Vulnerability Summary for the Week of April 30, 2012
Released
May 08, 2012
Document ID
SB12-128
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
Vulnerability Severity:
High Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| apache -- qpid | Apache Qpid 0.12 does not properly verify credentials during the joining of a cluster, which allows remote attackers to obtain access to the messaging functionality and job functionality of a cluster by leveraging knowledge of a cluster-username. | 2012-05-03 | 7.5 | CVE-2011-3620 |
| cisco -- ios | Memory leak in Cisco IOS 15.1 and 15.2 allows remote attackers to cause a denial of service (memory consumption) via malformed SIP packets on a NAT interface, aka Bug ID CSCts12366. | 2012-05-02 | 7.8 | CVE-2011-2578 |
| cisco -- ios_xr | The NETIO and IPV4_IO processes in Cisco IOS XR 3.8 through 4.1, as used in Cisco Carrier Routing System and other products, allow remote attackers to cause a denial of service (CPU consumption) via crafted network traffic, aka Bug ID CSCti59888. | 2012-05-02 | 7.8 | CVE-2011-3295 |
| cisco -- adaptive_security_appliance_software | The ESMTP inspection feature on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.2 through 8.5 allows remote attackers to cause a denial of service (CPU consumption) via an unspecified closing sequence, aka Bug ID CSCtt32565. | 2012-05-02 | 7.8 | CVE-2011-4006 |
| cisco -- ios | Cisco IOS 12.0, 15.0, and 15.1, when a Policy Feature Card 3C (PFC3C) is used, does not create a fragment entry during processing of an ICMPv6 ACL, which has unspecified impact and remote attack vectors, aka Bug ID CSCtj90091. | 2012-05-02 | 9.3 | CVE-2011-4012 |
| cisco -- nexus_2148t_fex_switch | Memory leak in libcmd in Cisco NX-OS 5.0 on Nexus switches allows remote authenticated users to cause a denial of service (memory consumption) via SNMP requests, aka Bug ID CSCtr65682. | 2012-05-03 | 7.8 | CVE-2011-4023 |
| cisco -- adaptive_security_appliance_software | Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.0 through 8.4 allow remote attackers to cause a denial of service (connection limit exceeded) by triggering a large number of stale connections that result in an incorrect value for an MPF connection count, aka Bug ID CSCtv19854. | 2012-05-03 | 7.8 | CVE-2012-0378 |
| cisco -- ios | Race condition in the Zone-Based Firewall in Cisco IOS 15.1 and 15.2, when IPS policies are configured, allows remote attackers to cause a denial of service (device crash) by sending IPv6 packets, aka Bug ID CSCtk53534. | 2012-05-03 | 7.1 | CVE-2012-1324 |
| google -- chrome | Use-after-free vulnerability in Google Chrome before 18.0.1025.168 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the floating of elements, a different vulnerability than CVE-2011-3081. | 2012-05-01 | 10.0 | CVE-2011-3078 |
| google -- chrome | The Inter-process Communication (IPC) implementation in Google Chrome before 18.0.1025.168 does not properly validate messages, which has unspecified impact and attack vectors. | 2012-05-01 | 10.0 | CVE-2011-3079 |
| google -- chrome | Race condition in the Inter-process Communication (IPC) implementation in Google Chrome before 18.0.1025.168 allows attackers to bypass intended sandbox restrictions via unspecified vectors. | 2012-05-01 | 7.5 | CVE-2011-3080 |
| google -- chrome | Use-after-free vulnerability in Google Chrome before 18.0.1025.168 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the floating of elements, a different vulnerability than CVE-2011-3078. | 2012-05-01 | 10.0 | CVE-2011-3081 |
| google -- chrome | Use-after-free vulnerability in the XML parser in Google Chrome before 18.0.1025.168 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. | 2012-05-01 | 10.0 | CVE-2012-1521 |
| hp -- system_health_application_and_command_line_utilities | Multiple unspecified vulnerabilities in HP System Health Application and Command Line Utilities before 9.0.0 allow remote attackers to execute arbitrary code via unknown vectors. | 2012-05-02 | 7.5 | CVE-2012-2000 |
| hp -- snmp_agents_for_linux | Open redirect vulnerability in HP SNMP Agents for Linux before 9.0.0 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 2012-05-02 | 8.3 | CVE-2012-2002 |
| hp -- insight_management_agents | Open redirect vulnerability in HP Insight Management Agents before 9.0.0.0 on Windows Server 2003 and 2008 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 2012-05-02 | 8.3 | CVE-2012-2004 |
| ibm -- rational_appscan | The Enterprise Console client in IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2012-05-03 | 9.3 | CVE-2012-0732 |
| ibm -- rational_appscan | IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not properly import jobs, which allows man-in-the-middle attackers to obtain sensitive information or possibly have unspecified other impact via a crafted job. | 2012-05-03 | 7.6 | CVE-2012-0734 |
| ibm -- rational_appscan | IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not properly scan file: URLs, which allows man-in-the-middle attackers to obtain sensitive information or possibly have unspecified other impact via a crafted URI. | 2012-05-03 | 7.6 | CVE-2012-0735 |
| ibm -- rational_appscan | IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not properly create scan jobs, which allows remote attackers to execute arbitrary code via a crafted web site. | 2012-05-03 | 9.3 | CVE-2012-0736 |
