CVEdetails.com the ultimate security vulnerability data source

Security Vulnerabilities (CVSS score between 2 and 2.99)

# | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail.
2151 CVE-2011-4132 20 DoS 2012-01-27 2017-12-29
2.1
None Local Low Not required None None Partial
The cleanup_journal_tail function in the Journaling Block Device (JBD) functionality in the Linux kernel 2.6 allows local users to cause a denial of service (assertion error and kernel oops) via an ext3 or ext4 image with an "invalid log first block value."
2152 CVE-2011-4142 255 +Info 2012-01-19 2012-01-19
2.1
None Local Low Not required Partial None None
The Web Search feature in EMC SourceOne Email Management 6.5 before 6.5.2.4033, 6.6 before 6.6.1.2194, and 6.7 before 6.7.2.2033 places cleartext credentials in log files, which allows local users to obtain sensitive information by reading these files.
2153 CVE-2011-4327 200 +Info 2014-02-03 2014-02-21
2.1
None Local Low Not required Partial None None
ssh-keysign.c in ssh-keysign in OpenSSH before 5.8p2 on certain platforms executes ssh-rand-helper with unintended open file descriptors, which allows local users to obtain sensitive key information via the ptrace system call.
2154 CVE-2011-4344 79 XSS 2011-12-01 2016-06-13
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in Jenkins Core in Jenkins before 1.438, and 1.409 LTS before 1.409.3 LTS, when a stand-alone container is used, allows remote attackers to inject arbitrary web script or HTML via vectors related to error messages.
2155 CVE-2011-4345 79 XSS 2011-11-30 2017-02-17
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in Namazu before 2.0.21, when Internet Explorer 6 or 7 is used, allows remote attackers to inject arbitrary web script or HTML via a cookie.
2156 CVE-2011-4363 59 2012-10-07 2012-10-08
2.6
None Local High Not required None Partial Partial
ProcessTable.pm in the Proc::ProcessTable module 0.45 for Perl, when TTY information caching is enabled, allows local users to overwrite arbitrary files via a symlink attack on /tmp/TTYDEVS.
2157 CVE-2011-4457 200 +Info 2011-11-17 2011-11-18
2.6
None Remote High Not required Partial None None
OWASP HTML Sanitizer (aka owasp-java-html-sanitizer) before 88, when JavaScript is disabled, allows user-assisted remote attackers to obtain potentially sensitive information via a crafted FORM element within a NOSCRIPT element.
2158 CVE-2011-4607 119 Overflow 2013-08-23 2019-03-21
2.1
None Local Low Not required Partial None None
PuTTY 0.59 through 0.61 does not clear sensitive process memory when managing user replies that occur during keyboard-interactive authentication, which might allow local users to read login passwords by obtaining access to the process' memory.
2159 CVE-2011-4623 189 DoS Overflow 2012-09-25 2012-09-26
2.1
None Local Low Not required None None Partial
Integer overflow in the rsCStrExtendBuf function in runtime/stringbuf.c in the imfile module in rsyslog 4.x before 4.6.6, 5.x before 5.7.4, and 6.x before 6.1.4 allows local users to cause a denial of service (daemon hang) via a large file, which triggers a heap-based buffer overflow.
2160 CVE-2011-4872 200 +Info 2012-02-05 2012-02-16
2.6
None Remote High Not required Partial None None
Multiple HTC Android devices including Desire HD FRG83D and GRI40, Glacier FRG83, Droid Incredible FRF91, Thunderbolt 4G FRG83D, Sensation Z710e GRI40, Sensation 4G GRI40, Desire S GRI40, EVO 3D GRI40, and EVO 4G GRI40 allow remote attackers to obtain 802.1X Wi-Fi credentials and SSID via a crafted application that uses the android.permission.ACCESS_WIFI_STATE permission to call the toString method on the WifiConfiguration class.
2161 CVE-2011-4915 200 +Info 2020-02-20 2020-02-25
2.1
None Local Low Not required Partial None None
fs/proc/base.c in the Linux kernel through 3.1 allows local users to obtain sensitive keystroke information via access to /proc/interrupts.
