 2012-12-28
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in the Video Lead Form plugin for WordPress allows remote attackers to inject arbitrary web script or HTML via the errMsg parameter in a video-lead-form action to wp-admin/admin.php.
20 CVE-2012-6301 20 1 DoS 2012-12-10 2012-12-11
5.0
None Remote Low Not required None None Partial
The Browser application in Android 4.0.3 allows remote attackers to cause a denial of service (application crash) via a crafted market: URI in the SRC attribute of an IFRAME element.
21 CVE-2012-6299 Bypass 2012-12-26 2012-12-27
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in CA IdentityMinder r12.0 through CR16, r12.5 before SP15, and r12.6 GA allows remote attackers to bypass intended access restrictions via unknown vectors.
22 CVE-2012-6298 Exec Code 2012-12-26 2012-12-27
10.0
None Remote Low Not required Complete Complete Complete
Unspecified vulnerability in CA IdentityMinder r12.0 through CR16, r12.5 before SP15, and r12.6 GA allows remote attackers to execute arbitrary commands or modify data via unknown vectors.
23 CVE-2012-6271 2012-12-20 2013-01-29
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Shockwave Player through 11.6.8.638 allows remote attackers to trigger installation of arbitrary signed Xtras via a Shockwave movie that contains an Xtra URL, as demonstrated by a URL for an outdated Xtra.
24 CVE-2012-6270 2012-12-20 2013-01-29
9.3
None Remote Medium Not required Complete Complete Complete
Adobe Shockwave Player through 11.6.8.638 allows remote attackers to trigger installation of a Shockwave Player 10.4.0.025 compatibility feature via a crafted HTML document that references Shockwave content with a certain compatibility parameter, related to a "downgrading" attack.
25 CVE-2012-6067 287 Bypass 2012-12-04 2012-12-05
10.0
None Remote Low Not required Complete Complete Complete
freeFTPd.exe in freeFTPd through 1.0.11 allows remote attackers to bypass authentication via a crafted SFTP session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.
26 CVE-2012-6066 287 Bypass 2012-12-04 2012-12-05
9.3
None Remote Medium Not required Complete Complete Complete
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.
27 CVE-2012-6065 Exec Code 2012-12-03 2012-12-04
4.6
None Remote High Single system Partial Partial Partial
The OM Maximenu module 6.x-1.43 and earlier for Drupal, when the "Title has PHP" option is enabled, allows remote authenticated users with the "Administer OM Maximenu" permission to execute arbitrary PHP code via a "Link Title," a different vulnerability than CVE-2012-5553.
28 CVE-2012-6064 22 1 Dir. Trav. CSRF 2012-12-03 2012-12-04
3.5
None Remote Medium Single system None Partial None
Directory traversal vulnerability in lib/filemanager/imagemanager/images.php in CMS Made Simple (CMSMS) before 1.11.2.1 allows remote authenticated administrators to delete arbitrary files via a .. (dot dot) in the deld parameter. NOTE: this can be leveraged using CSRF (CVE-2012-5450) to allow remote attackers to delete arbitrary files.
29 CVE-2012-6063 399 DoS Exec Code 2012-11-30 2012-12-19
7.5
None Remote Low Not required Partial Partial Partial
Double free vulnerability in the sftp_mkdir function in sftp.c in libssh before 0.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors, a different vector than CVE-2012-4559.
30 CVE-2012-6062 20 DoS 2012-12-05 2013-11-02
5.0
None Remote Low Not required None None Partial
The dissect_rtcp_app function in epan/dissectors/packet-rtcp.c in the RTCP dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted packet.
31 CVE-2012-6061 189 DoS Overflow 2012-12-05 2013-11-02
5.0
None Remote Low Not required None None Partial
The dissect_wtp_common function in epan/dissectors/packet-wtp.c in the WTP dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 uses an incorrect data type for a certain length field, which allows remote attackers to cause a denial of service (integer overflow and infinite loop) via a crafted value in a packet.
32 CVE-2012-6060 189 DoS Overflow 2012-12-05 2013-11-02
5.0
None Remote Low Not required None None Partial
Integer overflow in the dissect_iscsi_pdu function in epan/dissectors/packet-iscsi.c in the iSCSI dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a malformed packet.
33 CVE-2012-6059 20 DoS 2012-12-05 2013-11-02
5.0
None Remote Low Not required None None Partial
The dissect_isakmp function in epan/dissectors/packet-isakmp.c in the ISAKMP dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 uses an incorrect data structure to determine IKEv2 decryption parameters, which allows remote attackers to cause a denial of service (application crash) via a malformed packet.
34 CVE-2012-6058 189 DoS Overflow 2012-12-05 2013-11-02
5.0
None Remote Low Not required None None Partial
Integer overflow in the dissect_icmpv6 function in epan/dissectors/packet-icmpv6.c in the ICMPv6 dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted Number of Sources value.