| justsystems -- ichitaro | Buffer overflow in JustSystems Ichitaro 2011 Sou, Ichitaro 2006 through 2011, Ichitaro Government 2006 through 2010, Ichitaro Portable with oreplug, Ichitaro Viewer, JUST School, JUST School 2009 and 2010, JUST Jump 4, JUST Frontier, oreplug, Shuriken Pro4, Shuriken 2007 through 2010, Shuriken Pro4 Corporate Edition, Shuriken CE/2007 through CE/2009 Corporate Edition, Shuriken 2010 Corporate Edition, Rekishimail Sengokubusho no missho, and Bakumatsushishi no missho allows remote attackers to execute arbitrary code via a crafted image file. | 2012-04-27 | 9.3 | CVE-2012-0269 |
| netgear -- prosafe_fvs318n | The default configuration of the NETGEAR ProSafe FVS318N firewall enables web-based administration on the WAN interface, which allows remote attackers to establish an HTTP connection and possibly have unspecified other impact via unknown vectors. | 2012-04-27 | 7.5 | CVE-2012-2439 |
| oracle -- sun_products_suite | Unspecified vulnerability in the Oracle Grid Engine component in Oracle Sun Products Suite 6.1 and 6.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to qrsh. | 2012-05-03 | 9.0 | CVE-2012-0208 |
| oracle -- database_server | Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.2.0.2, when running on Windows, allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. | 2012-05-03 | 7.1 | CVE-2012-0519 |
| oracle -- sun_products_suite | Unspecified vulnerability in the Oracle Grid Engine component in Oracle Sun Products Suite 6.1 and 6.2 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to sgepasswd. | 2012-05-03 | 7.2 | CVE-2012-0523 |
| oracle -- supply_chain_products_suite | Unspecified vulnerability in the Oracle AutoVue Office component in Oracle Supply Chain Products Suite 20.0.2 allows remote attackers to affect confidentiality, integrity, and availability, related to Desktop API. | 2012-05-03 | 7.5 | CVE-2012-0549 |
| oracle -- database_server | Unspecified vulnerability in the Oracle Spatial component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. | 2012-05-03 | 9.0 | CVE-2012-0552 |
| oracle -- fusion_middleware | Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows remote attackers to affect confidentiality, integrity, and availability, related to Outside In Image Export SDK. | 2012-05-03 | 7.5 | CVE-2012-0554 |
| oracle -- fusion_middleware | Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows remote attackers to affect confidentiality, integrity, and availability, related to Outside In Image Export SDK. | 2012-05-03 | 7.5 | CVE-2012-0555 |
| oracle -- fusion_middleware | Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows remote attackers to affect confidentiality, integrity, and availability, related to Outside In Image Export SDK. | 2012-05-03 | 7.5 | CVE-2012-0556 |
| oracle -- fusion_middleware | Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5 and 8.3.7 allows remote attackers to affect confidentiality, integrity, and availability, related to Outside In Image Export SDK. | 2012-05-03 | 7.5 | CVE-2012-0557 |
| oracle -- fusion_middleware | Unspecified vulnerability in the Oracle JRockit component in Oracle Fusion Middleware 28.2.2 and earlier, and JDK/JRE 5 and 6 27.7.1 and earlier, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 2012-05-03 | 10.0 | CVE-2012-1695 |
| oracle -- fusion_middleware | Unspecified vulnerability in the Oracle WebCenter Forms Recognition component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Designer. | 2012-05-03 | 7.5 | CVE-2012-1709 |
| oracle -- fusion_middleware | Unspecified vulnerability in the Oracle WebCenter Forms Recognition component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Designer. | 2012-05-03 | 7.5 | CVE-2012-1710 |
| ruggedcom -- ros | RuggedCom Rugged Operating System (ROS) 3.10.x and earlier has a factory account with a password derived from the MAC Address field in the banner, which makes it easier for remote attackers to obtain access by performing a calculation on this address value, and then establishing a (1) TELNET, (2) remote shell (aka rsh), or (3) serial-console session. | 2012-04-27 | 8.5 | CVE-2012-1803 |
| ruggedcom -- ros | RuggedCom Rugged Operating System (ROS) before 3.3 has a factory account with a password derived from the MAC Address field in a banner, which makes it easier for remote attackers to obtain access by performing a calculation on this address value, and then establishing a (1) SSH or (2) HTTPS session, a different vulnerability than CVE-2012-1803. | 2012-04-27 | 8.5 | CVE-2012-2441 |
| tp-link -- 8840t | The default configuration of the TP-Link 8840T router enables web-based administration on the WAN interface, which allows remote attackers to establish an HTTP connection and possibly have unspecified other impact via unknown vectors. | 2012-04-27 | 7.5 | CVE-2012-2440 |
| wellintech -- kingview | Untrusted search path vulnerability in WellinTech KingView 6.53 allows local users to gain privileges via a Trojan horse DLL in the current working directory. | 2012-05-02 | 9.3 | CVE-2012-1819 |
Medium Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| N/A -- N/A | Heap-based buffer overflow in chan_skinny.c in the Skinny channel driver in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 allows remote authenticated users to cause a denial of service or possibly have unspecified other impact via a series of KEYPAD_BUTTON_MESSAGE events. | 2012-04-30 | 6.5 | CVE-2012-2415 |
| asterisk -- open_source | main/manager.c in the Manager Interface in Asterisk Open Source 1.6.2.x before 1.6.2.24, 1.8.x before 1.8.11.1, and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4 does not properly enforce System class authorization requirements, which allows remote authenticated users to execute arbitrary commands via (1) the originate action in the MixMonitor application, (2) the SHELL and EVAL functions in the GetVar manager action, or (3) the SHELL and EVAL functions in the Status manager action. | 2012-04-30 | 6.5 | CVE-2012-2414 |