2162 CVE-2011-4922 200 +Info 2012-08-08 2017-09-19
2.1
None Local Low Not required Partial None None
cipher.c in the Cipher API in libpurple in Pidgin before 2.7.10 retains encryption-key data in process memory, which might allow local users to obtain sensitive information by reading a core file or other representation of memory contents.
2163 CVE-2011-4940 79 XSS 2012-06-27 2019-10-25
2.6
None Remote High Not required None Partial None
The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
2164 CVE-2011-5056 400 DoS 2012-01-08 2020-08-14
2.1
None Local Low Not required None None Partial
The authoritative server in MaraDNS through 2.0.04 computes hash values for DNS data without restricting the ability to trigger hash collisions predictably, which might allow local users to cause a denial of service (CPU consumption) via crafted records in zone files, a different vulnerability than CVE-2012-0024.
2165 CVE-2011-5066 200 +Info 2012-01-15 2012-02-08
2.1
None Local Low Not required Partial None None
The SibRaRecoverableSiXaResource class in the Default Messaging Component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 does not properly handle a Service Integration Bus (SIB) dump operation involving the First Failure Data Capture (FFDC) introspection code, which allows local users to obtain sensitive information by reading the FFDC log file.
2166 CVE-2011-5146 59 2012-08-31 2012-09-05
2.6
None Local High Not required None Partial Partial
Bokken before 1.6 and 1.5-x before 1.5-3 for Debian allows local users to overwrite arbitrary files via a symlink attack on /tmp/graph.dot.
2167 CVE-2011-5187 79 XSS 2012-09-20 2017-08-29
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Support Ticketing System module 6.x-1.x before 6.x-1.7 for Drupal allows remote authenticated users with the "administer support projects" permission to inject arbitrary web script or HTML via unspecified vectors.
2168 CVE-2011-5188 79 XSS 2012-09-20 2017-08-29
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Support Timer module 6.x-1.x before 6.x-1.4 for Drupal allows remote authenticated users with the "track time spent" permission to inject arbitrary web script or HTML via unspecified vectors.
2169 CVE-2011-5189 79 XSS 2012-09-20 2017-08-29
2.1
None Remote High ??? None Partial None
Cross-site scripting (XSS) vulnerability in the Webform Validation module 6.x-1.x before 6.x-1.5 and 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with permissions to "update Webform nodes" to inject arbitrary web script or HTML via unspecified vectors.
2170 CVE-2011-5193 79 XSS 2012-09-23 2012-10-15
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in vendors/samswhois/samswhois.inc.php in the Whois Search plugin 1.4.2.3 for WordPress, when the WHOIS widget is enabled, allows remote attackers to inject arbitrary web script or HTML via the domain parameter to index.php, a different vulnerability than CVE-2011-5194.
2171 CVE-2011-5202 119 DoS Overflow 2012-10-01 2017-08-29
2.1
None Local Low Not required None None Partial
BazisVirtualCDBus.sys in WinCDEmu 3.6 allows local users to cause a denial of service (system crash) via the unmount command to batchmnt.exe.
2172 CVE-2011-5256 79 XSS 2013-02-12 2013-02-13
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in the tooltips in LimeSurvey before 1.91+ Build 11379-20111116, when viewing survey results, allows remote attackers to inject arbitrary web script or HTML via unknown parameters.
2173 CVE-2011-5320 119 DoS Overflow 2017-10-18 2017-11-08
2.1
None Local Low Not required None None Partial
scanf and related functions in glibc before 2.15 allow local users to cause a denial of service (segmentation fault) via a large string of 0s.
2174 CVE-2012-0021 20 DoS 2012-01-28 2021-06-06
2.6
None Remote High Not required None None Partial
The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server 2.2.17 through 2.2.21, when a threaded MPM is used, does not properly handle a %{}C format string, which allows remote attackers to cause a denial of service (daemon crash) via a cookie that lacks both a name and a value.