35 CVE-2012-6057 189 DoS Overflow 2012-12-05 2013-11-02
5.0
None Remote Low Not required None None Partial
The dissect_eigrp_metric_comm function in epan/dissectors/packet-eigrp.c in the EIGRP dissector in Wireshark 1.8.x before 1.8.4 uses the wrong data type for a certain offset value, which allows remote attackers to cause a denial of service (integer overflow and infinite loop) via a malformed packet.
36 CVE-2012-6056 189 DoS Overflow 2012-12-05 2013-11-02
5.0
None Remote Low Not required None None Partial
Integer overflow in the dissect_sack_chunk function in epan/dissectors/packet-sctp.c in the SCTP dissector in Wireshark 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted Duplicate TSN count.
37 CVE-2012-6055 189 DoS 2012-12-05 2013-11-02
5.0
None Remote Low Not required None None Partial
epan/dissectors/packet-3g-a11.c in the 3GPP2 A11 dissector in Wireshark 1.8.x before 1.8.4 allows remote attackers to cause a denial of service (infinite loop) via a zero value in a sub-type length field.
38 CVE-2012-6054 189 DoS 2012-12-05 2013-11-02
5.0
None Remote Low Not required None None Partial
The dissect_sflow_245_address_type function in epan/dissectors/packet-sflow.c in the sFlow dissector in Wireshark 1.8.x before 1.8.4 does not properly handle length calculations for an invalid IP address type, which allows remote attackers to cause a denial of service (infinite loop) via a packet that is neither IPv4 nor IPv6.
39 CVE-2012-6053 189 DoS 2012-12-05 2013-11-02
5.0
None Remote Low Not required None None Partial
epan/dissectors/packet-usb.c in the USB dissector in Wireshark 1.6.x before 1.6.12 and 1.8.x before 1.8.4 relies on a length field to calculate an offset value, which allows remote attackers to cause a denial of service (infinite loop) via a zero value for this field.
40 CVE-2012-6052 200 +Info 2012-12-05 2013-11-02
5.0
None Remote Low Not required Partial None None
Wireshark 1.8.x before 1.8.4 allows remote attackers to obtain sensitive hostname information by reading pcap-ng files.
41 CVE-2012-6051 310 DoS 2012-11-28 2012-11-29
5.0
None Remote Low Not required None None Partial
Google CityHash computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack.
42 CVE-2012-6050 16 1 DoS 2012-11-26 2012-11-28
6.4
None Remote Low Not required Partial None Partial
The winbox service in MikroTik RouterOS 5.15 and earlier allows remote attackers to cause a denial of service (CPU consumption), read the router version, and possibly have other impacts via a request to download the router's DLLs or plugins, as demonstrated by roteros.dll.
43 CVE-2012-6049 200 1 +Info 2012-11-26 2012-11-27
5.0
None Remote Low Not required Partial None None
Open Solution Quick.Cart 5.0 allows remote attackers to obtain sensitive information via (1) a long string or (2) invalid characters in a cookie, which reveals the installation path in an error message.
44 CVE-2012-6048 119 1 DoS Overflow 2012-11-26 2012-11-27
5.0
None Remote Low Not required None None Partial
Guitar Pro 6.1.1 r10791 allows remote attackers to cause a denial of service (crash) via a long string in a gpx file.
45 CVE-2012-6047 352 1 CSRF 2012-11-26 2012-11-27
6.8
None Remote Medium Not required Partial Partial Partial
Cross-site request forgery (CSRF) vulnerability in X7 Chat 2.0.5.1 and earlier allows remote attackers to hijack the authentication of administrators for requests that add a user to an arbitrary group via the users page in an adminpanel action to index.php.
46 CVE-2012-6046 94 1 2012-11-26 2012-11-27
10.0
None Remote Low Not required Complete Complete Complete
Static code injection vulnerability in admin/banners.php in PHP Enter allows remote attackers to inject arbitrary PHP code into horad.php via the code parameter.
47 CVE-2012-6045 79 1 XSS 2012-11-26 2012-11-27
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in gb/user/index.php in Ramui Forum, possibly 1.0 Beta, allows remote attackers to inject arbitrary web script or HTML via the query parameter.
48 CVE-2012-6044 20 1 DoS 2012-11-26 2012-11-27
4.3
None Remote Medium Not required None None Partial
M-Player 0.4 allows remote attackers to cause a denial of service (crash) via a crafted MP3 file.
49 CVE-2012-6043 79 1 XSS 2012-11-26 2012-11-27
4.3
None Remote Medium Not required None Partial None
Cross-site scripting (XSS) vulnerability in downloads.php in PHP-Fusion 7.02.04 allows remote attackers to inject arbitrary web script or HTML via the cat_id parameter.
50 CVE-2012-6042 119 1 DoS Overflow 2012-11-26 2012-11-27
4.3
None Remote Medium Not required None None Partial
GPSMapEdit 1.1.73.2 allows user-assisted remote attackers to cause a denial of service (crash) via a long string in a lst file.
Total number of vulnerabilities : 5297   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.