| asterisk -- open_source | chan_sip.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.11.1 and 10.x before 10.3.1 and Asterisk Business Edition C.3.x before C.3.7.4, when the trustrpid option is enabled, allows remote authenticated users to cause a denial of service (daemon crash) by sending a SIP UPDATE message that triggers a connected-line update attempt without an associated channel. | 2012-04-30 | 6.5 | CVE-2012-2416 |
| cisco -- unified_contact_center_express | Cisco Unified Contact Center Express (aka CCX) 8.0 and 8.5 allows remote attackers to cause a denial of service via network traffic, as demonstrated by an SEC-BE-STABLE test case, aka Bug ID CSCth33834. | 2012-05-02 | 5.0 | CVE-2011-2583 |
| cisco -- ios | The HTTP client in Cisco IOS 12.4 and 15.0 allows user-assisted remote attackers to cause a denial of service (device crash) via a malformed HTTP response to a request for service installation, aka Bug ID CSCts12249. | 2012-05-02 | 5.4 | CVE-2011-2586 |
| cisco -- carrier_routing_system | Cisco Carrier Routing System 3.9.1 allows remote attackers to cause a denial of service (Metro subsystem crash) via a fragmented GRE packet, aka Bug ID CSCts14887. | 2012-05-02 | 5.0 | CVE-2011-3283 |
| cisco -- adaptive_security_appliance_software | CRLF injection vulnerability in /+CSCOE+/logon.html on Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.0 through 8.4 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors, aka Bug ID CSCth63101. | 2012-05-02 | 5.0 | CVE-2011-3285 |
| cisco -- secure_access_control_server | Multiple cross-site request forgery (CSRF) vulnerabilities in the Solution Engine in Cisco Secure Access Control Server (ACS) 5.2 allow remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences, aka Bug ID CSCtr78143. | 2012-05-02 | 6.8 | CVE-2011-3293 |
| cisco -- adaptive_security_appliance_software | Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 8.2 through 8.4 process IKE requests despite a vpnclient mode configuration, which allows remote attackers to obtain potentially sensitive information by reading IKE responder traffic, aka Bug ID CSCtt07749. | 2012-05-02 | 4.3 | CVE-2011-3309 |
| cisco -- secure_access_control_server | Multiple cross-site scripting (XSS) vulnerabilities in the Solution Engine in Cisco Secure Access Control Server (ACS) 5.2 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCtr78192. | 2012-05-02 | 4.3 | CVE-2011-3317 |
| cisco -- ios | Cisco IOS 15.0 and 15.1 and IOS XE 3.x do not properly handle the "set mpls experimental imposition" command, which allows remote attackers to cause a denial of service (device crash) via network traffic that triggers (1) fragmentation or (2) reassembly, aka Bug ID CSCtr56576. | 2012-05-02 | 5.4 | CVE-2011-4007 |
| cisco -- wireless_control_system_software | The TAC Case Attachment tool in Cisco Wireless Control System (WCS) 7.0 allows remote authenticated users to read arbitrary files under webnms/Temp/ via unspecified vectors, aka Bug ID CSCtq86807. | 2012-05-02 | 4.0 | CVE-2011-4014 |
| cisco -- ios | Cisco IOS 15.2S allows remote attackers to cause a denial of service (interface queue wedge) via malformed UDP traffic on port 465, aka Bug ID CSCts48300. | 2012-05-02 | 5.0 | CVE-2011-4015 |
| cisco -- ios | The PPP implementation in Cisco IOS 12.2 and 15.0 through 15.2, when Point-to-Point Termination and Aggregation (PTA) and L2TP are used, allows remote attackers to cause a denial of service (device crash) via crafted network traffic, aka Bug ID CSCtf71673. | 2012-05-02 | 5.4 | CVE-2011-4016 |
| cisco -- unified_communications_manager | Memory leak in Cisco IOS 12.4 and 15.0 through 15.2, and Cisco Unified Communications Manager (CUCM) 7.x, allows remote attackers to cause a denial of service (memory consumption) via a crafted response to a SIP SUBSCRIBE message, aka Bug IDs CSCto93837 and CSCtj61883. | 2012-05-03 | 5.4 | CVE-2011-4019 |
| cisco -- intrusion_prevention_system | The sensor in Cisco Intrusion Prevention System (IPS) 7.0 and 7.1 allows remote attackers to cause a denial of service (file-handle exhaustion and mainApp hang) by making authentication attempts that exceed the configured limit, aka Bug ID CSCto51204. | 2012-05-03 | 5.0 | CVE-2011-4022 |
| cisco -- ios | Cisco IOS 15.1 and 15.2 and IOS XE 3.x, when configured as an IPsec hub with X.509 certificates in use, allows remote authenticated users to cause a denial of service (segmentation fault and device crash) via unspecified vectors, aka Bug ID CSCtq61128. | 2012-05-03 | 6.3 | CVE-2011-4231 |
| cisco -- unified_meetingplace | The web server in Cisco Unified MeetingPlace 6.1 and 8.5 produces different responses for directory queries depending on whether the directory exists, which allows remote attackers to enumerate directory names via a series of queries, aka Bug ID CSCtt94070. | 2012-05-03 | 5.0 | CVE-2011-4232 |
| cisco -- ciscoworks_common_services | CRLF injection vulnerability in autologin.jsp in Cisco CiscoWorks Common Services 4.0, as used in Cisco Prime LAN Management Solution and other products, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the URL parameter, aka Bug ID CSCtu18693. | 2012-05-03 | 4.3 | CVE-2011-4237 |
| cisco -- small_business_ip_phone_firmware | Cisco Small Business IP phones with SPA 500 series firmware 7.4.9 and earlier do not require authentication for Push XML requests, which allows remote attackers to make telephone calls via an XML document, aka Bug ID CSCts08768. | 2012-05-02 | 5.0 | CVE-2012-0333 |