2175 CVE-2012-0034 255 +Info 2013-02-05 2015-01-18
2.1
None Local Low Not required Partial None None
The NonManagedConnectionFactory in JBoss Enterprise Application Platform (EAP) 5.1.2 and 5.2.0, Web Platform (EWP) 5.1.2 and 5.2.0, and BRMS Platform before 5.3.1 logs the username and password in cleartext when an exception is thrown, which allows local users to obtain sensitive information by reading the log file.
2176 CVE-2012-0042 DoS 2012-04-11 2017-09-19
2.9
None Local Network Medium Not required None None Partial
Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 does not properly perform certain string conversions, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a crafted packet, related to epan/to_str.c.
2177 CVE-2012-0091 2012-01-18 2017-08-29
2.7
None Local Network High ??? None Partial Partial
Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft Products 8.52.05 allows remote authenticated users to affect integrity and availability via unknown vectors related to Upgrade Change Assistance.
2178 CVE-2012-0095 2012-10-16 2016-11-22
2.1
None Remote High ??? Partial None None
Unspecified vulnerability in the Oracle Imaging and Process Management component in Oracle Fusion Middleware 10.1.3.6.0 allows remote authenticated users to affect confidentiality via unknown vectors related to Web, a different vulnerability than CVE-2012-0086 and CVE-2012-0108.
2179 CVE-2012-0097 2012-01-18 2017-08-29
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in Oracle Solaris 11 Express allows local users to affect confidentiality via unknown vectors related to ksh93 Shell.
2180 CVE-2012-0099 2012-01-18 2018-01-06
2.6
None Remote High Not required None None Partial
Unspecified vulnerability in Oracle Solaris 9, 10, and 11 Express allows remote attackers to affect availability via unknown vectors related to sshd.
2181 CVE-2012-0287 79 XSS 2012-01-06 2021-07-23
2.6
None Remote High Not required None Partial None
Cross-site scripting (XSS) vulnerability in wp-comments-post.php in WordPress 3.3.x before 3.3.1, when Internet Explorer is used, allows remote attackers to inject arbitrary web script or HTML via the query string in a POST operation that is not properly handled by the "Duplicate comment detected" feature.
2182 CVE-2012-0321 DoS 2012-03-02 2012-03-05
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in the device driver in Kingsoft Internet Security 2011 allows local users to cause a denial of service via a crafted application.
2183 CVE-2012-0421 200 +Info 2012-08-08 2012-08-08
2.1
None Local Low Not required Partial None None
The SUSE Audit Log Keeper daemon before 0.2.1-0.4.6.1 for SUSE Manager and Spacewalk uses world-readable permissions for /etc/auditlog-keeper.conf, which allows local users to obtain passwords by reading this file.
2184 CVE-2012-0433 200 +Info 2018-06-08 2019-10-09
2.1
None Local Low Not required Partial None None
The install-chef-suse.sh script shipped with crowbar before 2012-10-02 is creating files containing confidential data with insecure permissions, allowing local users to read confidential data.
2185 CVE-2012-0450 264 2012-02-01 2017-09-19
2.1
None Local Low Not required Partial None None
Mozilla Firefox 4.x through 9.0 and SeaMonkey before 2.7 on Linux and Mac OS X set weak permissions for Firefox Recovery Key.html, which might allow local users to read a Firefox Sync key via standard filesystem operations.
2186 CVE-2012-0475 264 Bypass 2012-04-25 2017-12-19
2.6
None Remote High Not required None Partial None
Mozilla Firefox 4.x through 11.0, Thunderbird 5.0 through 11.0, and SeaMonkey before 2.9 do not properly construct the Origin and Sec-WebSocket-Origin HTTP headers, which might allow remote attackers to bypass an IPv6 literal ACL via a cross-site (1) XMLHttpRequest or (2) WebSocket operation involving a nonstandard port number and an IPv6 address that contains certain zero fields.