| cisco -- adaptive_security_appliance_software | Cisco Adaptive Security Appliances (ASA) 5500 series devices with software 7.2 through 8.4 do not properly perform proxy authentication during attempts to cut through a firewall, which allows remote attackers to obtain sensitive information via a connection attempt, aka Bug ID CSCtx42746. | 2012-05-02 | 5.0 | CVE-2012-0335 |
| cisco -- unified_meetingplace | SQL injection vulnerability in the web component in Cisco Unified MeetingPlace 7.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCtx08939. | 2012-05-02 | 6.5 | CVE-2012-0337 |
| cisco -- ios | Cisco IOS 12.2 through 12.4 and 15.0 does not recognize the vrf-also keyword during enforcement of access-class commands, which allows remote attackers to establish SSH connections from arbitrary source IP addresses via a standard SSH client, aka Bug ID CSCsv86113. | 2012-05-02 | 5.0 | CVE-2012-0338 |
| cisco -- ios | Cisco IOS 12.2 through 12.4 and 15.0 does not recognize the vrf-also keyword during enforcement of access-class commands, which allows remote attackers to establish TELNET connections from arbitrary source IP addresses via a standard TELNET client, aka Bug ID CSCsi77774. | 2012-05-02 | 5.0 | CVE-2012-0339 |
| cisco -- ip_communicator | The sccp-protocol component in Cisco IP Communicator (CIPC) 7.0 through 8.6 does not limit the rate of SCCP messages to Cisco Unified Communications Manager (CUCM), which allows remote attackers to cause a denial of service via vectors that trigger (1) on hook and (2) off hook messages, as demonstrated by a Plantronics headset, aka Bug ID CSCti40315. | 2012-05-02 | 5.0 | CVE-2012-0361 |
| cisco -- ios | The extended ACL functionality in Cisco IOS 12.2(58)SE2 and 15.0(1)SE discards all lines that end with a log or time keyword, which allows remote attackers to bypass intended access restrictions in opportunistic circumstances by sending network traffic, aka Bug ID CSCts01106. | 2012-05-02 | 4.3 | CVE-2012-0362 |
| cisco -- unified_communications_manager | The voice-sipstack component in Cisco Unified Communications Manager (CUCM) 8.5 allows remote attackers to cause a denial of service (core dump) via vectors involving SIP messages that arrive after an upgrade, aka Bug ID CSCtj87367. | 2012-05-03 | 5.0 | CVE-2012-0376 |
| cisco -- ios | dot11t/t_if_dot11_hal_ath.c in Cisco IOS 12.3, 12.4, 15.0, and 15.1 allows remote attackers to cause a denial of service (assertion failure and reboot) via 802.11 wireless traffic, as demonstrated by a video call from Apple iOS 5.0 on an iPhone 4S, aka Bug ID CSCtt94391. | 2012-05-03 | 6.1 | CVE-2012-1327 |
| cisco -- unified_ip_phone | Cisco Unified IP Phones 9900 series devices with firmware 9.1 and 9.2 do not properly handle downloads of configuration information to an RT phone, which allows local users to gain privileges via unspecified injected data, aka Bug ID CSCts32237. | 2012-05-03 | 4.6 | CVE-2012-1328 |
| hp -- snmp_agents_for_linux | Cross-site scripting (XSS) vulnerability in HP SNMP Agents for Linux before 9.0.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2012-05-02 | 4.3 | CVE-2012-2001 |
| hp -- insight_management_agents | Cross-site request forgery (CSRF) vulnerability in HP Insight Management Agents before 9.0.0.0 on Windows Server 2003 and 2008 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 2012-05-02 | 6.8 | CVE-2012-2003 |
| hp -- insight_management_agents | Cross-site scripting (XSS) vulnerability in HP Insight Management Agents before 9.0.0.0 on Windows Server 2003 and 2008 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2012-05-02 | 4.3 | CVE-2012-2005 |
| hp -- insight_management_agents | Unspecified vulnerability in HP Insight Management Agents before 9.0.0.0 on Windows Server 2003 and 2008 allows remote attackers to modify data or cause a denial of service via unknown vectors. | 2012-05-02 | 4.9 | CVE-2012-2006 |
| htc -- evo_3d_software | The HTC IQRD service for Android on the HTC EVO 4G before 4.67.651.3, EVO Design 4G before 2.12.651.5, Shift 4G before 2.77.651.3, EVO 3D before 2.17.651.5, EVO View 4G before 2.23.651.1, Vivid before 3.26.502.56, and Hero does not restrict localhost access to TCP port 2479, which allows remote attackers to (1) send SMS messages, (2) obtain the Network Access Identifier (NAI) and its password, or trigger (3) popup messages or (4) tones via a crafted application that leverages the android.permission.INTERNET permission. | 2012-05-01 | 6.4 | CVE-2012-2217 |
| ibm -- rational_appscan | Unrestricted file upload vulnerability in IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 allows remote authenticated users to execute arbitrary ASP.NET code by uploading a .aspx file, and then accessing it via unspecified vectors. | 2012-05-03 | 6.0 | CVE-2012-0729 |
| ibm -- rational_appscan | Multiple cross-site request forgery (CSRF) vulnerabilities in IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 allow remote attackers to hijack the authentication of administrators for requests that create administrative accounts. | 2012-05-03 | 6.0 | CVE-2012-0730 |
| ibm -- rational_appscan | IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 does not prevent service-account impersonation, which allows remote authenticated users to read arbitrary files via unspecified vectors. | 2012-05-03 | 6.8 | CVE-2012-0731 |
| ibm -- rational_appscan | IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1, when Integrated Windows authentication is used, allows remote authenticated users to obtain administrative privileges by hijacking a session associated with the service account. | 2012-05-03 | 6.0 | CVE-2012-0733 |
| ibm -- websphere_application_server | The Web Server Plug-in in IBM WebSphere Application Server (WAS) 8.0 and earlier uses unencrypted HTTP communication after expiration of the plugin-key.kdb password, which allows remote attackers to obtain sensitive information by sniffing the network, or spoof arbitrary servers via a man-in-the-middle attack. | 2012-05-01 | 6.8 | CVE-2012-2162 |
| justsystems -- ichitaro | Untrusted search path vulnerability in JustSystems Ichitaro 2011 Sou, Ichitaro 2006 through 2011, Ichitaro Government 2006 through 2010, Ichitaro Portable with oreplug, Ichitaro Viewer, JUST School, JUST School 2009 and 2010, JUST Jump 4, JUST Frontier, and oreplug allows local users to gain privileges via a Trojan horse DLL in the current working directory. | 2012-04-27 | 6.9 | CVE-2012-1242 |
| mcafee -- web_gateway | ** DISPUTED ** McAfee Web Gateway 7.0 allows remote attackers to bypass the access configuration for the CONNECT method by providing an arbitrary allowed hostname in the Host HTTP header. NOTE: this issue might not be reproducible, because the researcher did not provide configuration details for the vulnerable system, and the observed behavior might be consistent with a configuration that was (perhaps inadvertently) designed to allow access based on Host HTTP headers. | 2012-04-28 | 5.0 | CVE-2012-2212 |
| mozilla -- bugzilla | Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled, does not properly validate the X-Forwarded-For HTTP header, which allows remote attackers to bypass the lockout policy via a series of authentication requests with (1) different IP address strings in this header or (2) a long string in this header. | 2012-04-27 | 4.3 | CVE-2012-0465 |
| mozilla -- bugzilla | template/en/default/list/list.js.tmpl in Bugzilla 2.x and 3.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1 does not properly handle multiple logins, which allows remote attackers to conduct cross-site scripting (XSS) attacks and obtain sensitive bug information via a crafted web page. | 2012-04-27 | 4.0 | CVE-2012-0466 |
| mysql -- mysql | Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.60 and earlier, and 5.5.19 and earlier, allows remote authenticated users to affect availability, related to MyISAM. | 2012-05-03 | 4.0 | CVE-2012-0583 |
| mysql -- mysql | Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability, related to Server DML. | 2012-05-03 | 4.0 | CVE-2012-1688 |
| mysql -- mysql | Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer. | 2012-05-03 | 4.0 | CVE-2012-1690 |
| mysql -- mysql | Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.19 and earlier allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer. | 2012-05-03 | 4.0 | CVE-2012-1696 |
| mysql -- mysql | Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.21 and earlier allows remote authenticated users to affect availability via unknown vectors related to Partition. | 2012-05-03 | 4.0 | CVE-2012-1697 |
| mysql -- mysql | Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.61 and earlier, and 5.5.21 and earlier, allows remote authenticated users to affect availability via unknown vectors related to Server Optimizer. | 2012-05-03 | 6.8 | CVE-2012-1703 |
| nttdocomo -- spmode_mail_android | The NTT DOCOMO sp mode mail application 5400 and earlier for Android does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. | 2012-04-27 | 6.4 | CVE-2012-1244 |
| oracle -- database_server | Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, and 11.1.0.7 allows remote attackers to affect integrity and availability via unknown vectors. | 2012-05-03 | 6.4 | CVE-2012-0510 |
| oracle -- database_server | Unspecified vulnerability in the OCI component in Oracle Database Server 10.2.0.3, 10.2.0.4, and 11.1.0.7 allows remote attackers to affect confidentiality and integrity via unknown vectors. | 2012-05-03 | 6.4 | CVE-2012-0511 |
| oracle -- database_server | Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Database Server 11.1.0.7 and 11.2.0.2 and Oracle Enterprise Manager Grid Control allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Enterprise Config Management. | 2012-05-03 | 5.5 | CVE-2012-0512 |
| oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise CRM component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect confidentiality, related to SEC. | 2012-05-03 | 4.0 | CVE-2012-0514 |
| oracle -- fusion_middleware | Unspecified vulnerability in the Identity Manager Connector component in Oracle Fusion Middleware 9.1.0.4 allows remote authenticated users to affect integrity via unknown vectors. | 2012-05-03 | 4.0 | CVE-2012-0515 |
| oracle -- sun_products_suite | Unspecified vulnerability in the Oracle iPlanet Web Server component in Oracle Sun Products Suite 7.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Administration Console. | 2012-05-03 | 6.8 | CVE-2012-0516 |
| oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to eCompensation Manager Desktop. | 2012-05-03 | 5.5 | CVE-2012-0517 |
| oracle -- database_server | Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, and 11.2.0.2, and in Oracle Enterprise Manager Grid Control 10.2.0.5 and 11.1.0.1, allows remote attackers to affect integrity via unknown vectors related to Security Framework. | 2012-05-03 | 4.3 | CVE-2012-0520 |
| oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft Products 9.1 Bundle #9 allows remote authenticated users to affect confidentiality via unknown vectors related to Human Resources. | 2012-05-03 | 4.0 | CVE-2012-0521 |
| oracle -- fusion_middleware | Unspecified vulnerability in the Oracle JDeveloper component in Oracle Fusion Middleware 10.1.3.5 allows remote attackers to affect integrity via unknown vectors related to Java Business Objects. | 2012-05-03 | 4.3 | CVE-2012-0522 |