2187 CVE-2012-0492 2012-01-18 2019-12-17
2.1
None Remote High ??? None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.1.x and 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0112, CVE-2012-0115, CVE-2012-0119, CVE-2012-0120, and CVE-2012-0485.
2188 CVE-2012-0493 2012-01-18 2019-12-17
2.1
None Remote High ??? None None Partial
Unspecified vulnerability in the MySQL Server component in Oracle MySQL 5.5.x allows remote authenticated users to affect availability via unknown vectors, a different vulnerability than CVE-2012-0117, CVE-2012-0486, CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0491, and CVE-2012-0495.
2189 CVE-2012-0513 2012-05-03 2017-12-07
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6 and 12.1.3 allows remote attackers to affect integrity, related to REST Services.
2190 CVE-2012-0542 2012-05-03 2017-12-07
2.6
None Remote High Not required None Partial None
Unspecified vulnerability in the Oracle iStore component in Oracle E-Business Suite 11.5.10.2, 12.0.4, 12.0.6, 12.1.1, 12.1.2, and 12.1.3 allows remote attackers to affect integrity via unknown vectors related to Runtime Catalog.
2191 CVE-2012-0548 2012-05-03 2017-12-07
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in Oracle SPARC Enterprise M Series Servers XCP 1110 and earlier allows local users to affect confidentiality, related to XSCF Control Package (XCP).
2192 CVE-2012-0563 2012-07-17 2017-08-29
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in Oracle Solaris 9, 10, and 11 allows local users to affect availability via unknown vectors related to Kerberos/klist.
2193 CVE-2012-0568 2013-04-17 2017-09-19
2.1
None Local Low Not required Partial None None
Unspecified vulnerability in Oracle Sun Solaris 8, 9, and 10 allows local users to affect confidentiality via unknown vectors related to Utility/fdformat.
2194 CVE-2012-0570 2013-04-17 2017-09-19
2.1
None Local Low Not required None None Partial
Unspecified vulnerability in Oracle Sun Solaris 8, 9, 10, and 11 allows local users to affect availability via unknown vectors related to Libraries/Libc.
2195 CVE-2012-0657 264 Bypass 2012-05-11 2012-05-30
2.1
None Local Low Not required None Partial None
Quartz Composer in Apple Mac OS X before 10.7.4, when the RSS Visualizer screensaver is enabled, allows physically proximate attackers to bypass screen locking and launch a Safari process via unspecified vectors.
2196 CVE-2012-0717 287 Bypass 2012-06-20 2012-06-21
2.6
None Remote High Not required None Partial None
IBM WebSphere Application Server 7.0 before 7.0.0.23, when a certain SSLv2 configuration with client authentication is used, allows remote attackers to bypass X.509 client-certificate authentication via unspecified vectors.
2197 CVE-2012-0800 200 +Info 2012-07-17 2020-12-01
2.1
None Local Low Not required Partial None None
The form-autocompletion functionality in Moodle 2.0.x before 2.0.7, 2.1.x before 2.1.4, and 2.2.x before 2.2.1 makes it easier for physically proximate attackers to discover passwords by reading the contents of a non-password field, as demonstrated by accessing a create-groups page with Safari on an iPad device.
2198 CVE-2012-0813 255 +Info 2012-06-29 2012-08-01
2.1
None Local Low Not required Partial None None
Wicd before 1.7.1 saves sensitive information in log files in /var/log/wicd, which allows context-dependent attackers to obtain passwords and other sensitive information.
2199 CVE-2012-0833 264 DoS 2012-07-03 2012-07-17
2.3
None Local Network Medium ??? None None Partial
The acllas__handle_group_entry function in servers/plugins/acl/acllas.c in 389 Directory Server before 1.2.10 does not properly handle access control instructions (ACIs) that use certificate groups, which allows remote authenticated LDAP users with a certificate group to cause a denial of service (infinite loop and CPU consumption) by binding to the server.
2200 CVE-2012-0842 200 +Info 2019-11-19 2019-11-20
2.1
None Local Low Not required Partial None None
surf: cookie jar has read access from other local user