| oracle -- database_server | Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Database Server 11.1.0.7, 11.2.0.2, and 11.2.0.3, and Oracle Enterprise Manager Grid Control 10.2.0.5 and 11.1.0.1, allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Enterprise Config Management. | 2012-05-03 | 4.9 | CVE-2012-0525 |
| oracle -- database_server | Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3, and Oracle Enterprise Manager Grid Control 10.2.0.5, allows remote attackers to affect integrity via unknown vectors related to Schema Management. | 2012-05-03 | 4.3 | CVE-2012-0526 |
| oracle -- database_server | Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3, and Oracle Enterprise Manager Grid Control 10.2.0.5, allows remote attackers to affect integrity via unknown vectors related to Schema Management. | 2012-05-03 | 4.3 | CVE-2012-0527 |
| oracle -- database_server | Unspecified vulnerability in the Enterprise Manager Base Platform component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, and 11.1.0.7, and Oracle Enterprise Manager Grid Control, allows remote attackers to affect confidentiality and integrity via unknown vectors related to Security Framework. | 2012-05-03 | 5.8 | CVE-2012-0528 |
| oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise SCM component in Oracle PeopleSoft Products 9.0 and 9.1 allows remote authenticated users to affect integrity via unknown vectors related to eProcurement. | 2012-05-03 | 4.0 | CVE-2012-0530 |
| oracle -- fusion_middleware | Unspecified vulnerability in the Identity Manager component in Oracle Fusion Middleware 11.1.1.3 and 11.1.1.5 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to User Config Management. | 2012-05-03 | 5.5 | CVE-2012-0532 |
| oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise FCSM component in Oracle PeopleSoft Products 9.0 and 9.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Receivables. | 2012-05-03 | 4.0 | CVE-2012-0533 |
| oracle -- database_server | Unspecified vulnerability in the RDBMS Core component in Oracle Database Server 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 allows remote authenticated users to affect integrity via unknown vectors related to Create Session. | 2012-05-03 | 4.0 | CVE-2012-0534 |
| oracle -- e-business_suite | Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6 and 12.1.3 allows remote attackers to affect confidentiality via unknown vectors related to Change Password Page. | 2012-05-03 | 5.0 | CVE-2012-0535 |
| oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 8.9 through Bundle #26 allows remote authenticated users to affect confidentiality via unknown vectors related to eCompensation. | 2012-05-03 | 4.0 | CVE-2012-0536 |
| oracle -- e-business_suite | Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.1.3 allows remote attackers to affect confidentiality and integrity, related to HTML pages. | 2012-05-03 | 6.4 | CVE-2012-0537 |
| oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50, 8.51, and 8.52 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Search. | 2012-05-03 | 5.5 | CVE-2012-0538 |
| oracle -- fusion_middleware | Unspecified vulnerability in the BI Publisher (formerly XML Publisher) component in Oracle Fusion Middleware 10.1.3.4.1 and 10.1.3.4.2 allows remote attackers to affect integrity via unknown vectors related to Administration. | 2012-05-03 | 4.3 | CVE-2012-0543 |
| oracle -- glassfish_server | Unspecified vulnerability in the GlassFish Enterprise Server component in Oracle Sun Products Suite GlassFish Enterprise Server 3.1.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Web Container. | 2012-05-03 | 6.8 | CVE-2012-0550 |
| oracle -- glassfish_server | Unspecified vulnerability in the GlassFish Enterprise Server component in Oracle Sun Products Suite GlassFish Enterprise Server 3.1.1 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Web Container. | 2012-05-03 | 5.8 | CVE-2012-0551 |
| oracle -- primavera_products_suite | Unspecified vulnerability in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 6.2.1, 8.0, 8.1, and 8.2 allows remote attackers to affect integrity via unknown vectors related to Web application. | 2012-05-03 | 4.3 | CVE-2012-0558 |
| oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise SCM component in Oracle PeopleSoft Products 9.0 and 9.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Billing. | 2012-05-03 | 4.0 | CVE-2012-0559 |
| oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50, 8.51, and 8.52 allows remote attackers to affect integrity via unknown vectors related to Portal. | 2012-05-03 | 4.3 | CVE-2012-0560 |
| oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise HRMS component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Candidate Gateway. | 2012-05-03 | 4.0 | CVE-2012-0562 |
| oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50 and 8.51 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to Query. | 2012-05-03 | 6.5 | CVE-2012-0564 |
| oracle -- supply_chain_products_suite | Unspecified vulnerability in the Oracle Agile component in Oracle Supply Chain Products Suite 6.0.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Install. | 2012-05-03 | 5.5 | CVE-2012-0565 |
| oracle -- supply_chain_products_suite | Unspecified vulnerability in the Oracle Agile component in Oracle Supply Chain Products Suite 6.0.0 allows remote attackers to affect integrity via unknown vectors related to Supplier Portal. | 2012-05-03 | 4.3 | CVE-2012-0566 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.2.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Core. | 2012-05-03 | 5.5 | CVE-2012-0567 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.4.0 allows remote authenticated users to affect integrity via unknown vectors related to Core. | 2012-05-03 | 4.0 | CVE-2012-0571 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.4.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Core. | 2012-05-03 | 4.9 | CVE-2012-0573 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.2.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Core. | 2012-05-03 | 6.8 | CVE-2012-0575 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 6.0.1 and 6.2.0 allows remote authenticated users to affect integrity via unknown vectors related to Core-Help. | 2012-05-03 | 4.0 | CVE-2012-0576 |
| oracle -- supply_chain_products_suite | Unspecified vulnerability in the Oracle Agile PLM for Process component in Oracle Supply Chain Products Suite 6.0.0 allows remote attackers to affect integrity via unknown vectors related to Supplier Portal. | 2012-05-03 | 5.0 | CVE-2012-0580 |
| oracle -- supply_chain_products_suite | Unspecified vulnerability in the Oracle Agile component in Oracle Supply Chain Products Suite 6.0.0 allows remote attackers to affect integrity, related to SCRM - Company Profiles. | 2012-05-03 | 4.3 | CVE-2012-0581 |
| oracle -- industry_applications | Unspecified vulnerability in the Siebel Clinical component in Oracle Industry Applications 7.7, 7.8, 8.0.0.x, 8.1.1.x, and 8.2.2.x allows remote authenticated users to affect integrity via unknown vectors related to Web UI. | 2012-05-03 | 4.0 | CVE-2012-0582 |
| oracle -- industry_applications | Unspecified vulnerability in the Siebel Clinical component in Oracle Industry Applications 7.7, 7.8, 8.0.0.x, 8.1.1.x, and 8.2.2.x allows remote authenticated users to affect integrity via unknown vectors related to Web UI. | 2012-05-03 | 4.0 | CVE-2012-1674 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 5.0.2, 5.3.0 through 5.3.4, 6.0.1, and 6.2.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Logging. | 2012-05-03 | 4.7 | CVE-2012-1706 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 5.0.2, 5.3.0 through 5.3.4, 6.0.1, and 6.2.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Core-Base. | 2012-05-03 | 4.0 | CVE-2012-1707 |
| oracle -- database_server | Unspecified vulnerability in the Application Express component in Oracle Database Server 4.0 and 4.1 allows remote attackers to affect integrity via unknown vectors. | 2012-05-03 | 4.3 | CVE-2012-1708 |
| osqa -- osqa | Cross-site scripting (XSS) vulnerability in the cleanup_urls function in forum/utils/html.py in OSQA before 1234, and 0.9.0 Beta 3 and earlier, allows remote attackers to inject arbitrary web script or HTML via vectors related to a crafted URI. | 2012-04-27 | 4.3 | CVE-2012-1245 |
| phpmyadmin -- phpmyadmin | Cross-site scripting (XSS) vulnerability in the replication-setup functionality in js/replication.js in phpMyAdmin 3.4.x before 3.4.10.1 allows user-assisted remote attackers to inject arbitrary web script or HTML via a crafted database name. | 2012-05-03 | 4.3 | CVE-2012-1190 |
| pythonpaste -- paste | Paste Script 1.7.5 and earlier does not properly set group memberships during execution with root privileges, which might allow remote attackers to bypass intended file-access restrictions by leveraging a web application that uses the local filesystem. | 2012-05-01 | 5.1 | CVE-2012-0878 |
| quest -- toad_for_data_analysts | Quest Toad for Data Analysts 3.0.1 uses weak permissions (Everyone: Full Control) for the %COMMONPROGRAMFILES%Quest Shared directory, which allows local users to gain privileges via a Trojan horse file. | 2012-05-01 | 6.9 | CVE-2012-0279 |
| samba -- samba | The (1) CreateAccount, (2) OpenAccount, (3) AddAccountRights, and (4) RemoveAccountRights LSA RPC procedures in smbd in Samba 3.4.x before 3.4.17, 3.5.x before 3.5.15, and 3.6.x before 3.6.5 do not properly restrict modifications to the privileges database, which allows remote authenticated users to obtain the "take ownership" privilege via an LSA connection. | 2012-04-30 | 6.5 | CVE-2012-2111 |
| squid-cache -- squid | ** DISPUTED ** Squid 3.1.9 allows remote attackers to bypass the access configuration for the CONNECT method by providing an arbitrary allowed hostname in the Host HTTP header. NOTE: this issue might not be reproducible, because the researcher is unable to provide a squid.conf file for a vulnerable system, and the observed behavior is consistent with a squid.conf file that was (perhaps inadvertently) designed to allow access based on a "req_header Host" acl regex that matches www.uol.com.br. | 2012-04-28 | 5.0 | CVE-2012-2213 |
| sun -- sunos | Unspecified vulnerability in Oracle Sun Solaris 8, 9, and 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to (1) bsmconv and (2) bsmunconv. | 2012-05-03 | 6.2 | CVE-2012-0539 |
| sun -- sunos | Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allows local users to affect availability via unknown vectors related to Kernel/sockfs. | 2012-05-03 | 4.9 | CVE-2012-1681 |
| sun -- sunos | Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to gssd. | 2012-05-03 | 5.9 | CVE-2012-1683 |
| sun -- sunos | Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Password Policy. | 2012-05-03 | 4.3 | CVE-2012-1684 |
| sun -- sunos | Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Kernel/Privileges. | 2012-05-03 | 6.6 | CVE-2012-1691 |
| sun -- sunos | Unspecified vulnerability in Oracle Sun Solaris 10 allows local users to affect availability, related to SCTP. | 2012-05-03 | 4.9 | CVE-2012-1692 |
| sun -- sunos | Unspecified vulnerability in Oracle Sun Solaris 10 allows remote attackers to affect confidentiality and integrity, related to libsasl. | 2012-05-03 | 6.4 | CVE-2012-1694 |
| wordpress -- wordpress | ** DISPUTED ** The wp_create_nonce function in wp-includes/pluggable.php in WordPress 3.3.1 and earlier associates a nonce with a user account instead of a user session, which might make it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks on specific actions and objects by sniffing the network, as demonstrated by attacks against the wp-admin/admin-ajax.php and wp-admin/user-new.php scripts. NOTE: the vendor reportedly disputes the significance of this issue because wp_create_nonce operates as intended, even if it is arguably inconsistent with certain CSRF protection details advocated by external organizations. | 2012-05-03 | 6.8 | CVE-2012-1936 |
Low Vulnerabilities
| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| cisco -- ios | Cisco IOS 12.4 and 15.0 through 15.2 allows physically proximate attackers to bypass the No Service Password-Recovery feature and read the start-up configuration via unspecified vectors, aka Bug ID CSCtr97640. | 2012-05-02 | 3.6 | CVE-2011-3289 |
| ibm -- rational_appscan | Cross-site scripting (XSS) vulnerability in IBM Rational AppScan Enterprise 5.x and 8.x before 8.5.0.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2012-05-03 | 3.5 | CVE-2012-0737 |
| mumble -- mumble | Mumble 1.2.3 and earlier uses world-readable permissions for .local/share/data/Mumble/.mumble.sqlite files in home directories, which might allow local users to obtain a cleartext password and configuration data by reading a file. | 2012-04-30 | 2.1 | CVE-2012-0863 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 5.0.2 and 5.3.0 through 5.3.4 allows remote authenticated users to affect integrity via unknown vectors related to Core-Base. | 2012-05-03 | 3.5 | CVE-2012-0509 |
| oracle -- e-business_suite | Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6 and 12.1.3 allows remote attackers to affect integrity, related to REST Services. | 2012-05-03 | 2.6 | CVE-2012-0513 |
| oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50, 8.51, and 8.52 allows local users to affect confidentiality and integrity via unknown vectors related to File Processing. | 2012-05-03 | 3.2 | CVE-2012-0524 |
| oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.51 allows remote authenticated users to affect integrity via unknown vectors related to core. | 2012-05-03 | 3.5 | CVE-2012-0529 |
| oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise Portal component in Oracle PeopleSoft Products 9.1 allows remote authenticated users to affect integrity via unknown vectors related to Enterprise Portal. | 2012-05-03 | 3.5 | CVE-2012-0531 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 5.0.2, 5.3.0 through 5.3.4, 6.0.1, and 6.2.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Core-My Services. | 2012-05-03 | 3.5 | CVE-2012-0541 |
| oracle -- e-business_suite | Unspecified vulnerability in the Oracle iStore component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Runtime Catalog. | 2012-05-03 | 2.6 | CVE-2012-0542 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.4.0 allows remote authenticated users to affect integrity via unknown vectors related to Core. | 2012-05-03 | 3.5 | CVE-2012-0544 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.2.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Core. | 2012-05-03 | 3.6 | CVE-2012-0545 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.2.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Core. | 2012-05-03 | 3.6 | CVE-2012-0546 |
| oracle -- xcp | Unspecified vulnerability in Oracle SPARC Enterprise M Series Servers XCP 1110 and earlier allows local users to affect confidentiality, related to XSCF Control Package (XCP). | 2012-05-03 | 2.1 | CVE-2012-0548 |
| oracle -- peoplesoft_products | Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.50, 8.51, and 8.52 allows remote authenticated users to affect integrity, related to PIA Core Technology. | 2012-05-03 | 3.5 | CVE-2012-0561 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.4.0 allows remote authenticated users to affect availability via unknown vectors related to Core. | 2012-05-03 | 3.5 | CVE-2012-0577 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Universal Banking component in Oracle Financial Services Software 10.0.0 through 10.5.0 and 11.0.0 through 11.4.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Core. | 2012-05-03 | 3.5 | CVE-2012-0579 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 5.0.2, 5.3.0 through 5.3.4, 6.0.1, and 6.2.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Virtual Banking. | 2012-05-03 | 3.5 | CVE-2012-1676 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 5.0.2, 5.3.0 through 5.3.4, 6.0.1, and 6.2.0 allows remote authenticated users to affect integrity via unknown vectors related to Core-Base. | 2012-05-03 | 3.5 | CVE-2012-1679 |
| oracle -- xcp | Unspecified vulnerability in Oracle SPARC Enterprise M Series Servers XCP 1110 allows remote attackers to affect availability, related to XSCF Control Package (XCP). | 2012-05-03 | 2.6 | CVE-2012-1693 |
| oracle -- financial_services_software | Unspecified vulnerability in the Oracle FLEXCUBE Direct Banking component in Oracle Financial Services Software 5.0.2, 5.3.0 through 5.3.4, 6.0.1, and 6.2.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Core-Base. | 2012-05-03 | 3.5 | CVE-2012-1704 |
| sun -- sunos | Unspecified vulnerability in Oracle Sun Solaris 11 allows remote authenticated users to affect confidentiality, related to Kernel/GLD. | 2012-05-03 | 2.1 | CVE-2012-1698 |
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.